xred | 35acdf1a5578a8605697cc8053509c51e8737921168f6f9917ba72d4e8bdc3ee

Analysis

max time kernel
144s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
06/01/2025, 02:24 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
Size

34.7MB
MD5

253baf4a712d3bacc42c2c944c688feb
SHA1

9c54c6810b05ad51f31a14acd60131dca259716e
SHA256

35acdf1a5578a8605697cc8053509c51e8737921168f6f9917ba72d4e8bdc3ee
SHA512

3cc204d205fc509ebc6b0857de825b1e4fc4c5b0478fe44bb3a0e97d4bed95e67878ebee824e3e69d94b663c0abf7c21c2a31021d4e30e788c7e5451111c4d91
SSDEEP

393216:mXXdmf1JPPIbTv2zqfFOsvSqQs8yDuDhxMewmIaOiRrqNuZif8l1hSp0huAePYn6:Qw1JPGTvXfIsb45O8ZiY1s7g8Sw

Score

10^/10

xred backdoor bootkit discovery persistence spyware stealer

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
xredline1@gmail.com
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred
Downloads MZ/PE file

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	Synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	._cache_Synaptics.exe

Executes dropped EXE 3 IoCs

pid	Process
3544	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
740	Synaptics.exe
3720	._cache_Synaptics.exe

Loads dropped DLL 2 IoCs

pid	Process
3544	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
3720	._cache_Synaptics.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe

Checks for any installed AV software in registry 1 TTPs 4 IoCs

Security Software Discovery

T1518.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Software\WOW6432Node\AVAST Software\Avast	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
Key opened	\REGISTRY\MACHINE\Software\WOW6432Node\Avira\Antivirus	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
Key opened	\REGISTRY\MACHINE\Software\WOW6432Node\AVAST Software\Avast	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\Software\WOW6432Node\Avira\Antivirus	._cache_Synaptics.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
File opened for modification	\??\PhysicalDrive0	._cache_Synaptics.exe

Checks system information in the registry 2 TTPs 4 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	._cache_Synaptics.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	._cache_Synaptics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2984	3544	WerFault.exe	83

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe

Checks processor information in registry 2 TTPs 23 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	._cache_Synaptics.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor	._cache_Synaptics.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	._cache_Synaptics.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	._cache_Synaptics.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	._cache_Synaptics.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	._cache_Synaptics.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	._cache_Synaptics.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
4424	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 58 IoCs

pid	Process
3544	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
3544	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
3544	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
3544	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
3544	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
3544	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
3544	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
3544	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
3544	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
3544	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
3544	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
3544	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
3544	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
3544	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
3544	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
3544	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
3544	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
3544	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
3720	._cache_Synaptics.exe
3720	._cache_Synaptics.exe
3720	._cache_Synaptics.exe
3720	._cache_Synaptics.exe
3720	._cache_Synaptics.exe
3720	._cache_Synaptics.exe
3720	._cache_Synaptics.exe
3720	._cache_Synaptics.exe
3720	._cache_Synaptics.exe
3720	._cache_Synaptics.exe
3720	._cache_Synaptics.exe
3720	._cache_Synaptics.exe
3720	._cache_Synaptics.exe
3720	._cache_Synaptics.exe
3720	._cache_Synaptics.exe
3720	._cache_Synaptics.exe
3720	._cache_Synaptics.exe
3720	._cache_Synaptics.exe
3544	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
3544	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
3544	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
3544	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
3544	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
3544	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
3544	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
3544	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
3544	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
3544	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
3544	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
3544	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
3544	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
3544	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
3544	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
3544	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
3544	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
3544	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
3544	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
3544	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
3544	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
3544	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeDebugPrivilege	3544	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
Token: SeDebugPrivilege	3720	._cache_Synaptics.exe
Token: SeShutdownPrivilege	3544	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
Token: SeCreatePagefilePrivilege	3544	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
Token: SeShutdownPrivilege	3544	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
Token: SeCreatePagefilePrivilege	3544	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
Token: SeShutdownPrivilege	3544	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
Token: SeCreatePagefilePrivilege	3544	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
Token: SeShutdownPrivilege	3544	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
Token: SeCreatePagefilePrivilege	3544	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
Token: SeShutdownPrivilege	3720	._cache_Synaptics.exe
Token: SeCreatePagefilePrivilege	3720	._cache_Synaptics.exe
Token: SeShutdownPrivilege	3720	._cache_Synaptics.exe
Token: SeCreatePagefilePrivilege	3720	._cache_Synaptics.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3544	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
4424	EXCEL.EXE
4424	EXCEL.EXE
4424	EXCEL.EXE
4424	EXCEL.EXE
4424	EXCEL.EXE
4424	EXCEL.EXE
3544	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
3720	._cache_Synaptics.exe
3544	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
3720	._cache_Synaptics.exe
3544	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
3544	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3536 wrote to memory of 3544	3536	2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe	83
PID 3536 wrote to memory of 3544	3536	2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe	83
PID 3536 wrote to memory of 3544	3536	2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe	83
PID 3536 wrote to memory of 740	3536	2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe	84
PID 3536 wrote to memory of 740	3536	2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe	84
PID 3536 wrote to memory of 740	3536	2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe	84
PID 740 wrote to memory of 3720	740	Synaptics.exe	85
PID 740 wrote to memory of 3720	740	Synaptics.exe	85
PID 740 wrote to memory of 3720	740	Synaptics.exe	85

C:\Users\Admin\AppData\Local\Temp\2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
"C:\Users\Admin\AppData\Local\Temp\2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3536
- C:\Users\Admin\AppData\Local\Temp\._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks for any installed AV software in registry
  - Writes to the Master Boot Record (MBR)
  - Checks system information in the registry
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:3544
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3544 -s 3884
    3⤵
    - Program crash
    PID:2984
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:740
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks for any installed AV software in registry
    - Writes to the Master Boot Record (MBR)
    - Checks system information in the registry
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:3720

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3544 -ip 3544
1⤵
PID:1924

Network

DNS

8.8.8.8.in-addr.arpa

Remote address:

8.8.8.8:53

Request

8.8.8.8.in-addr.arpa

IN PTR

Response

8.8.8.8.in-addr.arpa

IN PTR

dnsgoogle
DNS

97.17.167.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

97.17.167.52.in-addr.arpa

IN PTR

Response
DNS

172.210.232.199.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.210.232.199.in-addr.arpa

IN PTR

Response
DNS

4.159.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

4.159.190.20.in-addr.arpa

IN PTR

Response
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

ncc.avast.com

._cache_Synaptics.exe

Remote address:

8.8.8.8:53

Request

ncc.avast.com

IN A

Response

ncc.avast.com

IN CNAME

ncc.avast.com.edgesuite.net

ncc.avast.com.edgesuite.net

IN CNAME

a1488.dscd.akamai.net

a1488.dscd.akamai.net

IN A

2.18.190.163

a1488.dscd.akamai.net

IN A

2.18.190.168
GET

http://ncc.avast.com/ncc.txt

._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe

Remote address:

2.18.190.163:80

Request

GET /ncc.txt HTTP/1.1
Connection: Keep-Alive
User-Agent: Avast Antivirus
Host: ncc.avast.com

Response

HTTP/1.1 200 OK

Content-Type: text/html
Content-Length: 26
Date: Mon, 06 Jan 2025 02:24:26 GMT
Connection: keep-alive
DNS

163.190.18.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

163.190.18.2.in-addr.arpa

IN PTR

Response

163.190.18.2.in-addr.arpa

IN PTR

a2-18-190-163deploystaticakamaitechnologiescom
GET

http://ncc.avast.com/ncc.txt

._cache_Synaptics.exe

Remote address:

2.18.190.163:80

Request

GET /ncc.txt HTTP/1.1
Connection: Keep-Alive
User-Agent: Avast Antivirus
Host: ncc.avast.com

Response

HTTP/1.1 200 OK

Content-Type: text/html
Content-Length: 26
Date: Mon, 06 Jan 2025 02:24:31 GMT
Connection: keep-alive
DNS

xred.mooo.com

Synaptics.exe

Remote address:

8.8.8.8:53

Request

xred.mooo.com

IN A

Response
DNS

freedns.afraid.org

Synaptics.exe

Remote address:

8.8.8.8:53

Request

freedns.afraid.org

IN A

Response

freedns.afraid.org

IN A

69.42.215.252
GET

http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

Synaptics.exe

Remote address:

69.42.215.252:80

Request

GET /api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978 HTTP/1.1
User-Agent: MyApp
Host: freedns.afraid.org
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx
Date: Mon, 06 Jan 2025 02:24:34 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Cache: MISS
DNS

46.28.109.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

46.28.109.52.in-addr.arpa

IN PTR

Response
DNS

31.243.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

31.243.111.52.in-addr.arpa

IN PTR

Response
DNS

95.16.208.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.16.208.104.in-addr.arpa

IN PTR

Response
DNS

252.215.42.69.in-addr.arpa

Remote address:

8.8.8.8:53

Request

252.215.42.69.in-addr.arpa

IN PTR

Response
DNS

252.215.42.69.in-addr.arpa

Remote address:

8.8.8.8:53

Request

252.215.42.69.in-addr.arpa

IN PTR

Response
DNS

analytics.avcdn.net

._cache_Synaptics.exe

Remote address:

8.8.8.8:53

Request

analytics.avcdn.net

IN A

Response

analytics.avcdn.net

IN CNAME

analytics.ff.avast.com

analytics.ff.avast.com

IN CNAME

analytics-prod-gcp.ff.avast.com

analytics-prod-gcp.ff.avast.com

IN A

34.117.223.223
POST

https://analytics.avcdn.net/receive3

._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe

Remote address:

34.117.223.223:443

Request

POST /receive3 HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-enc-sb
User-Agent: Avast Antivirus
Content-Length: 278
Host: analytics.avcdn.net

Response

HTTP/1.1 200 OK

Server: nginx
Date: Mon, 06 Jan 2025 02:24:38 GMT
Content-Type: application/octet-stream
Content-Length: 24
X-ASW-Receiver-Ack: processed
Via: 1.1 google
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
POST

https://analytics.avcdn.net/receive3

._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe

Remote address:

34.117.223.223:443

Request

POST /receive3 HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-enc-sb
User-Agent: Avast Antivirus
Content-Length: 270
Host: analytics.avcdn.net

Response

HTTP/1.1 200 OK

Server: nginx
Date: Mon, 06 Jan 2025 02:24:38 GMT
Content-Type: application/octet-stream
Content-Length: 24
X-ASW-Receiver-Ack: processed
Via: 1.1 google
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
POST

https://analytics.avcdn.net/receive3

._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe

Remote address:

34.117.223.223:443

Request

POST /receive3 HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-enc-sb
User-Agent: Avast Antivirus
Content-Length: 269
Host: analytics.avcdn.net

Response

HTTP/1.1 200 OK

Server: nginx
Date: Mon, 06 Jan 2025 02:24:38 GMT
Content-Type: application/octet-stream
Content-Length: 24
X-ASW-Receiver-Ack: processed
Via: 1.1 google
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
POST

https://analytics.avcdn.net/receive3

._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe

Remote address:

34.117.223.223:443

Request

POST /receive3 HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-enc-sb
User-Agent: Avast Antivirus
Content-Length: 281
Host: analytics.avcdn.net

Response

HTTP/1.1 200 OK

Server: nginx
Date: Mon, 06 Jan 2025 02:24:38 GMT
Content-Type: application/octet-stream
Content-Length: 24
X-ASW-Receiver-Ack: processed
Via: 1.1 google
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
POST

https://analytics.avcdn.net/receive3

._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe

Remote address:

34.117.223.223:443

Request

POST /receive3 HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-enc-sb
User-Agent: Avast Antivirus
Content-Length: 284
Host: analytics.avcdn.net

Response

HTTP/1.1 200 OK

Server: nginx
Date: Mon, 06 Jan 2025 02:24:38 GMT
Content-Type: application/octet-stream
Content-Length: 24
X-ASW-Receiver-Ack: processed
Via: 1.1 google
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
POST

https://analytics.avcdn.net/receive3

._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe

Remote address:

34.117.223.223:443

Request

POST /receive3 HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-enc-sb
User-Agent: Avast Antivirus
Content-Length: 266
Host: analytics.avcdn.net

Response

HTTP/1.1 200 OK

Server: nginx
Date: Mon, 06 Jan 2025 02:24:38 GMT
Content-Type: application/octet-stream
Content-Length: 24
X-ASW-Receiver-Ack: processed
Via: 1.1 google
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
POST

https://analytics.avcdn.net/receive3

._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe

Remote address:

34.117.223.223:443

Request

POST /receive3 HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-enc-sb
User-Agent: Avast Antivirus
Content-Length: 284
Host: analytics.avcdn.net

Response

HTTP/1.1 200 OK

Server: nginx
Date: Mon, 06 Jan 2025 02:24:38 GMT
Content-Type: application/octet-stream
Content-Length: 24
X-ASW-Receiver-Ack: processed
Via: 1.1 google
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
POST

https://analytics.avcdn.net/receive3

._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe

Remote address:

34.117.223.223:443

Request

POST /receive3 HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-enc-sb
User-Agent: Avast Antivirus
Content-Length: 290
Host: analytics.avcdn.net

Response

HTTP/1.1 200 OK

Server: nginx
Date: Mon, 06 Jan 2025 02:24:38 GMT
Content-Type: application/octet-stream
Content-Length: 24
X-ASW-Receiver-Ack: processed
Via: 1.1 google
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
POST

https://analytics.avcdn.net/receive3

._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe

Remote address:

34.117.223.223:443

Request

POST /receive3 HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-enc-sb
User-Agent: Avast Antivirus
Content-Length: 578
Host: analytics.avcdn.net

Response

HTTP/1.1 200 OK

Server: nginx
Date: Mon, 06 Jan 2025 02:24:38 GMT
Content-Type: application/octet-stream
Content-Length: 24
X-ASW-Receiver-Ack: processed
Via: 1.1 google
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
POST

https://analytics.avcdn.net/receive3

._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe

Remote address:

34.117.223.223:443

Request

POST /receive3 HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-enc-sb
User-Agent: Avast Antivirus
Content-Length: 235
Host: analytics.avcdn.net

Response

HTTP/1.1 200 OK

Server: nginx
Date: Mon, 06 Jan 2025 02:24:40 GMT
Content-Type: application/octet-stream
Content-Length: 24
X-ASW-Receiver-Ack: processed
Via: 1.1 google
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
POST

https://analytics.avcdn.net/receive3

._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe

Remote address:

34.117.223.223:443

Request

POST /receive3 HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-enc-sb
User-Agent: Avast Antivirus
Content-Length: 246
Host: analytics.avcdn.net

Response

HTTP/1.1 200 OK

Server: nginx
Date: Mon, 06 Jan 2025 02:24:40 GMT
Content-Type: application/octet-stream
Content-Length: 24
X-ASW-Receiver-Ack: processed
Via: 1.1 google
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
POST

https://analytics.avcdn.net/receive3

._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe

Remote address:

34.117.223.223:443

Request

POST /receive3 HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-enc-sb
User-Agent: Avast Antivirus
Content-Length: 254
Host: analytics.avcdn.net

Response

HTTP/1.1 200 OK

Server: nginx
Date: Mon, 06 Jan 2025 02:24:40 GMT
Content-Type: application/octet-stream
Content-Length: 24
X-ASW-Receiver-Ack: processed
Via: 1.1 google
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
POST

https://analytics.avcdn.net/receive3

._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe

Remote address:

34.117.223.223:443

Request

POST /receive3 HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-enc-sb
User-Agent: Avast Antivirus
Content-Length: 301
Host: analytics.avcdn.net

Response

HTTP/1.1 200 OK

Server: nginx
Date: Mon, 06 Jan 2025 02:24:41 GMT
Content-Type: application/octet-stream
Content-Length: 24
X-ASW-Receiver-Ack: processed
Via: 1.1 google
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
POST

https://analytics.avcdn.net/receive3

._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe

Remote address:

34.117.223.223:443

Request

POST /receive3 HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-enc-sb
User-Agent: Avast Antivirus
Content-Length: 237
Host: analytics.avcdn.net

Response

HTTP/1.1 200 OK

Server: nginx
Date: Mon, 06 Jan 2025 02:24:42 GMT
Content-Type: application/octet-stream
Content-Length: 24
X-ASW-Receiver-Ack: processed
Via: 1.1 google
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
POST

https://analytics.avcdn.net/receive3

._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe

Remote address:

34.117.223.223:443

Request

POST /receive3 HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-enc-sb
User-Agent: Avast Antivirus
Content-Length: 257
Host: analytics.avcdn.net

Response

HTTP/1.1 200 OK

Server: nginx
Date: Mon, 06 Jan 2025 02:24:42 GMT
Content-Type: application/octet-stream
Content-Length: 24
X-ASW-Receiver-Ack: processed
Via: 1.1 google
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
POST

https://analytics.avcdn.net/receive3

._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe

Remote address:

34.117.223.223:443

Request

POST /receive3 HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-enc-sb
User-Agent: Avast Antivirus
Content-Length: 266
Host: analytics.avcdn.net

Response

HTTP/1.1 200 OK

Server: nginx
Date: Mon, 06 Jan 2025 02:24:42 GMT
Content-Type: application/octet-stream
Content-Length: 24
X-ASW-Receiver-Ack: processed
Via: 1.1 google
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
POST

https://analytics.avcdn.net/receive3

._cache_Synaptics.exe

Remote address:

34.117.223.223:443

Request

POST /receive3 HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-enc-sb
User-Agent: Avast Antivirus
Content-Length: 278
Host: analytics.avcdn.net

Response

HTTP/1.1 200 OK

Server: nginx
Date: Mon, 06 Jan 2025 02:24:38 GMT
Content-Type: application/octet-stream
Content-Length: 24
X-ASW-Receiver-Ack: processed
Via: 1.1 google
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
POST

https://analytics.avcdn.net/receive3

._cache_Synaptics.exe

Remote address:

34.117.223.223:443

Request

POST /receive3 HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-enc-sb
User-Agent: Avast Antivirus
Content-Length: 270
Host: analytics.avcdn.net

Response

HTTP/1.1 200 OK

Server: nginx
Date: Mon, 06 Jan 2025 02:24:38 GMT
Content-Type: application/octet-stream
Content-Length: 24
X-ASW-Receiver-Ack: processed
Via: 1.1 google
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
POST

https://analytics.avcdn.net/receive3

._cache_Synaptics.exe

Remote address:

34.117.223.223:443

Request

POST /receive3 HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-enc-sb
User-Agent: Avast Antivirus
Content-Length: 269
Host: analytics.avcdn.net

Response

HTTP/1.1 200 OK

Server: nginx
Date: Mon, 06 Jan 2025 02:24:38 GMT
Content-Type: application/octet-stream
Content-Length: 24
X-ASW-Receiver-Ack: processed
Via: 1.1 google
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
POST

https://analytics.avcdn.net/receive3

._cache_Synaptics.exe

Remote address:

34.117.223.223:443

Request

POST /receive3 HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-enc-sb
User-Agent: Avast Antivirus
Content-Length: 281
Host: analytics.avcdn.net

Response

HTTP/1.1 200 OK

Server: nginx
Date: Mon, 06 Jan 2025 02:24:39 GMT
Content-Type: application/octet-stream
Content-Length: 24
X-ASW-Receiver-Ack: processed
Via: 1.1 google
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
POST

https://analytics.avcdn.net/receive3

._cache_Synaptics.exe

Remote address:

34.117.223.223:443

Request

POST /receive3 HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-enc-sb
User-Agent: Avast Antivirus
Content-Length: 284
Host: analytics.avcdn.net

Response

HTTP/1.1 200 OK

Server: nginx
Date: Mon, 06 Jan 2025 02:24:39 GMT
Content-Type: application/octet-stream
Content-Length: 24
X-ASW-Receiver-Ack: processed
Via: 1.1 google
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
POST

https://analytics.avcdn.net/receive3

._cache_Synaptics.exe

Remote address:

34.117.223.223:443

Request

POST /receive3 HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-enc-sb
User-Agent: Avast Antivirus
Content-Length: 266
Host: analytics.avcdn.net

Response

HTTP/1.1 200 OK

Server: nginx
Date: Mon, 06 Jan 2025 02:24:39 GMT
Content-Type: application/octet-stream
Content-Length: 24
X-ASW-Receiver-Ack: processed
Via: 1.1 google
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
POST

https://analytics.avcdn.net/receive3

._cache_Synaptics.exe

Remote address:

34.117.223.223:443

Request

POST /receive3 HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-enc-sb
User-Agent: Avast Antivirus
Content-Length: 284
Host: analytics.avcdn.net

Response

HTTP/1.1 200 OK

Server: nginx
Date: Mon, 06 Jan 2025 02:24:39 GMT
Content-Type: application/octet-stream
Content-Length: 24
X-ASW-Receiver-Ack: processed
Via: 1.1 google
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
POST

https://analytics.avcdn.net/receive3

._cache_Synaptics.exe

Remote address:

34.117.223.223:443

Request

POST /receive3 HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-enc-sb
User-Agent: Avast Antivirus
Content-Length: 290
Host: analytics.avcdn.net

Response

HTTP/1.1 200 OK

Server: nginx
Date: Mon, 06 Jan 2025 02:24:39 GMT
Content-Type: application/octet-stream
Content-Length: 24
X-ASW-Receiver-Ack: processed
Via: 1.1 google
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
POST

https://analytics.avcdn.net/receive3

._cache_Synaptics.exe

Remote address:

34.117.223.223:443

Request

POST /receive3 HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-enc-sb
User-Agent: Avast Antivirus
Content-Length: 578
Host: analytics.avcdn.net

Response

HTTP/1.1 200 OK

Server: nginx
Date: Mon, 06 Jan 2025 02:24:39 GMT
Content-Type: application/octet-stream
Content-Length: 24
X-ASW-Receiver-Ack: processed
Via: 1.1 google
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
POST

https://analytics.avcdn.net/receive3

._cache_Synaptics.exe

Remote address:

34.117.223.223:443

Request

POST /receive3 HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-enc-sb
User-Agent: Avast Antivirus
Content-Length: 235
Host: analytics.avcdn.net

Response

HTTP/1.1 200 OK

Server: nginx
Date: Mon, 06 Jan 2025 02:24:40 GMT
Content-Type: application/octet-stream
Content-Length: 24
X-ASW-Receiver-Ack: processed
Via: 1.1 google
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
POST

https://analytics.avcdn.net/receive3

._cache_Synaptics.exe

Remote address:

34.117.223.223:443

Request

POST /receive3 HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-enc-sb
User-Agent: Avast Antivirus
Content-Length: 246
Host: analytics.avcdn.net

Response

HTTP/1.1 200 OK

Server: nginx
Date: Mon, 06 Jan 2025 02:24:40 GMT
Content-Type: application/octet-stream
Content-Length: 24
X-ASW-Receiver-Ack: processed
Via: 1.1 google
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
POST

https://analytics.avcdn.net/receive3

._cache_Synaptics.exe

Remote address:

34.117.223.223:443

Request

POST /receive3 HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-enc-sb
User-Agent: Avast Antivirus
Content-Length: 254
Host: analytics.avcdn.net

Response

HTTP/1.1 200 OK

Server: nginx
Date: Mon, 06 Jan 2025 02:24:40 GMT
Content-Type: application/octet-stream
Content-Length: 24
X-ASW-Receiver-Ack: processed
Via: 1.1 google
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
POST

https://analytics.avcdn.net/receive3

._cache_Synaptics.exe

Remote address:

34.117.223.223:443

Request

POST /receive3 HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-enc-sb
User-Agent: Avast Antivirus
Content-Length: 301
Host: analytics.avcdn.net

Response

HTTP/1.1 200 OK

Server: nginx
Date: Mon, 06 Jan 2025 02:24:41 GMT
Content-Type: application/octet-stream
Content-Length: 24
X-ASW-Receiver-Ack: processed
Via: 1.1 google
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
POST

https://analytics.avcdn.net/receive3

._cache_Synaptics.exe

Remote address:

34.117.223.223:443

Request

POST /receive3 HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-enc-sb
User-Agent: Avast Antivirus
Content-Length: 237
Host: analytics.avcdn.net

Response

HTTP/1.1 200 OK

Server: nginx
Date: Mon, 06 Jan 2025 02:24:42 GMT
Content-Type: application/octet-stream
Content-Length: 24
X-ASW-Receiver-Ack: processed
Via: 1.1 google
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
POST

https://analytics.avcdn.net/receive3

._cache_Synaptics.exe

Remote address:

34.117.223.223:443

Request

POST /receive3 HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-enc-sb
User-Agent: Avast Antivirus
Content-Length: 248
Host: analytics.avcdn.net

Response

HTTP/1.1 200 OK

Server: nginx
Date: Mon, 06 Jan 2025 02:25:41 GMT
Content-Type: application/octet-stream
Content-Length: 24
X-ASW-Receiver-Ack: processed
Via: 1.1 google
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
POST

https://analytics.avcdn.net/receive3

._cache_Synaptics.exe

Remote address:

34.117.223.223:443

Request

POST /receive3 HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-enc-sb
User-Agent: Avast Antivirus
Content-Length: 233
Host: analytics.avcdn.net

Response

HTTP/1.1 200 OK

Server: nginx
Date: Mon, 06 Jan 2025 02:25:41 GMT
Content-Type: application/octet-stream
Content-Length: 24
X-ASW-Receiver-Ack: processed
Via: 1.1 google
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
POST

https://analytics.avcdn.net/receive3

._cache_Synaptics.exe

Remote address:

34.117.223.223:443

Request

POST /receive3 HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-enc-sb
User-Agent: Avast Antivirus
Content-Length: 250
Host: analytics.avcdn.net

Response

HTTP/1.1 200 OK

Server: nginx
Date: Mon, 06 Jan 2025 02:25:41 GMT
Content-Type: application/octet-stream
Content-Length: 24
X-ASW-Receiver-Ack: processed
Via: 1.1 google
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
POST

https://analytics.avcdn.net/receive3

._cache_Synaptics.exe

Remote address:

34.117.223.223:443

Request

POST /receive3 HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-enc-sb
User-Agent: Avast Antivirus
Content-Length: 248
Host: analytics.avcdn.net

Response

HTTP/1.1 200 OK

Server: nginx
Date: Mon, 06 Jan 2025 02:25:48 GMT
Content-Type: application/octet-stream
Content-Length: 24
X-ASW-Receiver-Ack: processed
Via: 1.1 google
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
POST

https://analytics.avcdn.net/receive3

._cache_Synaptics.exe

Remote address:

34.117.223.223:443

Request

POST /receive3 HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-enc-sb
User-Agent: Avast Antivirus
Content-Length: 248
Host: analytics.avcdn.net

Response

HTTP/1.1 200 OK

Server: nginx
Date: Mon, 06 Jan 2025 02:25:48 GMT
Content-Type: application/octet-stream
Content-Length: 24
X-ASW-Receiver-Ack: processed
Via: 1.1 google
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
DNS

223.223.117.34.in-addr.arpa

Remote address:

8.8.8.8:53

Request

223.223.117.34.in-addr.arpa

IN PTR

Response

223.223.117.34.in-addr.arpa

IN PTR

22322311734bcgoogleusercontentcom
DNS

13.86.106.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

13.86.106.20.in-addr.arpa

IN PTR

Response
DNS

shepherd.ff.avast.com

._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe

Remote address:

8.8.8.8:53

Request

shepherd.ff.avast.com

IN A

Response

shepherd.ff.avast.com

IN CNAME

shepherd-gcp.ff.avast.com

shepherd-gcp.ff.avast.com

IN A

34.160.176.28
DNS

ip-info.ff.avast.com

._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe

Remote address:

8.8.8.8:53

Request

ip-info.ff.avast.com

IN A

Response

ip-info.ff.avast.com

IN CNAME

ip-info-gcp.ff.avast.com

ip-info-gcp.ff.avast.com

IN A

34.111.175.102
DNS

www.ccleaner.com

._cache_Synaptics.exe

Remote address:

8.8.8.8:53

Request

www.ccleaner.com

IN A

Response

www.ccleaner.com

IN CNAME

www.ccleaner.com.edgekey.net

www.ccleaner.com.edgekey.net

IN CNAME

e13363.dsca.akamaiedge.net

e13363.dsca.akamaiedge.net

IN A

104.96.174.89
DNS

ipm-provider.ff.avast.com

._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe

Remote address:

8.8.8.8:53

Request

ipm-provider.ff.avast.com

IN A

Response

ipm-provider.ff.avast.com

IN CNAME

ipm-gcp-prod.ff.avast.com

ipm-gcp-prod.ff.avast.com

IN A

34.111.24.1
GET

https://shepherd.ff.avast.com/?p_lng=en&p_lid=en-us&p_ads=1&p_devrsrch=1&p_thrdprt=0&p_thrdtr=0&p_midex=488DCA4C15F9A1D330AD312B391A804E00000000000000000000000000000000&p_hid=6c5699e1-6f7b-4658-8947-57c02a9fea05&p_ubs=50&p_trs=0&p_alp=0&p_jar=0&p_cclic=&p_chcc=0&p_bld=&p_pro=90&p_vep=6&p_ves=17&p_vbd=10746&p_osv=10.0&p_gksw=1&p_chr=0&p_sbi=0&p_scbu=0&p_tos=0&p_bau=0&p_dvt=3&p_bsls=0&p_gis=0&p_fds=20409&p_cco=0&p_ccgx=0&p_cce=1&p_cced=1&p_ccnsv=0&p_ccnu=0&p_ccna=0&p_ccnl=0&p_lit=0&p_age=0&p_tcy=0&p_pct=0&p_jct=0

._cache_Synaptics.exe

Remote address:

34.160.176.28:443

Request

GET /?p_lng=en&p_lid=en-us&p_ads=1&p_devrsrch=1&p_thrdprt=0&p_thrdtr=0&p_midex=488DCA4C15F9A1D330AD312B391A804E00000000000000000000000000000000&p_hid=6c5699e1-6f7b-4658-8947-57c02a9fea05&p_ubs=50&p_trs=0&p_alp=0&p_jar=0&p_cclic=&p_chcc=0&p_bld=&p_pro=90&p_vep=6&p_ves=17&p_vbd=10746&p_osv=10.0&p_gksw=1&p_chr=0&p_sbi=0&p_scbu=0&p_tos=0&p_bau=0&p_dvt=3&p_bsls=0&p_gis=0&p_fds=20409&p_cco=0&p_ccgx=0&p_cce=1&p_cced=1&p_ccnsv=0&p_ccnu=0&p_ccna=0&p_ccnl=0&p_lit=0&p_age=0&p_tcy=0&p_pct=0&p_jct=0 HTTP/1.1
User-Agent: Mozilla/4.0 (CCleaner, 6.17.10746)
Host: shepherd.ff.avast.com
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx
Date: Mon, 06 Jan 2025 02:24:41 GMT
Content-Type: text/plain
Content-Length: 1552
Access-Control-Allow-Origin: *
Access-Control-Expose-Headers: Config-Id, Config-Name, Config-Version, Segments, AB-Tests, TTL, TTL-Spread
Config-Id: 33
Config-Name: CCleaner_cc-ui-launch-in-the-background_distribution---driver-updater_feedback---performance-optimizer_distribution---easy-clean-ipm_su-exclude-redistributables_surveygroupuninstall-d25dd41e569fcc7bee53562612b9161260efe6fd771206abefec9ee54b5111c2
Config-Version: 326
Segments: cc ui launch in the background,distribution - driver updater,feedback - performance optimizer,distribution - easy clean ipm,su exclude redistributables,surveygroupuninstall
TTL: 86400
TTL-Spread: 43200
Via: 1.1 google
Alt-Svc: clear
GET

https://shepherd.ff.avast.com/?p_lng=en&p_lid=en-us&p_ads=1&p_devrsrch=1&p_thrdprt=0&p_thrdtr=0&p_midex=488DCA4C15F9A1D330AD312B391A804E00000000000000000000000000000000&p_hid=6c5699e1-6f7b-4658-8947-57c02a9fea05&p_ubs=50&p_trs=0&p_alp=0&p_jar=0&p_cclic=&p_chcc=0&p_bld=&p_pro=90&p_vep=6&p_ves=17&p_vbd=10746&p_osv=10.0&p_gksw=1&p_chr=0&p_sbi=0&p_scbu=0&p_tos=0&p_bau=0&p_dvt=3&p_bsls=0&p_gis=0&p_fds=20409&p_cco=0&p_ccgx=0&p_cce=1&p_cced=1&p_ccnsv=0&p_ccnu=0&p_ccna=0&p_ccnl=0&p_lit=0&p_age=0&p_tcy=0&p_pct=0&p_jct=0

._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe

Remote address:

34.160.176.28:443

Request

GET /?p_lng=en&p_lid=en-us&p_ads=1&p_devrsrch=1&p_thrdprt=0&p_thrdtr=0&p_midex=488DCA4C15F9A1D330AD312B391A804E00000000000000000000000000000000&p_hid=6c5699e1-6f7b-4658-8947-57c02a9fea05&p_ubs=50&p_trs=0&p_alp=0&p_jar=0&p_cclic=&p_chcc=0&p_bld=&p_pro=90&p_vep=6&p_ves=17&p_vbd=10746&p_osv=10.0&p_gksw=1&p_chr=0&p_sbi=0&p_scbu=0&p_tos=0&p_bau=0&p_dvt=3&p_bsls=0&p_gis=0&p_fds=20409&p_cco=0&p_ccgx=0&p_cce=1&p_cced=1&p_ccnsv=0&p_ccnu=0&p_ccna=0&p_ccnl=0&p_lit=0&p_age=0&p_tcy=0&p_pct=0&p_jct=0 HTTP/1.1
User-Agent: Mozilla/4.0 (CCleaner, 6.17.10746)
Host: shepherd.ff.avast.com
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx
Date: Mon, 06 Jan 2025 02:24:41 GMT
Content-Type: text/plain
Content-Length: 1552
Access-Control-Allow-Origin: *
Access-Control-Expose-Headers: Config-Id, Config-Name, Config-Version, Segments, AB-Tests, TTL, TTL-Spread
Config-Id: 33
Config-Name: CCleaner_cc-ui-launch-in-the-background_distribution---driver-updater_feedback---performance-optimizer_distribution---easy-clean-ipm_su-exclude-redistributables_surveygroupuninstall-d25dd41e569fcc7bee53562612b9161260efe6fd771206abefec9ee54b5111c2
Config-Version: 326
Segments: cc ui launch in the background,distribution - driver updater,feedback - performance optimizer,distribution - easy clean ipm,su exclude redistributables,surveygroupuninstall
TTL: 86400
TTL-Spread: 43200
Via: 1.1 google
Alt-Svc: clear
GET

https://ipm-provider.ff.avast.com/?action=1&p_elm=229&p_lng=en&p_lid=en-us&p_ads=1&p_devrsrch=1&p_thrdprt=0&p_thrdtr=0&p_midex=488DCA4C15F9A1D330AD312B391A804E00000000000000000000000000000000&p_hid=6c5699e1-6f7b-4658-8947-57c02a9fea05&p_ubs=50&p_trs=0&p_alp=0&p_jar=0&p_cclic=&p_chcc=0&p_bld=&p_pro=90&p_vep=6&p_ves=17&p_vbd=10746&p_osv=10.0&p_gksw=1&p_chr=0&p_sbi=0&p_scbu=0&p_tos=0&p_bau=0&p_dvt=3&p_bsls=0&p_gis=0&p_fds=20409&p_cco=0&p_ccgx=0&p_cce=1&p_cced=1&p_ccnsv=0&p_ccnu=0&p_ccna=0&p_ccnl=0&p_lit=0&p_age=0&p_tcy=0&p_pct=0&p_jct=0&p_lex=-1&p_pctn=0&p_iau=0&p_qcm=0&p_hcm=1&p_sum=1&p_ost=0&p_scr=1

._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe

Remote address:

34.111.24.1:443

Request

GET /?action=1&p_elm=229&p_lng=en&p_lid=en-us&p_ads=1&p_devrsrch=1&p_thrdprt=0&p_thrdtr=0&p_midex=488DCA4C15F9A1D330AD312B391A804E00000000000000000000000000000000&p_hid=6c5699e1-6f7b-4658-8947-57c02a9fea05&p_ubs=50&p_trs=0&p_alp=0&p_jar=0&p_cclic=&p_chcc=0&p_bld=&p_pro=90&p_vep=6&p_ves=17&p_vbd=10746&p_osv=10.0&p_gksw=1&p_chr=0&p_sbi=0&p_scbu=0&p_tos=0&p_bau=0&p_dvt=3&p_bsls=0&p_gis=0&p_fds=20409&p_cco=0&p_ccgx=0&p_cce=1&p_cced=1&p_ccnsv=0&p_ccnu=0&p_ccna=0&p_ccnl=0&p_lit=0&p_age=0&p_tcy=0&p_pct=0&p_jct=0&p_lex=-1&p_pctn=0&p_iau=0&p_qcm=0&p_hcm=1&p_sum=1&p_ost=0&p_scr=1 HTTP/1.1
User-Agent: Mozilla/4.0 (CCleaner, 6.17.10746)
Host: ipm-provider.ff.avast.com
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx
Date: Mon, 06 Jan 2025 02:24:41 GMT
Content-Type: text/html
Content-Length: 26257
IPM-Asset-URL-377676186: https://ipmcdn.avast.com/images/ccleaner/img/toaster-premium-background-a-v1.png
IPM-Asset-URL-100047109: https://ipmcdn.avast.com/images/ccleaner/img/img-optimization-bg-1_2x-v1.png
IPM-Asset-URL--1696904250: https://ipmcdn.avast.com/images/ccleaner/img/img-optimization-bg-2_2x-v1.png
IPM-Asset-URL-801111687: https://ipmcdn.avast.com/images/ccleaner/img/img-optimization-bg-3_2x-v1.png
IPM-Asset-URL--995839672: https://ipmcdn.avast.com/images/ccleaner/img/img-optimization-bg-4_2x-v1.png
IPM-Asset-URL-1502176265: https://ipmcdn.avast.com/images/ccleaner/img/img-optimization-bg-5_2x-v1.png
IPM-Asset-URL--294775094: https://ipmcdn.avast.com/images/ccleaner/img/img-optimization-bg-6_2x-v1.png
IPM-Asset-URL--2091726453: https://ipmcdn.avast.com/images/ccleaner/img/img-optimization-bg-7_2x-v1.png
IPM-Asset-URL-406289484: https://ipmcdn.avast.com/images/ccleaner/img/img-optimization-bg-8_2x-v1.png
IPM-Asset-URL--715558730: https://ipmcdn.avast.com/images/ccleaner/img/img-autoupdate-bg_2x-v1.png
IPM-Asset-URL--254277907: https://ipmcdn.avast.com/images/ccleaner/img/img-optimization-bg-a_2x-v1.jpg
IPM-Asset-URL--2051229266: https://ipmcdn.avast.com/images/ccleaner/img/img-optimization-bg-b_2x-v1.jpg
IPM-Asset-URL--1390667579: https://ipmcdn.avast.com/images/ccleaner/img/img-optimization-bg-9_2x-v1.jpg
IPM-Asset-Base-URL: https://ipm-static.avcdn.net/content-assets-prod/,https://ipmcdn.avast.com/images/
Cache-Control: no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: 0
Content-Identifier: ccleaner/en-ww/toaster-campaigns_ccleaner-update_hi_variant-3.html
ETag: W/83bccd51
Set-Cookie: ViewCounter_OTHER_CCLEANER=1736130281; Max-Age=172800; Expires=Wed, 08 Jan 2025 02:24:41 GMT; Secure; SameSite=None
Set-Cookie: ViewCounter_ccleaner_en-ww_toaster-campaigns_ccleaner-update_hi_variant-3-20211003=1736130281; Max-Age=691200; Expires=Tue, 14 Jan 2025 02:24:41 GMT; Secure; SameSite=None
Set-Cookie: ClientId=220920d6-ad00-4647-a3c9-ec74cfb5c212; Max-Age=63072000; Expires=Wed, 06 Jan 2027 02:24:41 GMT; Secure; SameSite=None
Set-Cookie: ViewCounter_OTHER_CCLEANER=1736130281; Max-Age=172800; Expires=Wed, 08 Jan 2025 02:24:41 GMT; Secure; SameSite=None
Set-Cookie: ViewCounter_ccleaner_en-ww_toaster-campaigns_ccleaner-update_hi_variant-3-20211003=1736130281; Max-Age=691200; Expires=Tue, 14 Jan 2025 02:24:41 GMT; Secure; SameSite=None
Set-Cookie: ClientId=220920d6-ad00-4647-a3c9-ec74cfb5c212; Max-Age=63072000; Expires=Wed, 06 Jan 2027 02:24:41 GMT; Secure; SameSite=None
Via: 1.1 google
Alt-Svc: clear
GET

https://ip-info.ff.avast.com/v1/info

._cache_Synaptics.exe

Remote address:

34.111.175.102:443

Request

GET /v1/info HTTP/1.1
User-Agent: Mozilla/4.0 (CCleaner, 6.17.10746)
Host: ip-info.ff.avast.com
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

content-type: application/json
vary: origin, access-control-request-method, access-control-request-headers
vary: origin, access-control-request-method, access-control-request-headers
access-control-allow-credentials: true
x-gen-trace-id: b4ee9ad6-c438-4e01-b381-73fcb549fa76
Content-Length: 352
date: Mon, 06 Jan 2025 02:24:41 GMT
Via: 1.1 google
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
GET

https://ip-info.ff.avast.com/v1/info

._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe

Remote address:

34.111.175.102:443

Request

GET /v1/info HTTP/1.1
User-Agent: Mozilla/4.0 (CCleaner, 6.17.10746)
Host: ip-info.ff.avast.com
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

content-type: application/json
vary: origin, access-control-request-method, access-control-request-headers
vary: origin, access-control-request-method, access-control-request-headers
access-control-allow-credentials: true
x-gen-trace-id: edefe0b8-7496-4d3b-8817-47c73229dbe8
Content-Length: 352
date: Mon, 06 Jan 2025 02:24:41 GMT
Via: 1.1 google
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
GET

https://www.ccleaner.com/go/app_cc_pro_trialkey

._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe

Remote address:

104.96.174.89:443

Request

GET /go/app_cc_pro_trialkey HTTP/1.1
User-Agent: Mozilla/4.0 (CCleaner, 6.17.10746)
Host: www.ccleaner.com
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Content-Length: 24
Access-Control-Expose-Headers: Request-Context
Request-Context: appId=cid-v1:f596e2d8-53ab-4408-9336-8b048cfa7a07
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Cache-Control: max-age=527
Expires: Mon, 06 Jan 2025 02:33:28 GMT
Date: Mon, 06 Jan 2025 02:24:41 GMT
Connection: keep-alive
Server-Timing: cdn-cache; desc=HIT
Server-Timing: edge; dur=1
Permissions-Policy: interest-cohort=()
Server-Timing: ak_p; desc="1736130281563_1750123414_319768438_32_5369_27_160_-";dur=1
GET

https://www.ccleaner.com/auto?a=0&p=cc&v=6.17.10746&l=1033&lk=&mk=8XMV-Y7SM-MYU9-GW8M-T7HN-F5VJ-H6K2-4GXB-TFE5&o=10.0W6&au=2&mx=488DCA4C15F9A1D330AD312B391A804E00000000000000000000000000000000&gd=6c5699e1-6f7b-4658-8947-57c02a9fea05&isAdmin=1&isElevated=1

._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe

Remote address:

104.96.174.89:443

Request

GET /auto?a=0&p=cc&v=6.17.10746&l=1033&lk=&mk=8XMV-Y7SM-MYU9-GW8M-T7HN-F5VJ-H6K2-4GXB-TFE5&o=10.0W6&au=2&mx=488DCA4C15F9A1D330AD312B391A804E00000000000000000000000000000000&gd=6c5699e1-6f7b-4658-8947-57c02a9fea05&isAdmin=1&isElevated=1 HTTP/1.1
User-Agent: Mozilla/4.0 (CCleaner, 6.17.10746)
Host: www.ccleaner.com
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Content-Type: text/plain; charset=utf-8
Request-Context: appId=cid-v1:8060531c-f181-428a-9692-6288f0702684
Server-Timing: cdn-cache; desc=MISS
Server-Timing: edge; dur=68
Server-Timing: origin; dur=318
Expires: Mon, 06 Jan 2025 02:24:42 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 06 Jan 2025 02:24:42 GMT
Content-Length: 62
Connection: keep-alive
Set-Cookie: _cc_langChoice=en-us; expires=Tue, 06-Jan-2026 02:24:42 GMT; path=/
Server-Timing: edge; dur=59
Server-Timing: origin; dur=465
Server-Timing: cdn-cache; desc=MISS
Permissions-Policy: interest-cohort=()
Server-Timing: ak_p; desc="1736130281563_1750123414_319768446_52347_7574_27_170_-";dur=1
GET

https://www.ccleaner.com/go/app_cc_pro_trialkey

._cache_Synaptics.exe

Remote address:

104.96.174.89:443

Request

GET /go/app_cc_pro_trialkey HTTP/1.1
User-Agent: Mozilla/4.0 (CCleaner, 6.17.10746)
Host: www.ccleaner.com
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Content-Length: 24
Access-Control-Expose-Headers: Request-Context
Request-Context: appId=cid-v1:f596e2d8-53ab-4408-9336-8b048cfa7a07
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Cache-Control: max-age=527
Expires: Mon, 06 Jan 2025 02:33:28 GMT
Date: Mon, 06 Jan 2025 02:24:41 GMT
Connection: keep-alive
Server-Timing: cdn-cache; desc=HIT
Server-Timing: edge; dur=1
Permissions-Policy: interest-cohort=()
Server-Timing: ak_p; desc="1736130281575_1750123414_319768485_959_6162_32_227_-";dur=1
GET

https://www.ccleaner.com/auto?a=0&p=cc&v=6.17.10746&l=1033&lk=&mk=8XMV-Y7SM-MYU9-GW8M-T7HN-F5VJ-H6K2-4GXB-TFE5&o=10.0W6&au=2&mx=488DCA4C15F9A1D330AD312B391A804E00000000000000000000000000000000&gd=6c5699e1-6f7b-4658-8947-57c02a9fea05&isAdmin=1&isElevated=1

._cache_Synaptics.exe

Remote address:

104.96.174.89:443

Request

GET /auto?a=0&p=cc&v=6.17.10746&l=1033&lk=&mk=8XMV-Y7SM-MYU9-GW8M-T7HN-F5VJ-H6K2-4GXB-TFE5&o=10.0W6&au=2&mx=488DCA4C15F9A1D330AD312B391A804E00000000000000000000000000000000&gd=6c5699e1-6f7b-4658-8947-57c02a9fea05&isAdmin=1&isElevated=1 HTTP/1.1
User-Agent: Mozilla/4.0 (CCleaner, 6.17.10746)
Host: www.ccleaner.com
Cache-Control: no-cache
Cookie: _cc_langChoice=en-us

Response

HTTP/1.1 200 OK

Content-Type: text/plain; charset=utf-8
Request-Context: appId=cid-v1:8060531c-f181-428a-9692-6288f0702684
Server-Timing: cdn-cache; desc=HIT
Server-Timing: edge; dur=1
Expires: Mon, 06 Jan 2025 02:25:41 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 06 Jan 2025 02:25:41 GMT
Content-Length: 62
Connection: keep-alive
Server-Timing: edge; dur=1
Server-Timing: origin; dur=99
Server-Timing: cdn-cache; desc=MISS
Permissions-Policy: interest-cohort=()
Server-Timing: ak_p; desc="1736130341681_1750123414_319768530_9923_7544_31_0_-";dur=1
DNS

c.pki.goog

._cache_Synaptics.exe

Remote address:

8.8.8.8:53

Request

c.pki.goog

IN A

Response

c.pki.goog

IN CNAME

pki-goog.l.google.com

pki-goog.l.google.com

IN A

142.250.200.35
GET

http://c.pki.goog/r/r1.crl

._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe

Remote address:

142.250.200.35:80

Request

GET /r/r1.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/10.0
Host: c.pki.goog

Response

HTTP/1.1 200 OK

Accept-Ranges: bytes
Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
Cross-Origin-Resource-Policy: cross-origin
Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
Content-Length: 854
X-Content-Type-Options: nosniff
Server: sffe
X-XSS-Protection: 0
Date: Mon, 06 Jan 2025 02:09:18 GMT
Expires: Mon, 06 Jan 2025 02:59:18 GMT
Cache-Control: public, max-age=3000
Age: 923
Last-Modified: Thu, 25 Jul 2024 14:48:00 GMT
Content-Type: application/pkix-crl
Vary: Accept-Encoding
GET

http://c.pki.goog/r/r1.crl

._cache_Synaptics.exe

Remote address:

142.250.200.35:80

Request

GET /r/r1.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/10.0
Host: c.pki.goog

Response

HTTP/1.1 200 OK

Accept-Ranges: bytes
Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
Cross-Origin-Resource-Policy: cross-origin
Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
Content-Length: 854
X-Content-Type-Options: nosniff
Server: sffe
X-XSS-Protection: 0
Date: Mon, 06 Jan 2025 02:09:18 GMT
Expires: Mon, 06 Jan 2025 02:59:18 GMT
Cache-Control: public, max-age=3000
Age: 923
Last-Modified: Thu, 25 Jul 2024 14:48:00 GMT
Content-Type: application/pkix-crl
Vary: Accept-Encoding
DNS

license-api.ccleaner.com

._cache_Synaptics.exe

Remote address:

8.8.8.8:53

Request

license-api.ccleaner.com

IN A

Response

license-api.ccleaner.com

IN CNAME

license-api.ccleaner.com.edgekey.net

license-api.ccleaner.com.edgekey.net

IN CNAME

e13363.dsca.akamaiedge.net

e13363.dsca.akamaiedge.net

IN A

104.96.174.89
GET

https://license-api.ccleaner.com/product/v1/verify?p=ccpro&c=cc&cv=6.17.10746&l=1033&lk=CJ9T-J7CU-SPNV-GWMB-WBEC&mk=8XMV-Y7SM-MYU9-GW8M-T7HN-F5VJ-H6K2-4GXB-TFE5&mx=488DCA4C15F9A1D330AD312B391A804E00000000000000000000000000000000&gd=6c5699e1-6f7b-4658-8947-57c02a9fea05

._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe

Remote address:

104.96.174.89:443

Request

GET /product/v1/verify?p=ccpro&c=cc&cv=6.17.10746&l=1033&lk=CJ9T-J7CU-SPNV-GWMB-WBEC&mk=8XMV-Y7SM-MYU9-GW8M-T7HN-F5VJ-H6K2-4GXB-TFE5&mx=488DCA4C15F9A1D330AD312B391A804E00000000000000000000000000000000&gd=6c5699e1-6f7b-4658-8947-57c02a9fea05 HTTP/1.1
User-Agent: Mozilla/4.0 (CCleaner, 6.17.10746)
Host: license-api.ccleaner.com
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Content-Type: text/plain; charset=utf-8
Content-Length: 17
Expires: Mon, 06 Jan 2025 02:24:41 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 06 Jan 2025 02:24:41 GMT
Connection: keep-alive
Server-Timing: cdn-cache; desc=MISS
Server-Timing: edge; dur=3
Server-Timing: origin; dur=16
Server-Timing: ak_p; desc="1736130281871_1750123414_319768587_1901_1877_27_58_-";dur=1
DNS

o.pki.goog

Synaptics.exe

Remote address:

8.8.8.8:53

Request

o.pki.goog

IN A

Response

o.pki.goog

IN CNAME

pki-goog.l.google.com

pki-goog.l.google.com

IN A

142.250.200.35
GET

https://license-api.ccleaner.com/product/v1/verify?p=ccpro&c=cc&cv=6.17.10746&l=1033&lk=CJ9T-J7CU-SPNV-GWMB-WBEC&mk=8XMV-Y7SM-MYU9-GW8M-T7HN-F5VJ-H6K2-4GXB-TFE5&mx=488DCA4C15F9A1D330AD312B391A804E00000000000000000000000000000000&gd=6c5699e1-6f7b-4658-8947-57c02a9fea05

._cache_Synaptics.exe

Remote address:

104.96.174.89:443

Request

GET /product/v1/verify?p=ccpro&c=cc&cv=6.17.10746&l=1033&lk=CJ9T-J7CU-SPNV-GWMB-WBEC&mk=8XMV-Y7SM-MYU9-GW8M-T7HN-F5VJ-H6K2-4GXB-TFE5&mx=488DCA4C15F9A1D330AD312B391A804E00000000000000000000000000000000&gd=6c5699e1-6f7b-4658-8947-57c02a9fea05 HTTP/1.1
User-Agent: Mozilla/4.0 (CCleaner, 6.17.10746)
Host: license-api.ccleaner.com
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Content-Type: text/plain; charset=utf-8
Content-Length: 17
Expires: Mon, 06 Jan 2025 02:24:42 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 06 Jan 2025 02:24:42 GMT
Connection: keep-alive
Server-Timing: cdn-cache; desc=MISS
Server-Timing: edge; dur=3
Server-Timing: origin; dur=14
Server-Timing: ak_p; desc="1736130281912_1750123414_319768616_1800_2159_26_56_-";dur=1
GET

http://o.pki.goog/s/wr3/R_4/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQSq0i5t2Pafi2Gw9uzwnc7KTctWgQUx4H1%2FY6I2QA8TWOiUDEkoM4j%2FiMCEEf%2BFZGpnvWuEEGk5mBYdOg%3D

._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe

Remote address:

142.250.200.35:80

Request

GET /s/wr3/R_4/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQSq0i5t2Pafi2Gw9uzwnc7KTctWgQUx4H1%2FY6I2QA8TWOiUDEkoM4j%2FiMCEEf%2BFZGpnvWuEEGk5mBYdOg%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/10.0
Host: o.pki.goog

Response

HTTP/1.1 200 OK

Content-Security-Policy-Report-Only: script-src 'none'; form-action 'none'; frame-src 'none'; report-uri https://csp.withgoogle.com/csp/scaffolding/sytroprc:52:0
Cross-Origin-Opener-Policy-Report-Only: same-origin; report-to=coop_reporting
Report-To: {"group":"coop_reporting","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/scaffolding/sytroprc:52:0"}],}
Server: scaffolding on HTTPServer2
Content-Length: 471
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
Date: Sun, 05 Jan 2025 22:37:15 GMT
Cache-Control: public, max-age=14400
Content-Type: application/ocsp-response
Age: 13646
GET

http://o.pki.goog/s/wr3/R_4/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQSq0i5t2Pafi2Gw9uzwnc7KTctWgQUx4H1%2FY6I2QA8TWOiUDEkoM4j%2FiMCEEf%2BFZGpnvWuEEGk5mBYdOg%3D

._cache_Synaptics.exe

Remote address:

142.250.200.35:80

Request

GET /s/wr3/R_4/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQSq0i5t2Pafi2Gw9uzwnc7KTctWgQUx4H1%2FY6I2QA8TWOiUDEkoM4j%2FiMCEEf%2BFZGpnvWuEEGk5mBYdOg%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/10.0
Host: o.pki.goog

Response

HTTP/1.1 200 OK

Content-Security-Policy-Report-Only: script-src 'none'; form-action 'none'; frame-src 'none'; report-uri https://csp.withgoogle.com/csp/scaffolding/sytroprc:52:0
Cross-Origin-Opener-Policy-Report-Only: same-origin; report-to=coop_reporting
Report-To: {"group":"coop_reporting","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/scaffolding/sytroprc:52:0"}],}
Server: scaffolding on HTTPServer2
Content-Length: 471
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
Date: Sun, 05 Jan 2025 22:37:15 GMT
Cache-Control: public, max-age=14400
Content-Type: application/ocsp-response
Age: 13646
GET

http://o.pki.goog/s/wr3/u7Y/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBQSq0i5t2Pafi2Gw9uzwnc7KTctWgQUx4H1%2FY6I2QA8TWOiUDEkoM4j%2FiMCEQC7tqiwmrg75ApyAYGAkqit

._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe

Remote address:

142.250.200.35:80

Request

GET /s/wr3/u7Y/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBQSq0i5t2Pafi2Gw9uzwnc7KTctWgQUx4H1%2FY6I2QA8TWOiUDEkoM4j%2FiMCEQC7tqiwmrg75ApyAYGAkqit HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/10.0
Host: o.pki.goog

Response

HTTP/1.1 200 OK

Content-Security-Policy-Report-Only: script-src 'none'; form-action 'none'; frame-src 'none'; report-uri https://csp.withgoogle.com/csp/scaffolding/sytroprc:52:0
Cross-Origin-Opener-Policy-Report-Only: same-origin; report-to=coop_reporting
Report-To: {"group":"coop_reporting","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/scaffolding/sytroprc:52:0"}],}
Server: scaffolding on HTTPServer2
Content-Length: 472
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
Date: Mon, 06 Jan 2025 02:12:34 GMT
Cache-Control: public, max-age=14400
Content-Type: application/ocsp-response
Age: 727
DNS

28.176.160.34.in-addr.arpa

Remote address:

8.8.8.8:53

Request

28.176.160.34.in-addr.arpa

IN PTR

Response

28.176.160.34.in-addr.arpa

IN PTR

2817616034bcgoogleusercontentcom
DNS

1.24.111.34.in-addr.arpa

Remote address:

8.8.8.8:53

Request

1.24.111.34.in-addr.arpa

IN PTR

Response

1.24.111.34.in-addr.arpa

IN PTR

12411134bcgoogleusercontentcom
DNS

89.174.96.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

89.174.96.104.in-addr.arpa

IN PTR

Response

89.174.96.104.in-addr.arpa

IN PTR

a104-96-174-89deploystaticakamaitechnologiescom
DNS

102.175.111.34.in-addr.arpa

Remote address:

8.8.8.8:53

Request

102.175.111.34.in-addr.arpa

IN PTR

Response

102.175.111.34.in-addr.arpa

IN PTR

10217511134bcgoogleusercontentcom
DNS

35.200.250.142.in-addr.arpa

Remote address:

8.8.8.8:53

Request

35.200.250.142.in-addr.arpa

IN PTR

Response

35.200.250.142.in-addr.arpa

IN PTR

lhr48s30-in-f31e100net
DNS

197.87.175.4.in-addr.arpa

Remote address:

8.8.8.8:53

Request

197.87.175.4.in-addr.arpa

IN PTR

Response
DNS

241.42.69.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

241.42.69.40.in-addr.arpa

IN PTR

Response
DNS

133.130.81.91.in-addr.arpa

Remote address:

8.8.8.8:53

Request

133.130.81.91.in-addr.arpa

IN PTR

Response
DNS

172.214.232.199.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.214.232.199.in-addr.arpa

IN PTR

Response
DNS

docs.google.com

Synaptics.exe

Remote address:

8.8.8.8:53

Request

docs.google.com

IN A

Response

docs.google.com

IN A

142.250.179.238
DNS

docs.google.com

Synaptics.exe

Remote address:

8.8.8.8:53

Request

docs.google.com

IN A

Response

docs.google.com

IN A

142.250.179.238
GET

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

Synaptics.exe

Remote address:

142.250.179.238:443

Request

GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
User-Agent: Synaptics.exe
Host: docs.google.com
Cache-Control: no-cache

Response

HTTP/1.1 303 See Other

Content-Type: application/binary
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Date: Mon, 06 Jan 2025 02:25:33 GMT
Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
Strict-Transport-Security: max-age=31536000
Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
Content-Security-Policy: script-src 'report-sample' 'nonce-Z4MLTuBinHT7Hox3-GGSvg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
Cross-Origin-Opener-Policy: same-origin
Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
Server: ESF
Content-Length: 0
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
GET

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

Synaptics.exe

Remote address:

142.250.179.238:443

Request

GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
User-Agent: Synaptics.exe
Host: docs.google.com
Cache-Control: no-cache
Cookie: NID=520=OjqwmxgCIHsVsNCc8K6mIrfkOvXU_O4muSS2pLO2vUL0xWp9tsR6N-rI2hZ8kYIDwRXWmIzGc4727h-BnoS1H4mIHqlVfVPS2qO7uaiNiYemIHgxRj2G5yu-QPpT4N1hkHMMfUdp8h-6nHWXkEB9gkciIjL5EFFv7jifDrwfo-oXqSZg

Response

HTTP/1.1 303 See Other

Content-Type: application/binary
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Date: Mon, 06 Jan 2025 02:25:34 GMT
Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
Strict-Transport-Security: max-age=31536000
Content-Security-Policy: script-src 'report-sample' 'nonce-ulvsZju0mdUwkHaN39nGIA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
Cross-Origin-Opener-Policy: same-origin
Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
Server: ESF
Content-Length: 0
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
GET

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

Synaptics.exe

Remote address:

142.250.179.238:443

Request

GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
User-Agent: Synaptics.exe
Host: docs.google.com
Cache-Control: no-cache
Cookie: NID=520=OjqwmxgCIHsVsNCc8K6mIrfkOvXU_O4muSS2pLO2vUL0xWp9tsR6N-rI2hZ8kYIDwRXWmIzGc4727h-BnoS1H4mIHqlVfVPS2qO7uaiNiYemIHgxRj2G5yu-QPpT4N1hkHMMfUdp8h-6nHWXkEB9gkciIjL5EFFv7jifDrwfo-oXqSZg

Response

HTTP/1.1 303 See Other

Content-Type: application/binary
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Date: Mon, 06 Jan 2025 02:25:34 GMT
Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
Strict-Transport-Security: max-age=31536000
Cross-Origin-Opener-Policy: same-origin
Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
Content-Security-Policy: script-src 'report-sample' 'nonce-MvcjeAaEFWoaDif2UEnHzg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
Server: ESF
Content-Length: 0
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
GET

http://o.pki.goog/wr2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEQD8Elu9WzbqaxI7ClVJiEyf

Synaptics.exe

Remote address:

142.250.200.35:80

Request

GET /wr2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEQD8Elu9WzbqaxI7ClVJiEyf HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/10.0
Host: o.pki.goog

Response

HTTP/1.1 200 OK

Server: ocsp_responder
Content-Length: 472
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
Date: Mon, 06 Jan 2025 02:00:16 GMT
Cache-Control: public, max-age=14400
Content-Type: application/ocsp-response
Age: 1517
GET

http://o.pki.goog/wr2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEQDkqhDvrMuENxBpWocUnIUC

Synaptics.exe

Remote address:

142.250.200.35:80

Request

GET /wr2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEQDkqhDvrMuENxBpWocUnIUC HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/10.0
Host: o.pki.goog

Response

HTTP/1.1 200 OK

Server: ocsp_responder
Content-Length: 472
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
Date: Mon, 06 Jan 2025 01:48:07 GMT
Cache-Control: public, max-age=14400
Content-Type: application/ocsp-response
Age: 2246
DNS

drive.usercontent.google.com

Synaptics.exe

Remote address:

8.8.8.8:53

Request

drive.usercontent.google.com

IN A

Response

drive.usercontent.google.com

IN A

216.58.212.193
DNS

drive.usercontent.google.com

Synaptics.exe

Remote address:

8.8.8.8:53

Request

drive.usercontent.google.com

IN A

Response

drive.usercontent.google.com

IN A

216.58.212.193
GET

https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

Synaptics.exe

Remote address:

216.58.212.193:443

Request

GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
User-Agent: Synaptics.exe
Cache-Control: no-cache
Host: drive.usercontent.google.com
Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found

X-GUploader-UploadID: AFiumC7Ag_4sg9n_IXHOEAkzng9RW0KFZ-hhDDtxNOdxANrtpQJL613u1JzGuzTJ8dW29cboQAWv73A
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Date: Mon, 06 Jan 2025 02:25:34 GMT
P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
Content-Security-Policy: script-src 'report-sample' 'nonce-LfEZvIrY5wI2NKCKxKkqww' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
Cross-Origin-Opener-Policy: same-origin
Content-Length: 1652
Server: UploadServer
Set-Cookie: NID=520=OjqwmxgCIHsVsNCc8K6mIrfkOvXU_O4muSS2pLO2vUL0xWp9tsR6N-rI2hZ8kYIDwRXWmIzGc4727h-BnoS1H4mIHqlVfVPS2qO7uaiNiYemIHgxRj2G5yu-QPpT4N1hkHMMfUdp8h-6nHWXkEB9gkciIjL5EFFv7jifDrwfo-oXqSZg; expires=Tue, 08-Jul-2025 02:25:34 GMT; path=/; domain=.google.com; HttpOnly
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Content-Security-Policy: sandbox allow-scripts
GET

https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

Synaptics.exe

Remote address:

216.58.212.193:443

Request

GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
User-Agent: Synaptics.exe
Cache-Control: no-cache
Host: drive.usercontent.google.com
Connection: Keep-Alive
Cookie: NID=520=OjqwmxgCIHsVsNCc8K6mIrfkOvXU_O4muSS2pLO2vUL0xWp9tsR6N-rI2hZ8kYIDwRXWmIzGc4727h-BnoS1H4mIHqlVfVPS2qO7uaiNiYemIHgxRj2G5yu-QPpT4N1hkHMMfUdp8h-6nHWXkEB9gkciIjL5EFFv7jifDrwfo-oXqSZg

Response

HTTP/1.1 404 Not Found

X-GUploader-UploadID: AFiumC5T5dGGXcxr6_fwawutLRswy_rKCLJ1eGJzjSSMaXmkszq7aJMLIoPce-PSVqzToTO0
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Date: Mon, 06 Jan 2025 02:25:34 GMT
Cross-Origin-Opener-Policy: same-origin
Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
Content-Security-Policy: script-src 'report-sample' 'nonce-Gy12gcqhnBPLIk1ldgCbEg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
Content-Length: 1652
Server: UploadServer
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Content-Security-Policy: sandbox allow-scripts
GET

https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

Synaptics.exe

Remote address:

216.58.212.193:443

Request

GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
User-Agent: Synaptics.exe
Cache-Control: no-cache
Host: drive.usercontent.google.com
Connection: Keep-Alive
Cookie: NID=520=OjqwmxgCIHsVsNCc8K6mIrfkOvXU_O4muSS2pLO2vUL0xWp9tsR6N-rI2hZ8kYIDwRXWmIzGc4727h-BnoS1H4mIHqlVfVPS2qO7uaiNiYemIHgxRj2G5yu-QPpT4N1hkHMMfUdp8h-6nHWXkEB9gkciIjL5EFFv7jifDrwfo-oXqSZg

Response

HTTP/1.1 404 Not Found

X-GUploader-UploadID: AFiumC4BFPc6FpD5krfDzRMUiixwrycu25D73VF8xx4hTIIPtFr7pH9ANrYlCrcrvL8VZ80aMpVxwgE
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Date: Mon, 06 Jan 2025 02:25:34 GMT
Content-Security-Policy: script-src 'report-sample' 'nonce-jpGjF3drsIwviBKSjZfTVw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
Cross-Origin-Opener-Policy: same-origin
Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
Content-Length: 1652
Server: UploadServer
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Content-Security-Policy: sandbox allow-scripts
DNS

238.179.250.142.in-addr.arpa

Remote address:

8.8.8.8:53

Request

238.179.250.142.in-addr.arpa

IN PTR

Response

238.179.250.142.in-addr.arpa

IN PTR

lhr25s31-in-f141e100net
DNS

193.212.58.216.in-addr.arpa

Remote address:

8.8.8.8:53

Request

193.212.58.216.in-addr.arpa

IN PTR

Response

193.212.58.216.in-addr.arpa

IN PTR

ams16s21-in-f11e100net

193.212.58.216.in-addr.arpa

IN PTR

ams16s21-in-f193�H

193.212.58.216.in-addr.arpa

IN PTR

lhr25s27-in-f1�H
DNS

download.ccleaner.com

._cache_Synaptics.exe

Remote address:

8.8.8.8:53

Request

download.ccleaner.com

IN A

Response

download.ccleaner.com

IN CNAME

download2.ccleaner.com.edgekey.net

download2.ccleaner.com.edgekey.net

IN CNAME

e13363.dscd.akamaiedge.net

e13363.dscd.akamaiedge.net

IN A

95.100.245.152
DNS

download.ccleaner.com

._cache_Synaptics.exe

Remote address:

8.8.8.8:53

Request

download.ccleaner.com

IN A

Response

download.ccleaner.com

IN CNAME

download2.ccleaner.com.edgekey.net

download2.ccleaner.com.edgekey.net

IN CNAME

e13363.dscd.akamaiedge.net

e13363.dscd.akamaiedge.net

IN A

95.100.245.152
GET

https://download.ccleaner.com/update/ccleaner/ccupdate631_free.exe?HWID=488DCA4C15F9A1D330AD312B391A804E00000000000000000000000000000000

._cache_Synaptics.exe

Remote address:

95.100.245.152:443

Request

GET /update/ccleaner/ccupdate631_free.exe?HWID=488DCA4C15F9A1D330AD312B391A804E00000000000000000000000000000000 HTTP/1.1
User-Agent: Mozilla/4.0 (CCleaner, 6.17.10746)
Host: download.ccleaner.com
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Accept-Ranges: bytes
Content-Type: application/octet-stream
ETag: "e2c0ca91b83a1fbe962893cb26402701:1733914506.746485"
Last-Modified: Wed, 11 Dec 2024 10:55:14 GMT
Server: AkamaiNetStorage
Content-Length: 82710432
Cache-Control: max-age=3600
Expires: Mon, 06 Jan 2025 03:25:41 GMT
Date: Mon, 06 Jan 2025 02:25:41 GMT
Connection: keep-alive
DNS

152.245.100.95.in-addr.arpa

Remote address:

8.8.8.8:53

Request

152.245.100.95.in-addr.arpa

IN PTR

Response

152.245.100.95.in-addr.arpa

IN PTR

a95-100-245-152deploystaticakamaitechnologiescom
DNS

152.245.100.95.in-addr.arpa

Remote address:

8.8.8.8:53

Request

152.245.100.95.in-addr.arpa

IN PTR
DNS

152.245.100.95.in-addr.arpa

Remote address:

8.8.8.8:53

Request

152.245.100.95.in-addr.arpa

IN PTR
DNS

152.245.100.95.in-addr.arpa

Remote address:

8.8.8.8:53

Request

152.245.100.95.in-addr.arpa

IN PTR
DNS

152.245.100.95.in-addr.arpa

Remote address:

8.8.8.8:53

Request

152.245.100.95.in-addr.arpa

IN PTR
DNS

22.236.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

22.236.111.52.in-addr.arpa

IN PTR

Response

2.18.190.163:80

http://ncc.avast.com/ncc.txt

http

._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe

329 B
283 B
5
3

HTTP Request

GET http://ncc.avast.com/ncc.txt

HTTP Response

200
2.18.190.163:80

http://ncc.avast.com/ncc.txt

http

._cache_Synaptics.exe

375 B
323 B
6
4

HTTP Request

GET http://ncc.avast.com/ncc.txt

HTTP Response

200
69.42.215.252:80

http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

http

Synaptics.exe

752 B
415 B
13
4

HTTP Request

GET http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

HTTP Response

200
34.117.223.223:443

https://analytics.avcdn.net/receive3

tls, http

._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe

10.3kB
11.3kB
45
39

HTTP Request

POST https://analytics.avcdn.net/receive3

HTTP Response

200

HTTP Request

POST https://analytics.avcdn.net/receive3

HTTP Response

200

HTTP Request

POST https://analytics.avcdn.net/receive3

HTTP Response

200

HTTP Request

POST https://analytics.avcdn.net/receive3

HTTP Response

200

HTTP Request

POST https://analytics.avcdn.net/receive3

HTTP Response

200

HTTP Request

POST https://analytics.avcdn.net/receive3

HTTP Response

200

HTTP Request

POST https://analytics.avcdn.net/receive3

HTTP Response

200

HTTP Request

POST https://analytics.avcdn.net/receive3

HTTP Response

200

HTTP Request

POST https://analytics.avcdn.net/receive3

HTTP Response

200

HTTP Request

POST https://analytics.avcdn.net/receive3

HTTP Response

200

HTTP Request

POST https://analytics.avcdn.net/receive3

HTTP Response

200

HTTP Request

POST https://analytics.avcdn.net/receive3

HTTP Response

200

HTTP Request

POST https://analytics.avcdn.net/receive3

HTTP Response

200

HTTP Request

POST https://analytics.avcdn.net/receive3

HTTP Response

200

HTTP Request

POST https://analytics.avcdn.net/receive3

HTTP Response

200

HTTP Request

POST https://analytics.avcdn.net/receive3

HTTP Response

200
34.117.223.223:443

https://analytics.avcdn.net/receive3

tls, http

._cache_Synaptics.exe

12.5kB
12.7kB
52
46

HTTP Request

POST https://analytics.avcdn.net/receive3

HTTP Response

200

HTTP Request

POST https://analytics.avcdn.net/receive3

HTTP Response

200

HTTP Request

POST https://analytics.avcdn.net/receive3

HTTP Response

200

HTTP Request

POST https://analytics.avcdn.net/receive3

HTTP Response

200

HTTP Request

POST https://analytics.avcdn.net/receive3

HTTP Response

200

HTTP Request

POST https://analytics.avcdn.net/receive3

HTTP Response

200

HTTP Request

POST https://analytics.avcdn.net/receive3

HTTP Response

200

HTTP Request

POST https://analytics.avcdn.net/receive3

HTTP Response

200

HTTP Request

POST https://analytics.avcdn.net/receive3

HTTP Response

200

HTTP Request

POST https://analytics.avcdn.net/receive3

HTTP Response

200

HTTP Request

POST https://analytics.avcdn.net/receive3

HTTP Response

200

HTTP Request

POST https://analytics.avcdn.net/receive3

HTTP Response

200

HTTP Request

POST https://analytics.avcdn.net/receive3

HTTP Response

200

HTTP Request

POST https://analytics.avcdn.net/receive3

HTTP Response

200

HTTP Request

POST https://analytics.avcdn.net/receive3

HTTP Response

200

HTTP Request

POST https://analytics.avcdn.net/receive3

HTTP Response

200

HTTP Request

POST https://analytics.avcdn.net/receive3

HTTP Response

200

HTTP Request

POST https://analytics.avcdn.net/receive3

HTTP Response

200

HTTP Request

POST https://analytics.avcdn.net/receive3

HTTP Response

200
34.160.176.28:443

https://shepherd.ff.avast.com/?p_lng=en&p_lid=en-us&p_ads=1&p_devrsrch=1&p_thrdprt=0&p_thrdtr=0&p_midex=488DCA4C15F9A1D330AD312B391A804E00000000000000000000000000000000&p_hid=6c5699e1-6f7b-4658-8947-57c02a9fea05&p_ubs=50&p_trs=0&p_alp=0&p_jar=0&p_cclic=&p_chcc=0&p_bld=&p_pro=90&p_vep=6&p_ves=17&p_vbd=10746&p_osv=10.0&p_gksw=1&p_chr=0&p_sbi=0&p_scbu=0&p_tos=0&p_bau=0&p_dvt=3&p_bsls=0&p_gis=0&p_fds=20409&p_cco=0&p_ccgx=0&p_cce=1&p_cced=1&p_ccnsv=0&p_ccnu=0&p_ccna=0&p_ccnl=0&p_lit=0&p_age=0&p_tcy=0&p_pct=0&p_jct=0

tls, http

._cache_Synaptics.exe

1.6kB
7.7kB
16
13

HTTP Request

GET https://shepherd.ff.avast.com/?p_lng=en&p_lid=en-us&p_ads=1&p_devrsrch=1&p_thrdprt=0&p_thrdtr=0&p_midex=488DCA4C15F9A1D330AD312B391A804E00000000000000000000000000000000&p_hid=6c5699e1-6f7b-4658-8947-57c02a9fea05&p_ubs=50&p_trs=0&p_alp=0&p_jar=0&p_cclic=&p_chcc=0&p_bld=&p_pro=90&p_vep=6&p_ves=17&p_vbd=10746&p_osv=10.0&p_gksw=1&p_chr=0&p_sbi=0&p_scbu=0&p_tos=0&p_bau=0&p_dvt=3&p_bsls=0&p_gis=0&p_fds=20409&p_cco=0&p_ccgx=0&p_cce=1&p_cced=1&p_ccnsv=0&p_ccnu=0&p_ccna=0&p_ccnl=0&p_lit=0&p_age=0&p_tcy=0&p_pct=0&p_jct=0

HTTP Response

200
34.160.176.28:443

https://shepherd.ff.avast.com/?p_lng=en&p_lid=en-us&p_ads=1&p_devrsrch=1&p_thrdprt=0&p_thrdtr=0&p_midex=488DCA4C15F9A1D330AD312B391A804E00000000000000000000000000000000&p_hid=6c5699e1-6f7b-4658-8947-57c02a9fea05&p_ubs=50&p_trs=0&p_alp=0&p_jar=0&p_cclic=&p_chcc=0&p_bld=&p_pro=90&p_vep=6&p_ves=17&p_vbd=10746&p_osv=10.0&p_gksw=1&p_chr=0&p_sbi=0&p_scbu=0&p_tos=0&p_bau=0&p_dvt=3&p_bsls=0&p_gis=0&p_fds=20409&p_cco=0&p_ccgx=0&p_cce=1&p_cced=1&p_ccnsv=0&p_ccnu=0&p_ccna=0&p_ccnl=0&p_lit=0&p_age=0&p_tcy=0&p_pct=0&p_jct=0

tls, http

._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe

1.5kB
7.6kB
14
11

HTTP Request

GET https://shepherd.ff.avast.com/?p_lng=en&p_lid=en-us&p_ads=1&p_devrsrch=1&p_thrdprt=0&p_thrdtr=0&p_midex=488DCA4C15F9A1D330AD312B391A804E00000000000000000000000000000000&p_hid=6c5699e1-6f7b-4658-8947-57c02a9fea05&p_ubs=50&p_trs=0&p_alp=0&p_jar=0&p_cclic=&p_chcc=0&p_bld=&p_pro=90&p_vep=6&p_ves=17&p_vbd=10746&p_osv=10.0&p_gksw=1&p_chr=0&p_sbi=0&p_scbu=0&p_tos=0&p_bau=0&p_dvt=3&p_bsls=0&p_gis=0&p_fds=20409&p_cco=0&p_ccgx=0&p_cce=1&p_cced=1&p_ccnsv=0&p_ccnu=0&p_ccna=0&p_ccnl=0&p_lit=0&p_age=0&p_tcy=0&p_pct=0&p_jct=0

HTTP Response

200
34.111.24.1:443

https://ipm-provider.ff.avast.com/?action=1&p_elm=229&p_lng=en&p_lid=en-us&p_ads=1&p_devrsrch=1&p_thrdprt=0&p_thrdtr=0&p_midex=488DCA4C15F9A1D330AD312B391A804E00000000000000000000000000000000&p_hid=6c5699e1-6f7b-4658-8947-57c02a9fea05&p_ubs=50&p_trs=0&p_alp=0&p_jar=0&p_cclic=&p_chcc=0&p_bld=&p_pro=90&p_vep=6&p_ves=17&p_vbd=10746&p_osv=10.0&p_gksw=1&p_chr=0&p_sbi=0&p_scbu=0&p_tos=0&p_bau=0&p_dvt=3&p_bsls=0&p_gis=0&p_fds=20409&p_cco=0&p_ccgx=0&p_cce=1&p_cced=1&p_ccnsv=0&p_ccnu=0&p_ccna=0&p_ccnl=0&p_lit=0&p_age=0&p_tcy=0&p_pct=0&p_jct=0&p_lex=-1&p_pctn=0&p_iau=0&p_qcm=0&p_hcm=1&p_sum=1&p_ost=0&p_scr=1

tls, http

._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe

2.7kB
35.9kB
37
34

HTTP Request

GET https://ipm-provider.ff.avast.com/?action=1&p_elm=229&p_lng=en&p_lid=en-us&p_ads=1&p_devrsrch=1&p_thrdprt=0&p_thrdtr=0&p_midex=488DCA4C15F9A1D330AD312B391A804E00000000000000000000000000000000&p_hid=6c5699e1-6f7b-4658-8947-57c02a9fea05&p_ubs=50&p_trs=0&p_alp=0&p_jar=0&p_cclic=&p_chcc=0&p_bld=&p_pro=90&p_vep=6&p_ves=17&p_vbd=10746&p_osv=10.0&p_gksw=1&p_chr=0&p_sbi=0&p_scbu=0&p_tos=0&p_bau=0&p_dvt=3&p_bsls=0&p_gis=0&p_fds=20409&p_cco=0&p_ccgx=0&p_cce=1&p_cced=1&p_ccnsv=0&p_ccnu=0&p_ccna=0&p_ccnl=0&p_lit=0&p_age=0&p_tcy=0&p_pct=0&p_jct=0&p_lex=-1&p_pctn=0&p_iau=0&p_qcm=0&p_hcm=1&p_sum=1&p_ost=0&p_scr=1

HTTP Response

200
34.111.175.102:443

https://ip-info.ff.avast.com/v1/info

tls, http

._cache_Synaptics.exe

1.0kB
4.9kB
13
10

HTTP Request

GET https://ip-info.ff.avast.com/v1/info

HTTP Response

200
34.111.175.102:443

https://ip-info.ff.avast.com/v1/info

tls, http

._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe

975 B
4.9kB
12
9

HTTP Request

GET https://ip-info.ff.avast.com/v1/info

HTTP Response

200
104.96.174.89:443

https://www.ccleaner.com/go/app_cc_pro_trialkey

tls, http

._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe

1.3kB
5.8kB
13
9

HTTP Request

GET https://www.ccleaner.com/go/app_cc_pro_trialkey

HTTP Response

200
104.96.174.89:443

https://www.ccleaner.com/auto?a=0&p=cc&v=6.17.10746&l=1033&lk=&mk=8XMV-Y7SM-MYU9-GW8M-T7HN-F5VJ-H6K2-4GXB-TFE5&o=10.0W6&au=2&mx=488DCA4C15F9A1D330AD312B391A804E00000000000000000000000000000000&gd=6c5699e1-6f7b-4658-8947-57c02a9fea05&isAdmin=1&isElevated=1

tls, http

._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe

1.5kB
6.1kB
13
10

HTTP Request

GET https://www.ccleaner.com/auto?a=0&p=cc&v=6.17.10746&l=1033&lk=&mk=8XMV-Y7SM-MYU9-GW8M-T7HN-F5VJ-H6K2-4GXB-TFE5&o=10.0W6&au=2&mx=488DCA4C15F9A1D330AD312B391A804E00000000000000000000000000000000&gd=6c5699e1-6f7b-4658-8947-57c02a9fea05&isAdmin=1&isElevated=1

HTTP Response

200
104.96.174.89:443

https://www.ccleaner.com/auto?a=0&p=cc&v=6.17.10746&l=1033&lk=&mk=8XMV-Y7SM-MYU9-GW8M-T7HN-F5VJ-H6K2-4GXB-TFE5&o=10.0W6&au=2&mx=488DCA4C15F9A1D330AD312B391A804E00000000000000000000000000000000&gd=6c5699e1-6f7b-4658-8947-57c02a9fea05&isAdmin=1&isElevated=1

tls, http

._cache_Synaptics.exe

1.7kB
6.7kB
14
13

HTTP Request

GET https://www.ccleaner.com/go/app_cc_pro_trialkey

HTTP Response

200

HTTP Request

GET https://www.ccleaner.com/auto?a=0&p=cc&v=6.17.10746&l=1033&lk=&mk=8XMV-Y7SM-MYU9-GW8M-T7HN-F5VJ-H6K2-4GXB-TFE5&o=10.0W6&au=2&mx=488DCA4C15F9A1D330AD312B391A804E00000000000000000000000000000000&gd=6c5699e1-6f7b-4658-8947-57c02a9fea05&isAdmin=1&isElevated=1

HTTP Response

200
142.250.200.35:80

http://c.pki.goog/r/r1.crl

http

._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe

349 B
1.7kB
5
4

HTTP Request

GET http://c.pki.goog/r/r1.crl

HTTP Response

200
142.250.200.35:80

http://c.pki.goog/r/r1.crl

http

._cache_Synaptics.exe

395 B
1.8kB
6
5

HTTP Request

GET http://c.pki.goog/r/r1.crl

HTTP Response

200
104.96.174.89:443

https://license-api.ccleaner.com/product/v1/verify?p=ccpro&c=cc&cv=6.17.10746&l=1033&lk=CJ9T-J7CU-SPNV-GWMB-WBEC&mk=8XMV-Y7SM-MYU9-GW8M-T7HN-F5VJ-H6K2-4GXB-TFE5&mx=488DCA4C15F9A1D330AD312B391A804E00000000000000000000000000000000&gd=6c5699e1-6f7b-4658-8947-57c02a9fea05

tls, http

._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe

1.5kB
5.7kB
13
9

HTTP Request

GET https://license-api.ccleaner.com/product/v1/verify?p=ccpro&c=cc&cv=6.17.10746&l=1033&lk=CJ9T-J7CU-SPNV-GWMB-WBEC&mk=8XMV-Y7SM-MYU9-GW8M-T7HN-F5VJ-H6K2-4GXB-TFE5&mx=488DCA4C15F9A1D330AD312B391A804E00000000000000000000000000000000&gd=6c5699e1-6f7b-4658-8947-57c02a9fea05

HTTP Response

200
104.96.174.89:443

https://license-api.ccleaner.com/product/v1/verify?p=ccpro&c=cc&cv=6.17.10746&l=1033&lk=CJ9T-J7CU-SPNV-GWMB-WBEC&mk=8XMV-Y7SM-MYU9-GW8M-T7HN-F5VJ-H6K2-4GXB-TFE5&mx=488DCA4C15F9A1D330AD312B391A804E00000000000000000000000000000000&gd=6c5699e1-6f7b-4658-8947-57c02a9fea05

tls, http

._cache_Synaptics.exe

1.6kB
5.8kB
15
11

HTTP Request

GET https://license-api.ccleaner.com/product/v1/verify?p=ccpro&c=cc&cv=6.17.10746&l=1033&lk=CJ9T-J7CU-SPNV-GWMB-WBEC&mk=8XMV-Y7SM-MYU9-GW8M-T7HN-F5VJ-H6K2-4GXB-TFE5&mx=488DCA4C15F9A1D330AD312B391A804E00000000000000000000000000000000&gd=6c5699e1-6f7b-4658-8947-57c02a9fea05

HTTP Response

200
142.250.200.35:80

http://o.pki.goog/s/wr3/R_4/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQSq0i5t2Pafi2Gw9uzwnc7KTctWgQUx4H1%2FY6I2QA8TWOiUDEkoM4j%2FiMCEEf%2BFZGpnvWuEEGk5mBYdOg%3D

http

._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe

471 B
1.2kB
5
3

HTTP Request

GET http://o.pki.goog/s/wr3/R_4/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQSq0i5t2Pafi2Gw9uzwnc7KTctWgQUx4H1%2FY6I2QA8TWOiUDEkoM4j%2FiMCEEf%2BFZGpnvWuEEGk5mBYdOg%3D

HTTP Response

200
142.250.200.35:80

http://o.pki.goog/s/wr3/R_4/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQSq0i5t2Pafi2Gw9uzwnc7KTctWgQUx4H1%2FY6I2QA8TWOiUDEkoM4j%2FiMCEEf%2BFZGpnvWuEEGk5mBYdOg%3D

http

._cache_Synaptics.exe

517 B
1.3kB
6
4

HTTP Request

GET http://o.pki.goog/s/wr3/R_4/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQSq0i5t2Pafi2Gw9uzwnc7KTctWgQUx4H1%2FY6I2QA8TWOiUDEkoM4j%2FiMCEEf%2BFZGpnvWuEEGk5mBYdOg%3D

HTTP Response

200
142.250.200.35:80

http://o.pki.goog/s/wr3/u7Y/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBQSq0i5t2Pafi2Gw9uzwnc7KTctWgQUx4H1%2FY6I2QA8TWOiUDEkoM4j%2FiMCEQC7tqiwmrg75ApyAYGAkqit

http

._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe

467 B
1.2kB
5
3

HTTP Request

GET http://o.pki.goog/s/wr3/u7Y/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBQSq0i5t2Pafi2Gw9uzwnc7KTctWgQUx4H1%2FY6I2QA8TWOiUDEkoM4j%2FiMCEQC7tqiwmrg75ApyAYGAkqit

HTTP Response

200
142.250.179.238:443

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

tls, http

Synaptics.exe

1.9kB
11.3kB
16
14

HTTP Request

GET https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

HTTP Response

303

HTTP Request

GET https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

HTTP Response

303

HTTP Request

GET https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

HTTP Response

303
142.250.200.35:80

http://o.pki.goog/wr2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEQDkqhDvrMuENxBpWocUnIUC

http

Synaptics.exe

736 B
1.6kB
6
4

HTTP Request

GET http://o.pki.goog/wr2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEQD8Elu9WzbqaxI7ClVJiEyf

HTTP Response

200

HTTP Request

GET http://o.pki.goog/wr2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEQDkqhDvrMuENxBpWocUnIUC

HTTP Response

200
216.58.212.193:443

https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

tls, http

Synaptics.exe

2.4kB
14.7kB
23
21

HTTP Request

GET https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

HTTP Response

404

HTTP Request

GET https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

HTTP Response

404

HTTP Request

GET https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

HTTP Response

404
95.100.245.152:443

https://download.ccleaner.com/update/ccleaner/ccupdate631_free.exe?HWID=488DCA4C15F9A1D330AD312B391A804E00000000000000000000000000000000

tls, http

._cache_Synaptics.exe

4.5MB
92.9MB
66598
66519

HTTP Request

GET https://download.ccleaner.com/update/ccleaner/ccupdate631_free.exe?HWID=488DCA4C15F9A1D330AD312B391A804E00000000000000000000000000000000

HTTP Response

200

8.8.8.8:53

8.8.8.8.in-addr.arpa

dns

66 B
90 B
1
1

DNS Request

8.8.8.8.in-addr.arpa
8.8.8.8:53

97.17.167.52.in-addr.arpa

dns

71 B
145 B
1
1

DNS Request

97.17.167.52.in-addr.arpa
8.8.8.8:53

172.210.232.199.in-addr.arpa

dns

74 B
128 B
1
1

DNS Request

172.210.232.199.in-addr.arpa
8.8.8.8:53

4.159.190.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

4.159.190.20.in-addr.arpa
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

ncc.avast.com

dns

._cache_Synaptics.exe

59 B
164 B
1
1

DNS Request

ncc.avast.com

DNS Response

2.18.190.163

2.18.190.168
8.8.8.8:53

163.190.18.2.in-addr.arpa

dns

71 B
135 B
1
1

DNS Request

163.190.18.2.in-addr.arpa
8.8.8.8:53

xred.mooo.com

dns

Synaptics.exe

59 B
118 B
1
1

DNS Request

xred.mooo.com
8.8.8.8:53

freedns.afraid.org

dns

Synaptics.exe

64 B
80 B
1
1

DNS Request

freedns.afraid.org

DNS Response

69.42.215.252
8.8.8.8:53

46.28.109.52.in-addr.arpa

dns

71 B
145 B
1
1

DNS Request

46.28.109.52.in-addr.arpa
8.8.8.8:53

31.243.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

31.243.111.52.in-addr.arpa
224.0.0.251:5353

57 B
1
8.8.8.8:53

95.16.208.104.in-addr.arpa

dns

72 B
146 B
1
1

DNS Request

95.16.208.104.in-addr.arpa
8.8.8.8:53

252.215.42.69.in-addr.arpa

dns

144 B
144 B
2
2

DNS Request

252.215.42.69.in-addr.arpa

DNS Request

252.215.42.69.in-addr.arpa
8.8.8.8:53

analytics.avcdn.net

dns

._cache_Synaptics.exe

65 B
150 B
1
1

DNS Request

analytics.avcdn.net

DNS Response

34.117.223.223
8.8.8.8:53

223.223.117.34.in-addr.arpa

dns

73 B
126 B
1
1

DNS Request

223.223.117.34.in-addr.arpa
8.8.8.8:53

13.86.106.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

13.86.106.20.in-addr.arpa
8.8.8.8:53

shepherd.ff.avast.com

dns

._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe

67 B
110 B
1
1

DNS Request

shepherd.ff.avast.com

DNS Response

34.160.176.28
8.8.8.8:53

ip-info.ff.avast.com

dns

._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe

66 B
108 B
1
1

DNS Request

ip-info.ff.avast.com

DNS Response

34.111.175.102
8.8.8.8:53

www.ccleaner.com

dns

._cache_Synaptics.exe

62 B
157 B
1
1

DNS Request

www.ccleaner.com

DNS Response

104.96.174.89
8.8.8.8:53

ipm-provider.ff.avast.com

dns

._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe

71 B
114 B
1
1

DNS Request

ipm-provider.ff.avast.com

DNS Response

34.111.24.1
8.8.8.8:53

c.pki.goog

dns

._cache_Synaptics.exe

56 B
107 B
1
1

DNS Request

c.pki.goog

DNS Response

142.250.200.35
8.8.8.8:53

license-api.ccleaner.com

dns

._cache_Synaptics.exe

70 B
173 B
1
1

DNS Request

license-api.ccleaner.com

DNS Response

104.96.174.89
8.8.8.8:53

o.pki.goog

dns

Synaptics.exe

56 B
107 B
1
1

DNS Request

o.pki.goog

DNS Response

142.250.200.35
8.8.8.8:53

28.176.160.34.in-addr.arpa

dns

72 B
124 B
1
1

DNS Request

28.176.160.34.in-addr.arpa
8.8.8.8:53

1.24.111.34.in-addr.arpa

dns

70 B
120 B
1
1

DNS Request

1.24.111.34.in-addr.arpa
8.8.8.8:53

89.174.96.104.in-addr.arpa

dns

72 B
137 B
1
1

DNS Request

89.174.96.104.in-addr.arpa
8.8.8.8:53

102.175.111.34.in-addr.arpa

dns

73 B
126 B
1
1

DNS Request

102.175.111.34.in-addr.arpa
8.8.8.8:53

35.200.250.142.in-addr.arpa

dns

73 B
111 B
1
1

DNS Request

35.200.250.142.in-addr.arpa
8.8.8.8:53

197.87.175.4.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

197.87.175.4.in-addr.arpa
8.8.8.8:53

241.42.69.40.in-addr.arpa

dns

71 B
145 B
1
1

DNS Request

241.42.69.40.in-addr.arpa
8.8.8.8:53

133.130.81.91.in-addr.arpa

dns

72 B
147 B
1
1

DNS Request

133.130.81.91.in-addr.arpa
8.8.8.8:53

172.214.232.199.in-addr.arpa

dns

74 B
128 B
1
1

DNS Request

172.214.232.199.in-addr.arpa
8.8.8.8:53

docs.google.com

dns

Synaptics.exe

122 B
154 B
2
2

DNS Request

docs.google.com

DNS Request

docs.google.com

DNS Response

142.250.179.238

DNS Response

142.250.179.238
8.8.8.8:53

drive.usercontent.google.com

dns

Synaptics.exe

148 B
180 B
2
2

DNS Request

drive.usercontent.google.com

DNS Request

drive.usercontent.google.com

DNS Response

216.58.212.193

DNS Response

216.58.212.193
8.8.8.8:53

238.179.250.142.in-addr.arpa

dns

74 B
113 B
1
1

DNS Request

238.179.250.142.in-addr.arpa
8.8.8.8:53

193.212.58.216.in-addr.arpa

dns

73 B
171 B
1
1

DNS Request

193.212.58.216.in-addr.arpa
8.8.8.8:53

download.ccleaner.com

dns

._cache_Synaptics.exe

134 B
336 B
2
2

DNS Request

download.ccleaner.com

DNS Request

download.ccleaner.com

DNS Response

95.100.245.152

DNS Response

95.100.245.152
8.8.8.8:53

152.245.100.95.in-addr.arpa

dns

365 B
139 B
5
1

DNS Request

152.245.100.95.in-addr.arpa

DNS Request

152.245.100.95.in-addr.arpa

DNS Request

152.245.100.95.in-addr.arpa

DNS Request

152.245.100.95.in-addr.arpa

DNS Request

152.245.100.95.in-addr.arpa
8.8.8.8:53

22.236.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

22.236.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Software Discovery

T1518

Security Software Discovery

T1518.001

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
34.7MB

MD5
253baf4a712d3bacc42c2c944c688feb

SHA1
9c54c6810b05ad51f31a14acd60131dca259716e

SHA256
35acdf1a5578a8605697cc8053509c51e8737921168f6f9917ba72d4e8bdc3ee

SHA512
3cc204d205fc509ebc6b0857de825b1e4fc4c5b0478fe44bb3a0e97d4bed95e67878ebee824e3e69d94b663c0abf7c21c2a31021d4e30e788c7e5451111c4d91

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\05DDC6AA91765AACACDB0A5F96DF8199

Filesize
854B

MD5
e935bc5762068caf3e24a2683b1b8a88

SHA1
82b70eb774c0756837fe8d7acbfeec05ecbf5463

SHA256
a8accfcfeb51bd73df23b91f4d89ff1a9eb7438ef5b12e8afda1a6ff1769e89d

SHA512
bed4f6f5357b37662623f1f8afed1a3ebf3810630b2206a0292052a2e754af9dcfe34ee15c289e3d797a8f33330e47c14cbefbc702f74028557ace29bf855f9e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
1c3c3a439f6400df150a66b04100ab7b

SHA1
588b6fca2a794156f667893eb9547d7e0bfcfffa

SHA256
b4cb73b6230bd4737eeb672f6c982e2de6e9076ecdf0d2a19921b7f2f08f9772

SHA512
f4329ef97a8987ac9195ea89c3f48cf88635b2985f1eba6c6c5225c00e627ec422c03eaa112d5e3576109520be0bf4325e8d9976a8c191bfccb56f855c958f48

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\AFF4C9FF97737D462CF50EC898BC7191_BC43DAD391BCDC812EDD5190FB536EA5

Filesize
471B

MD5
b53693044134a8ca0c1ab6f8dafd76aa

SHA1
af860bf27f299483b0bb4897f29e93a9763415a5

SHA256
94f30126ccfc56044a5afb106537e69803723f015f3e0840dce93d56023808be

SHA512
af8877df4090daf59bbe16c29e406ffea159d7df8ccb56c1bf5e90188bc654b347eb76c9b4cff0874e5d619e0799734deccac99f0e773d6e4d1ac53646ca7848

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

Filesize
471B

MD5
928ef8af7c167e1a1f495ec32806d23c

SHA1
b89bfa0b58b353e6989e09e996291bd5caf23040

SHA256
df2ddf87cf4f09af856ae95bcc11ef25a1a24700f6d76a7281e0005f9e4c59e8

SHA512
06ed382a217cda42e96bb588540f17b706c05c122417a1fb8c60faf17fe586b6c9610b299a5fb264f47f2ea5eb42b34fd00ff27735a8cfee7b8d63a52365a1e0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E573CDF4C6D731D56A665145182FD759_AFB3BE9383420FBAFF24AD413EEA555E

Filesize
471B

MD5
2be0d2e5e52fe2fa24ffe155f3a0dd43

SHA1
d49f72d71ba4ad6263aa62458a4aa7dd967657a6

SHA256
552c7807b616aacb076347e44af70f044acf7baf4839831c44f12b490734b257

SHA512
4bc19353bac1f82cc542ab1fdc6d65d5bbd3a18cd6588625d355eb45d255dc9bd9cef4886f2648f094230ca8d03b3c1a978b6dac1c6e54055931974f0f24f9bd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\05DDC6AA91765AACACDB0A5F96DF8199

Filesize
170B

MD5
afed79916c76a20b9f3be9de4f63a0b3

SHA1
6c8b6bb0532c1bd82ddf4fc43800988001d962aa

SHA256
275a964b01716a73e470216942a9c8ea40df58f29fa7d06e5847111166be46f3

SHA512
36c78862ac5a7dc12bb8ae3b97a61a1e0d63954a70af13bce645083dbfa1e9cc44eb6975a3a6a02e846dff5ecf58c2654b6fecf6a79e291f35b465128657c48f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\05DDC6AA91765AACACDB0A5F96DF8199

Filesize
170B

MD5
894bb1f497d6af8ad463615479a06fd4

SHA1
d5507945bc9b11dd65f40cfdeec4ee8cbd0ec2cf

SHA256
7861b2f2955190aa87c0ace43fb1a636badd5f8ed3fbea18723e0c9a2da2bca3

SHA512
04fecb01cc6d4c7ca770bef3f564d27b7647a04bf4438a2c48bd48ed1512e9c77b98c9b739abb08086ec213769eaf3c838fb0f81eca86488a57c56e885fbe093

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
00047fdbc218898842240e2d2c2e105d

SHA1
3ec709b2c267c60a1fa0cf16246355a4c4aa87c3

SHA256
d65e4816e3c1659ba1dd4aa38a8c31e5e17d2f3118760f1bb028bbfb6f255233

SHA512
635850e264a95469cad9da67f9927b213a60a3e6054e8d51ffb773399c424674eb4120bfea8c33aae3cca381a038e62a7443e0c93c2ed14fe6cf5520591dfd34

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\AFF4C9FF97737D462CF50EC898BC7191_BC43DAD391BCDC812EDD5190FB536EA5

Filesize
414B

MD5
b72abadb4f5960f1401361ea1fb238c3

SHA1
9cb753c9794607eabf962fa8b7ae69cecebd8609

SHA256
4933fc76077e5d290a4dffc74c4a57f693affa8e70938d72e09891ca2e1d51c3

SHA512
cd369d03a30085c3613c37390cfee50b165fc5430750854a8b3c107030f267b2d21a088f023685b26df2bc0e8812d8fe5e49590099769d68d1707ab6bf7daee7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

Filesize
400B

MD5
2875de4ee72f439bdeaba21692390667

SHA1
880cad8fed9beec490dc960e38987c2d1c7fa354

SHA256
ef6e1fd781ebc905ce849c9b300cfb33bc69de3d8140b806fcf46338d489d710

SHA512
1c5883a4cd7d343ccd611628387827084fe3e0b7619bc46add388bc20ff7dab518eb2029eec4cf7f354737558590302038ee8803a89d6c8c1cad1b792c431c2d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E573CDF4C6D731D56A665145182FD759_AFB3BE9383420FBAFF24AD413EEA555E

Filesize
404B

MD5
f8d7e2933dab55ca465ab6843611eb69

SHA1
d29a42dd35105c7c3633a2e05c4120b3f6201087

SHA256
453243f703cd236e768450b32c2acc23266a3b104dd370727a5fb5f473dd9669

SHA512
ed2a3ae053016e619dc8b0081383b63d474dd3c3bf740cddb30996eded7cae642fc9a9554ac1649771989bfadb721204f61c3dc6f305d2f9d8bcd07673800a97

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\V01.chk

Filesize
8KB

MD5
e54c5dc41d98688d0a317bbc45d2142e

SHA1
60b83b012758c271ef3c0a81a4e56f51e32dd6f8

SHA256
0723fb3eca33edd1dea01fa86b127b13f0b25dee255702a3b54fbc1659e56b44

SHA512
541769557b88ccfb3cad08cc6a092d59af232380435b62232c281997a6ec30a325dc8233c149057746cac9351dfe131d162cd167e5d89ae64ea4cd288a47002c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\V01.log

Filesize
512KB

MD5
444ecdaebf4ac4142e3d49f89a477b71

SHA1
488aaa0312256ed53c3274abfab3eef0fac27860

SHA256
1804e8dc9994e88ec7f37fea7e1e4673f4263cf2845b675ea50a504a66567f01

SHA512
82388333b5a56beb3f32c2baf2007806485e6df95677a75f8c919e6509cf850b2ef7f2006868978ad0c0a3ea7a2fdc364e7e7dac9fd28b62df36105f9fc5ed2e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\V01.log

Filesize
512KB

MD5
84b470feee70025d205a0948119314e8

SHA1
be1936b6357b98de0d21c6610f4d15db947ceae4

SHA256
8defc1922ee90b8dd14ed303bd129304a1d13f21855658db117332063b5f3075

SHA512
c424d2e03cc929a2d33fb3290f358ce9b8da83d98ac51b37d0d76326e5cde2a4b1803ef505238f7a0c2ce7f69deefd33b8d5a112137b68e84fff35d75cb9e7fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\V0100003.log

Filesize
512KB

MD5
0b2d7ddfd883c98aec72bcc94016b15a

SHA1
a2649316db1f4cb2062e517470ce467a2f97fa01

SHA256
e46b66846fd2e73a640a3bb32df8e6f35e1464dc44f318f8f55515fa58b80cac

SHA512
0c2612d4008d571025ff9ebba1d0f62bcf52c963614346de332c2a93ce28c872f663ff439bc43a51f5f5a4d78049e132a65fc622635308f3f7542c7afaceaa5e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat

Filesize
14.0MB

MD5
481a736233a5005934c302fa622ba4bd

SHA1
8105575bc539345f5e36f41c8f0d30b0140013e4

SHA256
03db63fc0f6b720ec767d1cf81a90362920f4b27c3e54d1689f1f01559f41129

SHA512
18b08e4348e8996ef78753d9250e402a66ef07bfc35771cf5486e7f04368d385224ab0cb62581b99afb33acb1add1c3e6dbeef1ce6fc752e77d160317be39621

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat

Filesize
14.0MB

MD5
0e56d964b9e4357d9c060762450491df

SHA1
987a16099a9608454484e01275adda4bcf9b2c2c

SHA256
a55e0abcc94392e2a14cbf8196a6837c1efcfce50d1ff0d6a0599efb1bb837c0

SHA512
be778458fe7ee7d25197634771404998496c809dec4bc0b281c2e80083c78ed5b4db488dc02a6a97a25c51b7851afd7ecb86ac0365581c62985aca4ee5a01006

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.jfm

Filesize
16KB

MD5
544b2f2841a77ee73ea816fe33734190

SHA1
e29d37995866558ba807d092449b72bd1070e00b

SHA256
5747eae5fc26f87595c50c32210e09e12b8354fd13cb5a4e28785e268e1d6dbc

SHA512
d165f0a8a078ce637a28ae5b9e8835982fc4a2b479560e30f3cb8e87c90e068f1096c4d957c6de09a0a4380a9e1afbb5e868b12707ed32ba1e3ea3e109d3b426

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe

Filesize
34.0MB

MD5
06eadb849e2ee12b9420341705924c02

SHA1
10b23245275539577fd38669bfa0084a0579ee4d

SHA256
9267b511128b7a95c767f018a7954f80ace1d3e5df3682e691b38f83bd65fc28

SHA512
ebaefdc61c81c9f5870c6867cceb7ddbd9ff320a5dd9a950fb513142b433e741ee96f104aaa247968acf56db831b974e51f2bc7c9a1f7a01718622ea701e1aad

Download Submit
C:\Users\Admin\AppData\Local\Temp\81B75E00

Filesize
22KB

MD5
5779d432119de40fb68c3a00cfce7035

SHA1
b43501802ddb9d4a20c26f7f383c10d288dd0cf0

SHA256
13737ef840856de73a195cb3ef164c47b127d18077724215939da60b307e1dd6

SHA512
28938a5ad326adfb98efc32df685ad4c735f2f663be98e82eb1eae3965dadd154fe3f2fcc60cbcdbc6359e676dff8231e241c5e99da2baee0407d33af57821e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Setup\config.def

Filesize
48B

MD5
a7aae01415beba879259774ff60e4e07

SHA1
a169b7b90824154893ef8ca3ceb68483e794c118

SHA256
f79e0c02b2b3cfa15324e66531a4045c465ef3dcbd739a04b3e62d7977834479

SHA512
0539a6751bd2143906fda9c9aa89a09d9d448821512b719deecbe132921f4b190f6d1165176dd907d0a0157f85573f3a5726cb6d72e717aeeb101449f9cdf6d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ThGtTrWW.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\gcapi_17361302753544.dll

Filesize
600KB

MD5
f637d5d3c3a60fddb5dd397556fe9b1d

SHA1
66f0c4f137870a9927400ea00facc00193ef21e3

SHA256
641b843cb6ee7538ec267212694c9ef0616b9ac9ab14a0abd7cf020678d50b02

SHA512
e96984f2f9c6858e989f10fd8e71b09a8a640c9be2fb87ac1692d9bca7107d7a837f8fbdcc46c01a6107dd9020994c5a6f975b7e16434e9b2bf1c43b1f0d8b31

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-us\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
memory/740-267-0x0000000000400000-0x00000000026C6000-memory.dmp

Filesize
34.8MB

Download
memory/3536-136-0x0000000000400000-0x00000000026C6000-memory.dmp

Filesize
34.8MB

Download
memory/3536-0-0x00000000028C0000-0x00000000028C1000-memory.dmp

Filesize
4KB

Download
memory/3544-121-0x0000000000050000-0x0000000000051000-memory.dmp

Filesize
4KB

Download
memory/3544-72-0x0000000000030000-0x0000000000031000-memory.dmp

Filesize
4KB

Download
memory/3544-73-0x0000000000040000-0x0000000000041000-memory.dmp

Filesize
4KB

Download
memory/3544-122-0x0000000000060000-0x0000000000061000-memory.dmp

Filesize
4KB

Download
memory/3544-282-0x000000000D0F0000-0x000000000D100000-memory.dmp

Filesize
64KB

Download
memory/3544-288-0x000000000D330000-0x000000000D340000-memory.dmp

Filesize
64KB

Download
memory/3544-71-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/3544-70-0x0000000000010000-0x0000000000011000-memory.dmp

Filesize
4KB

Download
memory/3544-123-0x0000000000070000-0x0000000000071000-memory.dmp

Filesize
4KB

Download
memory/3544-124-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/3720-198-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/3720-205-0x0000000000040000-0x0000000000041000-memory.dmp

Filesize
4KB

Download
memory/3720-197-0x0000000000010000-0x0000000000011000-memory.dmp

Filesize
4KB

Download
memory/3720-209-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/3720-208-0x0000000000070000-0x0000000000071000-memory.dmp

Filesize
4KB

Download
memory/3720-207-0x0000000000060000-0x0000000000061000-memory.dmp

Filesize
4KB

Download
memory/3720-206-0x0000000000050000-0x0000000000051000-memory.dmp

Filesize
4KB

Download
memory/3720-200-0x0000000000030000-0x0000000000031000-memory.dmp

Filesize
4KB

Download
memory/4424-199-0x00007FF97BC50000-0x00007FF97BC60000-memory.dmp

Filesize
64KB

Download
memory/4424-203-0x00007FF97BC50000-0x00007FF97BC60000-memory.dmp

Filesize
64KB

Download
memory/4424-204-0x00007FF97BC50000-0x00007FF97BC60000-memory.dmp

Filesize
64KB

Download
memory/4424-215-0x00007FF979500000-0x00007FF979510000-memory.dmp

Filesize
64KB

Download
memory/4424-202-0x00007FF97BC50000-0x00007FF97BC60000-memory.dmp

Filesize
64KB

Download
memory/4424-201-0x00007FF97BC50000-0x00007FF97BC60000-memory.dmp

Filesize
64KB

Download
memory/4424-214-0x00007FF979500000-0x00007FF979510000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response