Analysis

  • max time kernel
    118s
  • max time network
    134s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    23-10-2024 01:12

General

  • Target

    2385bc1316c82968a13b95bb465c19f7675a6d3504fc3b8c028c00d7acbdc022.exe

  • Size

    910KB

  • MD5

    d70ae089068975f5c914ba70c40c3527

  • SHA1

    b0a81c280689f14bfa4d499955c80155e045e662

  • SHA256

    2385bc1316c82968a13b95bb465c19f7675a6d3504fc3b8c028c00d7acbdc022

  • SHA512

    532dd387f2a6757185aa6da0983d71277c2a7d9774482f27ba6d55478a7035df8b911457523569151be68e45ca6ee0e3a1f3cbff1eaab7d8126454a204532697

  • SSDEEP

    12288:rLkcoxg7v3qnC11ErwIhh0F4qwUgUny5QLlYQbt2C5QgjUPlNn/pPkJ6GPGC:ffmMv6Ckr7Mny5QLlZbL2gQPl1mJXP5

Malware Config

Extracted

Family

snakekeylogger

C2

https://api.telegram.org/bot8129252196:AAFb_vUYwennKVolbwpXf3vnDfT_yhozHns/sendMessage?chat_id=7004340450

Signatures

  • Snake Keylogger

    Keylogger and Infostealer first seen in November 2020.

  • Snake Keylogger payload 4 IoCs
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2385bc1316c82968a13b95bb465c19f7675a6d3504fc3b8c028c00d7acbdc022.exe
    "C:\Users\Admin\AppData\Local\Temp\2385bc1316c82968a13b95bb465c19f7675a6d3504fc3b8c028c00d7acbdc022.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2520
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Users\Admin\AppData\Local\Temp\2385bc1316c82968a13b95bb465c19f7675a6d3504fc3b8c028c00d7acbdc022.exe"
      2⤵
      • Accesses Microsoft Outlook profiles
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • outlook_office_path
      • outlook_win_path
      PID:880

Network

  • flag-us
    DNS
    checkip.dyndns.org
    RegSvcs.exe
    Remote address:
    8.8.8.8:53
    Request
    checkip.dyndns.org
    IN A
    Response
    checkip.dyndns.org
    IN CNAME
    checkip.dyndns.com
    checkip.dyndns.com
    IN A
    193.122.130.0
    checkip.dyndns.com
    IN A
    132.226.247.73
    checkip.dyndns.com
    IN A
    132.226.8.169
    checkip.dyndns.com
    IN A
    158.101.44.242
    checkip.dyndns.com
    IN A
    193.122.6.168
  • flag-us
    GET
    http://checkip.dyndns.org/
    RegSvcs.exe
    Remote address:
    193.122.130.0:80
    Request
    GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Date: Wed, 23 Oct 2024 01:12:39 GMT
    Content-Type: text/html
    Content-Length: 105
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    X-Request-ID: f8426ff3208e6e70648e952fe7ea4cd7
  • flag-us
    GET
    http://checkip.dyndns.org/
    RegSvcs.exe
    Remote address:
    193.122.130.0:80
    Request
    GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Response
    HTTP/1.1 200 OK
    Date: Wed, 23 Oct 2024 01:12:44 GMT
    Content-Type: text/html
    Content-Length: 105
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    X-Request-ID: 7e0297bed24cc9921efacbff28bd3265
  • flag-us
    GET
    http://checkip.dyndns.org/
    RegSvcs.exe
    Remote address:
    193.122.130.0:80
    Request
    GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Response
    HTTP/1.1 200 OK
    Date: Wed, 23 Oct 2024 01:12:49 GMT
    Content-Type: text/html
    Content-Length: 105
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    X-Request-ID: fe0add6561b2a90658dd066237c8f129
  • flag-us
    GET
    http://checkip.dyndns.org/
    RegSvcs.exe
    Remote address:
    193.122.130.0:80
    Request
    GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Response
    HTTP/1.1 200 OK
    Date: Wed, 23 Oct 2024 01:12:54 GMT
    Content-Type: text/html
    Content-Length: 105
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    X-Request-ID: 995836bab21727153837da7b369e9411
  • flag-us
    GET
    http://checkip.dyndns.org/
    RegSvcs.exe
    Remote address:
    193.122.130.0:80
    Request
    GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Response
    HTTP/1.1 200 OK
    Date: Wed, 23 Oct 2024 01:12:57 GMT
    Content-Type: text/html
    Content-Length: 105
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    X-Request-ID: 9cc8abfc1b1b4aa4afec68cec83c3fab
  • flag-us
    GET
    http://checkip.dyndns.org/
    RegSvcs.exe
    Remote address:
    193.122.130.0:80
    Request
    GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Response
    HTTP/1.1 200 OK
    Date: Wed, 23 Oct 2024 01:12:59 GMT
    Content-Type: text/html
    Content-Length: 105
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    X-Request-ID: 06daa3f5943ee36c3a88ad40de5a28d4
  • flag-us
    GET
    http://checkip.dyndns.org/
    RegSvcs.exe
    Remote address:
    193.122.130.0:80
    Request
    GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Response
    HTTP/1.1 200 OK
    Date: Wed, 23 Oct 2024 01:13:02 GMT
    Content-Type: text/html
    Content-Length: 105
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    X-Request-ID: 001d504b1ad55e5f0b033539fc4a3f58
  • flag-us
    GET
    http://checkip.dyndns.org/
    RegSvcs.exe
    Remote address:
    193.122.130.0:80
    Request
    GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Response
    HTTP/1.1 200 OK
    Date: Wed, 23 Oct 2024 01:13:05 GMT
    Content-Type: text/html
    Content-Length: 105
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    X-Request-ID: 948631dac34fd5eec9a14eee1e407d74
  • flag-us
    GET
    http://checkip.dyndns.org/
    RegSvcs.exe
    Remote address:
    193.122.130.0:80
    Request
    GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Response
    HTTP/1.1 200 OK
    Date: Wed, 23 Oct 2024 01:13:08 GMT
    Content-Type: text/html
    Content-Length: 105
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    X-Request-ID: 1ee50cc9abb48f34c53b0bf8ea20fa62
  • flag-us
    DNS
    reallyfreegeoip.org
    RegSvcs.exe
    Remote address:
    8.8.8.8:53
    Request
    reallyfreegeoip.org
    IN A
    Response
    reallyfreegeoip.org
    IN A
    104.21.67.152
    reallyfreegeoip.org
    IN A
    172.67.177.134
  • flag-us
    GET
    https://reallyfreegeoip.org/xml/138.199.29.44
    RegSvcs.exe
    Remote address:
    104.21.67.152:443
    Request
    GET /xml/138.199.29.44 HTTP/1.1
    Host: reallyfreegeoip.org
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Date: Wed, 23 Oct 2024 01:12:47 GMT
    Content-Type: application/xml
    Transfer-Encoding: chunked
    Connection: keep-alive
    access-control-allow-origin: *
    vary: Accept-Encoding
    Cache-Control: max-age=86400
    CF-Cache-Status: HIT
    Age: 73192
    Last-Modified: Tue, 22 Oct 2024 04:52:55 GMT
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=tCLtnR1gYj6Ci7UP0%2BJ%2F3wo846Vkm%2BFyJAxbntI%2B7dZqv2qKbCrhABVHGXo6ImFswJ0LhtYa%2F7oiwlDcCcQmY8owCAf0gYayYfdDCJ3ICwJVKztrJb9%2FkKPUGhkbyq7iYAujNXUX"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8d6ddc5e5ef3beb6-LHR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=48461&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2866&recv_bytes=374&delivery_rate=85112&cwnd=253&unsent_bytes=0&cid=f3fae67626d0f714&ts=142&x=0"
  • flag-us
    GET
    https://reallyfreegeoip.org/xml/138.199.29.44
    RegSvcs.exe
    Remote address:
    104.21.67.152:443
    Request
    GET /xml/138.199.29.44 HTTP/1.1
    Host: reallyfreegeoip.org
    Response
    HTTP/1.1 200 OK
    Date: Wed, 23 Oct 2024 01:12:50 GMT
    Content-Type: application/xml
    Transfer-Encoding: chunked
    Connection: keep-alive
    access-control-allow-origin: *
    vary: Accept-Encoding
    Cache-Control: max-age=86400
    CF-Cache-Status: HIT
    Age: 73195
    Last-Modified: Tue, 22 Oct 2024 04:52:55 GMT
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=uCFN%2BovTmfSQnjCwMF97z0sJPO11N6u7a1L%2Fr21AcJRUfwhzBH1IQ%2BIBw4oVapAkwjfeLS%2BhnuLndh04jxMO2yv9uhPoSWewaKIrGXotmSxGHmY5qY3HItHmilxCIS4ebjVV5Kix"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8d6ddc70fa70beb6-LHR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=47620&sent=7&recv=8&lost=0&retrans=0&sent_bytes=4156&recv_bytes=475&delivery_rate=85112&cwnd=255&unsent_bytes=0&cid=f3fae67626d0f714&ts=3122&x=0"
  • flag-us
    GET
    https://reallyfreegeoip.org/xml/138.199.29.44
    RegSvcs.exe
    Remote address:
    104.21.67.152:443
    Request
    GET /xml/138.199.29.44 HTTP/1.1
    Host: reallyfreegeoip.org
    Response
    HTTP/1.1 200 OK
    Date: Wed, 23 Oct 2024 01:12:54 GMT
    Content-Type: application/xml
    Transfer-Encoding: chunked
    Connection: keep-alive
    access-control-allow-origin: *
    vary: Accept-Encoding
    Cache-Control: max-age=86400
    CF-Cache-Status: HIT
    Age: 73199
    Last-Modified: Tue, 22 Oct 2024 04:52:55 GMT
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=xLhqoA0bODF8lwX6A0ZKH9y3WUAvZ8ncXNL5Ie4NoazfspsfNDxLspve1u79Q3AbqVN8HkJdpIH4sJDz%2F9zkLQlNQ9CKo2o2tcHB%2FnmfT1Xgg9lLKTyIDdJ9LmlEY0l5Cr0Wk%2FIQ"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8d6ddc8b8da8beb6-LHR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=47104&sent=9&recv=10&lost=0&retrans=0&sent_bytes=5446&recv_bytes=576&delivery_rate=85112&cwnd=257&unsent_bytes=0&cid=f3fae67626d0f714&ts=7368&x=0"
  • flag-us
    GET
    https://reallyfreegeoip.org/xml/138.199.29.44
    RegSvcs.exe
    Remote address:
    104.21.67.152:443
    Request
    GET /xml/138.199.29.44 HTTP/1.1
    Host: reallyfreegeoip.org
    Response
    HTTP/1.1 200 OK
    Date: Wed, 23 Oct 2024 01:12:57 GMT
    Content-Type: application/xml
    Transfer-Encoding: chunked
    Connection: keep-alive
    access-control-allow-origin: *
    vary: Accept-Encoding
    Cache-Control: max-age=86400
    CF-Cache-Status: HIT
    Age: 73202
    Last-Modified: Tue, 22 Oct 2024 04:52:55 GMT
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Inrd2LtK1%2FjmtjDSRu5tkR84PuvIlx1g2mGBufEhZNKz4M4IypsEZnh6LFfSmlJaNWBCqE4UYexcJu%2F5QWRud9CHaNswsI%2B%2BHDcGndRHbycxfkyMm3PynF1tZFRgTd%2FJ%2FhgJix%2BQ"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8d6ddc9cea12beb6-LHR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=47666&sent=11&recv=12&lost=0&retrans=0&sent_bytes=6736&recv_bytes=677&delivery_rate=85112&cwnd=257&unsent_bytes=0&cid=f3fae67626d0f714&ts=10153&x=0"
  • flag-us
    GET
    https://reallyfreegeoip.org/xml/138.199.29.44
    RegSvcs.exe
    Remote address:
    104.21.67.152:443
    Request
    GET /xml/138.199.29.44 HTTP/1.1
    Host: reallyfreegeoip.org
    Response
    HTTP/1.1 200 OK
    Date: Wed, 23 Oct 2024 01:12:59 GMT
    Content-Type: application/xml
    Transfer-Encoding: chunked
    Connection: keep-alive
    access-control-allow-origin: *
    vary: Accept-Encoding
    Cache-Control: max-age=86400
    CF-Cache-Status: HIT
    Age: 73204
    Last-Modified: Tue, 22 Oct 2024 04:52:55 GMT
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=l3FBhS1ERotkBzC7mYOI4idB8B9hF6AW69asm7homv8b%2FAtE%2FhM5aA%2BLXyxi0BGVs9ie94OHBe7iPu0odoEzE4k3tWsKLcU35fk5lBd93hlBjH4DtNRVPjQslhzBjj3675GreM47"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8d6ddcae7fbebeb6-LHR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=47120&sent=13&recv=14&lost=0&retrans=0&sent_bytes=8026&recv_bytes=778&delivery_rate=85112&cwnd=257&unsent_bytes=0&cid=f3fae67626d0f714&ts=12961&x=0"
  • flag-us
    GET
    https://reallyfreegeoip.org/xml/138.199.29.44
    RegSvcs.exe
    Remote address:
    104.21.67.152:443
    Request
    GET /xml/138.199.29.44 HTTP/1.1
    Host: reallyfreegeoip.org
    Response
    HTTP/1.1 200 OK
    Date: Wed, 23 Oct 2024 01:13:02 GMT
    Content-Type: application/xml
    Transfer-Encoding: chunked
    Connection: keep-alive
    access-control-allow-origin: *
    vary: Accept-Encoding
    Cache-Control: max-age=86400
    CF-Cache-Status: HIT
    Age: 73207
    Last-Modified: Tue, 22 Oct 2024 04:52:55 GMT
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=z0RUHLJHD1wu1N9DNldmsFDvTmE1mku5VM6yyNKNB0ggXXfLhqaLpoub9CKmQoSKH1EQb5gsNCECD3F%2FoK2rYwLMSRWwBvT85m2tdrP9wt98p9ml1VQpVvt%2FaOo%2B0wx65M8WMzw%2F"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8d6ddcbfe9e9beb6-LHR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=46485&sent=15&recv=16&lost=0&retrans=0&sent_bytes=9316&recv_bytes=879&delivery_rate=85112&cwnd=257&unsent_bytes=0&cid=f3fae67626d0f714&ts=15750&x=0"
  • flag-us
    GET
    https://reallyfreegeoip.org/xml/138.199.29.44
    RegSvcs.exe
    Remote address:
    104.21.67.152:443
    Request
    GET /xml/138.199.29.44 HTTP/1.1
    Host: reallyfreegeoip.org
    Response
    HTTP/1.1 200 OK
    Date: Wed, 23 Oct 2024 01:13:05 GMT
    Content-Type: application/xml
    Transfer-Encoding: chunked
    Connection: keep-alive
    access-control-allow-origin: *
    vary: Accept-Encoding
    Cache-Control: max-age=86400
    CF-Cache-Status: HIT
    Age: 73210
    Last-Modified: Tue, 22 Oct 2024 04:52:55 GMT
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=HhwMoXEVhefFEIuWG3oDivpiriWY1qgSYkRBVdERMnGGY6A%2FU5kMQgZCRtMmmGeDrPb05QS7GQkg8RclNmIbqWOfn8F29%2BnZd3SMpalURfvMdeZYFpYzVhMZ1FUjo7zzh9qVIGL2"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8d6ddcd15c2bbeb6-LHR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=46715&sent=17&recv=18&lost=0&retrans=0&sent_bytes=10606&recv_bytes=980&delivery_rate=85112&cwnd=257&unsent_bytes=0&cid=f3fae67626d0f714&ts=18543&x=0"
  • flag-us
    GET
    https://reallyfreegeoip.org/xml/138.199.29.44
    RegSvcs.exe
    Remote address:
    104.21.67.152:443
    Request
    GET /xml/138.199.29.44 HTTP/1.1
    Host: reallyfreegeoip.org
    Response
    HTTP/1.1 200 OK
    Date: Wed, 23 Oct 2024 01:13:08 GMT
    Content-Type: application/xml
    Transfer-Encoding: chunked
    Connection: keep-alive
    access-control-allow-origin: *
    vary: Accept-Encoding
    Cache-Control: max-age=86400
    CF-Cache-Status: HIT
    Age: 73213
    Last-Modified: Tue, 22 Oct 2024 04:52:55 GMT
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=6wSoF4Cc4ZiUCDRJr%2BK0Z%2FpcLGge5f%2BNlxmMbj6A2LWJSlSzaBlwAkZEnouRiaA9%2Fsb%2FkCHL8DwIsI1Np777wQUHtUk%2FSxFR%2F62oB3rftUXA%2BZTe6Kp%2B%2BTDC0ur91JuTQsfyO8Rc"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8d6ddce2dde3beb6-LHR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=46147&sent=19&recv=20&lost=0&retrans=0&sent_bytes=11896&recv_bytes=1081&delivery_rate=85112&cwnd=257&unsent_bytes=0&cid=f3fae67626d0f714&ts=21334&x=0"
  • 193.122.130.0:80
    http://checkip.dyndns.org/
    http
    RegSvcs.exe
    2.1kB
    3.6kB
    22
    17

    HTTP Request

    GET http://checkip.dyndns.org/

    HTTP Response

    200

    HTTP Request

    GET http://checkip.dyndns.org/

    HTTP Response

    200

    HTTP Request

    GET http://checkip.dyndns.org/

    HTTP Response

    200

    HTTP Request

    GET http://checkip.dyndns.org/

    HTTP Response

    200

    HTTP Request

    GET http://checkip.dyndns.org/

    HTTP Response

    200

    HTTP Request

    GET http://checkip.dyndns.org/

    HTTP Response

    200

    HTTP Request

    GET http://checkip.dyndns.org/

    HTTP Response

    200

    HTTP Request

    GET http://checkip.dyndns.org/

    HTTP Response

    200

    HTTP Request

    GET http://checkip.dyndns.org/

    HTTP Response

    200
  • 104.21.67.152:443
    https://reallyfreegeoip.org/xml/138.199.29.44
    tls, http
    RegSvcs.exe
    2.1kB
    14.1kB
    23
    23

    HTTP Request

    GET https://reallyfreegeoip.org/xml/138.199.29.44

    HTTP Response

    200

    HTTP Request

    GET https://reallyfreegeoip.org/xml/138.199.29.44

    HTTP Response

    200

    HTTP Request

    GET https://reallyfreegeoip.org/xml/138.199.29.44

    HTTP Response

    200

    HTTP Request

    GET https://reallyfreegeoip.org/xml/138.199.29.44

    HTTP Response

    200

    HTTP Request

    GET https://reallyfreegeoip.org/xml/138.199.29.44

    HTTP Response

    200

    HTTP Request

    GET https://reallyfreegeoip.org/xml/138.199.29.44

    HTTP Response

    200

    HTTP Request

    GET https://reallyfreegeoip.org/xml/138.199.29.44

    HTTP Response

    200

    HTTP Request

    GET https://reallyfreegeoip.org/xml/138.199.29.44

    HTTP Response

    200
  • 8.8.8.8:53
    checkip.dyndns.org
    dns
    RegSvcs.exe
    64 B
    176 B
    1
    1

    DNS Request

    checkip.dyndns.org

    DNS Response

    193.122.130.0
    132.226.247.73
    132.226.8.169
    158.101.44.242
    193.122.6.168

  • 8.8.8.8:53
    reallyfreegeoip.org
    dns
    RegSvcs.exe
    65 B
    97 B
    1
    1

    DNS Request

    reallyfreegeoip.org

    DNS Response

    104.21.67.152
    172.67.177.134

MITRE ATT&CK Enterprise v15


Downloads

  • memory/880-3-0x0000000000090000-0x00000000000B6000-memory.dmp

    Filesize

    152KB

  • memory/880-6-0x0000000000090000-0x00000000000B6000-memory.dmp

    Filesize

    152KB

  • memory/880-12-0x0000000000090000-0x00000000000B6000-memory.dmp

    Filesize

    152KB

  • memory/880-9-0x0000000000090000-0x00000000000B6000-memory.dmp

    Filesize

    152KB

  • memory/880-13-0x000000007437E000-0x000000007437F000-memory.dmp

    Filesize

    4KB

  • memory/880-14-0x0000000074370000-0x0000000074A5E000-memory.dmp

    Filesize

    6.9MB

  • memory/880-15-0x000000007437E000-0x000000007437F000-memory.dmp

    Filesize

    4KB

  • memory/880-16-0x0000000074370000-0x0000000074A5E000-memory.dmp

    Filesize

    6.9MB

  • memory/2520-2-0x0000000003A70000-0x0000000003C70000-memory.dmp

    Filesize

    2.0MB
