Analysis

  • max time kernel
    117s
  • max time network
    165s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    22-01-2025 06:44

General

  • Target

    20250103141459859.pdf_______________________________________________________________________________________________________.exe

  • Size

    775KB

  • MD5

    7c14dc5ef95870c931fcf8f09c96e888

  • SHA1

    35c351c8fb09dc1c5b799e125ab415106c28114c

  • SHA256

    d6168f5b1dbb8cd348064262e9f91f0d41d9f49e417d2ac13dc7de58c7d92968

  • SHA512

    43291be4ce5a26d137a6e2729532a55ae12414d09163ca6eea503381b9c523a41c041e511e6081323e1360b364e99103a5b82cce3fc2dea6f1b92d6172d92881

  • SSDEEP

    12288:JaLvWa+kbJSanAJ4fESIlpQrB9qpKUV0i/HnlYtk7ZnWU7WWFZLubgL3d6NlDXZr:/kmJ+4crB9g0GnTWUaWFJ7dOpXAO

Malware Config

Extracted

Family

vipkeylogger

C2

https://api.telegram.org/bot7784580930:AAGMCki8hBwu16UwwjATu3X8TvVLB-VhfaE/sendMessage?chat_id=5302361040

Signatures

  • VIPKeylogger

    VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.

  • Vipkeylogger family
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\20250103141459859.pdf_______________________________________________________________________________________________________.exe
    "C:\Users\Admin\AppData\Local\Temp\20250103141459859.pdf_______________________________________________________________________________________________________.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2100
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\EjCHCEGQPyQ.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2700
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EjCHCEGQPyQ" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC1E8.tmp"
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:2800
    • C:\Users\Admin\AppData\Local\Temp\20250103141459859.pdf_______________________________________________________________________________________________________.exe
      "C:\Users\Admin\AppData\Local\Temp\20250103141459859.pdf_______________________________________________________________________________________________________.exe"
      2⤵
      • Accesses Microsoft Outlook profiles
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • outlook_office_path
      • outlook_win_path
      PID:2456

Network

  • flag-us
    DNS
    checkip.dyndns.org
    20250103141459859.pdf_______________________________________________________________________________________________________.exe
    Remote address:
    8.8.8.8:53
    Request
    checkip.dyndns.org
    IN A
    Response
    checkip.dyndns.org
    IN CNAME
    checkip.dyndns.com
    checkip.dyndns.com
    IN A
    132.226.247.73
    checkip.dyndns.com
    IN A
    158.101.44.242
    checkip.dyndns.com
    IN A
    193.122.130.0
    checkip.dyndns.com
    IN A
    132.226.8.169
    checkip.dyndns.com
    IN A
    193.122.6.168
  • flag-br
    GET
    http://checkip.dyndns.org/
    20250103141459859.pdf_______________________________________________________________________________________________________.exe
    Remote address:
    132.226.247.73:80
    Request
    GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Date: Wed, 22 Jan 2025 06:44:41 GMT
    Content-Type: text/html
    Content-Length: 106
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
  • flag-br
    GET
    http://checkip.dyndns.org/
    20250103141459859.pdf_______________________________________________________________________________________________________.exe
    Remote address:
    132.226.247.73:80
    Request
    GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Response
    HTTP/1.1 200 OK
    Date: Wed, 22 Jan 2025 06:44:44 GMT
    Content-Type: text/html
    Content-Length: 106
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
  • flag-br
    GET
    http://checkip.dyndns.org/
    20250103141459859.pdf_______________________________________________________________________________________________________.exe
    Remote address:
    132.226.247.73:80
    Request
    GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Response
    HTTP/1.1 200 OK
    Date: Wed, 22 Jan 2025 06:44:49 GMT
    Content-Type: text/html
    Content-Length: 106
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
  • flag-br
    GET
    http://checkip.dyndns.org/
    20250103141459859.pdf_______________________________________________________________________________________________________.exe
    Remote address:
    132.226.247.73:80
    Request
    GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Response
    HTTP/1.1 200 OK
    Date: Wed, 22 Jan 2025 06:44:52 GMT
    Content-Type: text/html
    Content-Length: 106
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
  • flag-br
    GET
    http://checkip.dyndns.org/
    20250103141459859.pdf_______________________________________________________________________________________________________.exe
    Remote address:
    132.226.247.73:80
    Request
    GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Response
    HTTP/1.1 200 OK
    Date: Wed, 22 Jan 2025 06:44:55 GMT
    Content-Type: text/html
    Content-Length: 106
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
  • flag-br
    GET
    http://checkip.dyndns.org/
    20250103141459859.pdf_______________________________________________________________________________________________________.exe
    Remote address:
    132.226.247.73:80
    Request
    GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Response
    HTTP/1.1 200 OK
    Date: Wed, 22 Jan 2025 06:44:58 GMT
    Content-Type: text/html
    Content-Length: 106
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
  • flag-br
    GET
    http://checkip.dyndns.org/
    20250103141459859.pdf_______________________________________________________________________________________________________.exe
    Remote address:
    132.226.247.73:80
    Request
    GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Response
    HTTP/1.1 200 OK
    Date: Wed, 22 Jan 2025 06:45:03 GMT
    Content-Type: text/html
    Content-Length: 106
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
  • flag-br
    GET
    http://checkip.dyndns.org/
    20250103141459859.pdf_______________________________________________________________________________________________________.exe
    Remote address:
    132.226.247.73:80
    Request
    GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Response
    HTTP/1.1 200 OK
    Date: Wed, 22 Jan 2025 06:45:14 GMT
    Content-Type: text/html
    Content-Length: 106
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
  • flag-br
    GET
    http://checkip.dyndns.org/
    20250103141459859.pdf_______________________________________________________________________________________________________.exe
    Remote address:
    132.226.247.73:80
    Request
    GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Response
    HTTP/1.1 504 Gateway Time-out
    Date: Wed, 22 Jan 2025 06:45:23 GMT
    Content-Type: text/html
    Content-Length: 557
    Connection: keep-alive
  • flag-br
    GET
    http://checkip.dyndns.org/
    20250103141459859.pdf_______________________________________________________________________________________________________.exe
    Remote address:
    132.226.247.73:80
    Request
    GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Response
    HTTP/1.1 200 OK
    Date: Wed, 22 Jan 2025 06:45:26 GMT
    Content-Type: text/html
    Content-Length: 106
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
  • flag-us
    DNS
    reallyfreegeoip.org
    20250103141459859.pdf_______________________________________________________________________________________________________.exe
    Remote address:
    8.8.8.8:53
    Request
    reallyfreegeoip.org
    IN A
    Response
    reallyfreegeoip.org
    IN A
    104.21.16.1
    reallyfreegeoip.org
    IN A
    104.21.96.1
    reallyfreegeoip.org
    IN A
    104.21.64.1
    reallyfreegeoip.org
    IN A
    104.21.32.1
    reallyfreegeoip.org
    IN A
    104.21.80.1
    reallyfreegeoip.org
    IN A
    104.21.112.1
    reallyfreegeoip.org
    IN A
    104.21.48.1
  • flag-us
    GET
    https://reallyfreegeoip.org/xml/181.215.176.83
    20250103141459859.pdf_______________________________________________________________________________________________________.exe
    Remote address:
    104.21.16.1:443
    Request
    GET /xml/181.215.176.83 HTTP/1.1
    Host: reallyfreegeoip.org
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Date: Wed, 22 Jan 2025 06:44:46 GMT
    Content-Type: text/xml
    Content-Length: 356
    Connection: keep-alive
    Cache-Control: max-age=31536000
    CF-Cache-Status: HIT
    Age: 6015740
    Last-Modified: Wed, 13 Nov 2024 15:42:26 GMT
    Accept-Ranges: bytes
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=shpl1p05C1Qwn177snJOINNkW95WXU4qVpRVTe1E94Ck6t3oc6rNl2tcFbbAao46DhkHgzGaSoKC1U4%2F0x4IG66UCO8dmyOEz7w%2BQJNLc0ZbZC%2Bq2hE24fEDzfIZerB8sL5At3OY"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 905d93d12ecd93db-LHR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=31037&min_rtt=26522&rtt_var=13913&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2865&recv_bytes=374&delivery_rate=128224&cwnd=232&unsent_bytes=0&cid=2a7ecd7443f59cd8&ts=114&x=0"
  • flag-us
    GET
    https://reallyfreegeoip.org/xml/181.215.176.83
    20250103141459859.pdf_______________________________________________________________________________________________________.exe
    Remote address:
    104.21.16.1:443
    Request
    GET /xml/181.215.176.83 HTTP/1.1
    Host: reallyfreegeoip.org
    Response
    HTTP/1.1 200 OK
    Date: Wed, 22 Jan 2025 06:44:49 GMT
    Content-Type: text/xml
    Content-Length: 356
    Connection: keep-alive
    Cache-Control: max-age=31536000
    CF-Cache-Status: HIT
    Age: 6015743
    Last-Modified: Wed, 13 Nov 2024 15:42:26 GMT
    Accept-Ranges: bytes
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=LQPbYwSLndHWdrtx9ei356VOcUCufaiTUb0tnx5plZsVeECi6ZCddAIV8Gbf6U64Cc2VdbcM1BLhpAPJGibPJCGOVkhMXeXBCG4AygnfpUbxQbRU0vpEps7fCs%2BWvD1eFjPLMDOx"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 905d93e348a693db-LHR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=31037&min_rtt=26522&rtt_var=13913&sent=7&recv=8&lost=0&retrans=1&sent_bytes=5403&recv_bytes=475&delivery_rate=128224&cwnd=234&unsent_bytes=0&cid=2a7ecd7443f59cd8&ts=3001&x=0"
  • flag-us
    GET
    https://reallyfreegeoip.org/xml/181.215.176.83
    20250103141459859.pdf_______________________________________________________________________________________________________.exe
    Remote address:
    104.21.16.1:443
    Request
    GET /xml/181.215.176.83 HTTP/1.1
    Host: reallyfreegeoip.org
    Response
    HTTP/1.1 200 OK
    Date: Wed, 22 Jan 2025 06:44:52 GMT
    Content-Type: text/xml
    Content-Length: 356
    Connection: keep-alive
    Cache-Control: max-age=31536000
    CF-Cache-Status: HIT
    Age: 6015746
    Last-Modified: Wed, 13 Nov 2024 15:42:26 GMT
    Accept-Ranges: bytes
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=w6gNqtwhYkptGp9Lmi%2FTAer4YLzPejxTqDRCwnxztDLSm8YyAhbsTmfC2QIGtn280lDtdF%2BBOitrlJGj2mc7lAOSt7Npsxgw7X7%2FaK9fFJsKm543GWKiJ8xM1u8dPIfPsODSBPta"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 905d93f52ed293db-LHR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=31037&min_rtt=26522&rtt_var=13913&sent=9&recv=10&lost=0&retrans=2&sent_bytes=7941&recv_bytes=576&delivery_rate=128224&cwnd=236&unsent_bytes=0&cid=2a7ecd7443f59cd8&ts=5863&x=0"
  • flag-us
    GET
    https://reallyfreegeoip.org/xml/181.215.176.83
    20250103141459859.pdf_______________________________________________________________________________________________________.exe
    Remote address:
    104.21.16.1:443
    Request
    GET /xml/181.215.176.83 HTTP/1.1
    Host: reallyfreegeoip.org
    Response
    HTTP/1.1 200 OK
    Date: Wed, 22 Jan 2025 06:44:55 GMT
    Content-Type: text/xml
    Content-Length: 356
    Connection: keep-alive
    Cache-Control: max-age=31536000
    CF-Cache-Status: HIT
    Age: 6015749
    Last-Modified: Wed, 13 Nov 2024 15:42:26 GMT
    Accept-Ranges: bytes
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=iGBDPX%2B4P3inPby3V1%2FAW%2FxS6B9QJ%2F6%2Fb6%2Fuj%2BmarsKiNHVnmtlO7n5JCzmkktW8L4NWOB%2BiJDkbArrF8RMk9TXrZGgta0zqXDx3lznrKTDgKhSCwyrSsNtOlMsuGWXdn7v%2B%2B8Yc"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 905d94074f9b93db-LHR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=31037&min_rtt=26522&rtt_var=13913&sent=11&recv=12&lost=0&retrans=3&sent_bytes=10479&recv_bytes=677&delivery_rate=128224&cwnd=236&unsent_bytes=0&cid=2a7ecd7443f59cd8&ts=8764&x=0"
  • flag-us
    GET
    https://reallyfreegeoip.org/xml/181.215.176.83
    20250103141459859.pdf_______________________________________________________________________________________________________.exe
    Remote address:
    104.21.16.1:443
    Request
    GET /xml/181.215.176.83 HTTP/1.1
    Host: reallyfreegeoip.org
    Response
    HTTP/1.1 200 OK
    Date: Wed, 22 Jan 2025 06:44:58 GMT
    Content-Type: text/xml
    Content-Length: 356
    Connection: keep-alive
    Cache-Control: max-age=31536000
    CF-Cache-Status: HIT
    Age: 6015752
    Last-Modified: Wed, 13 Nov 2024 15:42:26 GMT
    Accept-Ranges: bytes
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=BAEw2IX7Jf4cVVOQ%2Fn1rEjXqpO%2FiJAueGxG%2B4U%2BcmOzI9sJk4brpjPzFLKzsDzXdOdC1hsihmjq7LTHIpUAofeY08ta70kgqrZdhMQcjnQkhY26V6lNCpB7fVpyhCimRIcBEtcat"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 905d94197e7193db-LHR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=31037&min_rtt=26522&rtt_var=13913&sent=14&recv=14&lost=0&retrans=5&sent_bytes=14334&recv_bytes=778&delivery_rate=128224&cwnd=236&unsent_bytes=0&cid=2a7ecd7443f59cd8&ts=11673&x=0"
  • flag-us
    GET
    https://reallyfreegeoip.org/xml/181.215.176.83
    20250103141459859.pdf_______________________________________________________________________________________________________.exe
    Remote address:
    104.21.16.1:443
    Request
    GET /xml/181.215.176.83 HTTP/1.1
    Host: reallyfreegeoip.org
    Response
    HTTP/1.1 200 OK
    Date: Wed, 22 Jan 2025 06:45:03 GMT
    Content-Type: text/xml
    Content-Length: 356
    Connection: keep-alive
    Cache-Control: max-age=31536000
    CF-Cache-Status: HIT
    Age: 6015757
    Last-Modified: Wed, 13 Nov 2024 15:42:26 GMT
    Accept-Ranges: bytes
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=duTgxee1btQgDrNmtUoxg7NHgfu2CTplQMlQpUyEHjcy3%2FM1ujZmECEpnVcUAFLYQ9ZvJbWuDLnMXX%2FCQ3FuDrgbRh%2FmBmJgbRtDcTmONZEqNmyOGjZ27qTQTydkVI68KcwDDEcd"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 905d94380fa893db-LHR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=31037&min_rtt=26522&rtt_var=13913&sent=16&recv=17&lost=0&retrans=6&sent_bytes=16904&recv_bytes=879&delivery_rate=128224&cwnd=236&unsent_bytes=0&cid=2a7ecd7443f59cd8&ts=16571&x=0"
  • flag-us
    GET
    https://reallyfreegeoip.org/xml/181.215.176.83
    20250103141459859.pdf_______________________________________________________________________________________________________.exe
    Remote address:
    104.21.16.1:443
    Request
    GET /xml/181.215.176.83 HTTP/1.1
    Host: reallyfreegeoip.org
    Response
    HTTP/1.1 200 OK
    Date: Wed, 22 Jan 2025 06:45:14 GMT
    Content-Type: text/xml
    Content-Length: 356
    Connection: keep-alive
    Cache-Control: max-age=31536000
    CF-Cache-Status: HIT
    Age: 6015768
    Last-Modified: Wed, 13 Nov 2024 15:42:26 GMT
    Accept-Ranges: bytes
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=MXIrqV%2BRev6fvV47ob1fKa2Jnql2Ejkw1YPiHb8iEaHbnkTkQQyEbtPtcDglOmu1GSlqTzH%2BGaU9R5ewZzGepu510Oe1%2F9du1xw7hDltGaEzA2MYjBW%2BWId5GUueSYJxmd4mQDcE"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 905d947e9d5e93db-LHR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=31037&min_rtt=26522&rtt_var=13913&sent=19&recv=19&lost=0&retrans=8&sent_bytes=20759&recv_bytes=980&delivery_rate=128224&cwnd=236&unsent_bytes=0&cid=2a7ecd7443f59cd8&ts=27848&x=0"
  • flag-us
    GET
    https://reallyfreegeoip.org/xml/181.215.176.83
    20250103141459859.pdf_______________________________________________________________________________________________________.exe
    Remote address:
    104.21.16.1:443
    Request
    GET /xml/181.215.176.83 HTTP/1.1
    Host: reallyfreegeoip.org
    Response
    HTTP/1.1 200 OK
    Date: Wed, 22 Jan 2025 06:45:27 GMT
    Content-Type: text/xml
    Content-Length: 356
    Connection: keep-alive
    Cache-Control: max-age=31536000
    CF-Cache-Status: HIT
    Age: 6015781
    Last-Modified: Wed, 13 Nov 2024 15:42:26 GMT
    Accept-Ranges: bytes
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=fw5Bc3pMKScIB7L3RUGuGHlHWBuzY5c4RL5pcuztUBZMkMaYVG%2FRPfgyUDbQJyW%2BVP%2FYU%2Bn67kUUz1zcVGuTEskx11PKYbQmjpLjzZKvyQ%2Bm09vx31lbKnodIwbT39tdMsUzQZmy"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 905d94cc0b6f93db-LHR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=55161&min_rtt=26522&rtt_var=58684&sent=20&recv=21&lost=0&retrans=8&sent_bytes=22044&recv_bytes=1081&delivery_rate=128224&cwnd=236&unsent_bytes=0&cid=2a7ecd7443f59cd8&ts=40248&x=0"
  • flag-us
    DNS
    api.telegram.org
    20250103141459859.pdf_______________________________________________________________________________________________________.exe
    Remote address:
    8.8.8.8:53
    Request
    api.telegram.org
    IN A
    Response
    api.telegram.org
    IN A
    149.154.167.220
  • 132.226.247.73:80
    http://checkip.dyndns.org/
    http
    20250103141459859.pdf_______________________________________________________________________________________________________.exe
    2.5kB
    4.8kB
    27
    21

    HTTP Request

    GET http://checkip.dyndns.org/

    HTTP Response

    200

    HTTP Request

    GET http://checkip.dyndns.org/

    HTTP Response

    200

    HTTP Request

    GET http://checkip.dyndns.org/

    HTTP Response

    200

    HTTP Request

    GET http://checkip.dyndns.org/

    HTTP Response

    200

    HTTP Request

    GET http://checkip.dyndns.org/

    HTTP Response

    200

    HTTP Request

    GET http://checkip.dyndns.org/

    HTTP Response

    200

    HTTP Request

    GET http://checkip.dyndns.org/

    HTTP Response

    200

    HTTP Request

    GET http://checkip.dyndns.org/

    HTTP Response

    200

    HTTP Request

    GET http://checkip.dyndns.org/

    HTTP Response

    504

    HTTP Request

    GET http://checkip.dyndns.org/

    HTTP Response

    200
  • 104.21.16.1:443
    https://reallyfreegeoip.org/xml/181.215.176.83
    tls, http
    20250103141459859.pdf_______________________________________________________________________________________________________.exe
    2.3kB
    23.0kB
    27
    22

    HTTP Request

    GET https://reallyfreegeoip.org/xml/181.215.176.83

    HTTP Response

    200

    HTTP Request

    GET https://reallyfreegeoip.org/xml/181.215.176.83

    HTTP Response

    200

    HTTP Request

    GET https://reallyfreegeoip.org/xml/181.215.176.83

    HTTP Response

    200

    HTTP Request

    GET https://reallyfreegeoip.org/xml/181.215.176.83

    HTTP Response

    200

    HTTP Request

    GET https://reallyfreegeoip.org/xml/181.215.176.83

    HTTP Response

    200

    HTTP Request

    GET https://reallyfreegeoip.org/xml/181.215.176.83

    HTTP Response

    200

    HTTP Request

    GET https://reallyfreegeoip.org/xml/181.215.176.83

    HTTP Response

    200

    HTTP Request

    GET https://reallyfreegeoip.org/xml/181.215.176.83

    HTTP Response

    200
  • 149.154.167.220:443
    api.telegram.org
    tls
    20250103141459859.pdf_______________________________________________________________________________________________________.exe
    434 B
    219 B
    6
    5
  • 8.8.8.8:53
    checkip.dyndns.org
    dns
    20250103141459859.pdf_______________________________________________________________________________________________________.exe
    64 B
    176 B
    1
    1

    DNS Request

    checkip.dyndns.org

    DNS Response

    132.226.247.73
    158.101.44.242
    193.122.130.0
    132.226.8.169
    193.122.6.168

  • 8.8.8.8:53
    reallyfreegeoip.org
    dns
    20250103141459859.pdf_______________________________________________________________________________________________________.exe
    65 B
    177 B
    1
    1

    DNS Request

    reallyfreegeoip.org

    DNS Response

    104.21.16.1
    104.21.96.1
    104.21.64.1
    104.21.32.1
    104.21.80.1
    104.21.112.1
    104.21.48.1

  • 8.8.8.8:53
    api.telegram.org
    dns
    20250103141459859.pdf_______________________________________________________________________________________________________.exe
    62 B
    78 B
    1
    1

    DNS Request

    api.telegram.org

    DNS Response

    149.154.167.220

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmpC1E8.tmp

    Filesize

    1KB

    MD5

    67a85d0ef4e4501867b837da8833001f

    SHA1

    0faed3f41b4f5bcad66a47a0c5d97d2a876c0986

    SHA256

    e50992afe8c6a4d4e517167acc16ecc705e6a32ce4d6eaeefb27fae4df7da980

    SHA512

    7cb6676e387684f034242e2994eca7667fa4e076d90bc02f2aec85d92744a935a4c2f82203bc652d2f6c55078915e34a65a204bf0c2c05e5e47cf18a8753e6ec

  • memory/2100-26-0x0000000074DD0000-0x00000000754BE000-memory.dmp

    Filesize

    6.9MB

  • memory/2100-1-0x0000000000E70000-0x0000000000F38000-memory.dmp

    Filesize

    800KB

  • memory/2100-2-0x0000000074DD0000-0x00000000754BE000-memory.dmp

    Filesize

    6.9MB

  • memory/2100-3-0x00000000005C0000-0x00000000005DE000-memory.dmp

    Filesize

    120KB

  • memory/2100-4-0x0000000074DDE000-0x0000000074DDF000-memory.dmp

    Filesize

    4KB

  • memory/2100-5-0x0000000074DD0000-0x00000000754BE000-memory.dmp

    Filesize

    6.9MB

  • memory/2100-6-0x0000000000AB0000-0x0000000000B3E000-memory.dmp

    Filesize

    568KB

  • memory/2100-0-0x0000000074DDE000-0x0000000074DDF000-memory.dmp

    Filesize

    4KB

  • memory/2456-14-0x0000000000400000-0x0000000000448000-memory.dmp

    Filesize

    288KB

  • memory/2456-24-0x0000000000400000-0x0000000000448000-memory.dmp

    Filesize

    288KB

  • memory/2456-25-0x0000000000400000-0x0000000000448000-memory.dmp

    Filesize

    288KB

  • memory/2456-23-0x0000000000400000-0x0000000000448000-memory.dmp

    Filesize

    288KB

  • memory/2456-22-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

  • memory/2456-20-0x0000000000400000-0x0000000000448000-memory.dmp

    Filesize

    288KB

  • memory/2456-18-0x0000000000400000-0x0000000000448000-memory.dmp

    Filesize

    288KB

  • memory/2456-16-0x0000000000400000-0x0000000000448000-memory.dmp

    Filesize

    288KB

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.