Analysis

  • max time kernel
    108s
  • max time network
    205s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    17/01/2025, 01:40 UTC

General

  • Target

    Order Details.exe

  • Size

    577KB

  • MD5

    84ec37e6dd30a7bcc2a4cb27d22b0b9e

  • SHA1

    528ffb74b6c63dfc5f8c59d93178427d1c917c22

  • SHA256

    f492c1a1588fcbc5b443be86bda985da061ee38a53ce1f47eb019d0b159600c8

  • SHA512

    4a69278cdc294b4c1ee5027e5548dac855ba1edd6eb9c951d31eccc1efa182348ec5aff8608096b804be76521e759116335c7b960e4b84e12294d366d21c6919

  • SSDEEP

    12288:ZbRKjP7neRjE8lHLrdnEX6nVTsYurrpLX9vXPgd:DKjP7eW8lHLrlEKJGrRs

Malware Config

Extracted

Family

snakekeylogger

C2

https://api.telegram.org/bot7492212361:AAF_J7Ggqch6d5jLanPykrhrRKGFyphjKVo/sendMessage?chat_id=7463064549

Signatures

  • Snake Keylogger

    Keylogger and Infostealer first seen in November 2020.

  • Snake Keylogger payload 1 IoCs
  • Snakekeylogger family
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Order Details.exe
    "C:\Users\Admin\AppData\Local\Temp\Order Details.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4412
    • C:\Users\Admin\AppData\Local\Temp\Order Details.exe
      "C:\Users\Admin\AppData\Local\Temp\Order Details.exe"
      2⤵
      • Accesses Microsoft Outlook profiles
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • outlook_office_path
      • outlook_win_path
      PID:1032

Network

  • flag-us
    DNS
    104.219.191.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    104.219.191.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    checkip.dyndns.org
    Order Details.exe
    Remote address:
    8.8.8.8:53
    Request
    checkip.dyndns.org
    IN A
    Response
    checkip.dyndns.org
    IN CNAME
    checkip.dyndns.com
    checkip.dyndns.com
    IN A
    193.122.6.168
    checkip.dyndns.com
    IN A
    193.122.130.0
    checkip.dyndns.com
    IN A
    132.226.8.169
    checkip.dyndns.com
    IN A
    132.226.247.73
    checkip.dyndns.com
    IN A
    158.101.44.242
  • flag-us
    DNS
    180.129.81.91.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    180.129.81.91.in-addr.arpa
    IN PTR
    Response
  • flag-de
    GET
    http://checkip.dyndns.org/
    Order Details.exe
    Remote address:
    193.122.6.168:80
    Request
    GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Date: Fri, 17 Jan 2025 01:41:04 GMT
    Content-Type: text/html
    Content-Length: 106
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
  • flag-de
    GET
    http://checkip.dyndns.org/
    Order Details.exe
    Remote address:
    193.122.6.168:80
    Request
    GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Response
    HTTP/1.1 200 OK
    Date: Fri, 17 Jan 2025 01:41:05 GMT
    Content-Type: text/html
    Content-Length: 106
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
  • flag-de
    GET
    http://checkip.dyndns.org/
    Order Details.exe
    Remote address:
    193.122.6.168:80
    Request
    GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Response
    HTTP/1.1 200 OK
    Date: Fri, 17 Jan 2025 01:41:06 GMT
    Content-Type: text/html
    Content-Length: 106
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
  • flag-de
    GET
    http://checkip.dyndns.org/
    Order Details.exe
    Remote address:
    193.122.6.168:80
    Request
    GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Response
    HTTP/1.1 200 OK
    Date: Fri, 17 Jan 2025 01:41:06 GMT
    Content-Type: text/html
    Content-Length: 106
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
  • flag-de
    GET
    http://checkip.dyndns.org/
    Order Details.exe
    Remote address:
    193.122.6.168:80
    Request
    GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Response
    HTTP/1.1 200 OK
    Date: Fri, 17 Jan 2025 01:41:06 GMT
    Content-Type: text/html
    Content-Length: 106
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
  • flag-de
    GET
    http://checkip.dyndns.org/
    Order Details.exe
    Remote address:
    193.122.6.168:80
    Request
    GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Response
    HTTP/1.1 200 OK
    Date: Fri, 17 Jan 2025 01:41:08 GMT
    Content-Type: text/html
    Content-Length: 106
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
  • flag-de
    GET
    http://checkip.dyndns.org/
    Order Details.exe
    Remote address:
    193.122.6.168:80
    Request
    GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Response
    HTTP/1.1 200 OK
    Date: Fri, 17 Jan 2025 01:41:10 GMT
    Content-Type: text/html
    Content-Length: 106
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
  • flag-de
    GET
    http://checkip.dyndns.org/
    Order Details.exe
    Remote address:
    193.122.6.168:80
    Request
    GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Response
    HTTP/1.1 200 OK
    Date: Fri, 17 Jan 2025 01:41:10 GMT
    Content-Type: text/html
    Content-Length: 106
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
  • flag-de
    GET
    http://checkip.dyndns.org/
    Order Details.exe
    Remote address:
    193.122.6.168:80
    Request
    GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Response
    HTTP/1.1 200 OK
    Date: Fri, 17 Jan 2025 01:41:10 GMT
    Content-Type: text/html
    Content-Length: 106
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
  • flag-us
    DNS
    168.6.122.193.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    168.6.122.193.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    138.32.126.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    138.32.126.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    reallyfreegeoip.org
    Order Details.exe
    Remote address:
    8.8.8.8:53
    Request
    reallyfreegeoip.org
    IN A
    Response
    reallyfreegeoip.org
    IN A
    104.21.16.1
    reallyfreegeoip.org
    IN A
    104.21.80.1
    reallyfreegeoip.org
    IN A
    104.21.64.1
    reallyfreegeoip.org
    IN A
    104.21.48.1
    reallyfreegeoip.org
    IN A
    104.21.96.1
    reallyfreegeoip.org
    IN A
    104.21.32.1
    reallyfreegeoip.org
    IN A
    104.21.112.1
  • flag-us
    GET
    https://reallyfreegeoip.org/xml/181.215.176.83
    Order Details.exe
    Remote address:
    104.21.16.1:443
    Request
    GET /xml/181.215.176.83 HTTP/1.1
    Host: reallyfreegeoip.org
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Date: Fri, 17 Jan 2025 01:41:05 GMT
    Content-Type: text/xml
    Content-Length: 356
    Connection: keep-alive
    Cache-Control: max-age=31536000
    CF-Cache-Status: HIT
    Age: 5565519
    Last-Modified: Wed, 13 Nov 2024 15:42:26 GMT
    Accept-Ranges: bytes
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=WURDq8yNomW01FUFDegvPJ4ORPFwDKk09vmn8IhnRxMXdkwF%2FhH4aq7UWDrEy%2BA0kdjq6H%2FbaXwyKcpLcQrMADjjm9R6YZrzJU9xW8xkh0dH4tLjdWxZ%2BLkKE4DX20b272moot3c"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 9032a414d93c4911-LHR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=51549&min_rtt=47013&rtt_var=16628&sent=5&recv=6&lost=0&retrans=0&sent_bytes=3008&recv_bytes=390&delivery_rate=77960&cwnd=253&unsent_bytes=0&cid=6846390979b201cd&ts=142&x=0"
  • flag-us
    GET
    https://reallyfreegeoip.org/xml/181.215.176.83
    Order Details.exe
    Remote address:
    104.21.16.1:443
    Request
    GET /xml/181.215.176.83 HTTP/1.1
    Host: reallyfreegeoip.org
    Response
    HTTP/1.1 200 OK
    Date: Fri, 17 Jan 2025 01:41:06 GMT
    Content-Type: text/xml
    Content-Length: 356
    Connection: keep-alive
    Cache-Control: max-age=31536000
    CF-Cache-Status: HIT
    Age: 5565520
    Last-Modified: Wed, 13 Nov 2024 15:42:26 GMT
    Accept-Ranges: bytes
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=DSVGmi29muvnjT9iYoFuJhSGvpcxyxuGUKcZ7i6q6wK9WZLfmq8qAKlvEVu43%2BXIBIAuguoVFqyCS80bTwgoqeQ5Qx65IghqfVwG4bN6XmTlLtc9F4rs4i%2BS%2FOrG%2BnivvIQj%2FAdd"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 9032a41bea114911-LHR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=56652&min_rtt=47013&rtt_var=22677&sent=6&recv=8&lost=0&retrans=0&sent_bytes=4279&recv_bytes=482&delivery_rate=77960&cwnd=254&unsent_bytes=0&cid=6846390979b201cd&ts=1273&x=0"
  • flag-us
    GET
    https://reallyfreegeoip.org/xml/181.215.176.83
    Order Details.exe
    Remote address:
    104.21.16.1:443
    Request
    GET /xml/181.215.176.83 HTTP/1.1
    Host: reallyfreegeoip.org
    Response
    HTTP/1.1 200 OK
    Date: Fri, 17 Jan 2025 01:41:06 GMT
    Content-Type: text/xml
    Content-Length: 356
    Connection: keep-alive
    Cache-Control: max-age=31536000
    CF-Cache-Status: HIT
    Age: 5565520
    Last-Modified: Wed, 13 Nov 2024 15:42:26 GMT
    Accept-Ranges: bytes
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=A62VDESQnJhbMcJlxSqamMoPtwkw3jwYtUCf0UbLWL3xUUzlPPiszQC55UHGBjhC1buAZXEBwYoQ0FQESRbAqdvzvI%2BKu8fVSQ2yOoh4%2BZ6bCphYatK9vQqX4ZpkxxIA4bbGLaN%2F"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 9032a41cbb0a4911-LHR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=62282&min_rtt=47013&rtt_var=28267&sent=7&recv=10&lost=0&retrans=0&sent_bytes=5553&recv_bytes=574&delivery_rate=77960&cwnd=255&unsent_bytes=0&cid=6846390979b201cd&ts=1400&x=0"
  • flag-us
    GET
    https://reallyfreegeoip.org/xml/181.215.176.83
    Order Details.exe
    Remote address:
    104.21.16.1:443
    Request
    GET /xml/181.215.176.83 HTTP/1.1
    Host: reallyfreegeoip.org
    Response
    HTTP/1.1 200 OK
    Date: Fri, 17 Jan 2025 01:41:06 GMT
    Content-Type: text/xml
    Content-Length: 356
    Connection: keep-alive
    Cache-Control: max-age=31536000
    CF-Cache-Status: HIT
    Age: 5565520
    Last-Modified: Wed, 13 Nov 2024 15:42:26 GMT
    Accept-Ranges: bytes
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=BqVc7y51SGtnChgdJmh2vrR0KgYaVttX0CB5wwA5IWRWdcuVLZ2Iqz9LHZ%2F98yhZbZCggeF2Uim4zoiZAALQBRpbKdvOxAMb9pEx8lgQtDjeBWhju3dim14NYSnJd1Wcw5NWW2gZ"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 9032a41d7c014911-LHR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=67026&min_rtt=47013&rtt_var=30690&sent=8&recv=12&lost=0&retrans=0&sent_bytes=6824&recv_bytes=666&delivery_rate=77960&cwnd=256&unsent_bytes=0&cid=6846390979b201cd&ts=1528&x=0"
  • flag-us
    GET
    https://reallyfreegeoip.org/xml/181.215.176.83
    Order Details.exe
    Remote address:
    104.21.16.1:443
    Request
    GET /xml/181.215.176.83 HTTP/1.1
    Host: reallyfreegeoip.org
    Response
    HTTP/1.1 200 OK
    Date: Fri, 17 Jan 2025 01:41:08 GMT
    Content-Type: text/xml
    Content-Length: 356
    Connection: keep-alive
    Cache-Control: max-age=31536000
    CF-Cache-Status: HIT
    Age: 5565522
    Last-Modified: Wed, 13 Nov 2024 15:42:26 GMT
    Accept-Ranges: bytes
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=m963Egf0Gjna%2FUTQ%2Fm6zc3pKb8VawduGEFaQ9MOnsskLdmcvkcThhT%2Fo%2BbHye3DX0VTmhsMW3S6YF%2FdF2ZUiA4XQr7PYk4b473ySWB%2FnJtUz0sbXeG0WJcZjGRyV6qtJYFNkQU4k"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 9032a42acc374911-LHR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=70802&min_rtt=47013&rtt_var=30568&sent=9&recv=14&lost=0&retrans=0&sent_bytes=8091&recv_bytes=758&delivery_rate=77960&cwnd=257&unsent_bytes=0&cid=6846390979b201cd&ts=3669&x=0"
  • flag-us
    GET
    https://reallyfreegeoip.org/xml/181.215.176.83
    Order Details.exe
    Remote address:
    104.21.16.1:443
    Request
    GET /xml/181.215.176.83 HTTP/1.1
    Host: reallyfreegeoip.org
    Response
    HTTP/1.1 200 OK
    Date: Fri, 17 Jan 2025 01:41:10 GMT
    Content-Type: text/xml
    Content-Length: 356
    Connection: keep-alive
    Cache-Control: max-age=31536000
    CF-Cache-Status: HIT
    Age: 5565524
    Last-Modified: Wed, 13 Nov 2024 15:42:26 GMT
    Accept-Ranges: bytes
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=yS7QO%2F1oagdKGpOBHSHi1CKSI3ZqzIrboHIdnjpBEn6XumxiY3bvJKogQP3EXxpWhOjbUV4wQxooINPylimGc9hCUnHlY2sdvxButQddeDItDIfwCOSiFoBs6SePER5HYYQNOh00"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 9032a431edef4911-LHR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=74044&min_rtt=47013&rtt_var=29411&sent=10&recv=16&lost=0&retrans=0&sent_bytes=9368&recv_bytes=850&delivery_rate=77960&cwnd=257&unsent_bytes=0&cid=6846390979b201cd&ts=4796&x=0"
  • flag-us
    GET
    https://reallyfreegeoip.org/xml/181.215.176.83
    Order Details.exe
    Remote address:
    104.21.16.1:443
    Request
    GET /xml/181.215.176.83 HTTP/1.1
    Host: reallyfreegeoip.org
    Response
    HTTP/1.1 200 OK
    Date: Fri, 17 Jan 2025 01:41:10 GMT
    Content-Type: text/xml
    Content-Length: 356
    Connection: keep-alive
    Cache-Control: max-age=31536000
    CF-Cache-Status: HIT
    Age: 5565524
    Last-Modified: Wed, 13 Nov 2024 15:42:26 GMT
    Accept-Ranges: bytes
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=TYXVPFDXc1DjXZ3vQB%2F1d9hswq3dvglV3UjKCUAhu54eECmcUiKuwq6fJD1dGFJdF355E2TqHAV1h65oYy2eIYrRjqNRtOEoBoo%2F60zi3XyHbW7usMgKvvAunDuWNLgx6X9ThVP2"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 9032a432cf644911-LHR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=76698&min_rtt=47013&rtt_var=27367&sent=11&recv=18&lost=0&retrans=0&sent_bytes=10636&recv_bytes=942&delivery_rate=77960&cwnd=257&unsent_bytes=0&cid=6846390979b201cd&ts=4950&x=0"
  • flag-us
    GET
    https://reallyfreegeoip.org/xml/181.215.176.83
    Order Details.exe
    Remote address:
    104.21.16.1:443
    Request
    GET /xml/181.215.176.83 HTTP/1.1
    Host: reallyfreegeoip.org
    Response
    HTTP/1.1 200 OK
    Date: Fri, 17 Jan 2025 01:41:10 GMT
    Content-Type: text/xml
    Content-Length: 356
    Connection: keep-alive
    Cache-Control: max-age=31536000
    CF-Cache-Status: HIT
    Age: 5565524
    Last-Modified: Wed, 13 Nov 2024 15:42:26 GMT
    Accept-Ranges: bytes
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=E9tMjBh3BM9U40BB1afM5BqEYvMvpXLrVazdrz%2FEWLnztZhYBFPhZFYBGITJrekOsjBxw22yw78xOU9kPjW5%2FM38mTx7EQLHUqTvdK22QyAGamXx9Fd%2FE6tvC887Dm%2FejvYAvZXS"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 9032a433a87c4911-LHR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=79150&min_rtt=47013&rtt_var=25429&sent=12&recv=20&lost=0&retrans=0&sent_bytes=11907&recv_bytes=1034&delivery_rate=77960&cwnd=257&unsent_bytes=0&cid=6846390979b201cd&ts=5079&x=0"
  • flag-us
    DNS
    1.16.21.104.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    1.16.21.104.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    7.98.22.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    7.98.22.2.in-addr.arpa
    IN PTR
    Response
    7.98.22.2.in-addr.arpa
    IN PTR
    a2-22-98-7.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    133.211.185.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    133.211.185.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    97.17.167.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    97.17.167.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    209.205.72.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    209.205.72.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    58.55.71.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    58.55.71.13.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    58.55.71.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    58.55.71.13.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    212.20.149.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    212.20.149.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    15.164.165.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    15.164.165.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    182.129.81.91.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    182.129.81.91.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    8.153.16.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    8.153.16.2.in-addr.arpa
    IN PTR
    Response
    8.153.16.2.in-addr.arpa
    IN PTR
    a2-16-153-8.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    48.229.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    48.229.111.52.in-addr.arpa
    IN PTR
    Response
  • 193.122.6.168:80
    http://checkip.dyndns.org/
    http
    Order Details.exe
    2.1kB
    3.2kB
    21
    19

    HTTP Request

    GET http://checkip.dyndns.org/

    HTTP Response

    200

    HTTP Request

    GET http://checkip.dyndns.org/

    HTTP Response

    200

    HTTP Request

    GET http://checkip.dyndns.org/

    HTTP Response

    200

    HTTP Request

    GET http://checkip.dyndns.org/

    HTTP Response

    200

    HTTP Request

    GET http://checkip.dyndns.org/

    HTTP Response

    200

    HTTP Request

    GET http://checkip.dyndns.org/

    HTTP Response

    200

    HTTP Request

    GET http://checkip.dyndns.org/

    HTTP Response

    200

    HTTP Request

    GET http://checkip.dyndns.org/

    HTTP Response

    200

    HTTP Request

    GET http://checkip.dyndns.org/

    HTTP Response

    200
  • 104.21.16.1:443
    https://reallyfreegeoip.org/xml/181.215.176.83
    tls, http
    Order Details.exe
    2.0kB
    13.8kB
    23
    15

    HTTP Request

    GET https://reallyfreegeoip.org/xml/181.215.176.83

    HTTP Response

    200

    HTTP Request

    GET https://reallyfreegeoip.org/xml/181.215.176.83

    HTTP Response

    200

    HTTP Request

    GET https://reallyfreegeoip.org/xml/181.215.176.83

    HTTP Response

    200

    HTTP Request

    GET https://reallyfreegeoip.org/xml/181.215.176.83

    HTTP Response

    200

    HTTP Request

    GET https://reallyfreegeoip.org/xml/181.215.176.83

    HTTP Response

    200

    HTTP Request

    GET https://reallyfreegeoip.org/xml/181.215.176.83

    HTTP Response

    200

    HTTP Request

    GET https://reallyfreegeoip.org/xml/181.215.176.83

    HTTP Response

    200

    HTTP Request

    GET https://reallyfreegeoip.org/xml/181.215.176.83

    HTTP Response

    200
  • 8.8.8.8:53
    104.219.191.52.in-addr.arpa
    dns
    73 B
    147 B
    1
    1

    DNS Request

    104.219.191.52.in-addr.arpa

  • 8.8.8.8:53
    checkip.dyndns.org
    dns
    Order Details.exe
    64 B
    176 B
    1
    1

    DNS Request

    checkip.dyndns.org

    DNS Response

    193.122.6.168
    193.122.130.0
    132.226.8.169
    132.226.247.73
    158.101.44.242

  • 8.8.8.8:53
    180.129.81.91.in-addr.arpa
    dns
    72 B
    147 B
    1
    1

    DNS Request

    180.129.81.91.in-addr.arpa

  • 8.8.8.8:53
    168.6.122.193.in-addr.arpa
    dns
    72 B
    146 B
    1
    1

    DNS Request

    168.6.122.193.in-addr.arpa

  • 8.8.8.8:53
    138.32.126.40.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    138.32.126.40.in-addr.arpa

  • 8.8.8.8:53
    reallyfreegeoip.org
    dns
    Order Details.exe
    65 B
    177 B
    1
    1

    DNS Request

    reallyfreegeoip.org

    DNS Response

    104.21.16.1
    104.21.80.1
    104.21.64.1
    104.21.48.1
    104.21.96.1
    104.21.32.1
    104.21.112.1

  • 8.8.8.8:53
    1.16.21.104.in-addr.arpa
    dns
    70 B
    132 B
    1
    1

    DNS Request

    1.16.21.104.in-addr.arpa

  • 8.8.8.8:53
    7.98.22.2.in-addr.arpa
    dns
    68 B
    129 B
    1
    1

    DNS Request

    7.98.22.2.in-addr.arpa

  • 8.8.8.8:53
    133.211.185.52.in-addr.arpa
    dns
    73 B
    147 B
    1
    1

    DNS Request

    133.211.185.52.in-addr.arpa

  • 8.8.8.8:53
    97.17.167.52.in-addr.arpa
    dns
    71 B
    145 B
    1
    1

    DNS Request

    97.17.167.52.in-addr.arpa

  • 8.8.8.8:53
    209.205.72.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    209.205.72.20.in-addr.arpa

  • 8.8.8.8:53
    58.55.71.13.in-addr.arpa
    dns
    140 B
    144 B
    2
    1

    DNS Request

    58.55.71.13.in-addr.arpa

    DNS Request

    58.55.71.13.in-addr.arpa

  • 8.8.8.8:53
    212.20.149.52.in-addr.arpa
    dns
    72 B
    146 B
    1
    1

    DNS Request

    212.20.149.52.in-addr.arpa

  • 8.8.8.8:53
    15.164.165.52.in-addr.arpa
    dns
    72 B
    146 B
    1
    1

    DNS Request

    15.164.165.52.in-addr.arpa

  • 8.8.8.8:53
    182.129.81.91.in-addr.arpa
    dns
    72 B
    147 B
    1
    1

    DNS Request

    182.129.81.91.in-addr.arpa

  • 8.8.8.8:53
    8.153.16.2.in-addr.arpa
    dns
    69 B
    131 B
    1
    1

    DNS Request

    8.153.16.2.in-addr.arpa

  • 8.8.8.8:53
    48.229.111.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    48.229.111.52.in-addr.arpa

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Order Details.exe.log

    Filesize

    706B

    MD5

    2ef5ef69dadb8865b3d5b58c956077b8

    SHA1

    af2d869bac00685c745652bbd8b3fe82829a8998

    SHA256

    363502eb2a4e53ba02d2d85412b901fcf8e06de221736bdffa949799ef3d21e3

    SHA512

    66d4db5dd17d88e1d54ea0df3a7211a503dc4355de701259cefccc9f2e4e3ced9534b700099ffbb089a5a3acb082011c80b61801aa14aff76b379ce8f90d4fd3

  • memory/1032-13-0x0000000075330000-0x0000000075AE0000-memory.dmp

    Filesize

    7.7MB

  • memory/1032-12-0x0000000075330000-0x0000000075AE0000-memory.dmp

    Filesize

    7.7MB

  • memory/1032-17-0x0000000006C40000-0x0000000006C4A000-memory.dmp

    Filesize

    40KB

  • memory/1032-16-0x0000000006DD0000-0x0000000006F92000-memory.dmp

    Filesize

    1.8MB

  • memory/1032-15-0x0000000006BB0000-0x0000000006C00000-memory.dmp

    Filesize

    320KB

  • memory/1032-14-0x0000000075330000-0x0000000075AE0000-memory.dmp

    Filesize

    7.7MB

  • memory/1032-8-0x0000000000400000-0x0000000000426000-memory.dmp

    Filesize

    152KB

  • memory/4412-11-0x0000000075330000-0x0000000075AE0000-memory.dmp

    Filesize

    7.7MB

  • memory/4412-1-0x0000000000FC0000-0x0000000001056000-memory.dmp

    Filesize

    600KB

  • memory/4412-2-0x00000000059C0000-0x0000000005A16000-memory.dmp

    Filesize

    344KB

  • memory/4412-6-0x0000000075330000-0x0000000075AE0000-memory.dmp

    Filesize

    7.7MB

  • memory/4412-0-0x000000007533E000-0x000000007533F000-memory.dmp

    Filesize

    4KB

  • memory/4412-7-0x0000000005AF0000-0x0000000005AF8000-memory.dmp

    Filesize

    32KB

  • memory/4412-5-0x0000000005C60000-0x0000000005CFC000-memory.dmp

    Filesize

    624KB

  • memory/4412-4-0x0000000005B20000-0x0000000005BB2000-memory.dmp

    Filesize

    584KB

  • memory/4412-3-0x0000000006010000-0x00000000065B4000-memory.dmp

    Filesize

    5.6MB