Analysis

  • max time kernel
    95s
  • max time network
    124s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    19/09/2024, 23:45 UTC

General

  • Target

    file.exe

  • Size

    292KB

  • MD5

    0c4b826cab211945649ac4bbb0c48c6b

  • SHA1

    fe0132f85b63833f55a41651fcc0f32c1c96124d

  • SHA256

    41b381e462f4108957fbab888701dfb9e605621507f8dd2d3f71a32b429c5f0c

  • SHA512

    6e4ea6a514002c61cadfea41ae6aa9e81178570dbae5f78b79e95f654dc6c7716a8f98b812c805ad45423f0e657fab260492e46b2e6bb45d25520d933dc27363

  • SSDEEP

    6144:D8zag1zxFKmMqtXpA8dI41MwJckA3/l6ah4LXeofOdLBhShSpk+JEO:OjNxjXrX1z1845DdfCLBxZEO

Malware Config

Extracted

Family

vidar

C2

https://t.me/edm0d

https://steamcommunity.com/profiles/76561199768374681

Attributes
  • user_agent

    Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 OPR/110.0.0.0

Extracted

Family

lumma

C2

https://questionmwq.shop/api

https://chickerkuso.shop/api

https://achievenmtynwjq.shop/api

https://puredoffustow.shop/api

https://opponnentduei.shop/api

https://metallygaricwo.shop/api

https://milldymarskwom.shop/api

https://quotamkdsdqo.shop/api

https://carrtychaintnyw.shop/api

Signatures

  • Detect Vidar Stealer 20 IoCs
  • Lumma Stealer, LummaC

    Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

  • Vidar

    Vidar is an infostealer based on Arkei stealer.

  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious access to, or copying of, a web browser credential store.

  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steals credentials from unsecured files.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Suspicious use of SetThreadContext 3 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of WriteProcessMemory 47 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4280
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      2⤵
      • Checks computer location settings
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:4812
      • C:\ProgramData\AEGHIJEHJD.exe
        "C:\ProgramData\AEGHIJEHJD.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3460
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:3840
      • C:\ProgramData\HJDAKFBFBF.exe
        "C:\ProgramData\HJDAKFBFBF.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:5068
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
          4⤵
          PID:1340
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
          4⤵
          PID:4896
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
          4⤵
          • System Location Discovery: System Language Discovery
          • Checks processor information in registry
          • Suspicious behavior: EnumeratesProcesses
          PID:3936
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\HJJEGCAAECBF" & exit
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4212
        • C:\Windows\SysWOW64\timeout.exe
          timeout /t 10
          4⤵
          • System Location Discovery: System Language Discovery
          • Delays execution with timeout.exe
          PID:4092

Network

      • flag-us
        DNS
        97.17.167.52.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        97.17.167.52.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        68.32.126.40.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        68.32.126.40.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        t.me
        RegAsm.exe
        Remote address:
        8.8.8.8:53
        Request
        t.me
        IN A
        Response
        t.me
        IN A
        149.154.167.99
      • flag-nl
        GET
        https://t.me/edm0d
        RegAsm.exe
        Remote address:
        149.154.167.99:443
        Request
        GET /edm0d HTTP/1.1
        Host: t.me
        Connection: Keep-Alive
        Cache-Control: no-cache
        Response
        HTTP/1.1 200 OK
        Server: nginx/1.18.0
        Date: Thu, 19 Sep 2024 23:45:12 GMT
        Content-Type: text/html; charset=utf-8
        Content-Length: 12286
        Connection: keep-alive
        Set-Cookie: stel_ssid=fc93891a7683ccce4d_4810675215694977228; expires=Fri, 20 Sep 2024 23:45:12 GMT; path=/; samesite=None; secure; HttpOnly
        Pragma: no-cache
        Cache-control: no-store
        X-Frame-Options: ALLOW-FROM https://web.telegram.org
        Content-Security-Policy: frame-ancestors https://web.telegram.org
        Strict-Transport-Security: max-age=35768000
      • flag-us
        DNS
        99.167.154.149.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        99.167.154.149.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        23.249.124.192.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        23.249.124.192.in-addr.arpa
        IN PTR
        Response
        23.249.124.192.in-addr.arpa
        IN PTR
        cloudproxy10023.sucuri.net
      • flag-de
        GET
        https://116.202.0.195/
        RegAsm.exe
        Remote address:
        116.202.0.195:443
        Request
        GET / HTTP/1.1
        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 OPR/110.0.0.0
        Host: 116.202.0.195
        Connection: Keep-Alive
        Cache-Control: no-cache
        Response
        HTTP/1.1 200 OK
        Server: nginx
        Date: Thu, 19 Sep 2024 23:45:12 GMT
        Content-Type: text/html; charset=UTF-8
        Transfer-Encoding: chunked
        Connection: keep-alive
      • flag-de
        POST
        https://116.202.0.195/
        RegAsm.exe
        Remote address:
        116.202.0.195:443
        Request
        POST / HTTP/1.1
        Content-Type: multipart/form-data; boundary=----FBFCGIDAKECGCBGDBAFI
        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 OPR/110.0.0.0
        Host: 116.202.0.195
        Content-Length: 256
        Connection: Keep-Alive
        Cache-Control: no-cache
        Response
        HTTP/1.1 200 OK
        Server: nginx
        Date: Thu, 19 Sep 2024 23:45:13 GMT
        Content-Type: text/html; charset=UTF-8
        Transfer-Encoding: chunked
        Connection: keep-alive
      • flag-us
        DNS
        195.0.202.116.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        195.0.202.116.in-addr.arpa
        IN PTR
        Response
        195.0.202.116.in-addr.arpa
        IN PTR
        static.195.0.202.116.clients.your-server.de
      • flag-de
        POST
        https://116.202.0.195/
        RegAsm.exe
        Remote address:
        116.202.0.195:443
        Request
        POST / HTTP/1.1
        Content-Type: multipart/form-data; boundary=----GHIJJJEGDBFHDHJJDBAK
        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 OPR/110.0.0.0
        Host: 116.202.0.195
        Content-Length: 331
        Connection: Keep-Alive
        Cache-Control: no-cache
        Response
        HTTP/1.1 200 OK
        Server: nginx
        Date: Thu, 19 Sep 2024 23:45:13 GMT
        Content-Type: text/html; charset=UTF-8
        Transfer-Encoding: chunked
        Connection: keep-alive
      • flag-de
        POST
        https://116.202.0.195/
        RegAsm.exe
        Remote address:
        116.202.0.195:443
        Request
        POST / HTTP/1.1
        Content-Type: multipart/form-data; boundary=----KJDGDGDHDGDBFIDHDBAF
        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 OPR/110.0.0.0
        Host: 116.202.0.195
        Content-Length: 331
        Connection: Keep-Alive
        Cache-Control: no-cache
        Response
        HTTP/1.1 200 OK
        Server: nginx
        Date: Thu, 19 Sep 2024 23:45:14 GMT
        Content-Type: text/html; charset=UTF-8
        Transfer-Encoding: chunked
        Connection: keep-alive
      • flag-de
        POST
        https://116.202.0.195/
        RegAsm.exe
        Remote address:
        116.202.0.195:443
        Request
        POST / HTTP/1.1
        Content-Type: multipart/form-data; boundary=----CFHDBFIEGIDGIECBKJEC
        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 OPR/110.0.0.0
        Host: 116.202.0.195
        Content-Length: 332
        Connection: Keep-Alive
        Cache-Control: no-cache
        Response
        HTTP/1.1 200 OK
        Server: nginx
        Date: Thu, 19 Sep 2024 23:45:14 GMT
        Content-Type: text/html; charset=UTF-8
        Transfer-Encoding: chunked
        Connection: keep-alive
      • flag-de
        POST
        https://116.202.0.195/
        RegAsm.exe
        Remote address:
        116.202.0.195:443
        Request
        POST / HTTP/1.1
        Content-Type: multipart/form-data; boundary=----HJDAKFBFBFBAAAAAEBKJ
        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 OPR/110.0.0.0
        Host: 116.202.0.195
        Content-Length: 4621
        Connection: Keep-Alive
        Cache-Control: no-cache
        Response
        HTTP/1.1 200 OK
        Server: nginx
        Date: Thu, 19 Sep 2024 23:45:15 GMT
        Content-Type: text/html; charset=UTF-8
        Transfer-Encoding: chunked
        Connection: keep-alive
      • flag-de
        GET
        https://116.202.0.195/sqlp.dll
        RegAsm.exe
        Remote address:
        116.202.0.195:443
        Request
        GET /sqlp.dll HTTP/1.1
        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 OPR/110.0.0.0
        Host: 116.202.0.195
        Connection: Keep-Alive
        Cache-Control: no-cache
        Response
        HTTP/1.1 200 OK
        Server: nginx
        Date: Thu, 19 Sep 2024 23:45:15 GMT
        Content-Type: application/octet-stream
        Content-Length: 2459136
        Connection: keep-alive
        Last-Modified: Thursday, 19-Sep-2024 23:45:15 GMT
        Cache-Control: no-store, no-cache
        Accept-Ranges: bytes
      • flag-de
        POST
        https://116.202.0.195/
        RegAsm.exe
        Remote address:
        116.202.0.195:443
        Request
        POST / HTTP/1.1
        Content-Type: multipart/form-data; boundary=----AKKKFBGDHJKFHJJJJDGC
        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 OPR/110.0.0.0
        Host: 116.202.0.195
        Content-Length: 437
        Connection: Keep-Alive
        Cache-Control: no-cache
        Response
        HTTP/1.1 200 OK
        Server: nginx
        Date: Thu, 19 Sep 2024 23:45:17 GMT
        Content-Type: text/html; charset=UTF-8
        Transfer-Encoding: chunked
        Connection: keep-alive
      • flag-de
        POST
        https://116.202.0.195/
        RegAsm.exe
        Remote address:
        116.202.0.195:443
        Request
        POST / HTTP/1.1
        Content-Type: multipart/form-data; boundary=----EGDGIEGHJEGIDGCAFBFC
        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 OPR/110.0.0.0
        Host: 116.202.0.195
        Content-Length: 437
        Connection: Keep-Alive
        Cache-Control: no-cache
        Response
        HTTP/1.1 200 OK
        Server: nginx
        Date: Thu, 19 Sep 2024 23:45:17 GMT
        Content-Type: text/html; charset=UTF-8
        Transfer-Encoding: chunked
        Connection: keep-alive
      • flag-de
        GET
        https://116.202.0.195/freebl3.dll
        RegAsm.exe
        Remote address:
        116.202.0.195:443
        Request
        GET /freebl3.dll HTTP/1.1
        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 OPR/110.0.0.0
        Host: 116.202.0.195
        Connection: Keep-Alive
        Cache-Control: no-cache
        Response
        HTTP/1.1 200 OK
        Server: nginx
        Date: Thu, 19 Sep 2024 23:45:17 GMT
        Content-Type: application/octet-stream
        Content-Length: 685392
        Connection: keep-alive
        Last-Modified: Thursday, 19-Sep-2024 23:45:17 GMT
        Cache-Control: no-store, no-cache
        Accept-Ranges: bytes
      • flag-de
        GET
        https://116.202.0.195/mozglue.dll
        RegAsm.exe
        Remote address:
        116.202.0.195:443
        Request
        GET /mozglue.dll HTTP/1.1
        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 OPR/110.0.0.0
        Host: 116.202.0.195
        Connection: Keep-Alive
        Cache-Control: no-cache
        Response
        HTTP/1.1 200 OK
        Server: nginx
        Date: Thu, 19 Sep 2024 23:45:18 GMT
        Content-Type: application/octet-stream
        Content-Length: 608080
        Connection: keep-alive
        Last-Modified: Thursday, 19-Sep-2024 23:45:18 GMT
        Cache-Control: no-store, no-cache
        Accept-Ranges: bytes
      • flag-de
        GET
        https://116.202.0.195/msvcp140.dll
        RegAsm.exe
        Remote address:
        116.202.0.195:443
        Request
        GET /msvcp140.dll HTTP/1.1
        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 OPR/110.0.0.0
        Host: 116.202.0.195
        Connection: Keep-Alive
        Cache-Control: no-cache
        Response
        HTTP/1.1 200 OK
        Server: nginx
        Date: Thu, 19 Sep 2024 23:45:18 GMT
        Content-Type: application/octet-stream
        Content-Length: 450024
        Connection: keep-alive
        Last-Modified: Thursday, 19-Sep-2024 23:45:18 GMT
        Cache-Control: no-store, no-cache
        Accept-Ranges: bytes
      • flag-de
        GET
        https://116.202.0.195/softokn3.dll
        RegAsm.exe
        Remote address:
        116.202.0.195:443
        Request
        GET /softokn3.dll HTTP/1.1
        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 OPR/110.0.0.0
        Host: 116.202.0.195
        Connection: Keep-Alive
        Cache-Control: no-cache
        Response
        HTTP/1.1 200 OK
        Server: nginx
        Date: Thu, 19 Sep 2024 23:45:19 GMT
        Content-Type: application/octet-stream
        Content-Length: 257872
        Connection: keep-alive
        Last-Modified: Thursday, 19-Sep-2024 23:45:19 GMT
        Cache-Control: no-store, no-cache
        Accept-Ranges: bytes
      • flag-de
        GET
        https://116.202.0.195/vcruntime140.dll
        RegAsm.exe
        Remote address:
        116.202.0.195:443
        Request
        GET /vcruntime140.dll HTTP/1.1
        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 OPR/110.0.0.0
        Host: 116.202.0.195
        Connection: Keep-Alive
        Cache-Control: no-cache
        Response
        HTTP/1.1 200 OK
        Server: nginx
        Date: Thu, 19 Sep 2024 23:45:19 GMT
        Content-Type: application/octet-stream
        Content-Length: 80880
        Connection: keep-alive
        Last-Modified: Thursday, 19-Sep-2024 23:45:19 GMT
        Cache-Control: no-store, no-cache
        Accept-Ranges: bytes
      • flag-de
        GET
        https://116.202.0.195/nss3.dll
        RegAsm.exe
        Remote address:
        116.202.0.195:443
        Request
        GET /nss3.dll HTTP/1.1
        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 OPR/110.0.0.0
        Host: 116.202.0.195
        Connection: Keep-Alive
        Cache-Control: no-cache
        Response
        HTTP/1.1 200 OK
        Server: nginx
        Date: Thu, 19 Sep 2024 23:45:19 GMT
        Content-Type: application/octet-stream
        Content-Length: 2046288
        Connection: keep-alive
        Last-Modified: Thursday, 19-Sep-2024 23:45:19 GMT
        Cache-Control: no-store, no-cache
        Accept-Ranges: bytes
      • flag-de
        POST
        https://116.202.0.195/
        RegAsm.exe
        Remote address:
        116.202.0.195:443
        Request
        POST / HTTP/1.1
        Content-Type: multipart/form-data; boundary=----ECBKKKFHCFIDHIECGCAF
        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 OPR/110.0.0.0
        Host: 116.202.0.195
        Content-Length: 1025
        Connection: Keep-Alive
        Cache-Control: no-cache
        Response
        HTTP/1.1 200 OK
        Server: nginx
        Date: Thu, 19 Sep 2024 23:45:21 GMT
        Content-Type: text/html; charset=UTF-8
        Transfer-Encoding: chunked
        Connection: keep-alive
      • flag-de
        POST
        https://116.202.0.195/
        RegAsm.exe
        Remote address:
        116.202.0.195:443
        Request
        POST / HTTP/1.1
        Content-Type: multipart/form-data; boundary=----DHDHCGHDHIDHCBGCBGCA
        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 OPR/110.0.0.0
        Host: 116.202.0.195
        Content-Length: 331
        Connection: Keep-Alive
        Cache-Control: no-cache
        Response
        HTTP/1.1 200 OK
        Server: nginx
        Date: Thu, 19 Sep 2024 23:45:21 GMT
        Content-Type: text/html; charset=UTF-8
        Transfer-Encoding: chunked
        Connection: keep-alive
      • flag-de
        POST
        https://116.202.0.195/
        RegAsm.exe
        Remote address:
        116.202.0.195:443
        Request
        POST / HTTP/1.1
        Content-Type: multipart/form-data; boundary=----DHIDHIEGIIIECAKEBFBA
        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 OPR/110.0.0.0
        Host: 116.202.0.195
        Content-Length: 331
        Connection: Keep-Alive
        Cache-Control: no-cache
        Response
        HTTP/1.1 200 OK
        Server: nginx
        Date: Thu, 19 Sep 2024 23:45:22 GMT
        Content-Type: text/html; charset=UTF-8
        Transfer-Encoding: chunked
        Connection: keep-alive
      • flag-de
        POST
        https://116.202.0.195/
        RegAsm.exe
        Remote address:
        116.202.0.195:443
        Request
        POST / HTTP/1.1
        Content-Type: multipart/form-data; boundary=----JEGHCBAFBFHIIECBKFCG
        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 OPR/110.0.0.0
        Host: 116.202.0.195
        Content-Length: 461
        Connection: Keep-Alive
        Cache-Control: no-cache
        Response
        HTTP/1.1 200 OK
        Server: nginx
        Date: Thu, 19 Sep 2024 23:45:22 GMT
        Content-Type: text/html; charset=UTF-8
        Transfer-Encoding: chunked
        Connection: keep-alive
      • flag-de
        POST
        https://116.202.0.195/
        RegAsm.exe
        Remote address:
        116.202.0.195:443
        Request
        POST / HTTP/1.1
        Content-Type: multipart/form-data; boundary=----CAAKFIIDGIEHIDGCGHII
        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 OPR/110.0.0.0
        Host: 116.202.0.195
        Content-Length: 109297
        Connection: Keep-Alive
        Cache-Control: no-cache
        Response
        HTTP/1.1 200 OK
        Server: nginx
        Date: Thu, 19 Sep 2024 23:45:23 GMT
        Content-Type: text/html; charset=UTF-8
        Transfer-Encoding: chunked
        Connection: keep-alive
      • flag-de
        POST
        https://116.202.0.195/
        RegAsm.exe
        Remote address:
        116.202.0.195:443
        Request
        POST / HTTP/1.1
        Content-Type: multipart/form-data; boundary=----EBKKKEGIDBGHIDGDHDBF
        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 OPR/110.0.0.0
        Host: 116.202.0.195
        Content-Length: 331
        Connection: Keep-Alive
        Cache-Control: no-cache
        Response
        HTTP/1.1 200 OK
        Server: nginx
        Date: Thu, 19 Sep 2024 23:45:24 GMT
        Content-Type: text/html; charset=UTF-8
        Transfer-Encoding: chunked
        Connection: keep-alive
      • flag-ch
        GET
        http://147.45.44.104/prog/66ecb454d2b4a_lgfdsjgds.exe
        RegAsm.exe
        Remote address:
        147.45.44.104:80
        Request
        GET /prog/66ecb454d2b4a_lgfdsjgds.exe HTTP/1.1
        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 OPR/110.0.0.0
        Host: 147.45.44.104
        Cache-Control: no-cache
        Response
        HTTP/1.1 200 OK
        Server: nginx
        Date: Thu, 19 Sep 2024 23:45:24 GMT
        Content-Type: application/octet-stream
        Content-Length: 363424
        Last-Modified: Thu, 19 Sep 2024 23:31:32 GMT
        Connection: keep-alive
        Keep-Alive: timeout=120
        ETag: "66ecb454-58ba0"
        X-Content-Type-Options: nosniff
        Accept-Ranges: bytes
      • flag-ch
        GET
        http://147.45.44.104/prog/66ecb44c35444_vfdhsgdf.exe
        RegAsm.exe
        Remote address:
        147.45.44.104:80
        Request
        GET /prog/66ecb44c35444_vfdhsgdf.exe HTTP/1.1
        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 OPR/110.0.0.0
        Host: 147.45.44.104
        Cache-Control: no-cache
        Response
        HTTP/1.1 200 OK
        Server: nginx
        Date: Thu, 19 Sep 2024 23:45:26 GMT
        Content-Type: application/octet-stream
        Content-Length: 299936
        Last-Modified: Thu, 19 Sep 2024 23:31:24 GMT
        Connection: keep-alive
        Keep-Alive: timeout=120
        ETag: "66ecb44c-493a0"
        X-Content-Type-Options: nosniff
        Accept-Ranges: bytes
      • flag-us
        DNS
        104.44.45.147.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        104.44.45.147.in-addr.arpa
        IN PTR
        Response
      • flag-de
        POST
        https://116.202.0.195/
        RegAsm.exe
        Remote address:
        116.202.0.195:443
        Request
        POST / HTTP/1.1
        Content-Type: multipart/form-data; boundary=----GCGCBAECFCAKKEBFCFII
        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 OPR/110.0.0.0
        Host: 116.202.0.195
        Content-Length: 499
        Connection: Keep-Alive
        Cache-Control: no-cache
        Response
        HTTP/1.1 200 OK
        Server: nginx
        Date: Thu, 19 Sep 2024 23:45:26 GMT
        Content-Type: text/html; charset=UTF-8
        Transfer-Encoding: chunked
        Connection: keep-alive
      • flag-de
        POST
        https://116.202.0.195/
        RegAsm.exe
        Remote address:
        116.202.0.195:443
        Request
        POST / HTTP/1.1
        Content-Type: multipart/form-data; boundary=----DHDHCGHDHIDHCBGCBGCA
        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 OPR/110.0.0.0
        Host: 116.202.0.195
        Content-Length: 499
        Connection: Keep-Alive
        Cache-Control: no-cache
        Response
        HTTP/1.1 200 OK
        Server: nginx
        Date: Thu, 19 Sep 2024 23:45:26 GMT
        Content-Type: text/html; charset=UTF-8
        Transfer-Encoding: chunked
        Connection: keep-alive
      • flag-us
        DNS
        questionmwq.shop
        RegAsm.exe
        Remote address:
        8.8.8.8:53
        Request
        questionmwq.shop
        IN A
        Response
        questionmwq.shop
        IN A
        172.67.204.62
        questionmwq.shop
        IN A
        104.21.85.92
      • flag-us
        POST
        https://questionmwq.shop/api
        RegAsm.exe
        Remote address:
        172.67.204.62:443
        Request
        POST /api HTTP/1.1
        Connection: Keep-Alive
        Content-Type: application/x-www-form-urlencoded
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
        Content-Length: 8
        Host: questionmwq.shop
        Response
        HTTP/1.1 200 OK
        Date: Thu, 19 Sep 2024 23:45:27 GMT
        Content-Type: text/html; charset=UTF-8
        Transfer-Encoding: chunked
        Connection: keep-alive
        Set-Cookie: PHPSESSID=p63p8gfdcn8616che444nufdrl; expires=Mon, 13 Jan 2025 17:32:05 GMT; Max-Age=9999999; path=/
        Expires: Thu, 19 Nov 1981 08:52:00 GMT
        Cache-Control: no-store, no-cache, must-revalidate
        Pragma: no-cache
        CF-Cache-Status: DYNAMIC
        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=qWznpB0X%2FUTGHUwtftty3N9Kr3Uw1IidpC%2BBUJ8SFC1A0C1sUOJbhX0fIs%2F9NeWU%2FJItLtFtfi7hx9dZTej%2BxoAtUjt0KiYrApqUQobR8QUBAXzh0FEzyBSAxmbHKqqYNMnP"}],"group":"cf-nel","max_age":604800}
        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
        Server: cloudflare
        CF-RAY: 8c5d730e7b6c638e-LHR
        alt-svc: h3=":443"; ma=86400
      • flag-de
        POST
        https://116.202.0.195/
        RegAsm.exe
        Remote address:
        116.202.0.195:443
        Request
        POST / HTTP/1.1
        Content-Type: multipart/form-data; boundary=----FCAAEBFHJJDAAKFIECGD
        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 OPR/110.0.0.0
        Host: 116.202.0.195
        Content-Length: 331
        Connection: Keep-Alive
        Cache-Control: no-cache
        Response
        HTTP/1.1 200 OK
        Server: nginx
        Date: Thu, 19 Sep 2024 23:45:27 GMT
        Content-Type: text/html; charset=UTF-8
        Transfer-Encoding: chunked
        Connection: keep-alive
      • flag-us
        DNS
        chickerkuso.shop
        RegAsm.exe
        Remote address:
        8.8.8.8:53
        Request
        chickerkuso.shop
        IN A
        Response
        chickerkuso.shop
        IN A
        172.67.173.81
        chickerkuso.shop
        IN A
        104.21.88.61
      • flag-us
        POST
        https://chickerkuso.shop/api
        RegAsm.exe
        Remote address:
        172.67.173.81:443
        Request
        POST /api HTTP/1.1
        Connection: Keep-Alive
        Content-Type: application/x-www-form-urlencoded
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
        Content-Length: 8
        Host: chickerkuso.shop
        Response
        HTTP/1.1 200 OK
        Date: Thu, 19 Sep 2024 23:45:27 GMT
        Content-Type: text/html; charset=UTF-8
        Transfer-Encoding: chunked
        Connection: keep-alive
        Set-Cookie: PHPSESSID=8lpphg64h7qo5qvnol2omhvl23; expires=Mon, 13 Jan 2025 17:32:06 GMT; Max-Age=9999999; path=/
        Expires: Thu, 19 Nov 1981 08:52:00 GMT
        Cache-Control: no-store, no-cache, must-revalidate
        Pragma: no-cache
        CF-Cache-Status: DYNAMIC
        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=d3FCj0ublwshyw0%2FYm1afWwfeQq%2Fin5fZMXHPj5G00gQpo7rtf%2BLMLRfC4hs4QuhYrnZx9RYE5Ht8W1TvXMbYTAXQ6BlOS8YqzFgr8a7N2htimU%2B0zbKjf09OxWYG%2FG1%2B1UX"}],"group":"cf-nel","max_age":604800}
        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
        Server: cloudflare
        CF-RAY: 8c5d7310dfba63c8-LHR
        alt-svc: h3=":443"; ma=86400
      • flag-us
        DNS
        62.204.67.172.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        62.204.67.172.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        achievenmtynwjq.shop
        RegAsm.exe
        Remote address:
        8.8.8.8:53
        Request
        achievenmtynwjq.shop
        IN A
        Response
        achievenmtynwjq.shop
        IN A
        172.67.143.200
        achievenmtynwjq.shop
        IN A
        104.21.39.77
      • flag-us
        POST
        https://achievenmtynwjq.shop/api
        RegAsm.exe
        Remote address:
        172.67.143.200:443
        Request
        POST /api HTTP/1.1
        Connection: Keep-Alive
        Content-Type: application/x-www-form-urlencoded
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
        Content-Length: 8
        Host: achievenmtynwjq.shop
        Response
        HTTP/1.1 200 OK
        Date: Thu, 19 Sep 2024 23:45:27 GMT
        Content-Type: text/html; charset=UTF-8
        Transfer-Encoding: chunked
        Connection: keep-alive
        Set-Cookie: PHPSESSID=72d1ok710l5436p51n4s7l7gol; expires=Mon, 13 Jan 2025 17:32:06 GMT; Max-Age=9999999; path=/
        Expires: Thu, 19 Nov 1981 08:52:00 GMT
        Cache-Control: no-store, no-cache, must-revalidate
        Pragma: no-cache
        CF-Cache-Status: DYNAMIC
        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=5o8VVzYq2Ky3dyWQKPZSOQZwiaVHyLrlJXf6ipYYg8uIVxS0Gu6XNhuw8TmbxOZ2rfM34YHSON5iJLXJz4umaBKy73xgf1PIyGJOAF1VodHk%2FK4DXaUi8z6wAP9hzpSavslBCB7n1w%3D%3D"}],"group":"cf-nel","max_age":604800}
        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
        Server: cloudflare
        CF-RAY: 8c5d7313bf75527e-LHR
        alt-svc: h3=":443"; ma=86400
      • flag-us
        DNS
        gacan.zapto.org
        RegAsm.exe
        Remote address:
        8.8.8.8:53
        Request
        gacan.zapto.org
        IN A
        Response
      • flag-nl
        GET
        https://t.me/edm0d
        RegAsm.exe
        Remote address:
        149.154.167.99:443
        Request
        GET /edm0d HTTP/1.1
        Host: t.me
        Connection: Keep-Alive
        Cache-Control: no-cache
        Cookie: stel_ssid=fc93891a7683ccce4d_4810675215694977228
        Response
        HTTP/1.1 200 OK
        Server: nginx/1.18.0
        Date: Thu, 19 Sep 2024 23:45:27 GMT
        Content-Type: text/html; charset=utf-8
        Content-Length: 12286
        Connection: keep-alive
        Pragma: no-cache
        Cache-control: no-store
        X-Frame-Options: ALLOW-FROM https://web.telegram.org
        Content-Security-Policy: frame-ancestors https://web.telegram.org
        Strict-Transport-Security: max-age=35768000
      • flag-us
        DNS
        puredoffustow.shop
        RegAsm.exe
        Remote address:
        8.8.8.8:53
        Request
        puredoffustow.shop
        IN A
        Response
        puredoffustow.shop
        IN A
        172.67.211.222
        puredoffustow.shop
        IN A
        104.21.85.226
      • flag-us
        POST
        https://puredoffustow.shop/api
        RegAsm.exe
        Remote address:
        172.67.211.222:443
        Request
        POST /api HTTP/1.1
        Connection: Keep-Alive
        Content-Type: application/x-www-form-urlencoded
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
        Content-Length: 8
        Host: puredoffustow.shop
        Response
        HTTP/1.1 200 OK
        Date: Thu, 19 Sep 2024 23:45:28 GMT
        Content-Type: text/html; charset=UTF-8
        Transfer-Encoding: chunked
        Connection: keep-alive
        Set-Cookie: PHPSESSID=c22fi66vj0ti4f0vten41sbc4t; expires=Mon, 13 Jan 2025 17:32:07 GMT; Max-Age=9999999; path=/
        Expires: Thu, 19 Nov 1981 08:52:00 GMT
        Cache-Control: no-store, no-cache, must-revalidate
        Pragma: no-cache
        CF-Cache-Status: DYNAMIC
        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=StcrfVfX0MIPDsfsOkYu4infQxtJ29X69GvmUwKPfOippAGCn1flzHv%2BsxRuKNAAiWvGxcWuJVaXPdUi3eHbEsbIDW2ZXqehw9DlB4GXseVQtffQnRwrCwB2%2BK4kuk%2BjVW9JTTg%3D"}],"group":"cf-nel","max_age":604800}
        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
        Server: cloudflare
        CF-RAY: 8c5d73160eb4653f-LHR
        alt-svc: h3=":443"; ma=86400
      • flag-de
        GET
        https://116.202.0.195/
        RegAsm.exe
        Remote address:
        116.202.0.195:443
        Request
        GET / HTTP/1.1
        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 OPR/110.0.0.0
        Host: 116.202.0.195
        Connection: Keep-Alive
        Cache-Control: no-cache
        Response
        HTTP/1.1 200 OK
        Server: nginx
        Date: Thu, 19 Sep 2024 23:45:28 GMT
        Content-Type: text/html; charset=UTF-8
        Transfer-Encoding: chunked
        Connection: keep-alive
      • flag-us
        DNS
        81.173.67.172.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        81.173.67.172.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        200.143.67.172.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        200.143.67.172.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        opponnentduei.shop
        RegAsm.exe
        Remote address:
        8.8.8.8:53
        Request
        opponnentduei.shop
        IN A
        Response
        opponnentduei.shop
        IN A
        104.21.45.51
        opponnentduei.shop
        IN A
        172.67.209.183
      • flag-us
        POST
        https://opponnentduei.shop/api
        RegAsm.exe
        Remote address:
        104.21.45.51:443
        Request
        POST /api HTTP/1.1
        Connection: Keep-Alive
        Content-Type: application/x-www-form-urlencoded
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
        Content-Length: 8
        Host: opponnentduei.shop
        Response
        HTTP/1.1 200 OK
        Date: Thu, 19 Sep 2024 23:45:28 GMT
        Content-Type: text/html; charset=UTF-8
        Transfer-Encoding: chunked
        Connection: keep-alive
        Set-Cookie: PHPSESSID=9sktp5c2m37qsfgscbh5ke14hm; expires=Mon, 13 Jan 2025 17:32:07 GMT; Max-Age=9999999; path=/
        Expires: Thu, 19 Nov 1981 08:52:00 GMT
        Cache-Control: no-store, no-cache, must-revalidate
        Pragma: no-cache
        CF-Cache-Status: DYNAMIC
        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=5t8KkwQ%2B3xufTGfzBWetpLTqT9Hds21teOKksqYQJUR3R36%2BcCUUfaK2nMQ%2BNZrgv7sIgVR5W8h7unIDnNBEeRRUtAAWJ0zDQOX980tUhWOr6W%2B8kGi8ViVvuOkcgV8sYE6EQR4%3D"}],"group":"cf-nel","max_age":604800}
        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
        Server: cloudflare
        CF-RAY: 8c5d73185f14cdc1-LHR
        alt-svc: h3=":443"; ma=86400
      • flag-de
        POST
        https://116.202.0.195/
        RegAsm.exe
        Remote address:
        116.202.0.195:443
        Request
        POST / HTTP/1.1
        Content-Type: multipart/form-data; boundary=----DAAAKFHIEGDGCAAAEGDG
        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 OPR/110.0.0.0
        Host: 116.202.0.195
        Content-Length: 256
        Connection: Keep-Alive
        Cache-Control: no-cache
        Response
        HTTP/1.1 200 OK
        Server: nginx
        Date: Thu, 19 Sep 2024 23:45:28 GMT
        Content-Type: text/html; charset=UTF-8
        Transfer-Encoding: chunked
        Connection: keep-alive
      • flag-us
        DNS
        metallygaricwo.shop
        RegAsm.exe
        Remote address:
        8.8.8.8:53
        Request
        metallygaricwo.shop
        IN A
        Response
        metallygaricwo.shop
        IN A
        104.21.75.242
        metallygaricwo.shop
        IN A
        172.67.184.9
      • flag-us
        POST
        https://metallygaricwo.shop/api
        RegAsm.exe
        Remote address:
        104.21.75.242:443
        Request
        POST /api HTTP/1.1
        Connection: Keep-Alive
        Content-Type: application/x-www-form-urlencoded
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
        Content-Length: 8
        Host: metallygaricwo.shop
        Response
        HTTP/1.1 200 OK
        Date: Thu, 19 Sep 2024 23:45:28 GMT
        Content-Type: text/html; charset=UTF-8
        Transfer-Encoding: chunked
        Connection: keep-alive
        Set-Cookie: PHPSESSID=udp80l3aopcroos4ma8n1818qs; expires=Mon, 13 Jan 2025 17:32:07 GMT; Max-Age=9999999; path=/
        Expires: Thu, 19 Nov 1981 08:52:00 GMT
        Cache-Control: no-store, no-cache, must-revalidate
        Pragma: no-cache
        CF-Cache-Status: DYNAMIC
        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Exhz4HSR%2F2LGYsMn8Ws5adtUPppNRwOoj9S5RnhouTcAX5HsN6UbFjhSYSVP11mpBNXt43Vl78Bktnxn2tLbwiH4QV1jYozqa5muNzTvjWO9Ca7fv3nVDpEciJTCjDpzNgnGF75l"}],"group":"cf-nel","max_age":604800}
        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
        Server: cloudflare
        CF-RAY: 8c5d731abbe29400-LHR
        alt-svc: h3=":443"; ma=86400
      • flag-de
        POST
        https://116.202.0.195/
        RegAsm.exe
        Remote address:
        116.202.0.195:443
        Request
        POST / HTTP/1.1
        Content-Type: multipart/form-data; boundary=----FCAAEBFHJJDAAKFIECGD
        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 OPR/110.0.0.0
        Host: 116.202.0.195
        Content-Length: 331
        Connection: Keep-Alive
        Cache-Control: no-cache
        Response
        HTTP/1.1 200 OK
        Server: nginx
        Date: Thu, 19 Sep 2024 23:45:29 GMT
        Content-Type: text/html; charset=UTF-8
        Transfer-Encoding: chunked
        Connection: keep-alive
      • flag-us
        DNS
        milldymarskwom.shop
        RegAsm.exe
        Remote address:
        8.8.8.8:53
        Request
        milldymarskwom.shop
        IN A
        Response
        milldymarskwom.shop
        IN A
        104.21.50.100
        milldymarskwom.shop
        IN A
        172.67.204.182
      • flag-us
        POST
        https://milldymarskwom.shop/api
        RegAsm.exe
        Remote address:
        104.21.50.100:443
        Request
        POST /api HTTP/1.1
        Connection: Keep-Alive
        Content-Type: application/x-www-form-urlencoded
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
        Content-Length: 8
        Host: milldymarskwom.shop
        Response
        HTTP/1.1 200 OK
        Date: Thu, 19 Sep 2024 23:45:29 GMT
        Content-Type: text/html; charset=UTF-8
        Transfer-Encoding: chunked
        Connection: keep-alive
        Set-Cookie: PHPSESSID=o1jhrnape42b80rmhaavbhccug; expires=Mon, 13 Jan 2025 17:32:08 GMT; Max-Age=9999999; path=/
        Expires: Thu, 19 Nov 1981 08:52:00 GMT
        Cache-Control: no-store, no-cache, must-revalidate
        Pragma: no-cache
        CF-Cache-Status: DYNAMIC
        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=59szmODJX0%2Fu5IJVqw0VPpa%2BYLl7t6rCVBl2BVhpCVR1xdAAUKbSYfk7RyZ3DxpstFZv6n0qOPfQnuEYr%2FGG5B9YUXubtYOz%2BG5vpf6euztfmdijyhc%2B0nScTW7Cv4HGYvMwMXET"}],"group":"cf-nel","max_age":604800}
        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
        Server: cloudflare
        CF-RAY: 8c5d731d2daa385f-LHR
        alt-svc: h3=":443"; ma=86400
      • flag-us
        DNS
        222.211.67.172.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        222.211.67.172.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        51.45.21.104.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        51.45.21.104.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        242.75.21.104.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        242.75.21.104.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        quotamkdsdqo.shop
        RegAsm.exe
        Remote address:
        8.8.8.8:53
        Request
        quotamkdsdqo.shop
        IN A
        Response
        quotamkdsdqo.shop
        IN A
        172.67.203.241
        quotamkdsdqo.shop
        IN A
        104.21.37.45
      • flag-us
        POST
        https://quotamkdsdqo.shop/api
        RegAsm.exe
        Remote address:
        172.67.203.241:443
        Request
        POST /api HTTP/1.1
        Connection: Keep-Alive
        Content-Type: application/x-www-form-urlencoded
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
        Content-Length: 8
        Host: quotamkdsdqo.shop
        Response
        HTTP/1.1 200 OK
        Date: Thu, 19 Sep 2024 23:45:29 GMT
        Content-Type: text/html; charset=UTF-8
        Transfer-Encoding: chunked
        Connection: keep-alive
        Set-Cookie: PHPSESSID=g7od8osgt9s226qd591d8sk0fp; expires=Mon, 13 Jan 2025 17:32:08 GMT; Max-Age=9999999; path=/
        Expires: Thu, 19 Nov 1981 08:52:00 GMT
        Cache-Control: no-store, no-cache, must-revalidate
        Pragma: no-cache
        CF-Cache-Status: DYNAMIC
        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2Ba2x41MGJEzSoCJe8YtKphM6tBItH1rO2%2BSPXgbWmvNPxI%2BBi8EVU6RkEm2ZzrhltdUBUaiPVV0JLWgw6Nnd8bc1EMrkS4Tm9U9S0FMFAFHh%2Fw%2FoD80MahfUyC0DMWxi%2F6IaqQ%3D%3D"}],"group":"cf-nel","max_age":604800}
        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
        Server: cloudflare
        CF-RAY: 8c5d731f8e33948d-LHR
        alt-svc: h3=":443"; ma=86400
      • flag-de
        POST
        https://116.202.0.195/
        RegAsm.exe
        Remote address:
        116.202.0.195:443
        Request
        POST / HTTP/1.1
        Content-Type: multipart/form-data; boundary=----JDAFIEHIEGDHIDGDGHDH
        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 OPR/110.0.0.0
        Host: 116.202.0.195
        Content-Length: 331
        Connection: Keep-Alive
        Cache-Control: no-cache
        Response
        HTTP/1.1 200 OK
        Server: nginx
        Date: Thu, 19 Sep 2024 23:45:29 GMT
        Content-Type: text/html; charset=UTF-8
        Transfer-Encoding: chunked
        Connection: keep-alive
      • flag-us
        DNS
        carrtychaintnyw.shop
        RegAsm.exe
        Remote address:
        8.8.8.8:53
        Request
        carrtychaintnyw.shop
        IN A
        Response
        carrtychaintnyw.shop
        IN A
        104.21.81.254
        carrtychaintnyw.shop
        IN A
        172.67.192.105
      • flag-us
        POST
        https://carrtychaintnyw.shop/api
        RegAsm.exe
        Remote address:
        104.21.81.254:443
        Request
        POST /api HTTP/1.1
        Connection: Keep-Alive
        Content-Type: application/x-www-form-urlencoded
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
        Content-Length: 8
        Host: carrtychaintnyw.shop
        Response
        HTTP/1.1 200 OK
        Date: Thu, 19 Sep 2024 23:45:30 GMT
        Content-Type: text/html; charset=UTF-8
        Transfer-Encoding: chunked
        Connection: keep-alive
        Set-Cookie: PHPSESSID=it2ac0ucpuopuli7dlqlnpap6f; expires=Mon, 13 Jan 2025 17:32:09 GMT; Max-Age=9999999; path=/
        Expires: Thu, 19 Nov 1981 08:52:00 GMT
        Cache-Control: no-store, no-cache, must-revalidate
        Pragma: no-cache
        CF-Cache-Status: DYNAMIC
        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ZdunIpARkDnRbmhLXQYMmMX0%2BgL6oXnO1PNEpAV8vZK9mB%2BuvnzV26F%2FFC8%2BzppQ8PWgUD3TlvqjDPtQDbWWLeJ%2BEeaq5W7WkK%2BnxYwsUjCSWrL%2B%2BEn0IW2NKFY0MWG6pFFq%2BBtW4Q%3D%3D"}],"group":"cf-nel","max_age":604800}
        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
        Server: cloudflare
        CF-RAY: 8c5d73221821cd32-LHR
        alt-svc: h3=":443"; ma=86400
      • flag-de
        POST
        https://116.202.0.195/
        RegAsm.exe
        Remote address:
        116.202.0.195:443
        Request
        POST / HTTP/1.1
        Content-Type: multipart/form-data; boundary=----AFHJJEHIEBKKFIDHDGHJ
        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 OPR/110.0.0.0
        Host: 116.202.0.195
        Content-Length: 332
        Connection: Keep-Alive
        Cache-Control: no-cache
        Response
        HTTP/1.1 200 OK
        Server: nginx
        Date: Thu, 19 Sep 2024 23:45:30 GMT
        Content-Type: text/html; charset=UTF-8
        Transfer-Encoding: chunked
        Connection: keep-alive
      • flag-us
        DNS
        100.50.21.104.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        100.50.21.104.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        241.203.67.172.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        241.203.67.172.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        steamcommunity.com
        RegAsm.exe
        Remote address:
        8.8.8.8:53
        Request
        steamcommunity.com
        IN A
        Response
        steamcommunity.com
        IN A
        104.82.131.75
      • flag-gb
        GET
        https://steamcommunity.com/profiles/76561199724331900
        RegAsm.exe
        Remote address:
        104.82.131.75:443
        Request
        GET /profiles/76561199724331900 HTTP/1.1
        Connection: Keep-Alive
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
        Host: steamcommunity.com
        Response
        HTTP/1.1 200 OK
        Server: nginx
        Content-Type: text/html; charset=UTF-8
        Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/;
        Expires: Mon, 26 Jul 1997 05:00:00 GMT
        Cache-Control: no-cache
        Date: Thu, 19 Sep 2024 23:45:30 GMT
        Content-Length: 34734
        Connection: keep-alive
        Set-Cookie: sessionid=75012adeae4283c264b82865; Path=/; Secure; SameSite=None
        Set-Cookie: steamCountry=GB%7C0cca5b35055ce513436d8b708d875660; Path=/; Secure; HttpOnly; SameSite=None
      • flag-us
        DNS
        genedjestytw.shop
        RegAsm.exe
        Remote address:
        8.8.8.8:53
        Request
        genedjestytw.shop
        IN A
        Response
      • flag-de
        POST
        https://116.202.0.195/
        RegAsm.exe
        Remote address:
        116.202.0.195:443
        Request
        POST / HTTP/1.1
        Content-Type: multipart/form-data; boundary=----AFCBFIJEHDHCBGDGDGCB
        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 OPR/110.0.0.0
        Host: 116.202.0.195
        Content-Length: 4709
        Connection: Keep-Alive
        Cache-Control: no-cache
        Response
        HTTP/1.1 200 OK
        Server: nginx
        Date: Thu, 19 Sep 2024 23:45:31 GMT
        Content-Type: text/html; charset=UTF-8
        Transfer-Encoding: chunked
        Connection: keep-alive
      • flag-us
        DNS
        254.81.21.104.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        254.81.21.104.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        75.131.82.104.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        75.131.82.104.in-addr.arpa
        IN PTR
        Response
        75.131.82.104.in-addr.arpa
        IN PTR
        a104-82-131-75.deploy.static.akamaitechnologies.com
      • flag-de
        GET
        https://116.202.0.195/sqlp.dll
        RegAsm.exe
        Remote address:
        116.202.0.195:443
        Request
        GET /sqlp.dll HTTP/1.1
        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 OPR/110.0.0.0
        Host: 116.202.0.195
        Connection: Keep-Alive
        Cache-Control: no-cache
        Response
        HTTP/1.1 200 OK
        Server: nginx
        Date: Thu, 19 Sep 2024 23:45:31 GMT
        Content-Type: application/octet-stream
        Content-Length: 2459136
        Connection: keep-alive
        Last-Modified: Thursday, 19-Sep-2024 23:45:31 GMT
        Cache-Control: no-store, no-cache
        Accept-Ranges: bytes
      • flag-de
        POST
        https://116.202.0.195/
        RegAsm.exe
        Remote address:
        116.202.0.195:443
        Request
        POST / HTTP/1.1
        Content-Type: multipart/form-data; boundary=----GCGCBAECFCAKKEBFCFII
        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 OPR/110.0.0.0
        Host: 116.202.0.195
        Content-Length: 437
        Connection: Keep-Alive
        Cache-Control: no-cache
        Response
        HTTP/1.1 200 OK
        Server: nginx
        Date: Thu, 19 Sep 2024 23:45:32 GMT
        Content-Type: text/html; charset=UTF-8
        Transfer-Encoding: chunked
        Connection: keep-alive
      • flag-us
        DNS
        183.59.114.20.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        183.59.114.20.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        206.23.85.13.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        206.23.85.13.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        37.56.20.217.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        37.56.20.217.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        29.243.111.52.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        29.243.111.52.in-addr.arpa
        IN PTR
        Response
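Added example, not part of the sandbox report and not code from the sample, the sandbox or any vendor: a Python triage pass that sorts HTTP records like the ones above into the stages this detonation shows. Lumma's beacons are form-encoded POSTs to /api with an 8-byte body and one fixed Chrome/119 User-Agent, walked across a fresh .shop domain every second or so; the t.me and steamcommunity.com profile fetches are dead-drop lookups that publish the live C2; Vidar then talks to 116.202.0.195 by raw IP (multipart POSTs to /, then GETs for sqlp.dll and the freebl3/mozglue/nss3/softokn3/msvcp140/vcruntime140 DLL set it uses to read Firefox credential stores); and two executables come down over plain HTTP from 147.45.44.104. The record layout, field names and the 16-byte body threshold are assumptions of this example; SAMPLE_RECORDS is constructed from the exchanges above, plus one benign connectivity-check request that is not in the report. Two caveats worth carrying into any rule: the 104.21.x.x and 172.67.x.x addresses are Cloudflare's shared front, so the domains and the request shape are the indicators, not those IPs; and the Steam profile actually requested (76561199724331900) is not the one in the extracted Vidar config (76561199768374681), so the check keys on the dead-drop host rather than on a profile ID.

```python
"""Sort the HTTP records of a stealer detonation into Lumma beacons, dead-drop
lookups, Vidar raw-IP C2 traffic and second-stage downloads.

Added example, not part of the sandbox report. Record layout, field names and
thresholds are this example's own; SAMPLE_RECORDS is constructed from the
exchanges visible in the report plus one benign request that is not in it.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class HttpRecord:
    method: str
    url: str
    user_agent: str = ""
    content_type: str = ""   # request Content-Type
    content_length: int = 0  # request body size; 0 for GET


LUMMA_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
            "(KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36")
VIDAR_UA = ("Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 "
            "(KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 OPR/110.0.0.0")
# Public pages the stealers read their live C2 address from (both in the report).
DEAD_DROP_HOSTS = {"t.me", "steamcommunity.com"}
# Firefox NSS + VC runtime DLLs Vidar fetches to decrypt browser credential stores.
NSS_TOOLKIT = {"freebl3.dll", "mozglue.dll", "msvcp140.dll",
               "nss3.dll", "softokn3.dll", "vcruntime140.dll"}


def is_bare_ip(host):
    parts = host.split(".")
    return len(parts) == 4 and all(p.isdigit() and int(p) < 256 for p in parts)


def is_lumma_beacon(rec):
    """Lumma check-in: form-encoded POST to /api, tiny body, one fixed Chrome UA."""
    return (rec.method == "POST" and urlsplit(rec.url).path == "/api"
            and rec.content_type.startswith("application/x-www-form-urlencoded")
            and rec.content_length <= 16 and rec.user_agent == LUMMA_UA)


def triage(records):
    lumma_hosts, dead_drops, vidar_c2 = [], [], set()
    exfil_bytes, downloads, dropped_exe = 0, [], []
    for rec in records:
        parts = urlsplit(rec.url)
        host = parts.hostname or ""
        name = parts.path.rsplit("/", 1)[-1].lower()  # last path component
        if is_lumma_beacon(rec):
            lumma_hosts.append(host)
        elif rec.method == "GET" and host in DEAD_DROP_HOSTS:
            dead_drops.append(rec.url)
        elif is_bare_ip(host) and rec.user_agent == VIDAR_UA:
            # Vidar talks to the resolved C2 by raw IP, never by name.
            vidar_c2.add(host)
            if rec.method == "GET" and name:
                downloads.append(name)
            elif rec.method == "POST" and rec.content_type.startswith("multipart/form-data"):
                exfil_bytes += rec.content_length
        if rec.method == "GET" and name.endswith(".exe"):
            dropped_exe.append(rec.url)
    return {
        "lumma_c2": sorted(set(lumma_hosts)),
        # Lumma walks its whole domain list; one process hitting three or more
        # distinct /api hosts within seconds is the durable tell, not the IPs.
        "lumma_rotation": len(set(lumma_hosts)) >= 3,
        "dead_drops": dead_drops,
        "vidar_c2": sorted(vidar_c2),
        "vidar_exfil_bytes": exfil_bytes,
        "vidar_downloads": downloads,
        "nss_toolkit_fetched": NSS_TOOLKIT <= set(downloads),
        "dropped_exe": dropped_exe,
    }


def _vidar(method, path, size=0):
    ctype = "multipart/form-data; boundary=----X" if method == "POST" else ""
    return HttpRecord(method, "https://116.202.0.195" + path, VIDAR_UA, ctype, size)


LUMMA_HOSTS = ["questionmwq.shop", "chickerkuso.shop", "achievenmtynwjq.shop",
               "puredoffustow.shop", "opponnentduei.shop", "metallygaricwo.shop",
               "milldymarskwom.shop", "quotamkdsdqo.shop", "carrtychaintnyw.shop"]

SAMPLE_RECORDS = [
    HttpRecord("GET", "https://t.me/edm0d"),
    HttpRecord("GET", "https://steamcommunity.com/profiles/76561199724331900", LUMMA_UA),
    _vidar("GET", "/"),
    *[_vidar("POST", "/", n) for n in (256, 331, 331, 332, 4709, 437)],
    *[_vidar("GET", "/" + d) for d in ("sqlp.dll", "freebl3.dll", "mozglue.dll",
                                     "msvcp140.dll", "softokn3.dll",
                                     "vcruntime140.dll", "nss3.dll")],
    *[HttpRecord("POST", f"https://{h}/api", LUMMA_UA,
                 "application/x-www-form-urlencoded", 8) for h in LUMMA_HOSTS],
    HttpRecord("GET", "http://147.45.44.104/prog/66ecb454d2b4a_lgfdsjgds.exe"),
    HttpRecord("GET", "http://147.45.44.104/prog/66ecb44c35444_vfdhsgdf.exe"),
    # Constructed benign request, not in the report; expected to be left alone.
    HttpRecord("GET", "http://www.msftconnecttest.com/connecttest.txt"),
]


def sample_triage():
    return triage(SAMPLE_RECORDS)
```

`sample_triage()` returns the result for the constructed records (nine Lumma hosts with rotation flagged, two dead-drop fetches, 6396 bytes of multipart POST bodies to the Vidar C2, the full NSS toolkit pulled, two dropped executables, and the connectivity check untouched). To run it on real data, build HttpRecord objects from a proxy log or sandbox export in place of SAMPLE_RECORDS; the User-Agent strings are a weak secondary key that the operator can change at will, so keep the request-shape and dead-drop checks even if the UAs stop matching.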
      • 149.154.167.99:443  https://t.me/edm0d  [tls, http; RegAsm.exe]  out 1.5kB / in 19.4kB, 24/20 pkts
        GET https://t.me/edm0d → 200
      • 116.202.0.195:443  https://116.202.0.195/  [tls, http; RegAsm.exe]  out 1.0kB / in 2.7kB, 11/8 pkts
        GET https://116.202.0.195/ → 200
      • 116.202.0.195:443  https://116.202.0.195/  [tls, http; RegAsm.exe]  out 1.4kB / in 622 B, 9/6 pkts
        POST https://116.202.0.195/ → 200
      • 116.202.0.195:443  https://116.202.0.195/  [tls, http; RegAsm.exe]  out 1.5kB / in 2.2kB, 10/7 pkts
        POST https://116.202.0.195/ → 200
      • 116.202.0.195:443  https://116.202.0.195/  [tls, http; RegAsm.exe]  out 1.7kB / in 6.4kB, 13/10 pkts
        POST https://116.202.0.195/ → 200
      • 116.202.0.195:443  https://116.202.0.195/  [tls, http; RegAsm.exe]  out 1.5kB / in 672 B, 9/6 pkts
        POST https://116.202.0.195/ → 200
      • 116.202.0.195:443  https://116.202.0.195/  [tls, http; RegAsm.exe]  out 6.0kB / in 645 B, 13/8 pkts
        POST https://116.202.0.195/ → 200
      • 116.202.0.195:443  https://116.202.0.195/sqlp.dll  [tls, http; RegAsm.exe]  out 86.4kB / in 2.5MB, 1834/1829 pkts
        GET https://116.202.0.195/sqlp.dll → 200
      • 116.202.0.195:443  https://116.202.0.195/  [tls, http; RegAsm.exe]  out 1.6kB / in 565 B, 9/6 pkts
        POST https://116.202.0.195/ → 200
      • 116.202.0.195:443  https://116.202.0.195/  [tls, http; RegAsm.exe]  out 1.6kB / in 565 B, 9/6 pkts
        POST https://116.202.0.195/ → 200
      • 116.202.0.195:443  https://116.202.0.195/freebl3.dll  [tls, http; RegAsm.exe]  out 24.4kB / in 707.6kB, 517/514 pkts
        GET https://116.202.0.195/freebl3.dll → 200
      • 116.202.0.195:443  https://116.202.0.195/mozglue.dll  [tls, http; RegAsm.exe]  out 21.8kB / in 627.9kB, 460/457 pkts
        GET https://116.202.0.195/mozglue.dll → 200
      • 116.202.0.195:443  https://116.202.0.195/msvcp140.dll  [tls, http; RegAsm.exe]  out 16.3kB / in 464.7kB, 341/338 pkts
        GET https://116.202.0.195/msvcp140.dll → 200
      • 116.202.0.195:443  https://116.202.0.195/softokn3.dll  [tls, http; RegAsm.exe]  out 9.8kB / in 266.6kB, 199/196 pkts
        GET https://116.202.0.195/softokn3.dll → 200
      • 116.202.0.195:443  https://116.202.0.195/vcruntime140.dll  [tls, http; RegAsm.exe]  out 3.8kB / in 84.0kB, 68/65 pkts
        GET https://116.202.0.195/vcruntime140.dll → 200
      • 116.202.0.195:443  https://116.202.0.195/nss3.dll  [tls, http; RegAsm.exe]  out 80.1kB / in 2.1MB, 1532/1529 pkts
        GET https://116.202.0.195/nss3.dll → 200
      • 116.202.0.195:443  https://116.202.0.195/  [tls, http; RegAsm.exe]  out 2.3kB / in 565 B, 10/6 pkts
        POST https://116.202.0.195/ → 200
      • 116.202.0.195:443  https://116.202.0.195/  [tls, http; RegAsm.exe]  out 1.5kB / in 2.8kB, 10/7 pkts
        POST https://116.202.0.195/ → 200
      • 116.202.0.195:443  https://116.202.0.195/  [tls, http; RegAsm.exe]  out 1.5kB / in 2.1kB, 10/7 pkts
        POST https://116.202.0.195/ → 200
      • 116.202.0.195:443  https://116.202.0.195/  [tls, http; RegAsm.exe]  out 1.6kB / in 565 B, 9/6 pkts
        POST https://116.202.0.195/ → 200
      • 116.202.0.195:443  https://116.202.0.195/  [tls, http; RegAsm.exe]  out 113.9kB / in 2.4kB, 91/53 pkts
        POST https://116.202.0.195/ → 200
      • 116.202.0.195:443  https://116.202.0.195/  [tls, http; RegAsm.exe]  out 1.5kB / in 748 B, 9/6 pkts
        POST https://116.202.0.195/ → 200
      • 147.45.44.104:80  http://147.45.44.104/prog/66ecb44c35444_vfdhsgdf.exe  [http; RegAsm.exe]  out 24.1kB / in 683.7kB, 497/493 pkts
        GET http://147.45.44.104/prog/66ecb454d2b4a_lgfdsjgds.exe → 200
        GET http://147.45.44.104/prog/66ecb44c35444_vfdhsgdf.exe → 200
      • 116.202.0.195:443  https://116.202.0.195/  [tls, http; RegAsm.exe]  out 1.7kB / in 565 B, 9/6 pkts
        POST https://116.202.0.195/ → 200
      • 116.202.0.195:443  https://116.202.0.195/  [tls, http; RegAsm.exe]  out 1.6kB / in 525 B, 8/5 pkts
        POST https://116.202.0.195/ → 200
      • 172.67.204.62:443  https://questionmwq.shop/api  [tls, http; RegAsm.exe]  out 1.0kB / in 4.6kB, 10/9 pkts
        POST https://questionmwq.shop/api → 200
      • 116.202.0.195:443  https://116.202.0.195/  [tls, http; RegAsm.exe]  out 1.4kB / in 518 B, 8/5 pkts
        POST https://116.202.0.195/ → 200
      • 172.67.173.81:443  https://chickerkuso.shop/api  [tls, http; RegAsm.exe]  out 1.0kB / in 4.6kB, 9/9 pkts
        POST https://chickerkuso.shop/api → 200
      • 172.67.143.200:443  https://achievenmtynwjq.shop/api  [tls, http; RegAsm.exe]  out 1.0kB / in 4.6kB, 9/9 pkts
        POST https://achievenmtynwjq.shop/api → 200
      • 149.154.167.99:443  https://t.me/edm0d  [tls, http; RegAsm.exe]  out 1.5kB / in 19.2kB, 24/20 pkts
        GET https://t.me/edm0d → 200
      • 172.67.211.222:443  https://puredoffustow.shop/api  [tls, http; RegAsm.exe]  out 1.0kB / in 4.6kB, 9/9 pkts
        POST https://puredoffustow.shop/api → 200
      • 116.202.0.195:443  https://116.202.0.195/  [tls, http; RegAsm.exe]  out 1.0kB / in 2.7kB, 11/8 pkts
        GET https://116.202.0.195/ → 200
      • 104.21.45.51:443  https://opponnentduei.shop/api  [tls, http; RegAsm.exe]  out 1.0kB / in 4.6kB, 9/9 pkts
        POST https://opponnentduei.shop/api → 200
      • 116.202.0.195:443  https://116.202.0.195/  [tls, http; RegAsm.exe]  out 1.4kB / in 622 B, 9/6 pkts
        POST https://116.202.0.195/ → 200
      • 104.21.75.242:443  https://metallygaricwo.shop/api  [tls, http; RegAsm.exe]  out 1.0kB / in 4.6kB, 9/9 pkts
        POST https://metallygaricwo.shop/api → 200
      • 116.202.0.195:443  https://116.202.0.195/  [tls, http; RegAsm.exe]  out 1.5kB / in 2.2kB, 10/7 pkts
        POST https://116.202.0.195/ → 200
      • 104.21.50.100:443  https://milldymarskwom.shop/api  [tls, http; RegAsm.exe]  out 1.0kB / in 4.6kB, 9/9 pkts
        POST https://milldymarskwom.shop/api → 200
      • 172.67.203.241:443  https://quotamkdsdqo.shop/api  [tls, http; RegAsm.exe]  out 1.0kB / in 4.6kB, 9/9 pkts
        POST https://quotamkdsdqo.shop/api → 200
      • 116.202.0.195:443  https://116.202.0.195/  [tls, http; RegAsm.exe]  out 1.7kB / in 6.4kB, 13/10 pkts
        POST https://116.202.0.195/ → 200
      • 104.21.81.254:443  https://carrtychaintnyw.shop/api  [tls, http; RegAsm.exe]  out 1.0kB / in 4.6kB, 9/9 pkts
        POST https://carrtychaintnyw.shop/api → 200
      • 116.202.0.195:443  https://116.202.0.195/  [tls, http; RegAsm.exe]  out 1.5kB / in 672 B, 9/6 pkts
        POST https://116.202.0.195/ → 200
      • 104.82.131.75:443
        https://steamcommunity.com/profiles/76561199724331900
        tls, http
        RegAsm.exe
        1.5kB
        42.2kB
        21
        36

        HTTP Request

        GET https://steamcommunity.com/profiles/76561199724331900

        HTTP Response

        200
      • 116.202.0.195:443
        https://116.202.0.195/
        tls, http
        RegAsm.exe
        6.1kB
        565 B
        13
        6

        HTTP Request

        POST https://116.202.0.195/

        HTTP Response

        200
      • 116.202.0.195:443
        https://116.202.0.195/sqlp.dll
        tls, http
        RegAsm.exe
        85.2kB
        2.5MB
        1837
        1830

        HTTP Request

        GET https://116.202.0.195/sqlp.dll

        HTTP Response

        200
      • 116.202.0.195:443
        https://116.202.0.195/
        tls, http
        RegAsm.exe
        1.5kB
        528 B
        8
        5

        HTTP Request

        POST https://116.202.0.195/

        HTTP Response

        200
      • 8.8.8.8:53   97.17.167.52.in-addr.arpa   dns   sent 71 B, recv 145 B, 1 pkt out / 1 in
        DNS Request 97.17.167.52.in-addr.arpa
      • 8.8.8.8:53   68.32.126.40.in-addr.arpa   dns   sent 71 B, recv 157 B, 1 pkt out / 1 in
        DNS Request 68.32.126.40.in-addr.arpa
      • 8.8.8.8:53   t.me   dns   RegAsm.exe   sent 50 B, recv 66 B, 1 pkt out / 1 in
        DNS Request t.me  ->  149.154.167.99
      • 8.8.8.8:53   99.167.154.149.in-addr.arpa   dns   sent 73 B, recv 166 B, 1 pkt out / 1 in
        DNS Request 99.167.154.149.in-addr.arpa
      • 8.8.8.8:53   23.249.124.192.in-addr.arpa   dns   sent 73 B, recv 113 B, 1 pkt out / 1 in
        DNS Request 23.249.124.192.in-addr.arpa
      • 8.8.8.8:53   195.0.202.116.in-addr.arpa   dns   sent 72 B, recv 129 B, 1 pkt out / 1 in
        DNS Request 195.0.202.116.in-addr.arpa
      • 8.8.8.8:53   104.44.45.147.in-addr.arpa   dns   sent 72 B, recv 127 B, 1 pkt out / 1 in
        DNS Request 104.44.45.147.in-addr.arpa
      • 8.8.8.8:53   questionmwq.shop   dns   RegAsm.exe   sent 62 B, recv 94 B, 1 pkt out / 1 in
        DNS Request questionmwq.shop  ->  172.67.204.62, 104.21.85.92
      • 8.8.8.8:53   chickerkuso.shop   dns   RegAsm.exe   sent 62 B, recv 94 B, 1 pkt out / 1 in
        DNS Request chickerkuso.shop  ->  172.67.173.81, 104.21.88.61
      • 8.8.8.8:53   62.204.67.172.in-addr.arpa   dns   sent 72 B, recv 134 B, 1 pkt out / 1 in
        DNS Request 62.204.67.172.in-addr.arpa
      • 8.8.8.8:53   achievenmtynwjq.shop   dns   RegAsm.exe   sent 66 B, recv 98 B, 1 pkt out / 1 in
        DNS Request achievenmtynwjq.shop  ->  172.67.143.200, 104.21.39.77
      • 8.8.8.8:53   gacan.zapto.org   dns   RegAsm.exe   sent 61 B, recv 121 B, 1 pkt out / 1 in
        DNS Request gacan.zapto.org  (no answer listed)
      • 8.8.8.8:53   puredoffustow.shop   dns   RegAsm.exe   sent 64 B, recv 96 B, 1 pkt out / 1 in
        DNS Request puredoffustow.shop  ->  172.67.211.222, 104.21.85.226
      • 8.8.8.8:53   81.173.67.172.in-addr.arpa   dns   sent 72 B, recv 134 B, 1 pkt out / 1 in
        DNS Request 81.173.67.172.in-addr.arpa
      • 8.8.8.8:53   200.143.67.172.in-addr.arpa   dns   sent 73 B, recv 135 B, 1 pkt out / 1 in
        DNS Request 200.143.67.172.in-addr.arpa
      • 8.8.8.8:53   opponnentduei.shop   dns   RegAsm.exe   sent 64 B, recv 96 B, 1 pkt out / 1 in
        DNS Request opponnentduei.shop  ->  104.21.45.51, 172.67.209.183
      • 8.8.8.8:53   metallygaricwo.shop   dns   RegAsm.exe   sent 65 B, recv 97 B, 1 pkt out / 1 in
        DNS Request metallygaricwo.shop  ->  104.21.75.242, 172.67.184.9
      • 8.8.8.8:53   milldymarskwom.shop   dns   RegAsm.exe   sent 65 B, recv 97 B, 1 pkt out / 1 in
        DNS Request milldymarskwom.shop  ->  104.21.50.100, 172.67.204.182
      • 8.8.8.8:53   222.211.67.172.in-addr.arpa   dns   sent 73 B, recv 135 B, 1 pkt out / 1 in
        DNS Request 222.211.67.172.in-addr.arpa
      • 8.8.8.8:53   51.45.21.104.in-addr.arpa   dns   sent 71 B, recv 133 B, 1 pkt out / 1 in
        DNS Request 51.45.21.104.in-addr.arpa
      • 8.8.8.8:53   242.75.21.104.in-addr.arpa   dns   sent 72 B, recv 134 B, 1 pkt out / 1 in
        DNS Request 242.75.21.104.in-addr.arpa
      • 8.8.8.8:53   quotamkdsdqo.shop   dns   RegAsm.exe   sent 63 B, recv 95 B, 1 pkt out / 1 in
        DNS Request quotamkdsdqo.shop  ->  172.67.203.241, 104.21.37.45
      • 8.8.8.8:53   carrtychaintnyw.shop   dns   RegAsm.exe   sent 66 B, recv 98 B, 1 pkt out / 1 in
        DNS Request carrtychaintnyw.shop  ->  104.21.81.254, 172.67.192.105
      • 8.8.8.8:53   100.50.21.104.in-addr.arpa   dns   sent 72 B, recv 134 B, 1 pkt out / 1 in
        DNS Request 100.50.21.104.in-addr.arpa
      • 8.8.8.8:53   241.203.67.172.in-addr.arpa   dns   sent 73 B, recv 135 B, 1 pkt out / 1 in
        DNS Request 241.203.67.172.in-addr.arpa
      • 8.8.8.8:53   steamcommunity.com   dns   RegAsm.exe   sent 64 B, recv 80 B, 1 pkt out / 1 in
        DNS Request steamcommunity.com  ->  104.82.131.75
      • 8.8.8.8:53   genedjestytw.shop   dns   RegAsm.exe   sent 63 B, recv 120 B, 1 pkt out / 1 in
        DNS Request genedjestytw.shop  (no answer listed)
      • 8.8.8.8:53   254.81.21.104.in-addr.arpa   dns   sent 72 B, recv 134 B, 1 pkt out / 1 in
        DNS Request 254.81.21.104.in-addr.arpa
      • 8.8.8.8:53   75.131.82.104.in-addr.arpa   dns   sent 72 B, recv 137 B, 1 pkt out / 1 in
        DNS Request 75.131.82.104.in-addr.arpa
      • 8.8.8.8:53   183.59.114.20.in-addr.arpa   dns   sent 72 B, recv 158 B, 1 pkt out / 1 in
        DNS Request 183.59.114.20.in-addr.arpa
      • 8.8.8.8:53   206.23.85.13.in-addr.arpa   dns   sent 71 B, recv 145 B, 1 pkt out / 1 in
        DNS Request 206.23.85.13.in-addr.arpa
      • 8.8.8.8:53   37.56.20.217.in-addr.arpa   dns   sent 71 B, recv 131 B, 1 pkt out / 1 in
        DNS Request 37.56.20.217.in-addr.arpa
      • 8.8.8.8:53   29.243.111.52.in-addr.arpa   dns   sent 72 B, recv 158 B, 1 pkt out / 1 in
        DNS Request 29.243.111.52.in-addr.arpa
      MITRE ATT&CK Enterprise v15

      Downloads

      • C:\ProgramData\AEGHIJEHJD.exe   354KB
        MD5    384a847ad2833788fa253433fd2eea8d
        SHA1   1984d8788fe40bd95a90d7d4e9dea6c4e4ff6201
        SHA256 de30491736617249b3e80fc9436ecf0f7675b3c3014509398c3db7298f93336a
        SHA512 bcdbd44837629d8881c29a7c7f6a2d4e98b52fbc49952bad2c89340a1dee18fac9987aaa8a3d91905a1f88a216c0e2501201a8665f3df7d5f627ff71a2418aac
      • C:\ProgramData\BFBGCFCFHCFH\CFHDBF   160KB
        MD5    f310cf1ff562ae14449e0167a3e1fe46
        SHA1   85c58afa9049467031c6c2b17f5c12ca73bb2788
        SHA256 e187946249cd390a3c1cf5d4e3b0d8f554f9acdc416bf4e7111fff217bb08855
        SHA512 1196371de08c964268c44103ccaed530bda6a145df98e0f480d8ee5ad58cb6fb33ca4c9195a52181fe864726dcf52e6a7a466d693af0cda43400a3a7ef125fad
      • C:\ProgramData\HJDAKFBFBF.exe   292KB
        MD5    4a8a0ccfecc930091116324c79c1006e
        SHA1   d790befcbc31a4befafeaf08879e15f99633b2a1
        SHA256 146b7006b041d25b6846c797234f38387ec4b141c4a7e4f100d0e6d2eda29088
        SHA512 ffef04766c2a9f9d038ccf6156ac7f03a0e0809adaf245a1347e5ece6ad31f9b37f283d71d34c031350456f30036078d5a3e97fa563bf6af6a8fcf6edeeb25d2
      • C:\ProgramData\mozglue.dll   593KB
        MD5    c8fd9be83bc728cc04beffafc2907fe9
        SHA1   95ab9f701e0024cedfbd312bcfe4e726744c4f2e
        SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
        SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
      • C:\ProgramData\nss3.dll   2.0MB
        MD5    1cc453cdf74f31e4d913ff9c10acdde2
        SHA1   6e85eae544d6e965f15fa5c39700fa7202f3aafe
        SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
        SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571
      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\156887258BBD6E1FEF562837733EA04E_5BBC02CEDFD3F7AC9E268D830CF231EE   2KB
        MD5    4c4bf9e4d624f1045d8f73ed7f97dc3e
        SHA1   1d78800f4a780fc6f75a778faeed2baaf84f2206
        SHA256 6dcfee83067db655225002d6ee68c1948d82de8a4b488355fbdee6fce73638db
        SHA512 4c950580ec4fb088382f066948964846bbee5d575eac1f70253e5adc3c09f071d398c1b6eb42fb2a00e017ba2a344ef6709c6f321a5b38db8bd39933989494bb
      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771   2KB
        MD5    7ec05ad5ad4ea2f59d78a181b608dfb1
        SHA1   95dfcb1ca8c7c6353bfc940c79f877d491158faa
        SHA256 197a38efa533f9ff60b730cbc9b5fb604893e8dfb08a9ba85f0e5424779e3759
        SHA512 da07b1ce6b278f20a93cfb83107be1a96bd134657be71f31b314e981ae9f85a8db50ae10458612bd460baca5e9402d5bce61b11ed648b191be42882273b8c00a
      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D   1KB
        MD5    9ea353ed4fed6ed641da2a1a1e66cbf3
        SHA1   42cf55d3608819795042c23df5f18fcd2b6b0c58
        SHA256 5245794a9cb70971f00a51f56b8b5305d16629c4d0d0e95916371a20a6119485
        SHA512 7476acf575e998c56bae27703d635c82a5cfd43f736b9618ec430168148f25d79c97ca344670298b51956ca0b3707d6499ef5865fe1b933acb948dddc822d05e
      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\156887258BBD6E1FEF562837733EA04E_5BBC02CEDFD3F7AC9E268D830CF231EE   458B
        MD5    4011b7a0a04581fb845dc6a81fbf85b1
        SHA1   cd5f32a9f6754a0781cb62de8220048d6f63da0a
        SHA256 f6d25531203fc5b891cc1bf25f28d373e976532c7d863c667c8811baf3c44c3e
        SHA512 2f43a119bdf3293225480403c53b6fa1c23febf67f8c63a5b19d1cd0bd0c72e40b2b157d8dde073ffae7e9f682c6b443ed92fc77782316a262abbdb45ae4c051
      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771   450B
        MD5    d3a09b5bf976d1948282956a2589acaf
        SHA1   4ec90fcb38780bffb56480ac30db92e070b77e3d
        SHA256 66d00e4f7ab9c86ffedfbf990abac314538c03ca7b63f5b6cbe174953177ce8a
        SHA512 73f451db521f6ebee91f383b00e978e813446ce4e348ad4926b52284bdc11b282c7621397a66e0c883e0afc0e14c036599e87adcaec148f8df12b826f29926cd
      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D   458B
        MD5    11c1a7d1acccd5fa49dcebc9baea7c14
        SHA1   ac2a0dec6b4a2bec8e95d37299f18d4af5378186
        SHA256 f0d2644603b5486cab5837eec5afa2ec6be6a1de3a0932c4e71448214fab1317
        SHA512 3c15353c63cf8915cbbb43821be5904f9b76a8d63c04866a4f5cb2e9de1ae5a06d723ea09c2ce034509957b90a1adb206d3c7d0ea6ed2dcf6f22f49e9165ecc3
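      Not every entry in the dropped-file list above deserves the same handling. The CryptnetUrlCache entries are the Windows certificate-chain cache that cryptnet.dll fills whenever a process validates a TLS certificate, so they are a side effect of the HTTPS traffic, not payloads. nss3.dll and mozglue.dll are the Mozilla NSS libraries that infostealers copy next to themselves to decrypt Firefox's saved logins; their hashes belong in a signature check, not on a block list, or you end up blocking Firefox. What remains are the randomly named files under C:\ProgramData, which are the hashes worth hunting for. The script below is an added example and not part of the Triage report: the records are transcribed from the list above, and the uppercase-name heuristic, the NSS companion names beyond the two seen here (freebl3.dll, softokn3.dll) and the "noise" bucket are assumptions about what is worth escalating.

```python
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass(frozen=True)
class Dropped:
    path: str
    sha256: str


# Transcribed from the Downloads list above (constructed input for this example).
DROPPED = [
    Dropped(r"C:\ProgramData\AEGHIJEHJD.exe",
            "de30491736617249b3e80fc9436ecf0f7675b3c3014509398c3db7298f93336a"),
    Dropped(r"C:\ProgramData\BFBGCFCFHCFH\CFHDBF",
            "e187946249cd390a3c1cf5d4e3b0d8f554f9acdc416bf4e7111fff217bb08855"),
    Dropped(r"C:\ProgramData\HJDAKFBFBF.exe",
            "146b7006b041d25b6846c797234f38387ec4b141c4a7e4f100d0e6d2eda29088"),
    Dropped(r"C:\ProgramData\mozglue.dll",
            "ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a"),
    Dropped(r"C:\ProgramData\nss3.dll",
            "ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5"),
    Dropped(r"C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\156887258BBD6E1FEF562837733EA04E_5BBC02CEDFD3F7AC9E268D830CF231EE",
            "6dcfee83067db655225002d6ee68c1948d82de8a4b488355fbdee6fce73638db"),
    Dropped(r"C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771",
            "197a38efa533f9ff60b730cbc9b5fb604893e8dfb08a9ba85f0e5424779e3759"),
    Dropped(r"C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D",
            "5245794a9cb70971f00a51f56b8b5305d16629c4d0d0e95916371a20a6119485"),
    Dropped(r"C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\156887258BBD6E1FEF562837733EA04E_5BBC02CEDFD3F7AC9E268D830CF231EE",
            "f6d25531203fc5b891cc1bf25f28d373e976532c7d863c667c8811baf3c44c3e"),
    Dropped(r"C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771",
            "66d00e4f7ab9c86ffedfbf990abac314538c03ca7b63f5b6cbe174953177ce8a"),
    Dropped(r"C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D",
            "f0d2644603b5486cab5837eec5afa2ec6be6a1de3a0932c4e71448214fab1317"),
]

# NSS libraries a stealer copies to read Firefox credential stores. nss3.dll and
# mozglue.dll are observed in this report; the other two are assumed companions.
MOZILLA_NSS = {"nss3.dll", "mozglue.dll", "freebl3.dll", "softokn3.dll"}

# Heuristic tuned to this report: a file or directory name made only of upper-case
# letters, at least six long, directly under ProgramData.
RANDOM_UPPER = re.compile(r"^[A-Z]{6,}$")


def classify(d: Dropped) -> str:
    p = PureWindowsPath(d.path)
    parts = [s.lower() for s in p.parts]
    if "cryptneturlcache" in parts:
        return "noise"            # certificate cache written by cryptnet.dll
    if p.name.lower() in MOZILLA_NSS and "mozilla firefox" not in d.path.lower():
        return "helper-lib"       # legitimate library in the wrong place
    if "programdata" in parts and RANDOM_UPPER.match(p.stem):
        return "stealer-artifact"
    return "review"


def hunt_hashes(records):
    """SHA-256 values to push to EDR hunting: only the stealer's own artifacts.
    The NSS helper DLLs are left out on purpose; blocking them blocks Firefox."""
    return sorted(d.sha256 for d in records if classify(d) == "stealer-artifact")


def signature_checks(records):
    """Paths whose Authenticode signature should be verified before any action."""
    return [d.path for d in records if classify(d) == "helper-lib"]


def summary(records):
    out = {}
    for d in records:
        out.setdefault(classify(d), []).append(d.path)
    return out


if __name__ == "__main__":
    for bucket, paths in summary(DROPPED).items():
        print(bucket, len(paths))
    print(hunt_hashes(DROPPED))
```

      The classification order matters: the cache check runs first so that the hex-named cache entries can never fall through into the name heuristic, and the NSS check runs before the uppercase-name rule because a copied DLL keeps its real name. On a live host the same rules apply to the files under C:\ProgramData rather than to a transcribed list; the uppercase-name rule is deliberately narrow and will miss a build of the stealer that picks a different naming scheme.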

      • memory/3460-130-0x0000000072950000-0x0000000073100000-memory.dmp   7.7MB
      • memory/3460-109-0x0000000072950000-0x0000000073100000-memory.dmp   7.7MB
      • memory/3460-108-0x000000007295E000-0x000000007295F000-memory.dmp   4KB
      • memory/3460-107-0x0000000000B40000-0x0000000000B9A000-memory.dmp   360KB
      • memory/3840-127-0x0000000000400000-0x000000000045D000-memory.dmp   372KB
      • memory/3840-129-0x0000000000400000-0x000000000045D000-memory.dmp   372KB
      • memory/3840-125-0x0000000000400000-0x000000000045D000-memory.dmp   372KB
      • memory/3936-135-0x0000000000400000-0x0000000000657000-memory.dmp   2.3MB
      • memory/3936-132-0x0000000000400000-0x0000000000657000-memory.dmp   2.3MB
      • memory/3936-162-0x0000000000400000-0x0000000000657000-memory.dmp   2.3MB
      • memory/3936-161-0x0000000000400000-0x0000000000657000-memory.dmp   2.3MB
      • memory/3936-147-0x00000000227B0000-0x0000000022A0F000-memory.dmp   2.4MB
      • memory/3936-146-0x0000000000400000-0x0000000000657000-memory.dmp   2.3MB
      • memory/3936-145-0x0000000000400000-0x0000000000657000-memory.dmp   2.3MB
      • memory/3936-136-0x0000000000400000-0x0000000000657000-memory.dmp   2.3MB
      • memory/4280-6-0x00000000753B0000-0x0000000075B60000-memory.dmp   7.7MB
      • memory/4280-0-0x00000000753BE000-0x00000000753BF000-memory.dmp   4KB
      • memory/4280-1-0x0000000000030000-0x000000000007A000-memory.dmp   296KB
      • memory/4280-2-0x00000000753B0000-0x0000000075B60000-memory.dmp   7.7MB
      • memory/4280-7-0x00000000753B0000-0x0000000075B60000-memory.dmp   7.7MB
      • memory/4812-9-0x0000000000400000-0x0000000000657000-memory.dmp   2.3MB
      • memory/4812-4-0x0000000000400000-0x0000000000657000-memory.dmp   2.3MB
      • memory/4812-93-0x0000000000400000-0x0000000000657000-memory.dmp   2.3MB
      • memory/4812-11-0x0000000000400000-0x0000000000657000-memory.dmp   2.3MB
      • memory/4812-42-0x0000000000400000-0x0000000000657000-memory.dmp   2.3MB
      • memory/4812-25-0x0000000000400000-0x0000000000657000-memory.dmp   2.3MB
      • memory/4812-92-0x0000000000400000-0x0000000000657000-memory.dmp   2.3MB
      • memory/4812-43-0x0000000000400000-0x0000000000657000-memory.dmp   2.3MB
      • memory/4812-26-0x0000000000400000-0x0000000000657000-memory.dmp   2.3MB
      • memory/4812-59-0x0000000000400000-0x0000000000657000-memory.dmp   2.3MB
      • memory/4812-60-0x0000000000400000-0x0000000000657000-memory.dmp   2.3MB
      • memory/4812-84-0x0000000000400000-0x0000000000657000-memory.dmp   2.3MB
      • memory/4812-85-0x0000000000400000-0x0000000000657000-memory.dmp   2.3MB
      • memory/4812-28-0x0000000020460000-0x00000000206BF000-memory.dmp   2.4MB
      • memory/5068-123-0x0000000000E90000-0x0000000000EDA000-memory.dmp   296KB
