Resubmissions

20/04/2025, 00:10 UTC

250420-agcc8axyax 10

16/04/2025, 11:04 UTC

250416-m58gsaz1ay 10

15/04/2025, 17:34 UTC

250415-v5ylksypw9 10

15/04/2025, 06:16 UTC

250415-g1p7ras1dw 10

14/04/2025, 08:06 UTC

250414-jzpwpstxhx 10

14/04/2025, 07:59 UTC

250414-jvg1assky4 10

14/04/2025, 07:22 UTC

250414-h7g1dss1h1 10

14/04/2025, 07:16 UTC

250414-h3xv2s1nv6 10

Analysis

  • max time kernel
    149s
  • max time network
    128s
  • platform
    windows11-21h2_x64
  • resource
    win11-20250410-en
  • resource tags

    arch:x64, arch:x86, image:win11-20250410-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    15/04/2025, 06:16 UTC

General

  • Target

    Archive.zip__ccacaxs2tbz2t6ob3e.exe

  • Size

    430KB

  • MD5

    a3cab1a43ff58b41f61f8ea32319386b

  • SHA1

    94689e1a9e1503f1082b23e6d5984d4587f3b9ec

  • SHA256

    005d3b2b78fa134092a43e53112e5c8518f14cf66e57e6a3cc723219120baba6

  • SHA512

    8f084a866c608833c3bf95b528927d9c05e8d4afcd8a52c3434d45c8ba8220c25d2f09e00aade708bbbc83b4edea60baf826750c529e8e9e05b1242c56d0198d

  • SSDEEP

    6144:vU9Q9tD5WuDQa4t3BMgLkzvCOnYxcEaSAOPou8BWinO8DR:8Q9tD5WyQlBBVAnYxRhr8DR

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Archive.zip__ccacaxs2tbz2t6ob3e.exe
    "C:\Users\Admin\AppData\Local\Temp\Archive.zip__ccacaxs2tbz2t6ob3e.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4568
    • C:\Users\Admin\AppData\Local\Temp\8E07.tmp.exe
      C:\Users\Admin\AppData\Local\Temp\8E07.tmp.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:3404
  • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
    "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:4480

Network

  • flag-us
    DNS
    domainht6.ml
    Archive.zip__ccacaxs2tbz2t6ob3e.exe
    Remote address:
    8.8.8.8:53
    Request
    domainht6.ml
    IN A
    Response
  • flag-us
    DNS
    iplogger.org
    Archive.zip__ccacaxs2tbz2t6ob3e.exe
    Remote address:
    8.8.8.8:53
    Request
    iplogger.org
    IN A
    Response
    iplogger.org
    IN A
    104.26.2.46
    iplogger.org
    IN A
    172.67.74.161
    iplogger.org
    IN A
    104.26.3.46
  • flag-us
    DNS
    ctldl.windowsupdate.com
    Archive.zip__ccacaxs2tbz2t6ob3e.exe
    Remote address:
    8.8.8.8:53
    Request
    ctldl.windowsupdate.com
    IN A
    Response
    ctldl.windowsupdate.com
    IN CNAME
    ctldl.windowsupdate.com.delivery.microsoft.com
    ctldl.windowsupdate.com.delivery.microsoft.com
    IN CNAME
    wu-b-net.trafficmanager.net
    wu-b-net.trafficmanager.net
    IN CNAME
    bg.microsoft.map.fastly.net
    bg.microsoft.map.fastly.net
    IN A
    199.232.210.172
    bg.microsoft.map.fastly.net
    IN A
    199.232.214.172
  • flag-us
    DNS
    c.pki.goog
    Archive.zip__ccacaxs2tbz2t6ob3e.exe
    Remote address:
    8.8.8.8:53
    Request
    c.pki.goog
    IN A
    Response
    c.pki.goog
    IN CNAME
    pki-goog.l.google.com
    pki-goog.l.google.com
    IN A
    142.250.180.3
  • flag-us
    DNS
    8.8.8.8.in-addr.arpa
    Archive.zip__ccacaxs2tbz2t6ob3e.exe
    Remote address:
    8.8.8.8:53
    Request
    8.8.8.8.in-addr.arpa
    IN PTR
    Response
    8.8.8.8.in-addr.arpa
    IN PTR
    dnsgoogle
  • flag-us
    DNS
    ip-api.com
    Archive.zip__ccacaxs2tbz2t6ob3e.exe
    Remote address:
    8.8.8.8:53
    Request
    ip-api.com
    IN A
    Response
    ip-api.com
    IN A
    208.95.112.1
  • flag-us
    DNS
    osdsoft.com
    Archive.zip__ccacaxs2tbz2t6ob3e.exe
    Remote address:
    8.8.8.8:53
    Request
    osdsoft.com
    IN A
    Response
    osdsoft.com
    IN A
    103.224.182.253
  • flag-us
    DNS
    o.ss2.us
    Archive.zip__ccacaxs2tbz2t6ob3e.exe
    Remote address:
    8.8.8.8:53
    Request
    o.ss2.us
    IN A
    Response
    o.ss2.us
    IN A
    18.245.200.133
    o.ss2.us
    IN A
    18.245.200.26
    o.ss2.us
    IN A
    18.245.200.154
    o.ss2.us
    IN A
    18.245.200.5
  • flag-us
    DNS
    250.229.92.52.in-addr.arpa
    Archive.zip__ccacaxs2tbz2t6ob3e.exe
    Remote address:
    8.8.8.8:53
    Request
    250.229.92.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    install.portmdfmoon.com
    Archive.zip__ccacaxs2tbz2t6ob3e.exe
    Remote address:
    8.8.8.8:53
    Request
    install.portmdfmoon.com
    IN A
    Response
  • flag-us
    DNS
    31.243.111.52.in-addr.arpa
    Archive.zip__ccacaxs2tbz2t6ob3e.exe
    Remote address:
    8.8.8.8:53
    Request
    31.243.111.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    GET
    http://iplogger.org/1Wnwe7
    Archive.zip__ccacaxs2tbz2t6ob3e.exe
    Remote address:
    104.26.2.46:80
    Request
    GET /1Wnwe7 HTTP/1.1
    Content-Type: text/html
    Khsopeyrkdmva: hoemckleka
    User-Agent: krldn
    Host: iplogger.org
    Cache-Control: no-cache
    Response
    HTTP/1.1 301 Moved Permanently
    Date: Tue, 15 Apr 2025 06:18:32 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: keep-alive
    Location: https://iplogger.org/1Wnwe7#80
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    cf-cache-status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=rbHYMcxtdAksKajNMbMYmT%2FKP%2FpNfe9k9tJIYkzKpPWNtCn07AFSFNCfrMvMBlJd10o2xpHTXdZfOwR12iQ2JyUSVvFFtwhR0Suulvf34jQqXOKQB8NOZ%2FdYK2ovgak%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 930953836c7493da-LHR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=47190&min_rtt=47190&rtt_var=23595&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=140&delivery_rate=0&cwnd=203&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
  • flag-us
    GET
    https://iplogger.org/1Wnwe7
    Archive.zip__ccacaxs2tbz2t6ob3e.exe
    Remote address:
    104.26.2.46:443
    Request
    GET /1Wnwe7 HTTP/1.1
    Khsopeyrkdmva: hoemckleka
    User-Agent: krldn
    Cache-Control: no-cache
    Host: iplogger.org
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Date: Tue, 15 Apr 2025 06:18:33 GMT
    Content-Type: image/png
    Transfer-Encoding: chunked
    Connection: keep-alive
    Server: cloudflare
    Nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Cf-Ray: 93095388cfce03b9-LHR
    Memory: 0.475830078125
    Expires: Tue, 15 Apr 2025 06:18:33 +0000
    Cache-Control: no-store, no-cache, must-revalidate
    Strict-Transport-Security: max-age=31536000
    X-Frame-Options: SAMEORIGIN
    Cf-Cache-Status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=BCDjldmFwYQXyF1UUzdKIZQ6UrOcWn3O%2FVFy1RzSlg3MC2wMw%2BtXlv0Cy1y5uSFWhKJ1tF4lZh5Zgz89JNpUwc7cSfq%2FhgdJ%2BeBYlMSdFm%2BpKGiQjz9wEZ%2BNuyhGF%2BM%3D"}],"group":"cf-nel","max_age":604800}
    Set-Cookie: 170542143050811435=2; HttpOnly; SameSite=Strict; Secure; Path=/; Max-Age=31536000; Expires=Wed, 15 Apr 2026 06:18:33 GMT
    Set-Cookie: clhf03028ja=181.215.176.43; HttpOnly; SameSite=Strict; Secure; Path=/; Max-Age=31536000; Expires=Wed, 15 Apr 2026 06:18:33 GMT
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=47382&min_rtt=47001&rtt_var=7795&sent=6&recv=9&lost=0&retrans=0&sent_bytes=3277&recv_bytes=529&delivery_rate=84677&cwnd=225&unsent_bytes=0&cid=c9fe616ae9282050&ts=758&x=0"
  • flag-gb
    GET
    http://c.pki.goog/r/gsr1.crl
    Archive.zip__ccacaxs2tbz2t6ob3e.exe
    Remote address:
    142.250.180.3:80
    Request
    GET /r/gsr1.crl HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Microsoft-CryptoAPI/10.0
    Host: c.pki.goog
    Response
    HTTP/1.1 200 OK
    Accept-Ranges: bytes
    Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
    Cross-Origin-Resource-Policy: cross-origin
    Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
    Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
    Content-Length: 1739
    X-Content-Type-Options: nosniff
    Server: sffe
    X-XSS-Protection: 0
    Date: Tue, 15 Apr 2025 06:11:46 GMT
    Expires: Tue, 15 Apr 2025 07:01:46 GMT
    Cache-Control: public, max-age=3000
    Age: 407
    Last-Modified: Mon, 07 Apr 2025 13:58:00 GMT
    Content-Type: application/pkix-crl
    Vary: Accept-Encoding
  • flag-gb
    GET
    http://c.pki.goog/r/r4.crl
    Archive.zip__ccacaxs2tbz2t6ob3e.exe
    Remote address:
    142.250.180.3:80
    Request
    GET /r/r4.crl HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Microsoft-CryptoAPI/10.0
    Host: c.pki.goog
    Response
    HTTP/1.1 200 OK
    Accept-Ranges: bytes
    Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
    Cross-Origin-Resource-Policy: cross-origin
    Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
    Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
    Content-Length: 530
    X-Content-Type-Options: nosniff
    Server: sffe
    X-XSS-Protection: 0
    Date: Tue, 15 Apr 2025 05:51:50 GMT
    Expires: Tue, 15 Apr 2025 06:41:50 GMT
    Cache-Control: public, max-age=3000
    Age: 1603
    Last-Modified: Thu, 03 Apr 2025 14:18:00 GMT
    Content-Type: application/pkix-crl
    Vary: Accept-Encoding
  • flag-us
    GET
    http://ip-api.com/xml
    Archive.zip__ccacaxs2tbz2t6ob3e.exe
    Remote address:
    208.95.112.1:80
    Request
    GET /xml HTTP/1.1
    Content-Type: text/html
    Khsopeyrkdmva: hoemckleka
    User-Agent: krldn
    Host: ip-api.com
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Date: Tue, 15 Apr 2025 06:18:33 GMT
    Content-Type: application/xml; charset=utf-8
    Content-Length: 451
    Access-Control-Allow-Origin: *
    X-Ttl: 60
    X-Rl: 44
  • flag-gb
    POST
    http://google-analytics.com/collect
    Archive.zip__ccacaxs2tbz2t6ob3e.exe
    Remote address:
    172.217.169.68:80
    Request
    POST /collect HTTP/1.1
    Content-Type: text/html
    Gkjfdshfkjjd: dsdjdsjdhv
    User-Agent: jdlnb
    Host: google-analytics.com
    Content-Length: 98
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Access-Control-Allow-Origin: *
    Date: Tue, 15 Apr 2025 06:18:34 GMT
    Pragma: no-cache
    Expires: Fri, 01 Jan 1990 00:00:00 GMT
    Cache-Control: no-cache, no-store, must-revalidate
    Last-Modified: Sun, 17 May 1998 03:00:00 GMT
    X-Content-Type-Options: nosniff
    Content-Type: image/gif
    Cross-Origin-Resource-Policy: cross-origin
    Content-Security-Policy-Report-Only: script-src 'none'; form-action 'none'; frame-src 'none'; report-uri https://csp.withgoogle.com/csp/scaffolding/ascnsrsgac:163:0
    Cross-Origin-Opener-Policy-Report-Only: same-origin; report-to=ascnsrsgac:163:0
    Report-To: {"group":"ascnsrsgac:163:0","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/scaffolding/ascnsrsgac:163:0"}],}
    Server: Golfe2
    Content-Length: 35
  • flag-gb
    POST
    http://google-analytics.com/collect
    Archive.zip__ccacaxs2tbz2t6ob3e.exe
    Remote address:
    172.217.169.68:80
    Request
    POST /collect HTTP/1.1
    Content-Type: text/html
    Gkjfdshfkjjd: dsdjdsjdhv
    User-Agent: jdlnb
    Host: google-analytics.com
    Content-Length: 91
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Access-Control-Allow-Origin: *
    Date: Tue, 15 Apr 2025 06:18:35 GMT
    Pragma: no-cache
    Expires: Fri, 01 Jan 1990 00:00:00 GMT
    Cache-Control: no-cache, no-store, must-revalidate
    Last-Modified: Sun, 17 May 1998 03:00:00 GMT
    X-Content-Type-Options: nosniff
    Content-Type: image/gif
    Cross-Origin-Resource-Policy: cross-origin
    Content-Security-Policy-Report-Only: script-src 'none'; form-action 'none'; frame-src 'none'; report-uri https://csp.withgoogle.com/csp/scaffolding/ascnsrsgac:163:0
    Cross-Origin-Opener-Policy-Report-Only: same-origin; report-to=ascnsrsgac:163:0
    Report-To: {"group":"ascnsrsgac:163:0","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/scaffolding/ascnsrsgac:163:0"}],}
    Server: Golfe2
    Content-Length: 35
  • flag-us
    GET
    http://osdsoft.com/20190118/things.xml
    Archive.zip__ccacaxs2tbz2t6ob3e.exe
    Remote address:
    103.224.182.253:80
    Request
    GET /20190118/things.xml HTTP/1.1
    Content-Type: text/html
    Khsopeyrkdmva: hoemckleka
    User-Agent: krldn
    Host: osdsoft.com
    Cache-Control: no-cache
    Response
    HTTP/1.1 302 Found
    date: Tue, 15 Apr 2025 06:18:34 GMT
    server: Apache
    set-cookie: __tad=1744697914.6000879; expires=Fri, 13-Apr-2035 06:18:34 GMT; Max-Age=315360000
    location: http://ww38.osdsoft.com/20190118/things.xml
    content-length: 2
    content-type: text/html; charset=UTF-8
    connection: close
  • flag-us
    GET
    http://ww38.osdsoft.com/20190118/things.xml
    Archive.zip__ccacaxs2tbz2t6ob3e.exe
    Remote address:
    76.223.26.96:80
    Request
    GET /20190118/things.xml HTTP/1.1
    Khsopeyrkdmva: hoemckleka
    User-Agent: krldn
    Cache-Control: no-cache
    Host: ww38.osdsoft.com
    Connection: Keep-Alive
    Cookie: __tad=1744697914.6000879
    Response
    HTTP/1.1 200 OK
    Accept-Ch: viewport-width
    Accept-Ch: dpr
    Accept-Ch: device-memory
    Accept-Ch: rtt
    Accept-Ch: downlink
    Accept-Ch: ect
    Accept-Ch: ua
    Accept-Ch: ua-full-version
    Accept-Ch: ua-platform
    Accept-Ch: ua-platform-version
    Accept-Ch: ua-arch
    Accept-Ch: ua-model
    Accept-Ch: ua-mobile
    Accept-Ch-Lifetime: 30
    Content-Type: text/html; charset=UTF-8
    Date: Tue, 15 Apr 2025 06:18:35 GMT
    Server: Caddy
    Server: nginx
    Vary: Accept-Encoding
    X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALquDFETXRn0Hr05fUP7EJT77xYnPmRbpMy4vk8KYiHnkNpednjOANJcaXDXcKQJN0nXKZJL7TciJD8AoHXK158CAwEAAQ==_g/5eci+3ZqFjyQa9R7jEoAkh3eKd9EG8CZPmuyoh+GAffdjf8d6BEnidEATz5OVLEloYY65lROuFnrAcTO3ZqQ==
    X-Buckets: bucket011,bucket105,bucket099,bucket088
    X-Domain: osdsoft.com
    X-Language: english
    X-Pcrew-Blocked-Reason: hosting network
    X-Pcrew-Ip-Organization: Cogent Communications
    X-Redirect: skenzo
    X-Subdomain: ww38
    X-Template: tpl_CleanPeppermintBlack_twoclick
    Transfer-Encoding: chunked
  • flag-fr
    GET
    http://ocsp.r2m01.amazontrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBShdVEFnSEQ0gG5CBtzM48cPMe9XwQUgbgOY4qJEhjl%2Bjs7UJWf5uWQE4UCEAJNEsjEFyF3MA%2FSmY4HUQE%3D
    Archive.zip__ccacaxs2tbz2t6ob3e.exe
    Remote address:
    13.249.8.192:80
    Request
    GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBShdVEFnSEQ0gG5CBtzM48cPMe9XwQUgbgOY4qJEhjl%2Bjs7UJWf5uWQE4UCEAJNEsjEFyF3MA%2FSmY4HUQE%3D HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Microsoft-CryptoAPI/10.0
    Host: ocsp.r2m01.amazontrust.com
    Response
    HTTP/1.1 200 OK
    Content-Type: application/ocsp-response
    Content-Length: 471
    Connection: keep-alive
    Cache-Control: max-age=7140
    Expires: Tue, 15 Apr 2025 07:08:10 GMT
    Date: Tue, 15 Apr 2025 05:09:10 GMT
    Server-Timing: cdn-cache; desc=HIT
    Server-Timing: edge; dur=6
    Server-Timing: origin; dur=0
    Akamai-GRN: 0.4b1e1202.1744693750.5c962c53
    X-Cache: Hit from cloudfront
    Via: 1.1 ae1b2f64d909bc787f8b2cb1e91446cc.cloudfront.net (CloudFront)
    X-Amz-Cf-Pop: CDG53-C1
    X-Amz-Cf-Id: zA4wFHIeqHmuH_uWWhj6T__P6C_Zd_CLMb8qaO5kCJjmELQG_5Ut3w==
    Age: 4166
  • flag-gb
    POST
    http://google-analytics.com/collect
    8E07.tmp.exe
    Remote address:
    172.217.169.68:80
    Request
    POST /collect HTTP/1.1
    Content-Type: text/html
    Gkjfdshfkjjd: dsdjdsjdhv
    User-Agent: jdlnb
    Host: google-analytics.com
    Content-Length: 96
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Access-Control-Allow-Origin: *
    Date: Tue, 15 Apr 2025 06:18:37 GMT
    Pragma: no-cache
    Expires: Fri, 01 Jan 1990 00:00:00 GMT
    Cache-Control: no-cache, no-store, must-revalidate
    Last-Modified: Sun, 17 May 1998 03:00:00 GMT
    X-Content-Type-Options: nosniff
    Content-Type: image/gif
    Cross-Origin-Resource-Policy: cross-origin
    Content-Security-Policy-Report-Only: script-src 'none'; form-action 'none'; frame-src 'none'; report-uri https://csp.withgoogle.com/csp/scaffolding/ascnsrsgac:163:0
    Cross-Origin-Opener-Policy-Report-Only: same-origin; report-to=ascnsrsgac:163:0
    Report-To: {"group":"ascnsrsgac:163:0","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/scaffolding/ascnsrsgac:163:0"}],}
    Server: Golfe2
    Content-Length: 35
  • flag-gb
    GET
    http://c.pki.goog/r/r1.crl
    Remote address:
    142.250.180.3:80
    Request
    GET /r/r1.crl HTTP/1.1
    Cache-Control: max-age = 3000
    Connection: Keep-Alive
    Accept: */*
    If-Modified-Since: Thu, 03 Apr 2025 14:18:00 GMT
    User-Agent: Microsoft-CryptoAPI/10.0
    Host: c.pki.goog
    Response
    HTTP/1.1 304 Not Modified
    Date: Tue, 15 Apr 2025 05:32:38 GMT
    Expires: Tue, 15 Apr 2025 06:22:38 GMT
    Age: 2816
    Last-Modified: Thu, 03 Apr 2025 14:18:00 GMT
    Cache-Control: public, max-age=3000
    Vary: Accept-Encoding
  • 104.26.2.46:80
    http://iplogger.org/1Wnwe7
    http
    Archive.zip__ccacaxs2tbz2t6ob3e.exe
    462 B
    1.3kB
    7
    5

    HTTP Request

    GET http://iplogger.org/1Wnwe7

    HTTP Response

    301
  • 104.26.2.46:443
    https://iplogger.org/1Wnwe7
    tls, http
    Archive.zip__ccacaxs2tbz2t6ob3e.exe
    1.2kB
    5.2kB
    14
    11

    HTTP Request

    GET https://iplogger.org/1Wnwe7

    HTTP Response

    200
  • 142.250.180.3:80
    http://c.pki.goog/r/r4.crl
    http
    Archive.zip__ccacaxs2tbz2t6ob3e.exe
    602 B
    3.9kB
    8
    6

    HTTP Request

    GET http://c.pki.goog/r/gsr1.crl

    HTTP Response

    200

    HTTP Request

    GET http://c.pki.goog/r/r4.crl

    HTTP Response

    200
  • 208.95.112.1:80
    http://ip-api.com/xml
    http
    Archive.zip__ccacaxs2tbz2t6ob3e.exe
    411 B
    839 B
    6
    5

    HTTP Request

    GET http://ip-api.com/xml

    HTTP Response

    200
  • 172.217.169.68:80
    http://google-analytics.com/collect
    http
    Archive.zip__ccacaxs2tbz2t6ob3e.exe
    889 B
    1.9kB
    8
    6

    HTTP Request

    POST http://google-analytics.com/collect

    HTTP Response

    200

    HTTP Request

    POST http://google-analytics.com/collect

    HTTP Response

    200
  • 103.224.182.253:80
    http://osdsoft.com/20190118/things.xml
    http
    Archive.zip__ccacaxs2tbz2t6ob3e.exe
    428 B
    518 B
    6
    5

    HTTP Request

    GET http://osdsoft.com/20190118/things.xml

    HTTP Response

    302
  • 76.223.26.96:80
    http://ww38.osdsoft.com/20190118/things.xml
    http
    Archive.zip__ccacaxs2tbz2t6ob3e.exe
    840 B
    9.4kB
    14
    12

    HTTP Request

    GET http://ww38.osdsoft.com/20190118/things.xml

    HTTP Response

    200
  • 52.92.229.250:443
    linkury.s3-us-west-2.amazonaws.com
    tls
    Archive.zip__ccacaxs2tbz2t6ob3e.exe
    6.9kB
    164.8kB
    136
    133
  • 13.249.8.192:80
    http://ocsp.r2m01.amazontrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBShdVEFnSEQ0gG5CBtzM48cPMe9XwQUgbgOY4qJEhjl%2Bjs7UJWf5uWQE4UCEAJNEsjEFyF3MA%2FSmY4HUQE%3D
    http
    Archive.zip__ccacaxs2tbz2t6ob3e.exe
    521 B
    1.2kB
    6
    5

    HTTP Request

    GET http://ocsp.r2m01.amazontrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBShdVEFnSEQ0gG5CBtzM48cPMe9XwQUgbgOY4qJEhjl%2Bjs7UJWf5uWQE4UCEAJNEsjEFyF3MA%2FSmY4HUQE%3D

    HTTP Response

    200
  • 172.217.169.68:80
    http://google-analytics.com/collect
    http
    8E07.tmp.exe
    495 B
    950 B
    5
    3

    HTTP Request

    POST http://google-analytics.com/collect

    HTTP Response

    200
  • 142.250.180.3:80
    http://c.pki.goog/r/r1.crl
    http
    528 B
    658 B
    7
    5

    HTTP Request

    GET http://c.pki.goog/r/r1.crl

    HTTP Response

    304
  • 8.8.8.8:53
    domainht6.ml
    dns
    Archive.zip__ccacaxs2tbz2t6ob3e.exe
    687 B
    1.4kB
    11
    11

    DNS Request

    domainht6.ml

    DNS Request

    iplogger.org

    DNS Response

    104.26.2.46
    172.67.74.161
    104.26.3.46

    DNS Request

    ctldl.windowsupdate.com

    DNS Response

    199.232.210.172
    199.232.214.172

    DNS Request

    c.pki.goog

    DNS Response

    142.250.180.3

    DNS Request

    8.8.8.8.in-addr.arpa

    DNS Request

    ip-api.com

    DNS Response

    208.95.112.1

    DNS Request

    osdsoft.com

    DNS Response

    103.224.182.253

    DNS Request

    o.ss2.us

    DNS Response

    18.245.200.133
    18.245.200.26
    18.245.200.154
    18.245.200.5

    DNS Request

    250.229.92.52.in-addr.arpa

    DNS Request

    install.portmdfmoon.com

    DNS Request

    31.243.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v16

Downloads

  • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

    Filesize

    23KB

    MD5

    42443383f62b4750f5e4077aaddacb6e

    SHA1

    c3311fdca3d0fad525f1f3bdf2816e8b2d9e0241

    SHA256

    b4f6bed52b8b56e5480846fb48fc25b03e024bdb96888e9b1e2b5c2bd56cad06

    SHA512

    2e4a12c65c46a6c24cc1bbd5c91ed96acbd1a5b47661bec32b7fe556cb52084ecb3122f079768dfabc75c2738b0c1f9a600c40c3e00c304d66223a2403892643

  • C:\Users\Admin\AppData\Local\Temp\8E07.tmp.exe

    Filesize

    149KB

    MD5

    060404f288040959694844afbd102966

    SHA1

    e0525e9ef6713fd7f269a669335ce3ddaab4b6a1

    SHA256

    40517e822f3442a2f389a50e905f40a6a2c4930077c865e3ea7b1929405f760a

    SHA512

    ddf8c53e1e1888084fa5422f297cc3ba9d97f7576c36f6b633ce67ca789127f7e259e9fb374fcbced66f883dadde0717d81ecce9776770bf07d8cf3b94b1a43f
