Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Resubmissions

  • 26/03/2025, 14:51 UTC: 250326-r8fcmaypv6 (score 7)
  • 06/02/2025, 18:35 UTC: 250206-w8pcrasqgx (score 7)
  • 16/01/2025, 14:09 UTC: 250116-rf53ksvldl (score 10)
  • 08/01/2025, 00:01 UTC: 250108-abax7svle1 (score 7)
  • 06/01/2025, 13:40 UTC: 250106-qykc6axqav (score 10)
  • 18/12/2024, 13:25 UTC: 241218-qn96tszrbs (score 7)
  • 12/12/2024, 19:51 UTC: 241212-yk9d5avrew (score 10)
  • 28/03/2024, 18:16 UTC: 240328-wwlfbsdf99 (score 7)

Analysis

  • max time kernel
    435s
  • max time network
    437s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20250113-en
  • resource tags
    arch:x64, arch:x86, image:win10ltsc2021-20250113-en, locale:en-us, os:windows10-ltsc 2021-x64, system
  • submitted
    16/01/2025, 14:09 UTC

General

  • Target

    Roblox Evon Exploit V4_41257.exe

  • Size

    8.7MB

  • MD5

    98194b1fd3ceea50438976b40ea59d05

  • SHA1

    ed918fbb5765aa91e5c9d2c492ec00667478ac35

  • SHA256

    3e091df4051e6b0859c2142a0869a415e5968c20edb5e9a60fcd077f7b61be19

  • SHA512

    9587acb23ee51e4743c5399b78b64f2a0e87e2413cd56e220df8c08ebe0f352ac0ca83c1826f09718876a6248057e9cbac0f38ee725de83b4ca7de4f805f30bf

  • SSDEEP

    196608:wu6nOE62LOa8ewFCrqNeuUG59Fa9FVDNWXVkHo/ly:MOb2C6wFCrqNZ529PDNs2Ho/k

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 15 IoCs
  • Checks for any installed AV software in registry 1 TTPs 8 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Modifies system certificate store 2 TTPs 8 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Roblox Evon Exploit V4_41257.exe
    "C:\Users\Admin\AppData\Local\Temp\Roblox Evon Exploit V4_41257.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1556
    • C:\Users\Admin\AppData\Local\setup41257.exe
      C:\Users\Admin\AppData\Local\setup41257.exe hhwnd=590154 hreturntoinstaller hextras=id:<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head> <title>404 &mdash; Not Found</title> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/> <meta name="description" content="Sorry- page not found"/> <style type="text/css"> body {font-size:14px; color:#777777; font-family:arial; text-align:center;} h1 {font-size:180px; color:#99A7AF; margin: 70px 0 0 0;} h2 {color: #DE6C5D; font-family: arial; font-size: 20px; font-weight: bold; letter-spacing: -1px; margin: -3px 0 39px;} p {width:320px; text-align:center; margin-left:auto;margin-right:auto; margin-top: 30px } div {width:320px; text-align:center; margin-left:auto;margin-right:auto;} a:link {color: #34536A;} a:visited {color: #34536A;} a:active {color: #34536A;} a:hover {color: #34536A;} </style> </head> <body> <p><a href="http://dlsft.com/">dlsft.com</a></p> <h1>404</h1> <h2>Page Not Found</h2> <div> It seems that the page you were trying to reach does not exist anymore-<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head> <title>404 &mdash; Not Found</title> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/> <meta name="description" content="Sorry, page not found"/> <style type="text/css"> body {font-size:14px; color:#777777; font-family:arial; text-align:center;} h1 {font-size:180px; color:#99A7AF; margin: 70px 0 0 0;} h2 {color: #DE6C5D; font-family: arial; font-size: 20px; font-weight: bold; letter-spacing: -1px; margin: -3px 0 39px;} p {width:320px; text-align:center; margin-left:auto;margin-right:auto; margin-top: 30px } div {width:320px; text-align:center; margin-left:auto;margin-right:auto;} a:link {color: #34536A;} 
a:visited {color: #34536A;} a:active {color: #34536A;} a:hover {color: #34536A;} </style> </head> <body> <p><a href="http://dlsft.com/">dlsft.com</a></p> <h1>404</h1> <h2>Page Not Found</h2> <div> It seems that the page you were trying to reach does not exist anymore, or maybe it has just moved. You can start again from the <a href="http://dlsft.com/">home</a> or go back to <a href="javascript:%20history.go(-1)">previous page</a>. </div> </body> </html>
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1788
      • C:\Users\Admin\AppData\Local\Temp\7zSCF644687\GenericSetup.exe
        .\GenericSetup.exe hhwnd=590154 hreturntoinstaller hextras=id:<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head> <title>404 &mdash; Not Found</title> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/> <meta name="description" content="Sorry- page not found"/> <style type="text/css"> body {font-size:14px; color:#777777; font-family:arial; text-align:center;} h1 {font-size:180px; color:#99A7AF; margin: 70px 0 0 0;} h2 {color: #DE6C5D; font-family: arial; font-size: 20px; font-weight: bold; letter-spacing: -1px; margin: -3px 0 39px;} p {width:320px; text-align:center; margin-left:auto;margin-right:auto; margin-top: 30px } div {width:320px; text-align:center; margin-left:auto;margin-right:auto;} a:link {color: #34536A;} a:visited {color: #34536A;} a:active {color: #34536A;} a:hover {color: #34536A;} </style> </head> <body> <p><a href="http://dlsft.com/">dlsft.com</a></p> <h1>404</h1> <h2>Page Not Found</h2> <div> It seems that the page you were trying to reach does not exist anymore-<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head> <title>404 &mdash; Not Found</title> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/> <meta name="description" content="Sorry, page not found"/> <style type="text/css"> body {font-size:14px; color:#777777; font-family:arial; text-align:center;} h1 {font-size:180px; color:#99A7AF; margin: 70px 0 0 0;} h2 {color: #DE6C5D; font-family: arial; font-size: 20px; font-weight: bold; letter-spacing: -1px; margin: -3px 0 39px;} p {width:320px; text-align:center; margin-left:auto;margin-right:auto; margin-top: 30px } div {width:320px; text-align:center; margin-left:auto;margin-right:auto;} a:link {color: #34536A;} a:visited {color: #34536A;} 
a:active {color: #34536A;} a:hover {color: #34536A;} </style> </head> <body> <p><a href="http://dlsft.com/">dlsft.com</a></p> <h1>404</h1> <h2>Page Not Found</h2> <div> It seems that the page you were trying to reach does not exist anymore, or maybe it has just moved. You can start again from the <a href="http://dlsft.com/">home</a> or go back to <a href="javascript:%20history.go(-1)">previous page</a>. </div> </body> </html>
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks for any installed AV software in registry
        • System Location Discovery: System Language Discovery
        • Modifies system certificate store
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:1632
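The command lines above show the installer chain passing a server response straight into its own arguments: setup41257.exe and GenericSetup.exe both receive hextras=id: followed by the dlsft.com 404 page (two copies, the first with its commas replaced by hyphens) instead of an id token, which lines up with the 404 responses to /callback/info.php?id=41257 in the Network section. The Python below is an added triage example and is not tria.ge code or part of the sample: it runs a few process-tree checks over records constructed from this tree (the HTML argument is abbreviated) and tags the pattern. The tag names are my own; the \Temp\7zS<hex>\ check relies on the directory name that 7-Zip self-extracting stubs use for their extraction folder.

```python
"""Triage checks over the process tree above. Added example, not tria.ge code;
the records are constructed from the tree with the HTML argument abbreviated."""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class Proc:
    pid: int
    image: str
    cmdline: str
    parent: Optional[int] = None


# Abbreviated stand-in for the 404 page that fills the id slot in the tree above.
HTML_ARG = ('<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" '
            '"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html><head>'
            '<title>404 &mdash; Not Found</title></head><body>dlsft.com</body></html>')

# Constructed from the process tree in this report.
SAMPLE = [
    Proc(1556, r"C:\Users\Admin\AppData\Local\Temp\Roblox Evon Exploit V4_41257.exe",
         r'"C:\Users\Admin\AppData\Local\Temp\Roblox Evon Exploit V4_41257.exe"'),
    Proc(1788, r"C:\Users\Admin\AppData\Local\setup41257.exe",
         r"C:\Users\Admin\AppData\Local\setup41257.exe hhwnd=590154 hreturntoinstaller hextras=id:" + HTML_ARG,
         parent=1556),
    Proc(1632, r"C:\Users\Admin\AppData\Local\Temp\7zSCF644687\GenericSetup.exe",
         r".\GenericSetup.exe hhwnd=590154 hreturntoinstaller hextras=id:" + HTML_ARG,
         parent=1788),
]

HTML_MARKERS = ("<!doctype html", "<html", "</html>")
# 7-Zip SFX stubs unpack into %TEMP%\7zS<hex>\ before running the payload.
SFX_TMP = re.compile(r"\\Temp\\7zS[0-9A-F]+\\", re.I)
USER_WRITABLE = re.compile(r"^C:\\Users\\[^\\]+\\AppData\\Local\\", re.I)
ID_MARKER = "hextras=id:"


def hextras_id(cmdline):
    """Value the installer received as hextras=id:, or None if absent.
    Everything after the marker is the value; it may contain spaces."""
    i = cmdline.find(ID_MARKER)
    return None if i < 0 else cmdline[i + len(ID_MARKER):]


def id_is_response_body(cmdline):
    """True when the id slot holds something other than an identifier token."""
    value = hextras_id(cmdline)
    return value is not None and re.fullmatch(r"[\w-]+", value) is None


def triage(procs):
    """Map pid -> tags, in rule order."""
    by_pid = {p.pid: p for p in procs}
    result = {}
    for p in procs:
        tags = []
        low = p.cmdline.lower()
        if any(m in low for m in HTML_MARKERS):
            tags.append("html-in-argv")
        if id_is_response_body(p.cmdline):
            tags.append("id-slot-holds-response-body")
        if SFX_TMP.search(p.image):
            tags.append("sfx-extract-dir")
        parent = by_pid.get(p.parent)
        if parent is not None and USER_WRITABLE.match(parent.image):
            tags.append("parent-in-user-writable-path")
        result[p.pid] = tags
    return result


if __name__ == "__main__":
    for pid, tags in triage(SAMPLE).items():
        print(pid, tags)
```

Feeding real process-creation records (for example Sysmon Event ID 1) in as Proc(pid, image, cmdline, parent) is the intended use; the id-slot check is deliberately narrow to this installer's hextras=id: convention, while the html-in-argv check is generic and is the one worth keeping in a detection rule.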

Network

  • [US] DNS www.dlsft.com (Roblox Evon Exploit V4_41257.exe)
    Remote address:
    8.8.8.8:53
    Request
    www.dlsft.com
    IN A
    Response
    www.dlsft.com
    IN CNAME
    dlsft.com
    dlsft.com
    IN A
    35.190.60.70
  • [US] GET https://www.dlsft.com/callback/geo/geo.php (Roblox Evon Exploit V4_41257.exe)
    Remote address:
    35.190.60.70:443
    Request
    GET /callback/geo/geo.php HTTP/1.1
    User-Agent: Mozilla/5.0
    Host: www.dlsft.com
    Response
    HTTP/1.1 404 Not Found
    Server: nginx
    Date: Thu, 16 Jan 2025 14:09:30 GMT
    Content-Type: text/html
    Content-Length: 1402
    Last-Modified: Fri, 23 Mar 2018 22:36:15 GMT
    ETag: "57a-5681c0d5965b4"
    Accept-Ranges: bytes
    Via: 1.1 google
    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
  • [US] GET https://www.dlsft.com/callback/info.php?id=41257 (Roblox Evon Exploit V4_41257.exe)
    Remote address:
    35.190.60.70:443
    Request
    GET /callback/info.php?id=41257 HTTP/1.1
    User-Agent: Mozilla/5.0
    Host: www.dlsft.com
    Response
    HTTP/1.1 404 Not Found
    Server: nginx
    Date: Thu, 16 Jan 2025 14:09:30 GMT
    Content-Type: text/html
    Content-Length: 1402
    Last-Modified: Fri, 23 Mar 2018 22:36:15 GMT
    ETag: "57a-5681c0d5965b4"
    Accept-Ranges: bytes
    Via: 1.1 google
    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
  • [US] DNS c.pki.goog (Roblox Evon Exploit V4_41257.exe)
    Remote address:
    8.8.8.8:53
    Request
    c.pki.goog
    IN A
    Response
    c.pki.goog
    IN CNAME
    pki-goog.l.google.com
    pki-goog.l.google.com
    IN A
    142.250.200.35
  • [GB] GET http://c.pki.goog/r/r1.crl (Roblox Evon Exploit V4_41257.exe)
    Remote address:
    142.250.200.35:80
    Request
    GET /r/r1.crl HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Microsoft-CryptoAPI/10.0
    Host: c.pki.goog
    Response
    HTTP/1.1 200 OK
    Accept-Ranges: bytes
    Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
    Cross-Origin-Resource-Policy: cross-origin
    Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
    Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
    Content-Length: 854
    X-Content-Type-Options: nosniff
    Server: sffe
    X-XSS-Protection: 0
    Date: Thu, 16 Jan 2025 13:20:39 GMT
    Expires: Thu, 16 Jan 2025 14:10:39 GMT
    Cache-Control: public, max-age=3000
    Age: 2931
    Last-Modified: Thu, 25 Jul 2024 14:48:00 GMT
    Content-Type: application/pkix-crl
    Vary: Accept-Encoding
  • [US] DNS 8.8.8.8.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    8.8.8.8.in-addr.arpa
    IN PTR
    Response
    8.8.8.8.in-addr.arpa
    IN PTR
    dns.google
  • [US] DNS 70.60.190.35.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    70.60.190.35.in-addr.arpa
    IN PTR
    Response
    70.60.190.35.in-addr.arpa
    IN PTR
    70.60.190.35.bc.googleusercontent.com
  • [US] DNS 133.32.126.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    133.32.126.40.in-addr.arpa
    IN PTR
    Response
  • [US] DNS 60.153.16.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    60.153.16.2.in-addr.arpa
    IN PTR
    Response
    60.153.16.2.in-addr.arpa
    IN PTR
    a2-16-153-60.deploy.static.akamaitechnologies.com
  • [US] DNS 7.98.22.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    7.98.22.2.in-addr.arpa
    IN PTR
    Response
    7.98.22.2.in-addr.arpa
    IN PTR
    a2-22-98-7.deploy.static.akamaitechnologies.com
  • [US] DNS o.pki.goog (Roblox Evon Exploit V4_41257.exe)
    Remote address:
    8.8.8.8:53
    Request
    o.pki.goog
    IN A
    Response
    o.pki.goog
    IN CNAME
    pki-goog.l.google.com
    pki-goog.l.google.com
    IN A
    142.250.200.35
  • [GB] GET http://o.pki.goog/s/wr3/fgA/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQSq0i5t2Pafi2Gw9uzwnc7KTctWgQUx4H1%2FY6I2QA8TWOiUDEkoM4j%2FiMCEH4AzC8CtsuHCuCmoKpV7Vk%3D (Roblox Evon Exploit V4_41257.exe)
    Remote address:
    142.250.200.35:80
    Request
    GET /s/wr3/fgA/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQSq0i5t2Pafi2Gw9uzwnc7KTctWgQUx4H1%2FY6I2QA8TWOiUDEkoM4j%2FiMCEH4AzC8CtsuHCuCmoKpV7Vk%3D HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Microsoft-CryptoAPI/10.0
    Host: o.pki.goog
    Response
    HTTP/1.1 200 OK
    Content-Security-Policy-Report-Only: script-src 'none'; form-action 'none'; frame-src 'none'; report-uri https://csp.withgoogle.com/csp/scaffolding/sytroprc:52:0
    Cross-Origin-Opener-Policy-Report-Only: same-origin; report-to=coop_reporting
    Report-To: {"group":"coop_reporting","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/scaffolding/sytroprc:52:0"}],}
    Server: scaffolding on HTTPServer2
    Content-Length: 471
    X-XSS-Protection: 0
    X-Frame-Options: SAMEORIGIN
    Date: Thu, 16 Jan 2025 13:26:16 GMT
    Cache-Control: public, max-age=14400
    Content-Type: application/ocsp-response
    Age: 2594
  • [US] DNS 81.244.100.95.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    81.244.100.95.in-addr.arpa
    IN PTR
    Response
    81.244.100.95.in-addr.arpa
    IN PTR
    a95-100-244-81.deploy.static.akamaitechnologies.com
  • [US] DNS www.google.com (GenericSetup.exe)
    Remote address:
    8.8.8.8:53
    Request
    www.google.com
    IN A
    Response
    www.google.com
    IN A
    142.250.187.196
  • [US] DNS dlsft.com (Roblox Evon Exploit V4_41257.exe)
    Remote address:
    8.8.8.8:53
    Request
    dlsft.com
    IN A
    Response
    dlsft.com
    IN A
    35.190.60.70
  • [US] POST http://dlsft.com/callback/geo/geo.php (Roblox Evon Exploit V4_41257.exe)
    Remote address:
    35.190.60.70:80
    Request
    POST /callback/geo/geo.php HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded;charset=utf-8
    User-Agent: sciter 4.3.0.0; Windows-8; www.sciter.com)
    Host: dlsft.com
    Content-Length: 0
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 404 Not Found
    Server: nginx
    Date: Thu, 16 Jan 2025 14:09:33 GMT
    Content-Type: text/html
    Last-Modified: Fri, 23 Mar 2018 22:36:15 GMT
    ETag: W/"57a-5681c0d5965b4"
    Content-Encoding: gzip
    Via: 1.1 google
    Transfer-Encoding: chunked
  • [US] GET http://dlsft.com/callback/info.php?id=41257 (Roblox Evon Exploit V4_41257.exe)
    Remote address:
    35.190.60.70:80
    Request
    GET /callback/info.php?id=41257 HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: sciter 4.3.0.0; Windows-8; www.sciter.com)
    Host: dlsft.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 404 Not Found
    Server: nginx
    Date: Thu, 16 Jan 2025 14:09:33 GMT
    Content-Type: text/html
    Last-Modified: Fri, 23 Mar 2018 22:36:15 GMT
    ETag: W/"57a-5681c0d5965b4"
    Content-Encoding: gzip
    Via: 1.1 google
    Transfer-Encoding: chunked
  • [US] GET http://dlsft.com/callback/offers.php (Roblox Evon Exploit V4_41257.exe)
    Remote address:
    35.190.60.70:80
    Request
    GET /callback/offers.php HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: sciter 4.3.0.0; Windows-8; www.sciter.com)
    Host: dlsft.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 404 Not Found
    Server: nginx
    Date: Thu, 16 Jan 2025 14:09:33 GMT
    Content-Type: text/html
    Last-Modified: Fri, 23 Mar 2018 22:36:15 GMT
    ETag: W/"57a-5681c0d5965b4"
    Content-Encoding: gzip
    Via: 1.1 google
    Transfer-Encoding: chunked
  • [US] DNS flow.lavasoft.com (GenericSetup.exe)
    Remote address:
    8.8.8.8:53
    Request
    flow.lavasoft.com
    IN A
    Response
    flow.lavasoft.com
    IN A
    104.16.149.130
    flow.lavasoft.com
    IN A
    104.16.148.130
  • [US] POST https://flow.lavasoft.com/v1/event-stat/?ProductID=IS&Type=BundleInstallStart (GenericSetup.exe)
    Remote address:
    104.16.149.130:443
    Request
    POST /v1/event-stat/?ProductID=IS&Type=BundleInstallStart HTTP/1.1
    User-Agent: .NET Framework (Microsoft Windows NT 10.0.19044.0; x64; H2O/6.9.0.0)
    Content-Type: application/json;charset=utf-8
    Host: flow.lavasoft.com
    installid: 59f3abb6-8a58-4fba-b602-c7883ae62b92
    Content-Length: 3623
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Date: Thu, 16 Jan 2025 14:09:34 GMT
    Content-Type: application/json; charset=utf-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Access-Control-Allow-Methods: GET, POST, OPTIONS
    Access-Control-Allow-Headers: DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Access-Control-Allow-Origin
    Access-Control-Expose-Headers: Content-Length,Content-Range
    CF-Cache-Status: DYNAMIC
    Server: cloudflare
    CF-RAY: 902eaf1b6ba03dac-LHR
  • [US] POST https://flow.lavasoft.com/v1/event-stat/?ProductID=IS&Type=BundleProposedOffers (GenericSetup.exe)
    Remote address:
    104.16.149.130:443
    Request
    POST /v1/event-stat/?ProductID=IS&Type=BundleProposedOffers HTTP/1.1
    User-Agent: .NET Framework (Microsoft Windows NT 10.0.19044.0; x64; H2O/6.9.0.0)
    Content-Type: application/json;charset=utf-8
    Host: flow.lavasoft.com
    installid: 59f3abb6-8a58-4fba-b602-c7883ae62b92
    Content-Length: 18746
    Response
    HTTP/1.1 200 OK
    Date: Thu, 16 Jan 2025 14:09:37 GMT
    Content-Type: application/json; charset=utf-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Access-Control-Allow-Methods: GET, POST, OPTIONS
    Access-Control-Allow-Headers: DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Access-Control-Allow-Origin
    Access-Control-Expose-Headers: Content-Length,Content-Range
    CF-Cache-Status: DYNAMIC
    Server: cloudflare
    CF-RAY: 902eaf22cc603dac-LHR
  • [US] POST https://flow.lavasoft.com/v1/event-stat/?ProductID=IS&Type=BundleOfferRejected (GenericSetup.exe)
    Remote address:
    104.16.149.130:443
    Request
    POST /v1/event-stat/?ProductID=IS&Type=BundleOfferRejected HTTP/1.1
    User-Agent: .NET Framework (Microsoft Windows NT 10.0.19044.0; x64; H2O/6.9.0.0)
    Content-Type: application/json;charset=utf-8
    Host: flow.lavasoft.com
    installid: 59f3abb6-8a58-4fba-b602-c7883ae62b92
    Content-Length: 467
    Response
    HTTP/1.1 200 OK
    Date: Thu, 16 Jan 2025 14:09:38 GMT
    Content-Type: application/json; charset=utf-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Access-Control-Allow-Methods: GET, POST, OPTIONS
    Access-Control-Allow-Headers: DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Access-Control-Allow-Origin
    Access-Control-Expose-Headers: Content-Length,Content-Range
    CF-Cache-Status: DYNAMIC
    Server: cloudflare
    CF-RAY: 902eaf315fe23dac-LHR
  • [US] POST https://flow.lavasoft.com/v1/event-stat/?ProductID=IS&Type=BundleOfferRejected (GenericSetup.exe)
    Remote address:
    104.16.149.130:443
    Request
    POST /v1/event-stat/?ProductID=IS&Type=BundleOfferRejected HTTP/1.1
    User-Agent: .NET Framework (Microsoft Windows NT 10.0.19044.0; x64; H2O/6.9.0.0)
    Content-Type: application/json;charset=utf-8
    Host: flow.lavasoft.com
    installid: 59f3abb6-8a58-4fba-b602-c7883ae62b92
    Content-Length: 455
    Response
    HTTP/1.1 200 OK
    Date: Thu, 16 Jan 2025 14:09:38 GMT
    Content-Type: application/json; charset=utf-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Access-Control-Allow-Methods: GET, POST, OPTIONS
    Access-Control-Allow-Headers: DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Access-Control-Allow-Origin
    Access-Control-Expose-Headers: Content-Length,Content-Range
    CF-Cache-Status: DYNAMIC
    Server: cloudflare
    CF-RAY: 902eaf354d2a3dac-LHR
  • [US] POST https://flow.lavasoft.com/v1/event-stat/?ProductID=IS&Type=BundleOfferRejected (GenericSetup.exe)
    Remote address:
    104.16.149.130:443
    Request
    POST /v1/event-stat/?ProductID=IS&Type=BundleOfferRejected HTTP/1.1
    User-Agent: .NET Framework (Microsoft Windows NT 10.0.19044.0; x64; H2O/6.9.0.0)
    Content-Type: application/json;charset=utf-8
    Host: flow.lavasoft.com
    installid: 59f3abb6-8a58-4fba-b602-c7883ae62b92
    Content-Length: 457
    Response
    HTTP/1.1 200 OK
    Date: Thu, 16 Jan 2025 14:09:38 GMT
    Content-Type: application/json; charset=utf-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Access-Control-Allow-Methods: GET, POST, OPTIONS
    Access-Control-Allow-Headers: DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Access-Control-Allow-Origin
    Access-Control-Expose-Headers: Content-Length,Content-Range
    CF-Cache-Status: DYNAMIC
    Server: cloudflare
    CF-RAY: 902eaf368eca3dac-LHR
  • [US] POST https://flow.lavasoft.com/v1/event-stat/?ProductID=IS&Type=OfferDetailsReceived (GenericSetup.exe)
    Remote address:
    104.16.149.130:443
    Request
    POST /v1/event-stat/?ProductID=IS&Type=OfferDetailsReceived HTTP/1.1
    User-Agent: .NET Framework (Microsoft Windows NT 10.0.19044.0; x64; H2O/6.9.0.0)
    Content-Type: application/json;charset=utf-8
    Host: flow.lavasoft.com
    installid: 59f3abb6-8a58-4fba-b602-c7883ae62b92
    Content-Length: 442
    Response
    HTTP/1.1 200 OK
    Date: Thu, 16 Jan 2025 14:09:38 GMT
    Content-Type: application/json; charset=utf-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Access-Control-Allow-Methods: GET, POST, OPTIONS
    Access-Control-Allow-Headers: DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Access-Control-Allow-Origin
    Access-Control-Expose-Headers: Content-Length,Content-Range
    CF-Cache-Status: DYNAMIC
    Server: cloudflare
    CF-RAY: 902eaf3778063dac-LHR
  • [US] POST https://flow.lavasoft.com/v1/event-stat/?ProductID=IS&Type=OfferDetailsReceived (GenericSetup.exe)
    Remote address:
    104.16.149.130:443
    Request
    POST /v1/event-stat/?ProductID=IS&Type=OfferDetailsReceived HTTP/1.1
    User-Agent: .NET Framework (Microsoft Windows NT 10.0.19044.0; x64; H2O/6.9.0.0)
    Content-Type: application/json;charset=utf-8
    Host: flow.lavasoft.com
    installid: 59f3abb6-8a58-4fba-b602-c7883ae62b92
    Content-Length: 404
    Response
    HTTP/1.1 200 OK
    Date: Thu, 16 Jan 2025 14:09:38 GMT
    Content-Type: application/json; charset=utf-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Access-Control-Allow-Methods: GET, POST, OPTIONS
    Access-Control-Allow-Headers: DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Access-Control-Allow-Origin
    Access-Control-Expose-Headers: Content-Length,Content-Range
    CF-Cache-Status: DYNAMIC
    Server: cloudflare
    CF-RAY: 902eaf3919fa3dac-LHR
  • [US] POST https://flow.lavasoft.com/v1/event-stat/?ProductID=IS&Type=OfferDetailsReceived (GenericSetup.exe)
    Remote address:
    104.16.149.130:443
    Request
    POST /v1/event-stat/?ProductID=IS&Type=OfferDetailsReceived HTTP/1.1
    User-Agent: .NET Framework (Microsoft Windows NT 10.0.19044.0; x64; H2O/6.9.0.0)
    Content-Type: application/json;charset=utf-8
    Host: flow.lavasoft.com
    installid: 59f3abb6-8a58-4fba-b602-c7883ae62b92
    Content-Length: 408
    Response
    HTTP/1.1 200 OK
    Date: Thu, 16 Jan 2025 14:09:39 GMT
    Content-Type: application/json; charset=utf-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Access-Control-Allow-Methods: GET, POST, OPTIONS
    Access-Control-Allow-Headers: DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Access-Control-Allow-Origin
    Access-Control-Expose-Headers: Content-Length,Content-Range
    CF-Cache-Status: DYNAMIC
    Server: cloudflare
    CF-RAY: 902eaf3a0b473dac-LHR
  • [US] POST https://flow.lavasoft.com/v1/event-stat/?ProductID=IS&Type=OfferDetailsReceived (GenericSetup.exe)
    Remote address:
    104.16.149.130:443
    Request
    POST /v1/event-stat/?ProductID=IS&Type=OfferDetailsReceived HTTP/1.1
    User-Agent: .NET Framework (Microsoft Windows NT 10.0.19044.0; x64; H2O/6.9.0.0)
    Content-Type: application/json;charset=utf-8
    Host: flow.lavasoft.com
    installid: 59f3abb6-8a58-4fba-b602-c7883ae62b92
    Content-Length: 431
    Response
    HTTP/1.1 200 OK
    Date: Thu, 16 Jan 2025 14:09:39 GMT
    Content-Type: application/json; charset=utf-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Access-Control-Allow-Methods: GET, POST, OPTIONS
    Access-Control-Allow-Headers: DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Access-Control-Allow-Origin
    Access-Control-Expose-Headers: Content-Length,Content-Range
    CF-Cache-Status: DYNAMIC
    Server: cloudflare
    CF-RAY: 902eaf3afcbb3dac-LHR
  • [US] POST https://flow.lavasoft.com/v1/event-stat/?ProductID=IS&Type=OfferDetailsReceived (GenericSetup.exe)
    Remote address:
    104.16.149.130:443
    Request
    POST /v1/event-stat/?ProductID=IS&Type=OfferDetailsReceived HTTP/1.1
    User-Agent: .NET Framework (Microsoft Windows NT 10.0.19044.0; x64; H2O/6.9.0.0)
    Content-Type: application/json;charset=utf-8
    Host: flow.lavasoft.com
    installid: 59f3abb6-8a58-4fba-b602-c7883ae62b92
    Content-Length: 419
    Response
    HTTP/1.1 200 OK
    Date: Thu, 16 Jan 2025 14:09:39 GMT
    Content-Type: application/json; charset=utf-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Access-Control-Allow-Methods: GET, POST, OPTIONS
    Access-Control-Allow-Headers: DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Access-Control-Allow-Origin
    Access-Control-Expose-Headers: Content-Length,Content-Range
    CF-Cache-Status: DYNAMIC
    Server: cloudflare
    CF-RAY: 902eaf3e79e93dac-LHR
  • [US] POST https://flow.lavasoft.com/v1/event-stat/?ProductID=IS&Type=BundleOffersApproved (GenericSetup.exe)
    Remote address:
    104.16.149.130:443
    Request
    POST /v1/event-stat/?ProductID=IS&Type=BundleOffersApproved HTTP/1.1
    User-Agent: .NET Framework (Microsoft Windows NT 10.0.19044.0; x64; H2O/6.9.0.0)
    Content-Type: application/json;charset=utf-8
    Host: flow.lavasoft.com
    installid: 59f3abb6-8a58-4fba-b602-c7883ae62b92
    Content-Length: 1085
    Response
    HTTP/1.1 200 OK
    Date: Thu, 16 Jan 2025 14:09:39 GMT
    Content-Type: application/json; charset=utf-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Access-Control-Allow-Methods: GET, POST, OPTIONS
    Access-Control-Allow-Headers: DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Access-Control-Allow-Origin
    Access-Control-Expose-Headers: Content-Length,Content-Range
    CF-Cache-Status: DYNAMIC
    Server: cloudflare
    CF-RAY: 902eaf3f8b333dac-LHR
  • [US] POST https://flow.lavasoft.com/v1/event-stat/?ProductID=IS&Type=OfferPageShowDelay (GenericSetup.exe)
    Remote address:
    104.16.149.130:443
    Request
    POST /v1/event-stat/?ProductID=IS&Type=OfferPageShowDelay HTTP/1.1
    User-Agent: .NET Framework (Microsoft Windows NT 10.0.19044.0; x64; H2O/6.9.0.0)
    Content-Type: application/json;charset=utf-8
    Host: flow.lavasoft.com
    installid: 59f3abb6-8a58-4fba-b602-c7883ae62b92
    Content-Length: 340
    Response
    HTTP/1.1 200 OK
    Date: Thu, 16 Jan 2025 14:09:40 GMT
    Content-Type: application/json; charset=utf-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Access-Control-Allow-Methods: GET, POST, OPTIONS
    Access-Control-Allow-Headers: DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Access-Control-Allow-Origin
    Access-Control-Expose-Headers: Content-Length,Content-Range
    CF-Cache-Status: DYNAMIC
    Server: cloudflare
    CF-RAY: 902eaf411d433dac-LHR
  • [US] POST https://flow.lavasoft.com/v1/event-stat/?ProductID=IS&Type=PostbackRequest (GenericSetup.exe)
    Remote address:
    104.16.149.130:443
    Request
    POST /v1/event-stat/?ProductID=IS&Type=PostbackRequest HTTP/1.1
    User-Agent: .NET Framework (Microsoft Windows NT 10.0.19044.0; x64; H2O/6.9.0.0)
    Content-Type: application/json;charset=utf-8
    Host: flow.lavasoft.com
    installid: 59f3abb6-8a58-4fba-b602-c7883ae62b92
    Content-Length: 325
    Response
    HTTP/1.1 200 OK
    Date: Thu, 16 Jan 2025 14:09:40 GMT
    Content-Type: application/json; charset=utf-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Access-Control-Allow-Methods: GET, POST, OPTIONS
    Access-Control-Allow-Headers: DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Access-Control-Allow-Origin
    Access-Control-Expose-Headers: Content-Length,Content-Range
    CF-Cache-Status: DYNAMIC
    Server: cloudflare
    CF-RAY: 902eaf421eb53dac-LHR
  • [US] POST https://flow.lavasoft.com/v1/event-stat/?ProductID=IS&Type=OfferShown (GenericSetup.exe)
    Remote address:
    104.16.149.130:443
    Request
    POST /v1/event-stat/?ProductID=IS&Type=OfferShown HTTP/1.1
    User-Agent: .NET Framework (Microsoft Windows NT 10.0.19044.0; x64; H2O/6.9.0.0)
    Content-Type: application/json;charset=utf-8
    Host: flow.lavasoft.com
    installid: 59f3abb6-8a58-4fba-b602-c7883ae62b92
    Content-Length: 461
    Response
    HTTP/1.1 200 OK
    Date: Thu, 16 Jan 2025 14:09:40 GMT
    Content-Type: application/json; charset=utf-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Access-Control-Allow-Methods: GET, POST, OPTIONS
    Access-Control-Allow-Headers: DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Access-Control-Allow-Origin
    Access-Control-Expose-Headers: Content-Length,Content-Range
    CF-Cache-Status: DYNAMIC
    Server: cloudflare
    CF-RAY: 902eaf4318183dac-LHR
  • [US] POST https://flow.lavasoft.com/v1/event-stat/?ProductID=IS&Type=PageShown (GenericSetup.exe)
    Remote address:
    104.16.149.130:443
    Request
    POST /v1/event-stat/?ProductID=IS&Type=PageShown HTTP/1.1
    User-Agent: .NET Framework (Microsoft Windows NT 10.0.19044.0; x64; H2O/6.9.0.0)
    Content-Type: application/json;charset=utf-8
    Host: flow.lavasoft.com
    installid: 59f3abb6-8a58-4fba-b602-c7883ae62b92
    Content-Length: 266
    Response
    HTTP/1.1 200 OK
    Date: Thu, 16 Jan 2025 14:09:57 GMT
    Content-Type: application/json; charset=utf-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Access-Control-Allow-Methods: GET, POST, OPTIONS
    Access-Control-Allow-Headers: DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Access-Control-Allow-Origin
    Access-Control-Expose-Headers: Content-Length,Content-Range
    CF-Cache-Status: DYNAMIC
    Server: cloudflare
    CF-RAY: 902eafaadba23dac-LHR
  • [US] DNS sos.adaware.com (GenericSetup.exe)
    Remote address:
    8.8.8.8:53
    Request
    sos.adaware.com
    IN A
    Response
    sos.adaware.com
    IN A
    104.16.213.94
    sos.adaware.com
    IN A
    104.16.212.94
  • [US] POST https://sos.adaware.com/v1/bundle/list?bundleId=DT001 (GenericSetup.exe)
    Remote address:
    104.16.213.94:443
    Request
    POST /v1/bundle/list?bundleId=DT001 HTTP/1.1
    User-Agent: .NET Framework (Microsoft Windows NT 10.0.19044.0; x64; H2O/6.9.0.0)
    installid: 59f3abb6-8a58-4fba-b602-c7883ae62b92
    Content-Type: application/json;charset=utf-8
    Host: sos.adaware.com
    Content-Length: 354
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Date: Thu, 16 Jan 2025 14:09:35 GMT
    Content-Type: application/json
    Content-Length: 28227
    Connection: keep-alive
    CF-Cache-Status: DYNAMIC
    Server: cloudflare
    CF-RAY: 902eaf1d9b9393f0-LHR
  • GET
    https://sos.adaware.com/v1/offer/detail?_id=574e67ffa35da5479ff8e7d0a60990fb5dedbf5c
    GenericSetup.exe
    Remote address:
    104.16.213.94:443
    Request
    GET /v1/offer/detail?_id=574e67ffa35da5479ff8e7d0a60990fb5dedbf5c HTTP/1.1
    User-Agent: .NET Framework (Microsoft Windows NT 10.0.19044.0; x64; H2O/6.9.0.0)
    installid: 59f3abb6-8a58-4fba-b602-c7883ae62b92
    Host: sos.adaware.com
    Response
    HTTP/1.1 200 OK
    Date: Thu, 16 Jan 2025 14:09:35 GMT
    Content-Type: application/json
    Content-Length: 6529
    Connection: keep-alive
    Last-Modified: Thu, 16 Jan 2025 14:09:35 GMT
    CF-Cache-Status: EXPIRED
    Expires: Thu, 16 Jan 2025 14:39:35 GMT
    Cache-Control: public, max-age=1800
    Accept-Ranges: bytes
    Server: cloudflare
    CF-RAY: 902eaf22ec3c93f0-LHR
  • GET
    https://sos.adaware.com/v1/offer/detail?_id=2e689ead9de434c5ff65a06c4a89eb781f997d6b
    GenericSetup.exe
    Remote address:
    104.16.213.94:443
    Request
    GET /v1/offer/detail?_id=2e689ead9de434c5ff65a06c4a89eb781f997d6b HTTP/1.1
    User-Agent: .NET Framework (Microsoft Windows NT 10.0.19044.0; x64; H2O/6.9.0.0)
    installid: 59f3abb6-8a58-4fba-b602-c7883ae62b92
    Host: sos.adaware.com
    Response
    HTTP/1.1 200 OK
    Date: Thu, 16 Jan 2025 14:09:35 GMT
    Content-Type: application/json
    Content-Length: 89846
    Connection: keep-alive
    Last-Modified: Thu, 16 Jan 2025 13:40:50 GMT
    CF-Cache-Status: HIT
    Expires: Thu, 16 Jan 2025 14:39:35 GMT
    Cache-Control: public, max-age=1800
    Accept-Ranges: bytes
    Server: cloudflare
    CF-RAY: 902eaf26282293f0-LHR
  • GET
    https://sos.adaware.com/v1/offer/detail?_id=98fb803d820deca6339be22b78181f5f0296f5df
    GenericSetup.exe
    Remote address:
    104.16.213.94:443
    Request
    GET /v1/offer/detail?_id=98fb803d820deca6339be22b78181f5f0296f5df HTTP/1.1
    User-Agent: .NET Framework (Microsoft Windows NT 10.0.19044.0; x64; H2O/6.9.0.0)
    installid: 59f3abb6-8a58-4fba-b602-c7883ae62b92
    Host: sos.adaware.com
    Response
    HTTP/1.1 200 OK
    Date: Thu, 16 Jan 2025 14:09:36 GMT
    Content-Type: application/json
    Content-Length: 218009
    Connection: keep-alive
    Last-Modified: Thu, 16 Jan 2025 14:09:36 GMT
    CF-Cache-Status: EXPIRED
    Expires: Thu, 16 Jan 2025 14:39:36 GMT
    Cache-Control: public, max-age=1800
    Accept-Ranges: bytes
    Server: cloudflare
    CF-RAY: 902eaf26d8dd93f0-LHR
  • DNS
    130.149.16.104.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    130.149.16.104.in-addr.arpa
    IN PTR
    Response
  • DNS
    94.213.16.104.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    94.213.16.104.in-addr.arpa
    IN PTR
    Response
  • GET
    https://sos.adaware.com/v1/offer/detail?_id=6fbc973ae45295355324b69cee87937bc4057e68
    GenericSetup.exe
    Remote address:
    104.16.213.94:443
    Request
    GET /v1/offer/detail?_id=6fbc973ae45295355324b69cee87937bc4057e68 HTTP/1.1
    User-Agent: .NET Framework (Microsoft Windows NT 10.0.19044.0; x64; H2O/6.9.0.0)
    installid: 59f3abb6-8a58-4fba-b602-c7883ae62b92
    Host: sos.adaware.com
    Response
    HTTP/1.1 200 OK
    Date: Thu, 16 Jan 2025 14:09:35 GMT
    Content-Type: application/json
    Content-Length: 309729
    Connection: keep-alive
    Last-Modified: Thu, 16 Jan 2025 13:48:49 GMT
    CF-Cache-Status: HIT
    Expires: Thu, 16 Jan 2025 14:39:35 GMT
    Cache-Control: public, max-age=1800
    Accept-Ranges: bytes
    Server: cloudflare
    CF-RAY: 902eaf237bc1ef17-LHR
  • GET
    https://sos.adaware.com/v1/offer/detail?_id=b53f3407b38d6a472cf2a396a0ddb626ca0e87fb
    GenericSetup.exe
    Remote address:
    104.16.213.94:443
    Request
    GET /v1/offer/detail?_id=b53f3407b38d6a472cf2a396a0ddb626ca0e87fb HTTP/1.1
    User-Agent: .NET Framework (Microsoft Windows NT 10.0.19044.0; x64; H2O/6.9.0.0)
    installid: 59f3abb6-8a58-4fba-b602-c7883ae62b92
    Host: sos.adaware.com
    Response
    HTTP/1.1 200 OK
    Date: Thu, 16 Jan 2025 14:09:36 GMT
    Content-Type: application/json
    Content-Length: 44624
    Connection: keep-alive
    Last-Modified: Thu, 16 Jan 2025 14:09:35 GMT
    CF-Cache-Status: EXPIRED
    Expires: Thu, 16 Jan 2025 14:39:36 GMT
    Cache-Control: public, max-age=1800
    Accept-Ranges: bytes
    Server: cloudflare
    CF-RAY: 902eaf24e87bef17-LHR
  • DNS
    56.163.245.4.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    56.163.245.4.in-addr.arpa
    IN PTR
    Response
  • DNS
    15.164.165.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    15.164.165.52.in-addr.arpa
    IN PTR
    Response
  • DNS
    172.214.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.214.232.199.in-addr.arpa
    IN PTR
    Response
  • DNS
    48.229.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    48.229.111.52.in-addr.arpa
    IN PTR
    Response
  • DNS
    85.65.42.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    85.65.42.20.in-addr.arpa
    IN PTR
    Response
  • 35.190.60.70:443
    https://www.dlsft.com/callback/info.php?id=41257
    tls, http
    Roblox Evon Exploit V4_41257.exe
    1.5kB
    9.0kB
    21
    18

    HTTP Request

    GET https://www.dlsft.com/callback/geo/geo.php

    HTTP Response

    404

    HTTP Request

    GET https://www.dlsft.com/callback/info.php?id=41257

    HTTP Response

    404
  • 142.250.200.35:80
    http://c.pki.goog/r/r1.crl
    http
    Roblox Evon Exploit V4_41257.exe
    395 B
    1.8kB
    6
    5

    HTTP Request

    GET http://c.pki.goog/r/r1.crl

    HTTP Response

    200
  • 142.250.200.35:80
    http://o.pki.goog/s/wr3/fgA/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQSq0i5t2Pafi2Gw9uzwnc7KTctWgQUx4H1%2FY6I2QA8TWOiUDEkoM4j%2FiMCEH4AzC8CtsuHCuCmoKpV7Vk%3D
    http
    Roblox Evon Exploit V4_41257.exe
    515 B
    1.3kB
    6
    4

    HTTP Request

    GET http://o.pki.goog/s/wr3/fgA/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQSq0i5t2Pafi2Gw9uzwnc7KTctWgQUx4H1%2FY6I2QA8TWOiUDEkoM4j%2FiMCEH4AzC8CtsuHCuCmoKpV7Vk%3D

    HTTP Response

    200
  • 35.190.60.70:80
    http://dlsft.com/callback/info.php?id=41257
    http
    Roblox Evon Exploit V4_41257.exe
    1.1kB
    2.4kB
    14
    12

    HTTP Request

    POST http://dlsft.com/callback/geo/geo.php

    HTTP Response

    404

    HTTP Request

    GET http://dlsft.com/callback/info.php?id=41257

    HTTP Response

    404
  • 35.190.60.70:80
    http://dlsft.com/callback/offers.php
    http
    Roblox Evon Exploit V4_41257.exe
    501 B
    1.2kB
    7
    5

    HTTP Request

    GET http://dlsft.com/callback/offers.php

    HTTP Response

    404
  • 104.16.149.130:443
    https://flow.lavasoft.com/v1/event-stat/?ProductID=IS&Type=PageShown
    tls, http
    GenericSetup.exe
    36.9kB
    14.5kB
    67
    70

    HTTP Request

    POST https://flow.lavasoft.com/v1/event-stat/?ProductID=IS&Type=BundleInstallStart

    HTTP Response

    200

    HTTP Request

    POST https://flow.lavasoft.com/v1/event-stat/?ProductID=IS&Type=BundleProposedOffers

    HTTP Response

    200

    HTTP Request

    POST https://flow.lavasoft.com/v1/event-stat/?ProductID=IS&Type=BundleOfferRejected

    HTTP Response

    200

    HTTP Request

    POST https://flow.lavasoft.com/v1/event-stat/?ProductID=IS&Type=BundleOfferRejected

    HTTP Response

    200

    HTTP Request

    POST https://flow.lavasoft.com/v1/event-stat/?ProductID=IS&Type=BundleOfferRejected

    HTTP Response

    200

    HTTP Request

    POST https://flow.lavasoft.com/v1/event-stat/?ProductID=IS&Type=OfferDetailsReceived

    HTTP Response

    200

    HTTP Request

    POST https://flow.lavasoft.com/v1/event-stat/?ProductID=IS&Type=OfferDetailsReceived

    HTTP Response

    200

    HTTP Request

    POST https://flow.lavasoft.com/v1/event-stat/?ProductID=IS&Type=OfferDetailsReceived

    HTTP Response

    200

    HTTP Request

    POST https://flow.lavasoft.com/v1/event-stat/?ProductID=IS&Type=OfferDetailsReceived

    HTTP Response

    200

    HTTP Request

    POST https://flow.lavasoft.com/v1/event-stat/?ProductID=IS&Type=OfferDetailsReceived

    HTTP Response

    200

    HTTP Request

    POST https://flow.lavasoft.com/v1/event-stat/?ProductID=IS&Type=BundleOffersApproved

    HTTP Response

    200

    HTTP Request

    POST https://flow.lavasoft.com/v1/event-stat/?ProductID=IS&Type=OfferPageShowDelay

    HTTP Response

    200

    HTTP Request

    POST https://flow.lavasoft.com/v1/event-stat/?ProductID=IS&Type=PostbackRequest

    HTTP Response

    200

    HTTP Request

    POST https://flow.lavasoft.com/v1/event-stat/?ProductID=IS&Type=OfferShown

    HTTP Response

    200

    HTTP Request

    POST https://flow.lavasoft.com/v1/event-stat/?ProductID=IS&Type=PageShown

    HTTP Response

    200
  • 104.16.213.94:443
    https://sos.adaware.com/v1/offer/detail?_id=98fb803d820deca6339be22b78181f5f0296f5df
    tls, http
    GenericSetup.exe
    8.9kB
    361.2kB
    157
    292

    HTTP Request

    POST https://sos.adaware.com/v1/bundle/list?bundleId=DT001

    HTTP Response

    200

    HTTP Request

    GET https://sos.adaware.com/v1/offer/detail?_id=574e67ffa35da5479ff8e7d0a60990fb5dedbf5c

    HTTP Response

    200

    HTTP Request

    GET https://sos.adaware.com/v1/offer/detail?_id=2e689ead9de434c5ff65a06c4a89eb781f997d6b

    HTTP Response

    200

    HTTP Request

    GET https://sos.adaware.com/v1/offer/detail?_id=98fb803d820deca6339be22b78181f5f0296f5df

    HTTP Response

    200
  • 104.16.213.94:443
    https://sos.adaware.com/v1/offer/detail?_id=b53f3407b38d6a472cf2a396a0ddb626ca0e87fb
    tls, http
    GenericSetup.exe
    10.8kB
    369.2kB
    194
    284

    HTTP Request

    GET https://sos.adaware.com/v1/offer/detail?_id=6fbc973ae45295355324b69cee87937bc4057e68

    HTTP Response

    200

    HTTP Request

    GET https://sos.adaware.com/v1/offer/detail?_id=b53f3407b38d6a472cf2a396a0ddb626ca0e87fb

    HTTP Response

    200
  • 8.8.8.8:53
    www.dlsft.com
    dns
    Roblox Evon Exploit V4_41257.exe
    59 B
    89 B
    1
    1

    DNS Request

    www.dlsft.com

    DNS Response

    35.190.60.70

  • 8.8.8.8:53
    c.pki.goog
    dns
    Roblox Evon Exploit V4_41257.exe
    56 B
    107 B
    1
    1

    DNS Request

    c.pki.goog

    DNS Response

    142.250.200.35

  • 8.8.8.8:53
    8.8.8.8.in-addr.arpa
    dns
    66 B
    90 B
    1
    1

    DNS Request

    8.8.8.8.in-addr.arpa

  • 8.8.8.8:53
    70.60.190.35.in-addr.arpa
    dns
    71 B
    122 B
    1
    1

    DNS Request

    70.60.190.35.in-addr.arpa

  • 8.8.8.8:53
    133.32.126.40.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    133.32.126.40.in-addr.arpa

  • 8.8.8.8:53
    60.153.16.2.in-addr.arpa
    dns
    70 B
    133 B
    1
    1

    DNS Request

    60.153.16.2.in-addr.arpa

  • 8.8.8.8:53
    7.98.22.2.in-addr.arpa
    dns
    68 B
    129 B
    1
    1

    DNS Request

    7.98.22.2.in-addr.arpa

  • 8.8.8.8:53
    o.pki.goog
    dns
    Roblox Evon Exploit V4_41257.exe
    56 B
    107 B
    1
    1

    DNS Request

    o.pki.goog

    DNS Response

    142.250.200.35

  • 8.8.8.8:53
    81.244.100.95.in-addr.arpa
    dns
    72 B
    137 B
    1
    1

    DNS Request

    81.244.100.95.in-addr.arpa

  • 8.8.8.8:53
    www.google.com
    dns
    GenericSetup.exe
    60 B
    76 B
    1
    1

    DNS Request

    www.google.com

    DNS Response

    142.250.187.196

  • 8.8.8.8:53
    dlsft.com
    dns
    Roblox Evon Exploit V4_41257.exe
    55 B
    71 B
    1
    1

    DNS Request

    dlsft.com

    DNS Response

    35.190.60.70

  • 8.8.8.8:53
    flow.lavasoft.com
    dns
    GenericSetup.exe
    63 B
    95 B
    1
    1

    DNS Request

    flow.lavasoft.com

    DNS Response

    104.16.149.130
    104.16.148.130

  • 8.8.8.8:53
    sos.adaware.com
    dns
    GenericSetup.exe
    61 B
    93 B
    1
    1

    DNS Request

    sos.adaware.com

    DNS Response

    104.16.213.94
    104.16.212.94

  • 8.8.8.8:53
    130.149.16.104.in-addr.arpa
    dns
    73 B
    135 B
    1
    1

    DNS Request

    130.149.16.104.in-addr.arpa

  • 8.8.8.8:53
    94.213.16.104.in-addr.arpa
    dns
    72 B
    134 B
    1
    1

    DNS Request

    94.213.16.104.in-addr.arpa

  • 8.8.8.8:53
    56.163.245.4.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    56.163.245.4.in-addr.arpa

  • 8.8.8.8:53
    15.164.165.52.in-addr.arpa
    dns
    72 B
    146 B
    1
    1

    DNS Request

    15.164.165.52.in-addr.arpa

  • 8.8.8.8:53
    172.214.232.199.in-addr.arpa
    dns
    74 B
    128 B
    1
    1

    DNS Request

    172.214.232.199.in-addr.arpa

  • 8.8.8.8:53
    48.229.111.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    48.229.111.52.in-addr.arpa

  • 8.8.8.8:53
    85.65.42.20.in-addr.arpa
    dns
    70 B
    156 B
    1
    1

    DNS Request

    85.65.42.20.in-addr.arpa

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\7zSCF644687\GenericSetup.LastScreen.dll

    Filesize

    31KB

    MD5

    3319432d3a694a481f5672fa9eb743d0

    SHA1

    99bff8f4941eb3cee3e0a7cb86b89eda1df07bf9

    SHA256

    768b4eb487e2dc8bcb8ec6221734ca69dce7f522d7640cc2a547f95296509693

    SHA512

    7f2a1c6c8d9d135b9e00e04f715c9b6b8ba12cb317f7b78ee3efbe3e426a99afce022306eb5bf02fe51c13857d3943b2b009b10b9cc96683e6bcbca1f9045c7f

  • C:\Users\Admin\AppData\Local\Temp\7zSCF644687\GenericSetup.dll

    Filesize

    6.8MB

    MD5

    4d65e6eb25db2ce61f4a7a48d9f6082a

    SHA1

    130abbae19f227b0ef4f278e90398b3b3c7c2eff

    SHA256

    1e2e26d769d69f6b06cad2f2fec81a125e4f3d14aee969357784fb533d80b89a

    SHA512

    b0842b4fc07dd332c53f56f1337b32064dad7a15663397655b73061bf3d61b44ecdd47ed626b92e69383cfaa41a9c70d4a18ece79fdbab2daf1d06adb1be4bfb

  • C:\Users\Admin\AppData\Local\Temp\7zSCF644687\GenericSetup.exe

    Filesize

    25KB

    MD5

    85b0a721491803f8f0208a1856241562

    SHA1

    90beb8d419b83bd76924826725a14c03b3e6533f

    SHA256

    18be33f7c9f28b0a514f3f40983f452f476470691b1be4f2aba5ba5e06c6a345

    SHA512

    8ff86e4b4d9cb5e2e88826a822457cb863262e3b73645c0c3309f13fb496997e53005ebe1825c6f92463c6642ec9abc6bbe359b35410b0621649b8d3aaf66c71

  • C:\Users\Admin\AppData\Local\Temp\7zSCF644687\GenericSetup.exe.config

    Filesize

    814B

    MD5

    fd63ee3928edd99afc5bdf17e4f1e7b6

    SHA1

    1b40433b064215ea6c001332c2ffa093b1177875

    SHA256

    2a2ddbdc4600e829ad756fd5e84a79c0401fa846ad4f2f2fb235b410e82434a9

    SHA512

    1925cde90ee84db1e5c15fa774ee5f10fa368948df7643259b03599ad58cfce9d409fd2cd752ff4cbca60b4bbe92b184ff92a0c6e8b78849c4497d38266bd3b4

  • C:\Users\Admin\AppData\Local\Temp\7zSCF644687\HtmlAgilityPack.dll

    Filesize

    149KB

    MD5

    7874850410e21b5f48bfe34174fb318c

    SHA1

    19522b1b9d932aa89df580c73ef629007ec32b6f

    SHA256

    c6250da15c349033de9b910c3dc10a156e47d69ec7e2076ce9011af7f3d885d1

    SHA512

    dad611ca9779b594aad7898261cc7ef0db500850eb81560c04d5d938ae4e2338e786773f63f59aab6564ad13acb4800f1862a2189803cc8cc8ad26a368f25eaa

  • C:\Users\Admin\AppData\Local\Temp\7zSCF644687\MyDownloader.Core.dll

    Filesize

    56KB

    MD5

    f931e960cc4ed0d2f392376525ff44db

    SHA1

    1895aaa8f5b8314d8a4c5938d1405775d3837109

    SHA256

    1c1c5330ea35f518bf85fad69dc2da1a98a4dfeadbf6ac0ba0ac7cc51bbcc870

    SHA512

    7fa5e582ad1bb094cbbb68b1db301dcf360e180eb58f8d726a112133277ceaa39660c6d4b3248c19a8b5767a4ae09f4597535711d789ca4f9f334a204d87ffe0

  • C:\Users\Admin\AppData\Local\Temp\7zSCF644687\MyDownloader.Extension.dll

    Filesize

    168KB

    MD5

    28f1996059e79df241388bd9f89cf0b1

    SHA1

    6ad6f7cde374686a42d9c0fcebadaf00adf21c76

    SHA256

    c3f8a46e81f16bbfc75de44dc95f0d145213c8af0006bb097950ac4d1562f5ce

    SHA512

    9654d451cb2f184548649aa04b902f5f6aff300c6f03b9261ee3be5405527b4f23862d8988f9811987da22e386813e844e7c5068fd6421c91551f5b33c625f29

  • C:\Users\Admin\AppData\Local\Temp\7zSCF644687\Newtonsoft.Json.dll

    Filesize

    476KB

    MD5

    3c4d2f6fd240dc804e10bbb5f16c6182

    SHA1

    30d66e6a1ead9541133bad2c715c1971ae943196

    SHA256

    1f7a328eb4fa73df5d2996202f5dab02530b0339458137774c72731b9f85ca2e

    SHA512

    0657f0ab1d7fc9730d4bf6b8c8373f512d57a34063bcfa1f93a803b0afe2a93219da5dc679414dd155956bd696cb7547fc09663f8891eb9b03d9c93b3c1fe95d

  • C:\Users\Admin\AppData\Local\Temp\7zSCF644687\Ninject.dll

    Filesize

    133KB

    MD5

    ce80365e2602b7cff0222e0db395428c

    SHA1

    50c9625eda1d156c9d7a672839e9faaea1dffdbd

    SHA256

    3475dd6f1612e984573276529d8147029d6bfa55d41bef2577b3aa601d2fbbe5

    SHA512

    5ea1de091a108143bb74fccdb4f0553f72613e58d8551fff51ce1aab34636c856758719dfa1a0e4cc833acb8e75729793dede65c4562e1aa3f68ec50463d36f3

  • C:\Users\Admin\AppData\Local\Temp\GenericSetup.exe_1737036572\Resources\OfferPage.html

    Filesize

    1KB

    MD5

    5f29b47126c45d119442ad3b896f74eb

    SHA1

    801a4e5b7d01f81c9c398b4d8d9a5f49e5269eef

    SHA256

    4e85074502c0267e04b324cdbb46df644e040513e94dd13c6625fb2e039c9a3f

    SHA512

    81ddcda6399365ad83689b14d22488137b88a80988eeed40ff1678fc387cb098227f520514a3d1a2a213efb4a8f435d87f40647bbe35a273c8d277d2c639c18e

  • C:\Users\Admin\AppData\Local\Temp\GenericSetup.exe_1737036572\sciter32.dll

    Filesize

    5.6MB

    MD5

    b431083586e39d018e19880ad1a5ce8f

    SHA1

    3bbf957ab534d845d485a8698accc0a40b63cedd

    SHA256

    b525fdcc32c5a359a7f5738a30eff0c6390734d8a2c987c62e14c619f99d406b

    SHA512

    7805a3464fcc3ac4ea1258e2412180c52f2af40a79b540348486c830a20c2bbed337bbf5f4a8926b3ef98c63c87747014f5b43c35f7ec4e7a3693b9dbd0ae67b

  • C:\Users\Admin\AppData\Local\setup41257.exe

    Filesize

    3.1MB

    MD5

    369acf60d8b5ed6168c74955ee04654f

    SHA1

    1753fff63efa6ed5ad30ede6b959261ac67dd13e

    SHA256

    3ff8ec8f9f27a27f414a90bfed5b7f5a3c118b33cf0f80aeb7026e0a53e26632

    SHA512

    2582b3b4525321fece978710403e4bd4dd6e9f0869de1fec784e4e79ac98e8c6498a601c9db45d5af4f1b99e3a2cc07b9e3ec18144e18ce82b41eb64ce4eb643

  • C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-us\default.dic

    Filesize

    2B

    MD5

    f3b25701fe362ec84616a93a45ce9998

    SHA1

    d62636d8caec13f04e28442a0a6fa1afeb024bbb

    SHA256

    b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

    SHA512

    98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

  • memory/1632-72-0x0000000005240000-0x000000000526C000-memory.dmp

    Filesize

    176KB

  • memory/1632-96-0x0000000007C60000-0x0000000007CF2000-memory.dmp

    Filesize

    584KB

  • memory/1632-77-0x00000000057B0000-0x00000000057C2000-memory.dmp

    Filesize

    72KB

  • memory/1632-68-0x0000000005190000-0x00000000051B8000-memory.dmp

    Filesize

    160KB

  • memory/1632-90-0x00000000072F0000-0x000000000736C000-memory.dmp

    Filesize

    496KB

  • memory/1632-92-0x0000000007600000-0x0000000007957000-memory.dmp

    Filesize

    3.3MB

  • memory/1632-93-0x0000000007F30000-0x00000000084D6000-memory.dmp

    Filesize

    5.6MB

  • memory/1632-73-0x00000000054C0000-0x0000000005526000-memory.dmp

    Filesize

    408KB

  • memory/1632-64-0x0000000005840000-0x0000000005F1A000-memory.dmp

    Filesize

    6.9MB

  • memory/1632-60-0x0000000004D50000-0x0000000004D5C000-memory.dmp

    Filesize

    48KB

  • memory/1632-56-0x0000000000450000-0x000000000045A000-memory.dmp

    Filesize

    40KB

  • memory/1632-140-0x0000000006050000-0x000000000607E000-memory.dmp

    Filesize

    184KB

  • memory/1632-54-0x000000007191E000-0x000000007191F000-memory.dmp

    Filesize

    4KB

  • memory/1632-156-0x000000007191E000-0x000000007191F000-memory.dmp

    Filesize

    4KB