Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64
    arch:x86
    image:win10v2004-20241007-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    12/10/2024, 01:49 UTC

General

  • Target

    c108c9f1c3c725b221c947df56589449e367a112cc443b4fca8f1b53ec7412c3.exe

  • Size

    1.0MB

  • MD5

    64250fbc0c8194727c46f0a4ab569139

  • SHA1

    9f08f52161a6870763b7beae581524f41e4260cb

  • SHA256

    c108c9f1c3c725b221c947df56589449e367a112cc443b4fca8f1b53ec7412c3

  • SHA512

    55f534333a39b36b5e99f551c286282bba7ce346c91014cd42b520471f86dcc5cb4c2681ce6a0e02224f2ae6970fa5d32294ee63839b4a6521914ced8dba0ee4

  • SSDEEP

    24576:o5EmXFtKaL4/oFe5T9yyXYfP1ijXdamU3JupouR+:oPVt/LZeJbInQRam9

Malware Config

Extracted

Family

snakekeylogger

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.skagenships.com
  • Port:
    587
  • Username:
    hr@skagenships.com
  • Password:
    XAqEAz@4

Signatures

  • Snake Keylogger

    Keylogger and Infostealer first seen in November 2020.

  • Snake Keylogger payload 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c108c9f1c3c725b221c947df56589449e367a112cc443b4fca8f1b53ec7412c3.exe
    "C:\Users\Admin\AppData\Local\Temp\c108c9f1c3c725b221c947df56589449e367a112cc443b4fca8f1b53ec7412c3.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2984
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Users\Admin\AppData\Local\Temp\c108c9f1c3c725b221c947df56589449e367a112cc443b4fca8f1b53ec7412c3.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3412
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4976
        • C:\Windows\SysWOW64\choice.exe
          choice /C Y /N /D Y /T 3
          4⤵
          • System Location Discovery: System Language Discovery
          PID:5104
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2984 -s 696
      2⤵
      • Program crash
      PID:4960
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2984 -ip 2984
    1⤵
      PID:4268
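
The process tree above carries three tells worth turning into detection logic: RegSvcs.exe running under the dropped sample's own command line (the SetThreadContext, WriteProcessMemory and MapViewOfSection signatures point the same way), an executable in %TEMP% spawning a .NET framework utility, and the "choice /C Y /N /D Y /T 3 & Del" self-delete. The block below is an added example, not part of the sandbox report or of any Snake Keylogger tooling; its EVENTS list is constructed to mirror the tree in Sysmon Event ID 1 style, and the parent PID of the sample (1000) and the HOLLOW_HOSTS entries other than RegSvcs.exe are assumptions.

```python
"""Process-tree triage for the execution chain in the report above.

Added example, not from the sandbox report. EVENTS is constructed from the
report's process tree in Sysmon Event ID 1 style; the sample's parent pid
(1000) and the HOLLOW_HOSTS beyond RegSvcs.exe are assumptions.
"""
import ntpath
import re

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\c108c9f1c3c725b221c947df56589449e367a112cc443b4fca8f1b53ec7412c3.exe")
REGSVCS = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

EVENTS = [
    {"pid": 2984, "ppid": 1000, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"pid": 3412, "ppid": 2984, "image": REGSVCS, "cmdline": f'"{SAMPLE}"'},
    {"pid": 4976, "ppid": 3412, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "' + REGSVCS + '"'},
    {"pid": 5104, "ppid": 4976, "image": r"C:\Windows\SysWOW64\choice.exe",
     "cmdline": "choice /C Y /N /D Y /T 3"},
    {"pid": 4960, "ppid": 2984, "image": r"C:\Windows\SysWOW64\WerFault.exe",
     "cmdline": r"C:\Windows\SysWOW64\WerFault.exe -u -p 2984 -s 696"},
]

HOLLOW_HOSTS = {"regsvcs", "regasm", "msbuild", "installutil"}   # .NET utilities used as injection hosts
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
# "choice /C Y /N /D Y /T <n> & Del <path>": a sleep built from choice.exe, then a delete
SELF_DELETE = re.compile(
    r'choice\s+/C\s+Y\s+/N\s+/D\s+Y\s+/T\s+(\d+)\s*&\s*del\s+"?([^"]+?)"?\s*$', re.IGNORECASE)
WERFAULT_PID = re.compile(r"werfault\.exe.*?\s-p\s+(\d+)", re.IGNORECASE)


def first_token(cmdline):
    """The program as written on the command line, quoted or not."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end > 0 else s[1:]
    return s.split(None, 1)[0]


def stem(path):
    """Lower-case file name without directory or extension."""
    return ntpath.splitext(ntpath.basename(path))[0].lower()


def triage(events):
    """Return {pid: [(tag, detail), ...]} for every process that trips a check."""
    by_pid = {e["pid"]: e for e in events}
    findings = {}

    def add(pid, tag, detail):
        findings.setdefault(pid, []).append((tag, detail))

    for e in events:
        img, cmd = stem(e["image"]), stem(first_token(e["cmdline"]))
        parent = by_pid.get(e["ppid"])
        # 1. Loaded image is not the program the command line names: the hollowing tell
        #    (RegSvcs.exe running under the sample's command line). Stems only, so
        #    System32 vs SysWOW64 redirection of cmd.exe does not fire.
        if img != cmd:
            add(e["pid"], "image_cmdline_mismatch", f"image={img} cmdline={cmd}")
        # 2. Something in %TEMP% starting a .NET framework utility.
        if parent and TEMP_DIR.search(parent["image"]) and img in HOLLOW_HOSTS:
            add(e["pid"], "temp_parent_dotnet_host", parent["image"])
        # 3. Delayed self-delete through cmd.exe: keep the delay and the deleted path.
        m = SELF_DELETE.search(e["cmdline"]) if img == "cmd" else None
        if m:
            add(e["pid"], "delayed_self_delete", {"delay_s": int(m.group(1)), "target": m.group(2)})
        # 4. WerFault reporting a crash of a process in the tree (the injector here).
        m = WERFAULT_PID.search(e["cmdline"]) if img == "werfault" else None
        if m and int(m.group(1)) in by_pid:
            add(int(m.group(1)), "crashed", f"reported by WerFault pid {e['pid']}")
    return findings


def ancestry(events, pid):
    """Image file names from the root of the tree down to pid."""
    by_pid = {e["pid"]: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(ntpath.basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain[::-1]


if __name__ == "__main__":
    for pid, hits in sorted(triage(EVENTS).items()):
        print(pid, " > ".join(ancestry(EVENTS, pid)), hits)
```

Two details matter for tuning. The image/command-line comparison works on file stems, so cmd.exe launched as C:\Windows\System32\cmd.exe but running from SysWOW64 (WOW64 redirection, as in the tree above) does not fire. And the Del target captured from the report's command line is the path of the hollowed host RegSvcs.exe, the process that spawned cmd.exe, not the dropped sample; a self-delete rule keyed only on the sample's own path would miss it.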

    Network

    • flag-us
      DNS
      checkip.dyndns.org
      RegSvcs.exe
      Remote address:
      8.8.8.8:53
      Request
      checkip.dyndns.org
      IN A
      Response
      checkip.dyndns.org
      IN CNAME
      checkip.dyndns.com
      checkip.dyndns.com
      IN A
      193.122.6.168
      checkip.dyndns.com
      IN A
      132.226.247.73
      checkip.dyndns.com
      IN A
      132.226.8.169
      checkip.dyndns.com
      IN A
      158.101.44.242
      checkip.dyndns.com
      IN A
      193.122.130.0
    • flag-de
      GET
      http://checkip.dyndns.org/
      RegSvcs.exe
      Remote address:
      193.122.6.168:80
      Request
      GET / HTTP/1.1
      User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
      Host: checkip.dyndns.org
      Connection: Keep-Alive
      Response
      HTTP/1.1 200 OK
      Date: Sat, 12 Oct 2024 01:49:08 GMT
      Content-Type: text/html
      Content-Length: 105
      Connection: keep-alive
      Cache-Control: no-cache
      Pragma: no-cache
      X-Request-ID: 3f7164a06d39643b3aefb69c573f7888
    • flag-de
      GET
      http://checkip.dyndns.org/
      RegSvcs.exe
      Remote address:
      193.122.6.168:80
      Request
      GET / HTTP/1.1
      User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
      Host: checkip.dyndns.org
      Response
      HTTP/1.1 200 OK
      Date: Sat, 12 Oct 2024 01:49:08 GMT
      Content-Type: text/html
      Content-Length: 105
      Connection: keep-alive
      Cache-Control: no-cache
      Pragma: no-cache
      X-Request-ID: f887291c9875ac89455321ec1d9e550c
    • flag-de
      GET
      http://checkip.dyndns.org/
      RegSvcs.exe
      Remote address:
      193.122.6.168:80
      Request
      GET / HTTP/1.1
      User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
      Host: checkip.dyndns.org
      Response
      HTTP/1.1 200 OK
      Date: Sat, 12 Oct 2024 01:49:08 GMT
      Content-Type: text/html
      Content-Length: 105
      Connection: keep-alive
      Cache-Control: no-cache
      Pragma: no-cache
      X-Request-ID: e031ddd7a2e24c43ae99bf829aeb8f9b
    • flag-de
      GET
      http://checkip.dyndns.org/
      RegSvcs.exe
      Remote address:
      193.122.6.168:80
      Request
      GET / HTTP/1.1
      User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
      Host: checkip.dyndns.org
      Response
      HTTP/1.1 200 OK
      Date: Sat, 12 Oct 2024 01:49:08 GMT
      Content-Type: text/html
      Content-Length: 105
      Connection: keep-alive
      Cache-Control: no-cache
      Pragma: no-cache
      X-Request-ID: f6980f77622f02639fb19730f51d1cd5
    • flag-de
      GET
      http://checkip.dyndns.org/
      RegSvcs.exe
      Remote address:
      193.122.6.168:80
      Request
      GET / HTTP/1.1
      User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
      Host: checkip.dyndns.org
      Response
      HTTP/1.1 200 OK
      Date: Sat, 12 Oct 2024 01:49:08 GMT
      Content-Type: text/html
      Content-Length: 105
      Connection: keep-alive
      Cache-Control: no-cache
      Pragma: no-cache
      X-Request-ID: 09671aaf839c73a591074e6371195718
    • flag-de
      GET
      http://checkip.dyndns.org/
      RegSvcs.exe
      Remote address:
      193.122.6.168:80
      Request
      GET / HTTP/1.1
      User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
      Host: checkip.dyndns.org
      Response
      HTTP/1.1 200 OK
      Date: Sat, 12 Oct 2024 01:49:09 GMT
      Content-Type: text/html
      Content-Length: 105
      Connection: keep-alive
      Cache-Control: no-cache
      Pragma: no-cache
      X-Request-ID: 647f7824bdd35909d53583ad4b39fef6
    • flag-de
      GET
      http://checkip.dyndns.org/
      RegSvcs.exe
      Remote address:
      193.122.6.168:80
      Request
      GET / HTTP/1.1
      User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
      Host: checkip.dyndns.org
      Response
      HTTP/1.1 200 OK
      Date: Sat, 12 Oct 2024 01:49:09 GMT
      Content-Type: text/html
      Content-Length: 105
      Connection: keep-alive
      Cache-Control: no-cache
      Pragma: no-cache
      X-Request-ID: 6d45b71712ea751b238615c0e1819e41
    • flag-de
      GET
      http://checkip.dyndns.org/
      RegSvcs.exe
      Remote address:
      193.122.6.168:80
      Request
      GET / HTTP/1.1
      User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
      Host: checkip.dyndns.org
      Response
      HTTP/1.1 200 OK
      Date: Sat, 12 Oct 2024 01:49:09 GMT
      Content-Type: text/html
      Content-Length: 105
      Connection: keep-alive
      Cache-Control: no-cache
      Pragma: no-cache
      X-Request-ID: b17cce2d2d154ed48e177fccab57ddaf
    • flag-de
      GET
      http://checkip.dyndns.org/
      RegSvcs.exe
      Remote address:
      193.122.6.168:80
      Request
      GET / HTTP/1.1
      User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
      Host: checkip.dyndns.org
      Response
      HTTP/1.1 200 OK
      Date: Sat, 12 Oct 2024 01:49:09 GMT
      Content-Type: text/html
      Content-Length: 105
      Connection: keep-alive
      Cache-Control: no-cache
      Pragma: no-cache
      X-Request-ID: b580d47e6c3ad9c0390bcde7812e1095
    • flag-us
      DNS
      83.210.23.2.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      83.210.23.2.in-addr.arpa
      IN PTR
      Response
      83.210.23.2.in-addr.arpa
      IN PTR
      a2-23-210-83.deploy.static.akamaitechnologies.com
    • flag-us
      DNS
      20.160.190.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      20.160.190.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      reallyfreegeoip.org
      RegSvcs.exe
      Remote address:
      8.8.8.8:53
      Request
      reallyfreegeoip.org
      IN A
      Response
      reallyfreegeoip.org
      IN A
      104.21.67.152
      reallyfreegeoip.org
      IN A
      172.67.177.134
    • flag-us
      GET
      https://reallyfreegeoip.org/xml/138.199.29.44
      RegSvcs.exe
      Remote address:
      104.21.67.152:443
      Request
      GET /xml/138.199.29.44 HTTP/1.1
      Host: reallyfreegeoip.org
      Connection: Keep-Alive
      Response
      HTTP/1.1 200 OK
      Date: Sat, 12 Oct 2024 01:49:08 GMT
      Content-Type: application/xml
      Transfer-Encoding: chunked
      Connection: keep-alive
      access-control-allow-origin: *
      vary: Accept-Encoding
      Cache-Control: max-age=86400
      CF-Cache-Status: HIT
      Age: 2858
      Last-Modified: Sat, 12 Oct 2024 01:01:30 GMT
      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=sdkCQkiORJ5ugN%2BIG0WTrK1Y2KVLp0%2FZP9Ng0SFYrp1CHNCBr8rUAiv8pJBfgqBqMqFLQZX%2BnZlHGWPsdKegHx78Eqh4%2FOy2ggPUmRsBcOlFd%2B5frI8IkMYkxJ1FJlxToxpJBxOw"}],"group":"cf-nel","max_age":604800}
      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
      Server: cloudflare
      CF-RAY: 8d136e8169e43da9-LHR
      alt-svc: h3=":443"; ma=86400
    • flag-us
      GET
      https://reallyfreegeoip.org/xml/138.199.29.44
      RegSvcs.exe
      Remote address:
      104.21.67.152:443
      Request
      GET /xml/138.199.29.44 HTTP/1.1
      Host: reallyfreegeoip.org
      Response
      HTTP/1.1 200 OK
      Date: Sat, 12 Oct 2024 01:49:08 GMT
      Content-Type: application/xml
      Transfer-Encoding: chunked
      Connection: keep-alive
      access-control-allow-origin: *
      vary: Accept-Encoding
      Cache-Control: max-age=86400
      CF-Cache-Status: HIT
      Age: 2858
      Last-Modified: Sat, 12 Oct 2024 01:01:30 GMT
      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=SZZKPdDb2%2BkQrfa%2BiGzankPKLxzl%2FOa5WpFcji2eFzosgyJy3iNXtgeITKTpPZMtCg%2FYRiWVBeoSo8kl8oZLyh9%2BnsPP%2BAKn2fSJSEzRI1XpO8fe7dBkV533PFI8ICVXlWEkHyuz"}],"group":"cf-nel","max_age":604800}
      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
      Server: cloudflare
      CF-RAY: 8d136e822a353da9-LHR
      alt-svc: h3=":443"; ma=86400
    • flag-us
      GET
      https://reallyfreegeoip.org/xml/138.199.29.44
      RegSvcs.exe
      Remote address:
      104.21.67.152:443
      Request
      GET /xml/138.199.29.44 HTTP/1.1
      Host: reallyfreegeoip.org
      Response
      HTTP/1.1 200 OK
      Date: Sat, 12 Oct 2024 01:49:08 GMT
      Content-Type: application/xml
      Transfer-Encoding: chunked
      Connection: keep-alive
      access-control-allow-origin: *
      vary: Accept-Encoding
      Cache-Control: max-age=86400
      CF-Cache-Status: HIT
      Age: 2858
      Last-Modified: Sat, 12 Oct 2024 01:01:30 GMT
      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=OTZwY%2BO2ASi21tbomVXyJQ57YEA4ygN5fwmDWC9jDncal5Jfa%2B%2BsWjUFOMln9TLYaWNK2F%2FFgLVx09HsFbUCm4%2FU2WOu%2ForKDryHWaw%2FcBf2V7RDHZim69JQxEnnaqchfrUo5MQJ"}],"group":"cf-nel","max_age":604800}
      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
      Server: cloudflare
      CF-RAY: 8d136e82ca943da9-LHR
      alt-svc: h3=":443"; ma=86400
    • flag-us
      GET
      https://reallyfreegeoip.org/xml/138.199.29.44
      RegSvcs.exe
      Remote address:
      104.21.67.152:443
      Request
      GET /xml/138.199.29.44 HTTP/1.1
      Host: reallyfreegeoip.org
      Response
      HTTP/1.1 200 OK
      Date: Sat, 12 Oct 2024 01:49:09 GMT
      Content-Type: application/xml
      Transfer-Encoding: chunked
      Connection: keep-alive
      access-control-allow-origin: *
      vary: Accept-Encoding
      Cache-Control: max-age=86400
      CF-Cache-Status: HIT
      Age: 2859
      Last-Modified: Sat, 12 Oct 2024 01:01:30 GMT
      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=WsnOj%2BULEHMhei1wHzm99c4svsAbrixZzJdk1%2BAzsQawAXH5IJXd%2Bdl7Y9WRVXRQ6wFFHUoahRfanPF%2BQHplBXPMB%2FQpyl38jMU2CrA4hdSSvTP0E5nuwi3reG8tHyDlqsnjqwIg"}],"group":"cf-nel","max_age":604800}
      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
      Server: cloudflare
      CF-RAY: 8d136e837adb3da9-LHR
      alt-svc: h3=":443"; ma=86400
    • flag-us
      GET
      https://reallyfreegeoip.org/xml/138.199.29.44
      RegSvcs.exe
      Remote address:
      104.21.67.152:443
      Request
      GET /xml/138.199.29.44 HTTP/1.1
      Host: reallyfreegeoip.org
      Response
      HTTP/1.1 200 OK
      Date: Sat, 12 Oct 2024 01:49:09 GMT
      Content-Type: application/xml
      Transfer-Encoding: chunked
      Connection: keep-alive
      access-control-allow-origin: *
      vary: Accept-Encoding
      Cache-Control: max-age=86400
      CF-Cache-Status: HIT
      Age: 2859
      Last-Modified: Sat, 12 Oct 2024 01:01:30 GMT
      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2FIp2oiGulKzHAX7tclcnRPGcFI5%2FXEx80AHQ4C477x6UvNOvYhAo%2FeB8F2tFIMReZ3C4OjbVoQeyN1zj%2BfIzbJJuK%2B6gD6T%2BSeAu4D18idH3tKsaBiHymNlYgTJSvALurF2i02aS"}],"group":"cf-nel","max_age":604800}
      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
      Server: cloudflare
      CF-RAY: 8d136e843b323da9-LHR
      alt-svc: h3=":443"; ma=86400
    • flag-us
      GET
      https://reallyfreegeoip.org/xml/138.199.29.44
      RegSvcs.exe
      Remote address:
      104.21.67.152:443
      Request
      GET /xml/138.199.29.44 HTTP/1.1
      Host: reallyfreegeoip.org
      Response
      HTTP/1.1 200 OK
      Date: Sat, 12 Oct 2024 01:49:09 GMT
      Content-Type: application/xml
      Transfer-Encoding: chunked
      Connection: keep-alive
      access-control-allow-origin: *
      vary: Accept-Encoding
      Cache-Control: max-age=86400
      CF-Cache-Status: HIT
      Age: 2859
      Last-Modified: Sat, 12 Oct 2024 01:01:30 GMT
      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=5zXDkkD6ubljTVgKkOd4exzvCfQ%2BGrBh7SSeJbGpkG3p8YHrVkGrv6WVJEuj%2BQcYUaX%2FODf%2BaLOeved%2F9cmuOorrGBrhpEw3f0VEtVjFIsRJcdn3skY3BtndH5%2FRUXrIrycCSUNy"}],"group":"cf-nel","max_age":604800}
      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
      Server: cloudflare
      CF-RAY: 8d136e84db9d3da9-LHR
      alt-svc: h3=":443"; ma=86400
    • flag-us
      GET
      https://reallyfreegeoip.org/xml/138.199.29.44
      RegSvcs.exe
      Remote address:
      104.21.67.152:443
      Request
      GET /xml/138.199.29.44 HTTP/1.1
      Host: reallyfreegeoip.org
      Response
      HTTP/1.1 200 OK
      Date: Sat, 12 Oct 2024 01:49:09 GMT
      Content-Type: application/xml
      Transfer-Encoding: chunked
      Connection: keep-alive
      access-control-allow-origin: *
      vary: Accept-Encoding
      Cache-Control: max-age=86400
      CF-Cache-Status: HIT
      Age: 2859
      Last-Modified: Sat, 12 Oct 2024 01:01:30 GMT
      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=zIjX%2FQBPjJM9fAjaruzkVZuGgCV7fUzDNFkSaJu1M4%2BNyZvjrdaR75%2FbjoSpXyXRjHgm9L%2FruYjOTlIGJ4yzL6p94f%2FBWFWGJLCKqww%2F0pZRkariMYEvoNTPwYXcAQOw5Mvhv%2BiW"}],"group":"cf-nel","max_age":604800}
      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
      Server: cloudflare
      CF-RAY: 8d136e858be43da9-LHR
      alt-svc: h3=":443"; ma=86400
    • flag-us
      GET
      https://reallyfreegeoip.org/xml/138.199.29.44
      RegSvcs.exe
      Remote address:
      104.21.67.152:443
      Request
      GET /xml/138.199.29.44 HTTP/1.1
      Host: reallyfreegeoip.org
      Response
      HTTP/1.1 200 OK
      Date: Sat, 12 Oct 2024 01:49:09 GMT
      Content-Type: application/xml
      Transfer-Encoding: chunked
      Connection: keep-alive
      access-control-allow-origin: *
      vary: Accept-Encoding
      Cache-Control: max-age=86400
      CF-Cache-Status: HIT
      Age: 2859
      Last-Modified: Sat, 12 Oct 2024 01:01:30 GMT
      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1meeMGEd6vLvvBsnVtuTQD2%2BFZXsTnDhfBhWpy2qroyWossPhwYjK7VOjeFzsPObLt8z%2FnvvWZwEvQKiyHNcyw579a2iR%2Frq%2B8XgGgAXcq5LwbiYk5Lu2ietByqekGGNUjgFlvYS"}],"group":"cf-nel","max_age":604800}
      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
      Server: cloudflare
      CF-RAY: 8d136e863c333da9-LHR
      alt-svc: h3=":443"; ma=86400
    • flag-us
      DNS
      168.6.122.193.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      168.6.122.193.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      152.67.21.104.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      152.67.21.104.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      50.23.12.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      50.23.12.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      18.31.95.13.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      18.31.95.13.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      75.117.19.2.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      75.117.19.2.in-addr.arpa
      IN PTR
      Response
      75.117.19.2.in-addr.arpa
      IN PTR
      a2-19-117-75.deploy.static.akamaitechnologies.com
    • flag-us
      DNS
      172.214.232.199.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      172.214.232.199.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      22.236.111.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      22.236.111.52.in-addr.arpa
      IN PTR
      Response
    • 193.122.6.168:80
      http://checkip.dyndns.org/
      http
      RegSvcs.exe
      2.0kB
      3.4kB
      20
      11

      HTTP Request

      GET http://checkip.dyndns.org/

      HTTP Response

      200

      HTTP Request

      GET http://checkip.dyndns.org/

      HTTP Response

      200

      HTTP Request

      GET http://checkip.dyndns.org/

      HTTP Response

      200

      HTTP Request

      GET http://checkip.dyndns.org/

      HTTP Response

      200

      HTTP Request

      GET http://checkip.dyndns.org/

      HTTP Response

      200

      HTTP Request

      GET http://checkip.dyndns.org/

      HTTP Response

      200

      HTTP Request

      GET http://checkip.dyndns.org/

      HTTP Response

      200

      HTTP Request

      GET http://checkip.dyndns.org/

      HTTP Response

      200

      HTTP Request

      GET http://checkip.dyndns.org/

      HTTP Response

      200
    • 104.21.67.152:443
      https://reallyfreegeoip.org/xml/138.199.29.44
      tls, http
      RegSvcs.exe
      2.0kB
      12.6kB
      22
      22

      HTTP Request

      GET https://reallyfreegeoip.org/xml/138.199.29.44

      HTTP Response

      200

      HTTP Request

      GET https://reallyfreegeoip.org/xml/138.199.29.44

      HTTP Response

      200

      HTTP Request

      GET https://reallyfreegeoip.org/xml/138.199.29.44

      HTTP Response

      200

      HTTP Request

      GET https://reallyfreegeoip.org/xml/138.199.29.44

      HTTP Response

      200

      HTTP Request

      GET https://reallyfreegeoip.org/xml/138.199.29.44

      HTTP Response

      200

      HTTP Request

      GET https://reallyfreegeoip.org/xml/138.199.29.44

      HTTP Response

      200

      HTTP Request

      GET https://reallyfreegeoip.org/xml/138.199.29.44

      HTTP Response

      200

      HTTP Request

      GET https://reallyfreegeoip.org/xml/138.199.29.44

      HTTP Response

      200
    • 8.8.8.8:53
      checkip.dyndns.org
      dns
      RegSvcs.exe
      64 B
      176 B
      1
      1

      DNS Request

      checkip.dyndns.org

      DNS Response

      193.122.6.168
      132.226.247.73
      132.226.8.169
      158.101.44.242
      193.122.130.0

    • 8.8.8.8:53
      83.210.23.2.in-addr.arpa
      dns
      70 B
      133 B
      1
      1

      DNS Request

      83.210.23.2.in-addr.arpa

    • 8.8.8.8:53
      20.160.190.20.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      20.160.190.20.in-addr.arpa

    • 8.8.8.8:53
      reallyfreegeoip.org
      dns
      RegSvcs.exe
      65 B
      97 B
      1
      1

      DNS Request

      reallyfreegeoip.org

      DNS Response

      104.21.67.152
      172.67.177.134

    • 8.8.8.8:53
      168.6.122.193.in-addr.arpa
      dns
      72 B
      146 B
      1
      1

      DNS Request

      168.6.122.193.in-addr.arpa

    • 8.8.8.8:53
      152.67.21.104.in-addr.arpa
      dns
      72 B
      134 B
      1
      1

      DNS Request

      152.67.21.104.in-addr.arpa

    • 8.8.8.8:53
      50.23.12.20.in-addr.arpa
      dns
      70 B
      156 B
      1
      1

      DNS Request

      50.23.12.20.in-addr.arpa

    • 8.8.8.8:53
      18.31.95.13.in-addr.arpa
      dns
      70 B
      144 B
      1
      1

      DNS Request

      18.31.95.13.in-addr.arpa

    • 8.8.8.8:53
      75.117.19.2.in-addr.arpa
      dns
      70 B
      133 B
      1
      1

      DNS Request

      75.117.19.2.in-addr.arpa

    • 8.8.8.8:53
      172.214.232.199.in-addr.arpa
      dns
      74 B
      128 B
      1
      1

      DNS Request

      172.214.232.199.in-addr.arpa

    • 8.8.8.8:53
      22.236.111.52.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      22.236.111.52.in-addr.arpa
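
The signature "Looks up external IP address via web service" and the Network entries above show what that looks like on the wire: RegSvcs.exe, a .NET framework utility with no reason to talk to the internet, makes nine GETs to checkip.dyndns.org within two seconds using an MSIE 6.0 User-Agent on a Windows 10 host, then eight GETs to reallyfreegeoip.org with an IPv4 literal in the path. The block below is an added example, not part of the sandbox report; LOG is constructed from the report's request entries plus one benign browser line for contrast, and the benign line, the lookup hosts beyond those in the report, the LEGACY_UA pattern and the burst threshold are assumptions.

```python
"""Detect external-IP and geolocation beaconing in per-process HTTP logs.

Added example, not from the sandbox report. Log line format (constructed):
timestamp, process, method, URL, status, User-Agent, tab-separated.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# User-Agent seen in the report's checkip.dyndns.org requests
SNAKE_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)"
CHECKIP = "RegSvcs.exe\tGET\thttp://checkip.dyndns.org/\t200\t" + SNAKE_UA
GEOIP = "RegSvcs.exe\tGET\thttps://reallyfreegeoip.org/xml/138.199.29.44\t200\t-"
# Constructed from the report's timestamps (5+4 checkip, 3+5 geoip requests)
# plus one assumed benign browser request for contrast.
LOG = (["2024-10-12T01:49:08Z\t" + CHECKIP] * 5 + ["2024-10-12T01:49:09Z\t" + CHECKIP] * 4
       + ["2024-10-12T01:49:08Z\t" + GEOIP] * 3 + ["2024-10-12T01:49:09Z\t" + GEOIP] * 5
       + ["2024-10-12T01:50:00Z\tmsedge.exe\tGET\thttps://www.bing.com/\t200\t"
          "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"])

IP_LOOKUP_HOSTS = {"checkip.dyndns.org", "checkip.dyndns.com", "reallyfreegeoip.org",  # in report
                   "api.ipify.org", "ip-api.com", "ipinfo.io"}                         # assumed
GEO_HOSTS = {"reallyfreegeoip.org"}
SUSPECT_PROCESSES = {"regsvcs.exe", "regasm.exe", "msbuild.exe", "installutil.exe"}  # .NET hosts
LEGACY_UA = re.compile(r"MSIE [5-7]\.0|\.NET CLR ?1\.[01]")   # 2000s-era UA on a Win10 host
IPV4 = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")
BURST_COUNT, BURST_WINDOW = 5, timedelta(seconds=5)          # assumed threshold


def parse(line):
    ts, proc, method, url, status, ua = line.rstrip("\n").split("\t")
    u = urlsplit(url)
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "proc": proc,
            "method": method, "host": u.hostname, "path": u.path,
            "status": int(status), "ua": ua}


def burst_size(stamps, n=BURST_COUNT, window=BURST_WINDOW):
    """Largest number of requests falling inside one window, or 0 if below n."""
    stamps, best, j = sorted(stamps), 0, 0
    for i, t in enumerate(stamps):
        while stamps[j] < t - window:
            j += 1
        best = max(best, i - j + 1)
    return best if best >= n else 0


def victim_fingerprint(recs):
    """The report's sequence: ask an external-IP service, then query a
    geolocation service for an IPv4 literal, from the same process."""
    by_proc = defaultdict(list)
    for r in recs:
        by_proc[r["proc"]].append(r)
    hits = []
    for proc, rs in by_proc.items():
        lookups = [r["ts"] for r in rs if r["host"] in IP_LOOKUP_HOSTS - GEO_HOSTS]
        for r in rs:
            m = IPV4.search(r["path"])
            if lookups and r["host"] in GEO_HOSTS and m and r["ts"] >= min(lookups):
                hits.append((proc, m.group(0)))
                break
    return hits


def analyse(lines):
    recs = [parse(line) for line in lines]
    per_key = defaultdict(list)
    report = {"ip_lookup": Counter(), "legacy_ua": set(), "dotnet_http": set(), "bursts": {}}
    for r in recs:
        key = (r["proc"], r["host"])
        per_key[key].append(r["ts"])
        if r["host"] in IP_LOOKUP_HOSTS:
            report["ip_lookup"][key] += 1
        if LEGACY_UA.search(r["ua"]):
            report["legacy_ua"].add((r["proc"], r["ua"]))
        if r["proc"].lower() in SUSPECT_PROCESSES:
            report["dotnet_http"].add(r["proc"])
    for key, stamps in per_key.items():
        if burst_size(stamps):
            report["bursts"][key] = burst_size(stamps)
    report["fingerprint"] = victim_fingerprint(recs)
    return report


def verdict(report):
    """Alert on the full fingerprint, or on an IP lookup made by a process or
    User-Agent that should not be making one."""
    return bool(report["fingerprint"]
                or (report["ip_lookup"] and (report["dotnet_http"] or report["legacy_ua"])))


if __name__ == "__main__":
    rep = analyse(LOG)
    for k, v in rep.items():
        print(k, v)
    print("alert:", verdict(rep))
```

The lookup hosts alone are a weak signal (browsers and legitimate tools hit them too), which is why verdict() only alerts on the host list when the requesting process is a .NET framework utility or the User-Agent is a legacy one, or when the lookup-then-geolocate sequence is complete. The Content-Length and the Cloudflare cache headers in the report are deliberately not used: they vary with the service, not with the malware.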

    MITRE ATT&CK Enterprise v15


    Downloads

    • memory/2984-6-0x0000000000A80000-0x0000000000E80000-memory.dmp

      Filesize

      4.0MB

    • memory/3412-7-0x0000000000400000-0x0000000000426000-memory.dmp

      Filesize

      152KB

    • memory/3412-8-0x0000000073B9E000-0x0000000073B9F000-memory.dmp

      Filesize

      4KB

    • memory/3412-9-0x0000000005EB0000-0x0000000006454000-memory.dmp

      Filesize

      5.6MB

    • memory/3412-10-0x0000000005820000-0x00000000058BC000-memory.dmp

      Filesize

      624KB

    • memory/3412-11-0x0000000073B90000-0x0000000074340000-memory.dmp

      Filesize

      7.7MB

    • memory/3412-13-0x0000000073B90000-0x0000000074340000-memory.dmp

      Filesize

      7.7MB
