Analysis

  • max time kernel
    187s
  • max time network
    195s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    04/12/2022, 08:49 UTC

General

  • Target

    a85040e7ecb3f06082b5292804267433e611040c89d835a8ffd3151b148ed687.exe

  • Size

    73KB

  • MD5

    ab115f0a6d01203b54f3d4b1a327b587

  • SHA1

    bbb4761896d6f206f085ed5f0481b8e68f8e80d6

  • SHA256

    a85040e7ecb3f06082b5292804267433e611040c89d835a8ffd3151b148ed687

  • SHA512

    c047ca3e2c725df30284d8fbc06f88dd99588ae6c2c25f656060c21ecb055396018447aad65349e2261d9c9ff1b5e39caeb013665e8210d975abf4e95fba28da

  • SSDEEP

    1536:bNCJMvSU05Ct8NwAJH7Bs3UHRazKxiH0vrb+cd8nouy8Z:bNiUQCt5Ia3SYPUvriGcoutZ

Malware Config

Signatures

  • Modifies firewall policy service 2 TTPs 18 IoCs
  • Modifies security service 2 TTPs 1 IoCs
  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • UAC bypass 3 TTPs 3 IoCs
  • Windows security bypass 2 TTPs 4 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Disables Task Manager via registry modification
  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Sets file execution options in registry 2 TTPs 64 IoCs
  • UPX packed file 12 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification 2 TTPs 15 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Control Panel 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 36 IoCs
  • Modifies Internet Explorer start page 1 TTPs 2 IoCs
  • Modifies registry class 24 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs
  • System policy modification 1 TTPs 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a85040e7ecb3f06082b5292804267433e611040c89d835a8ffd3151b148ed687.exe
    "C:\Users\Admin\AppData\Local\Temp\a85040e7ecb3f06082b5292804267433e611040c89d835a8ffd3151b148ed687.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4908
    • C:\Users\Admin\E696D64614\winlogon.exe
      "C:\Users\Admin\E696D64614\winlogon.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4960
      • C:\Users\Admin\E696D64614\winlogon.exe
        "C:\Users\Admin\E696D64614\winlogon.exe"
        3⤵
        • Modifies firewall policy service
        • Modifies security service
        • Modifies visibility of file extensions in Explorer
        • Modifies visibility of hidden/system files in Explorer
        • UAC bypass
        • Windows security bypass
        • Disables RegEdit via registry modification
        • Drops file in Drivers directory
        • Executes dropped EXE
        • Sets file execution options in registry
        • Windows security modification
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • Modifies Control Panel
        • Modifies Internet Explorer settings
        • Modifies Internet Explorer start page
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • System policy modification
        PID:1360
  • C:\Program Files (x86)\Internet Explorer\ielowutil.exe
    "C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
    1⤵
      PID:1324
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3180
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3180 CREDAT:17410 /prefetch:2
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:4624

    Network

    • DNS
      whos.amung.us
      winlogon.exe
      Remote address:
      8.8.8.8:53
      Request
      whos.amung.us
      IN A
      Response
      whos.amung.us
      IN A
      172.67.8.141
      whos.amung.us
      IN A
      104.22.74.171
      whos.amung.us
      IN A
      104.22.75.171
    • DNS
      spaon11524j.ipcheker.com
      winlogon.exe
      Remote address:
      8.8.8.8:53
      Request
      spaon11524j.ipcheker.com
      IN A
      Response
      spaon11524j.ipcheker.com
      IN A
      35.205.61.67
    • DNS
      whos.amung.us
      winlogon.exe
      Remote address:
      8.8.8.8:53
      Request
      whos.amung.us
      IN A
      Response
      whos.amung.us
      IN A
      172.67.8.141
      whos.amung.us
      IN A
      104.22.74.171
      whos.amung.us
      IN A
      104.22.75.171
    • DNS
      xtt3j3pp3m0.ipgreat.com
      winlogon.exe
      Remote address:
      8.8.8.8:53
      Request
      xtt3j3pp3m0.ipgreat.com
      IN A
      Response
    • DNS
      97.97.242.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      97.97.242.52.in-addr.arpa
      IN PTR
      Response
    • GET
      http://whos.amung.us/swidget/d23r523t4id
      winlogon.exe
      Remote address:
      104.22.74.171:80
      Request
      GET /swidget/d23r523t4id HTTP/1.1
      Host: whos.amung.us
      Response
      HTTP/1.1 307 Temporary Redirect
      Date: Wed, 07 Dec 2022 22:26:21 GMT
      Content-Type: text/html; charset=UTF-8
      Transfer-Encoding: chunked
      Connection: keep-alive
      cache-control: no-cache, no-store, must-revalidate
      location: http://widgets.amung.us/small/00/2.png
      CF-Cache-Status: DYNAMIC
      Server: cloudflare
      CF-RAY: 7760aeb24c51b8af-AMS
    • DNS
      widgets.amung.us
      winlogon.exe
      Remote address:
      8.8.8.8:53
      Request
      widgets.amung.us
      IN A
      Response
      widgets.amung.us
      IN A
      104.22.74.171
      widgets.amung.us
      IN A
      172.67.8.141
      widgets.amung.us
      IN A
      104.22.75.171
    • GET
      http://widgets.amung.us/small/00/2.png
      winlogon.exe
      Remote address:
      104.22.74.171:80
      Request
      GET /small/00/2.png HTTP/1.1
      Host: widgets.amung.us
      Connection: Keep-Alive
      Response
      HTTP/1.1 200 OK
      Date: Wed, 07 Dec 2022 22:26:21 GMT
      Content-Type: image/png
      Content-Length: 313
      Connection: keep-alive
      last-modified: Sun, 13 Jun 2010 09:48:29 GMT
      etag: "4c14a96d-139"
      expires: Sat, 03 Dec 2022 16:13:15 GMT
      cache-control: max-age=2678400
      access-control-allow-origin: *
      CF-Cache-Status: HIT
      Age: 454386
      Accept-Ranges: bytes
      Server: cloudflare
      CF-RAY: 7760aeb46e280e3b-AMS
    • DNS
      3vi4914078a7r73.youtubeta.com
      winlogon.exe
      Remote address:
      8.8.8.8:53
      Request
      3vi4914078a7r73.youtubeta.com
      IN A
      Response
      3vi4914078a7r73.youtubeta.com
      IN CNAME
      pixie.porkbun.com
      pixie.porkbun.com
      IN A
      44.227.65.245
      pixie.porkbun.com
      IN A
      44.227.76.166
    • POST
      http://3vi4914078a7r73.youtubeta.com/index.php
      winlogon.exe
      Remote address:
      44.227.65.245:80
      Request
      POST /index.php HTTP/1.1
      Content-Type: application/x-www-form-urlencoded
      User-Agent: [�_S�_][�_T�_][�_E�_][�_A�_][�_L�_][�_E�_][�_R�_]
      Host: 3vi4914078a7r73.youtubeta.com
      Content-Length: 37
      Cache-Control: no-cache
      Response
      HTTP/1.1 307 Temporary Redirect
      Server: openresty
      Date: Wed, 07 Dec 2022 22:26:22 GMT
      Content-Type: text/html; charset=utf-8
      Content-Length: 168
      Connection: keep-alive
      Location: http://youtubeta.com
      X-Frame-Options: sameorigin
    • DNS
      l19772ko05d8r44.directorio-w.com
      iexplore.exe
      Remote address:
      8.8.8.8:53
      Request
      l19772ko05d8r44.directorio-w.com
      IN A
      Response
      l19772ko05d8r44.directorio-w.com
      IN A
      72.52.178.23
    • DNS
      www.directorio-w.com
      IEXPLORE.EXE
      Remote address:
      8.8.8.8:53
      Request
      www.directorio-w.com
      IN A
      Response
      www.directorio-w.com
      IN A
      72.52.178.23
    • GET
      http://www.directorio-w.com/
      IEXPLORE.EXE
      Remote address:
      72.52.178.23:80
      Request
      GET / HTTP/1.1
      Accept: text/html, application/xhtml+xml, image/jxr, */*
      Accept-Language: en-US
      User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
      Accept-Encoding: gzip, deflate
      Host: www.directorio-w.com
      Connection: Keep-Alive
      Response
      HTTP/1.1 302 Moved Temporarily
      Date: Wed, 07 Dec 2022 22:26:24 GMT
      Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9
      X-Powered-By: PHP/5.4.16
      Location: http://ww7.directorio-w.com
      Keep-Alive: timeout=5, max=84
      Connection: Keep-Alive
      Transfer-Encoding: chunked
      Content-Type: text/html; charset=UTF-8
    • DNS
      ww7.directorio-w.com
      IEXPLORE.EXE
      Remote address:
      8.8.8.8:53
      Request
      ww7.directorio-w.com
      IN A
      Response
      ww7.directorio-w.com
      IN CNAME
      62978.bodis.com
      62978.bodis.com
      IN A
      199.59.243.222
    • GET
      http://ww7.directorio-w.com/
      IEXPLORE.EXE
      Remote address:
      199.59.243.222:80
      Request
      GET / HTTP/1.1
      Accept: text/html, application/xhtml+xml, image/jxr, */*
      Accept-Language: en-US
      User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
      Accept-Encoding: gzip, deflate
      Connection: Keep-Alive
      Host: ww7.directorio-w.com
      Response
      HTTP/1.1 200 OK
      Server: openresty
      Date: Wed, 07 Dec 2022 22:26:25 GMT
      Content-Type: text/html; charset=UTF-8
      Transfer-Encoding: chunked
      Connection: keep-alive
      Set-Cookie: parking_session=e104a6b9-7cf0-67b3-d6d7-d79e26dc56e0; expires=Wed, 07-Dec-2022 22:41:25 GMT; Max-Age=900; path=/; HttpOnly
      X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_TR1ZsR9oUacTOiUzTdO5wnq0Upxn3ov3EgKCAcSt2rhdmVhkhPHv2EnFg2SAlMYtbNkvsTGncDmDLS0OzEeG3Q==
      Cache-Control: no-cache
      Accept-CH: sec-ch-prefers-color-scheme
      Critical-CH: sec-ch-prefers-color-scheme
      Vary: sec-ch-prefers-color-scheme
      Expires: Thu, 01 Jan 1970 00:00:01 GMT
      Cache-Control: no-store, must-revalidate
      Cache-Control: post-check=0, pre-check=0
      Pragma: no-cache
      Content-Encoding: gzip
    • GET
      http://ww7.directorio-w.com/js/parking.2.100.2.js
      IEXPLORE.EXE
      Remote address:
      199.59.243.222:80
      Request
      GET /js/parking.2.100.2.js HTTP/1.1
      Accept: application/javascript, */*;q=0.8
      Referer: http://ww7.directorio-w.com/
      Accept-Language: en-US
      User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
      Accept-Encoding: gzip, deflate
      Host: ww7.directorio-w.com
      Connection: Keep-Alive
      Cookie: parking_session=e104a6b9-7cf0-67b3-d6d7-d79e26dc56e0
      Response
      HTTP/1.1 200 OK
      Server: openresty
      Date: Wed, 07 Dec 2022 22:26:25 GMT
      Content-Type: application/javascript; charset=utf-8
      Last-Modified: Mon, 14 Nov 2022 17:45:15 GMT
      Transfer-Encoding: chunked
      Connection: keep-alive
      Expires: Thu, 01 Jan 1970 00:00:01 GMT
      Cache-Control: no-cache
      Cache-Control: no-store, must-revalidate
      Cache-Control: post-check=0, pre-check=0
      Pragma: no-cache
      Content-Encoding: gzip
    • DNS
      parking.bodiscdn.com
      iexplore.exe
      Remote address:
      8.8.8.8:53
      Request
      parking.bodiscdn.com
      IN A
      Response
      parking.bodiscdn.com
      IN A
      104.22.40.120
      parking.bodiscdn.com
      IN A
      104.22.41.120
      parking.bodiscdn.com
      IN A
      172.67.5.15
    • DNS
      mkwm3jfy48v.ipcheker.com
      winlogon.exe
      Remote address:
      8.8.8.8:53
      Request
      mkwm3jfy48v.ipcheker.com
      IN A
      Response
      mkwm3jfy48v.ipcheker.com
      IN A
      35.205.61.67
    • GET
      http://mkwm3jfy48v.ipcheker.com/
      winlogon.exe
      Remote address:
      35.205.61.67:80
      Request
      GET / HTTP/1.1
      User-Agent: �����������Ī������׼��¥��������֡��ư���ä�ο���ʪ
      Host: mkwm3jfy48v.ipcheker.com
      Response
      HTTP/1.1 302 Moved Temporarily
      Server: nginx
      Date: Wed, 07 Dec 2022 22:26:47 GMT
      Content-Type: text/html
      Connection: close
      Set-Cookie: btst=fadb858121f6c720dae4491d7568d1e0|154.61.71.13|1670452007|1670452007|0|1|0; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
      Location: 1
    • GET
      http://mkwm3jfy48v.ipcheker.com/1
      winlogon.exe
      Remote address:
      35.205.61.67:80
      Request
      GET /1 HTTP/1.1
      User-Agent: �����������Ī������׼��¥��������֡��ư���ä�ο���ʪ
      Host: mkwm3jfy48v.ipcheker.com
      Connection: Keep-Alive
      Cookie: btst=fadb858121f6c720dae4491d7568d1e0|154.61.71.13|1670452007|1670452007|0|1|0
      Response
      HTTP/1.1 302 Moved Temporarily
      Server: nginx
      Date: Wed, 07 Dec 2022 22:26:47 GMT
      Content-Type: text/html
      Connection: close
      Set-Cookie: btst=fadb858121f6c720dae4491d7568d1e0|154.61.71.13|1670452007|1670452007|0|2|0; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
      Location: 1
    • GET
      http://mkwm3jfy48v.ipcheker.com/1
      winlogon.exe
      Remote address:
      35.205.61.67:80
      Request
      GET /1 HTTP/1.1
      User-Agent: �����������Ī������׼��¥��������֡��ư���ä�ο���ʪ
      Host: mkwm3jfy48v.ipcheker.com
      Connection: Keep-Alive
      Cookie: btst=fadb858121f6c720dae4491d7568d1e0|154.61.71.13|1670452007|1670452007|0|2|0
      Response
      HTTP/1.1 302 Moved Temporarily
      Server: nginx
      Date: Wed, 07 Dec 2022 22:26:47 GMT
      Content-Type: text/html
      Connection: close
      Set-Cookie: btst=fadb858121f6c720dae4491d7568d1e0|154.61.71.13|1670452007|1670452007|0|3|0; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
      Location: 1
    • GET
      http://mkwm3jfy48v.ipcheker.com/1
      winlogon.exe
      Remote address:
      35.205.61.67:80
      Request
      GET /1 HTTP/1.1
      User-Agent: �����������Ī������׼��¥��������֡��ư���ä�ο���ʪ
      Host: mkwm3jfy48v.ipcheker.com
      Connection: Keep-Alive
      Cookie: btst=fadb858121f6c720dae4491d7568d1e0|154.61.71.13|1670452007|1670452007|0|3|0
      Response
      HTTP/1.1 302 Moved Temporarily
      Server: nginx
      Date: Wed, 07 Dec 2022 22:26:48 GMT
      Content-Type: text/html
      Connection: close
      Set-Cookie: btst=fadb858121f6c720dae4491d7568d1e0|154.61.71.13|1670452008|1670452007|0|4|0; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
      Location: 1
    • GET
      http://mkwm3jfy48v.ipcheker.com/1
      winlogon.exe
      Remote address:
      35.205.61.67:80
      Request
      GET /1 HTTP/1.1
      User-Agent: �����������Ī������׼��¥��������֡��ư���ä�ο���ʪ
      Host: mkwm3jfy48v.ipcheker.com
      Connection: Keep-Alive
      Cookie: btst=fadb858121f6c720dae4491d7568d1e0|154.61.71.13|1670452008|1670452007|0|4|0
      Response
      HTTP/1.1 302 Moved Temporarily
      Server: nginx
      Date: Wed, 07 Dec 2022 22:26:49 GMT
      Content-Type: text/html
      Connection: close
      Set-Cookie: btst=fadb858121f6c720dae4491d7568d1e0|154.61.71.13|1670452009|1670452007|0|5|0; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
      Location: 1
    • GET
      http://mkwm3jfy48v.ipcheker.com/1
      winlogon.exe
      Remote address:
      35.205.61.67:80
      Request
      GET /1 HTTP/1.1
      User-Agent: �����������Ī������׼��¥��������֡��ư���ä�ο���ʪ
      Host: mkwm3jfy48v.ipcheker.com
      Connection: Keep-Alive
      Cookie: btst=fadb858121f6c720dae4491d7568d1e0|154.61.71.13|1670452009|1670452007|0|5|0
      Response
      HTTP/1.1 302 Moved Temporarily
      Server: nginx
      Date: Wed, 07 Dec 2022 22:26:49 GMT
      Content-Type: text/html
      Connection: close
      Set-Cookie: btst=fadb858121f6c720dae4491d7568d1e0|154.61.71.13|1670452009|1670452007|0|6|0; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
      Location: 1
    • GET
      http://mkwm3jfy48v.ipcheker.com/1
      winlogon.exe
      Remote address:
      35.205.61.67:80
      Request
      GET /1 HTTP/1.1
      User-Agent: �����������Ī������׼��¥��������֡��ư���ä�ο���ʪ
      Host: mkwm3jfy48v.ipcheker.com
      Connection: Keep-Alive
      Cookie: btst=fadb858121f6c720dae4491d7568d1e0|154.61.71.13|1670452009|1670452007|0|6|0
      Response
      HTTP/1.1 302 Moved Temporarily
      Server: nginx
      Date: Wed, 07 Dec 2022 22:26:52 GMT
      Content-Type: text/html
      Connection: close
      Set-Cookie: btst=fadb858121f6c720dae4491d7568d1e0|154.61.71.13|1670452012|1670452007|1|7|0; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
      Location: 1
    • POST
      http://ww7.directorio-w.com/_fd
      IEXPLORE.EXE
      Remote address:
      199.59.243.222:80
      Request
      POST /_fd HTTP/1.1
      Accept: application/json
      Content-Type: application/json
      Referer: http://ww7.directorio-w.com/
      Accept-Language: en-US
      Accept-Encoding: gzip, deflate
      User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
      Host: ww7.directorio-w.com
      Content-Length: 0
      Connection: Keep-Alive
      Cache-Control: no-cache
      Cookie: parking_session=e104a6b9-7cf0-67b3-d6d7-d79e26dc56e0
      Response
      HTTP/1.1 200 OK
      Server: openresty
      Content-Type: text/html; charset=UTF-8
      Transfer-Encoding: chunked
      Connection: keep-alive
      Cache-Control: no-cache
      Date: Wed, 07 Dec 2022 22:26:56 GMT
      X-Version: 2.100.2
      Set-Cookie: parking_session=e104a6b9-7cf0-67b3-d6d7-d79e26dc56e0; expires=Wed, 07-Dec-2022 22:41:56 GMT; Max-Age=900; path=/; httponly
      Expires: Thu, 01 Jan 1970 00:00:01 GMT
      Cache-Control: no-store, must-revalidate
      Cache-Control: post-check=0, pre-check=0
      Pragma: no-cache
      Content-Encoding: gzip
    • GET
      http://ww7.directorio-w.com/px.gif?ch=1&rn=1.16761255169662
      IEXPLORE.EXE
      Remote address:
      199.59.243.222:80
      Request
      GET /px.gif?ch=1&rn=1.16761255169662 HTTP/1.1
      Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5
      Referer: http://ww7.directorio-w.com/
      Accept-Language: en-US
      User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
      Accept-Encoding: gzip, deflate
      Host: ww7.directorio-w.com
      Connection: Keep-Alive
      Cookie: parking_session=e104a6b9-7cf0-67b3-d6d7-d79e26dc56e0
      Response
      HTTP/1.1 200 OK
      Server: openresty
      Date: Wed, 07 Dec 2022 22:26:56 GMT
      Content-Type: image/gif
      Content-Length: 42
      Last-Modified: Wed, 15 Sep 2021 19:38:30 GMT
      Connection: keep-alive
      Expires: Thu, 01 Jan 1970 00:00:01 GMT
      Cache-Control: no-cache
      Cache-Control: no-store, must-revalidate
      Cache-Control: post-check=0, pre-check=0
      Pragma: no-cache
      Accept-Ranges: bytes
    • GET
      http://ww7.directorio-w.com/px.gif?ch=2&rn=1.16761255169662
      IEXPLORE.EXE
      Remote address:
      199.59.243.222:80
      Request
      GET /px.gif?ch=2&rn=1.16761255169662 HTTP/1.1
      Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5
      Referer: http://ww7.directorio-w.com/
      Accept-Language: en-US
      User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
      Accept-Encoding: gzip, deflate
      Host: ww7.directorio-w.com
      Connection: Keep-Alive
      Cookie: parking_session=e104a6b9-7cf0-67b3-d6d7-d79e26dc56e0
      Response
      HTTP/1.1 200 OK
      Server: openresty
      Date: Wed, 07 Dec 2022 22:26:56 GMT
      Content-Type: image/gif
      Content-Length: 42
      Last-Modified: Wed, 15 Sep 2021 19:38:30 GMT
      Connection: keep-alive
      Expires: Thu, 01 Jan 1970 00:00:01 GMT
      Cache-Control: no-cache
      Cache-Control: no-store, must-revalidate
      Cache-Control: post-check=0, pre-check=0
      Pragma: no-cache
      Accept-Ranges: bytes
    • 93.184.221.240:80
      46 B
      40 B
      1
      1
    • 93.184.221.240:80
      322 B
      7
    • 93.184.221.240:80
      260 B
      5
    • 40.74.98.195:443
      322 B
      7
    • 172.67.8.141:80
      whos.amung.us
      winlogon.exe
      260 B
      5
    • 104.80.225.205:443
      322 B
      7
    • 93.184.221.240:80
      322 B
      7
    • 93.184.221.240:80
      322 B
      7
    • 93.184.221.240:80
      322 B
      7
    • 104.22.74.171:80
      whos.amung.us
      winlogon.exe
      260 B
      5
    • 20.31.108.18:443
      40 B
      1
    • 104.22.75.171:80
      whos.amung.us
      winlogon.exe
      260 B
      5
    • 35.205.61.67:80
      spaon11524j.ipcheker.com
      winlogon.exe
      260 B
      5
    • 172.67.8.141:80
      whos.amung.us
      winlogon.exe
      260 B
      5
    • 104.22.74.171:80
      http://whos.amung.us/swidget/d23r523t4id
      http
      winlogon.exe
      242 B
      479 B
      4
      3

      HTTP Request

      GET http://whos.amung.us/swidget/d23r523t4id

      HTTP Response

      307
    • 104.22.74.171:80
      http://widgets.amung.us/small/00/2.png
      http
      winlogon.exe
      264 B
      850 B
      4
      3

      HTTP Request

      GET http://widgets.amung.us/small/00/2.png

      HTTP Response

      200
    • 44.227.65.245:80
      http://3vi4914078a7r73.youtubeta.com/index.php
      http
      winlogon.exe
      489 B
      577 B
      5
      4

      HTTP Request

      POST http://3vi4914078a7r73.youtubeta.com/index.php

      HTTP Response

      307
    • 72.52.178.23:80
      http://www.directorio-w.com/
      http
      IEXPLORE.EXE
      497 B
      503 B
      5
      4

      HTTP Request

      GET http://www.directorio-w.com/

      HTTP Response

      302
    • 72.52.178.23:80
      www.directorio-w.com
      IEXPLORE.EXE
      156 B
      3
    • 199.59.243.222:80
      ww7.directorio-w.com
      IEXPLORE.EXE
      190 B
      92 B
      4
      2
    • 199.59.243.222:80
      http://ww7.directorio-w.com/js/parking.2.100.2.js
      http
      IEXPLORE.EXE
      2.1kB
      26.0kB
      27
      26

      HTTP Request

      GET http://ww7.directorio-w.com/

      HTTP Response

      200

      HTTP Request

      GET http://ww7.directorio-w.com/js/parking.2.100.2.js

      HTTP Response

      200
    • 35.205.61.67:80
      http://mkwm3jfy48v.ipcheker.com/
      http
      winlogon.exe
      484 B
      808 B
      8
      6

      HTTP Request

      GET http://mkwm3jfy48v.ipcheker.com/

      HTTP Response

      302
    • 35.205.61.67:80
      http://mkwm3jfy48v.ipcheker.com/1
      http
      winlogon.exe
      505 B
      486 B
      6
      5

      HTTP Request

      GET http://mkwm3jfy48v.ipcheker.com/1

      HTTP Response

      302
    • 35.205.61.67:80
      http://mkwm3jfy48v.ipcheker.com/1
      http
      winlogon.exe
      505 B
      446 B
      6
      4

      HTTP Request

      GET http://mkwm3jfy48v.ipcheker.com/1

      HTTP Response

      302
    • 35.205.61.67:80
      http://mkwm3jfy48v.ipcheker.com/1
      http
      winlogon.exe
      551 B
      486 B
      7
      5

      HTTP Request

      GET http://mkwm3jfy48v.ipcheker.com/1

      HTTP Response

      302
    • 35.205.61.67:80
      http://mkwm3jfy48v.ipcheker.com/1
      http
      winlogon.exe
      689 B
      808 B
      10
      6

      HTTP Request

      GET http://mkwm3jfy48v.ipcheker.com/1

      HTTP Response

      302
    • 35.205.61.67:80
      http://mkwm3jfy48v.ipcheker.com/1
      http
      winlogon.exe
      505 B
      486 B
      6
      5

      HTTP Request

      GET http://mkwm3jfy48v.ipcheker.com/1

      HTTP Response

      302
    • 35.205.61.67:80
      http://mkwm3jfy48v.ipcheker.com/1
      http
      winlogon.exe
      655 B
      486 B
      9
      5

      HTTP Request

      GET http://mkwm3jfy48v.ipcheker.com/1

      HTTP Response

      302
    • 35.205.61.67:80
      mkwm3jfy48v.ipcheker.com
      winlogon.exe
      208 B
      4
    • 199.59.243.222:80
      http://ww7.directorio-w.com/_fd
      http
      IEXPLORE.EXE
      744 B
      4.7kB
      7
      6

      HTTP Request

      POST http://ww7.directorio-w.com/_fd

      HTTP Response

      200
    • 199.59.243.222:80
      http://ww7.directorio-w.com/px.gif?ch=1&rn=1.16761255169662
      http
      IEXPLORE.EXE
      596 B
      513 B
      4
      2

      HTTP Request

      GET http://ww7.directorio-w.com/px.gif?ch=1&rn=1.16761255169662

      HTTP Response

      200
    • 199.59.243.222:80
      http://ww7.directorio-w.com/px.gif?ch=2&rn=1.16761255169662
      http
      IEXPLORE.EXE
      596 B
      553 B
      4
      3

      HTTP Request

      GET http://ww7.directorio-w.com/px.gif?ch=2&rn=1.16761255169662

      HTTP Response

      200
    • 8.8.8.8:53
      whos.amung.us
      dns
      winlogon.exe
      59 B
      107 B
      1
      1

      DNS Request

      whos.amung.us

      DNS Response

      172.67.8.141
      104.22.74.171
      104.22.75.171

    • 8.8.8.8:53
      spaon11524j.ipcheker.com
      dns
      winlogon.exe
      70 B
      86 B
      1
      1

      DNS Request

      spaon11524j.ipcheker.com

      DNS Response

      35.205.61.67

    • 8.8.8.8:53
      whos.amung.us
      dns
      winlogon.exe
      59 B
      107 B
      1
      1

      DNS Request

      whos.amung.us

      DNS Response

      172.67.8.141
      104.22.74.171
      104.22.75.171

    • 8.8.8.8:53
      xtt3j3pp3m0.ipgreat.com
      dns
      winlogon.exe
      69 B
      142 B
      1
      1

      DNS Request

      xtt3j3pp3m0.ipgreat.com

    • 8.8.8.8:53
      97.97.242.52.in-addr.arpa
      dns
      71 B
      145 B
      1
      1

      DNS Request

      97.97.242.52.in-addr.arpa

    • 8.8.8.8:53
      widgets.amung.us
      dns
      winlogon.exe
      62 B
      110 B
      1
      1

      DNS Request

      widgets.amung.us

      DNS Response

      104.22.74.171
      172.67.8.141
      104.22.75.171

    • 8.8.8.8:53
      3vi4914078a7r73.youtubeta.com
      dns
      winlogon.exe
      75 B
      135 B
      1
      1

      DNS Request

      3vi4914078a7r73.youtubeta.com

      DNS Response

      44.227.65.245
      44.227.76.166

    • 8.8.8.8:53
      l19772ko05d8r44.directorio-w.com
      dns
      iexplore.exe
      78 B
      94 B
      1
      1

      DNS Request

      l19772ko05d8r44.directorio-w.com

      DNS Response

      72.52.178.23

    • 8.8.8.8:53
      www.directorio-w.com
      dns
      IEXPLORE.EXE
      66 B
      82 B
      1
      1

      DNS Request

      www.directorio-w.com

      DNS Response

      72.52.178.23

    • 8.8.8.8:53
      ww7.directorio-w.com
      dns
      IEXPLORE.EXE
      66 B
      108 B
      1
      1

      DNS Request

      ww7.directorio-w.com

      DNS Response

      199.59.243.222

    • 8.8.8.8:53
      parking.bodiscdn.com
      dns
      iexplore.exe
      66 B
      114 B
      1
      1

      DNS Request

      parking.bodiscdn.com

      DNS Response

      104.22.40.120
      104.22.41.120
      172.67.5.15

    • 8.8.8.8:53
      mkwm3jfy48v.ipcheker.com
      dns
      winlogon.exe
      70 B
      86 B
      1
      1

      DNS Request

      mkwm3jfy48v.ipcheker.com

      DNS Response

      35.205.61.67

    Downloads

    • C:\Users\Admin\E696D64614\winlogon.exe

      Filesize

      73KB

      MD5

      ab115f0a6d01203b54f3d4b1a327b587

      SHA1

      bbb4761896d6f206f085ed5f0481b8e68f8e80d6

      SHA256

      a85040e7ecb3f06082b5292804267433e611040c89d835a8ffd3151b148ed687

      SHA512

      c047ca3e2c725df30284d8fbc06f88dd99588ae6c2c25f656060c21ecb055396018447aad65349e2261d9c9ff1b5e39caeb013665e8210d975abf4e95fba28da

    • memory/1360-144-0x0000000000400000-0x000000000042E000-memory.dmp

      Filesize

      184KB

    • memory/1360-147-0x0000000000400000-0x000000000042E000-memory.dmp

      Filesize

      184KB

    • memory/1360-148-0x0000000000400000-0x000000000042E000-memory.dmp

      Filesize

      184KB

    • memory/1360-151-0x0000000000400000-0x000000000042E000-memory.dmp

      Filesize

      184KB

    • memory/1360-152-0x0000000000400000-0x000000000042E000-memory.dmp

      Filesize

      184KB

    • memory/4908-138-0x0000000000400000-0x000000000044B000-memory.dmp

      Filesize

      300KB

    • memory/4908-132-0x0000000000400000-0x000000000044B000-memory.dmp

      Filesize

      300KB

    • memory/4960-141-0x0000000000400000-0x000000000044B000-memory.dmp

      Filesize

      300KB

    • memory/4960-142-0x0000000000400000-0x000000000044B000-memory.dmp

      Filesize

      300KB
