Analysis

  • max time kernel: 122s
  • max time network: 131s
  • platform: windows7_x64
  • resource: win7-20240903-en
  • resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted: 31/01/2025, 02:16 UTC

General

  • Target: HTWP0987600.exe
  • Size: 527KB
  • MD5: 3f48fc323c58106614bfe2719971411c
  • SHA1: 47b50ce885d36c013a43b0cc8c235608277caf7c
  • SHA256: 806c4451b1153f5453fdf0a09465a1f82018c3f01b3381a559564143f6d13796
  • SHA512: a1e93d845b9007622f2d634d346754ff1721d4769ce9200ee2902f81e8e51d0d6450fa1105855b143f50567509b9aa43d64d8709ac71ed13575793490a816b27
  • SSDEEP: 12288:u6Wq4aaE6KwyF5L0Y2D1PqLQxnE3nmtzvF8wWVa:0thEVaPqLqnVy7a

Malware Config

Extracted

Family: snakekeylogger

Credentials

  • Protocol: smtp
  • Host: mail.daipro.com.mx
  • Port: 587
  • Username: contabilidad@daipro.com.mx
  • Password: DAIpro123**
  • Email To: saleseuropower1@yandex.com
C2

https://scratchdreams.tk

Signatures

  • Snake Keylogger

    Keylogger and Infostealer first seen in November 2020.

  • Snake Keylogger payload 4 IoCs
  • Snakekeylogger family
  • Drops startup file 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • AutoIT Executable 2 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of SetThreadContext 1 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 4 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\HTWP0987600.exe
    "C:\Users\Admin\AppData\Local\Temp\HTWP0987600.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2516
    • C:\Users\Admin\AppData\Local\batchers\Milburr.exe
      "C:\Users\Admin\AppData\Local\Temp\HTWP0987600.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2220
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        "C:\Users\Admin\AppData\Local\Temp\HTWP0987600.exe"
        3⤵
        • Accesses Microsoft Outlook profiles
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • outlook_office_path
        • outlook_win_path
        PID:2688

Network

  • [US] DNS checkip.dyndns.org (RegSvcs.exe), remote address 8.8.8.8:53
    Request
    checkip.dyndns.org IN A
    Response
    checkip.dyndns.org IN CNAME checkip.dyndns.com
    checkip.dyndns.com IN A 132.226.247.73
    checkip.dyndns.com IN A 132.226.8.169
    checkip.dyndns.com IN A 193.122.6.168
    checkip.dyndns.com IN A 193.122.130.0
    checkip.dyndns.com IN A 158.101.44.242
  • [BR] GET http://checkip.dyndns.org/ (RegSvcs.exe), remote address 132.226.247.73:80
    Request
    GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Date: Fri, 31 Jan 2025 02:16:13 GMT
    Content-Type: text/html
    Content-Length: 106
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
  • [BR] GET http://checkip.dyndns.org/ (RegSvcs.exe), remote address 132.226.247.73:80
    Request
    GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Response
    HTTP/1.1 200 OK
    Date: Fri, 31 Jan 2025 02:16:16 GMT
    Content-Type: text/html
    Content-Length: 106
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
  • [BR] GET http://checkip.dyndns.org/ (RegSvcs.exe), remote address 132.226.247.73:80
    Request
    GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Response
    HTTP/1.1 200 OK
    Date: Fri, 31 Jan 2025 02:16:22 GMT
    Content-Type: text/html
    Content-Length: 106
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
  • [BR] GET http://checkip.dyndns.org/ (RegSvcs.exe), remote address 132.226.247.73:80
    Request
    GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Response
    HTTP/1.1 200 OK
    Date: Fri, 31 Jan 2025 02:16:25 GMT
    Content-Type: text/html
    Content-Length: 106
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
  • [BR] GET http://checkip.dyndns.org/ (RegSvcs.exe), remote address 132.226.247.73:80
    Request
    GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Response
    HTTP/1.1 200 OK
    Date: Fri, 31 Jan 2025 02:16:28 GMT
    Content-Type: text/html
    Content-Length: 106
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
  • [BR] GET http://checkip.dyndns.org/ (RegSvcs.exe), remote address 132.226.247.73:80
    Request
    GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Response
    HTTP/1.1 200 OK
    Date: Fri, 31 Jan 2025 02:16:30 GMT
    Content-Type: text/html
    Content-Length: 106
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
  • [BR] GET http://checkip.dyndns.org/ (RegSvcs.exe), remote address 132.226.247.73:80
    Request
    GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Response
    HTTP/1.1 200 OK
    Date: Fri, 31 Jan 2025 02:16:33 GMT
    Content-Type: text/html
    Content-Length: 106
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
  • [BR] GET http://checkip.dyndns.org/ (RegSvcs.exe), remote address 132.226.247.73:80
    Request
    GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Response
    HTTP/1.1 200 OK
    Date: Fri, 31 Jan 2025 02:16:36 GMT
    Content-Type: text/html
    Content-Length: 106
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
  • [BR] GET http://checkip.dyndns.org/ (RegSvcs.exe), remote address 132.226.247.73:80
    Request
    GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Response
    HTTP/1.1 200 OK
    Date: Fri, 31 Jan 2025 02:16:39 GMT
    Content-Type: text/html
    Content-Length: 106
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
  • [US] DNS reallyfreegeoip.org (RegSvcs.exe), remote address 8.8.8.8:53
    Request
    reallyfreegeoip.org IN A
    Response
    reallyfreegeoip.org IN A 104.21.96.1
    reallyfreegeoip.org IN A 104.21.48.1
    reallyfreegeoip.org IN A 104.21.16.1
    reallyfreegeoip.org IN A 104.21.112.1
    reallyfreegeoip.org IN A 104.21.32.1
    reallyfreegeoip.org IN A 104.21.64.1
    reallyfreegeoip.org IN A 104.21.80.1
  • [US] GET https://reallyfreegeoip.org/xml/181.215.176.83 (RegSvcs.exe), remote address 104.21.96.1:443
    Request
    GET /xml/181.215.176.83 HTTP/1.1
    Host: reallyfreegeoip.org
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Date: Fri, 31 Jan 2025 02:16:19 GMT
    Content-Type: text/xml
    Content-Length: 356
    Connection: keep-alive
    Cache-Control: max-age=31536000
    CF-Cache-Status: HIT
    Age: 6777233
    Last-Modified: Wed, 13 Nov 2024 15:42:26 GMT
    Accept-Ranges: bytes
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=uZ1Tygpn39TjOnGZw18meib61SZx1GMxyiqjGSHge8QhHww48Jb9l0%2BhduoldVG1%2FDNskbcq9NCKrWcOMLZaPGaWm%2F9RR4AQVB1fVVhKWRw1hkJFjYQoHfvYZVVROr0v%2FUNnEuc5"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 90a632f16a87ef1b-LHR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=51151&min_rtt=46886&rtt_var=17902&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2865&recv_bytes=374&delivery_rate=74236&cwnd=252&unsent_bytes=0&cid=c89fef9f2ec62b18&ts=141&x=0"
  • [US] GET https://reallyfreegeoip.org/xml/181.215.176.83 (RegSvcs.exe), remote address 104.21.96.1:443
    Request
    GET /xml/181.215.176.83 HTTP/1.1
    Host: reallyfreegeoip.org
    Response
    HTTP/1.1 200 OK
    Date: Fri, 31 Jan 2025 02:16:22 GMT
    Content-Type: text/xml
    Content-Length: 356
    Connection: keep-alive
    Cache-Control: max-age=31536000
    CF-Cache-Status: HIT
    Age: 6777236
    Last-Modified: Wed, 13 Nov 2024 15:42:26 GMT
    Accept-Ranges: bytes
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=6o%2BL0upFB4MnAbkM%2FrWuR%2FlAQjj5FQB8BR2Xp4d%2Fja7eA7yynWyr9Ecw3F7INJ%2Fq2GcwItnnUguYa3zVhs739nVeCiTKp7e1wpD2R4e27YkUAAzxTfNgsM1EG%2B8ZV06au6aaYJd9"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 90a633036c03ef1b-LHR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=51151&min_rtt=46886&rtt_var=17902&sent=7&recv=9&lost=0&retrans=1&sent_bytes=5403&recv_bytes=475&delivery_rate=74236&cwnd=253&unsent_bytes=0&cid=c89fef9f2ec62b18&ts=3024&x=0"
  • [US] GET https://reallyfreegeoip.org/xml/181.215.176.83 (RegSvcs.exe), remote address 104.21.96.1:443
    Request
    GET /xml/181.215.176.83 HTTP/1.1
    Host: reallyfreegeoip.org
    Response
    HTTP/1.1 200 OK
    Date: Fri, 31 Jan 2025 02:16:25 GMT
    Content-Type: text/xml
    Content-Length: 356
    Connection: keep-alive
    Cache-Control: max-age=31536000
    CF-Cache-Status: HIT
    Age: 6777239
    Last-Modified: Wed, 13 Nov 2024 15:42:26 GMT
    Accept-Ranges: bytes
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=IUVSjW%2FHPKUWjBDYUAJAd3OIb3JPmgkUTzfDLGzFUYi3wMZdMytOR%2BXSYYGlwAC%2B9NH12B6otSkVlIyF3pzfxSMwu%2FNb5jFRyPLWNlCLdHDuHW4AMozlaLVgcwuRrhrtVNkECD8v"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 90a63315cc6def1b-LHR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=75385&min_rtt=46886&rtt_var=61893&sent=8&recv=11&lost=0&retrans=1&sent_bytes=6688&recv_bytes=576&delivery_rate=74236&cwnd=254&unsent_bytes=0&cid=c89fef9f2ec62b18&ts=5963&x=0"
  • [US] GET https://reallyfreegeoip.org/xml/181.215.176.83 (RegSvcs.exe), remote address 104.21.96.1:443
    Request
    GET /xml/181.215.176.83 HTTP/1.1
    Host: reallyfreegeoip.org
    Response
    HTTP/1.1 200 OK
    Date: Fri, 31 Jan 2025 02:16:28 GMT
    Content-Type: text/xml
    Content-Length: 356
    Connection: keep-alive
    Cache-Control: max-age=31536000
    CF-Cache-Status: HIT
    Age: 6777242
    Last-Modified: Wed, 13 Nov 2024 15:42:26 GMT
    Accept-Ranges: bytes
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=lb111IFtMOzaE%2FZcgNkIwql%2FzHaIN%2Fy2o%2FibRiBkSTYyLAget1Twuat6N9yn2hrgUeU2zN5HJ3lwpJqNo6%2Fa26Q8PsiSqFAO7y1HqyyUG4Q8A5iSJlVOr8220L2AQ9zO8hAHjry8"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 90a63328080fef1b-LHR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=97744&min_rtt=46886&rtt_var=91138&sent=9&recv=13&lost=0&retrans=1&sent_bytes=7973&recv_bytes=677&delivery_rate=74236&cwnd=255&unsent_bytes=0&cid=c89fef9f2ec62b18&ts=8883&x=0"
  • [US] GET https://reallyfreegeoip.org/xml/181.215.176.83 (RegSvcs.exe), remote address 104.21.96.1:443
    Request
    GET /xml/181.215.176.83 HTTP/1.1
    Host: reallyfreegeoip.org
    Response
    HTTP/1.1 200 OK
    Date: Fri, 31 Jan 2025 02:16:31 GMT
    Content-Type: text/xml
    Content-Length: 356
    Connection: keep-alive
    Cache-Control: max-age=31536000
    CF-Cache-Status: HIT
    Age: 6777245
    Last-Modified: Wed, 13 Nov 2024 15:42:26 GMT
    Accept-Ranges: bytes
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=rNygHD3W%2Bwj5NtynWOW%2Bwr%2BFLA3J664lS7giC754oqpHNu3SLyLY2X%2BI8%2FdVPjI3QvVtyIukFtU%2BJ30shwC0GmvbpCkUN9n2snwGtZSYBQNaJvTify59g%2BB%2BK2pSGBf1UdQQHP8F"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 90a6333a18feef1b-LHR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=116944&min_rtt=46886&rtt_var=106755&sent=10&recv=15&lost=0&retrans=1&sent_bytes=9258&recv_bytes=778&delivery_rate=74236&cwnd=255&unsent_bytes=0&cid=c89fef9f2ec62b18&ts=11774&x=0"
  • [US] GET https://reallyfreegeoip.org/xml/181.215.176.83 (RegSvcs.exe), remote address 104.21.96.1:443
    Request
    GET /xml/181.215.176.83 HTTP/1.1
    Host: reallyfreegeoip.org
    Response
    HTTP/1.1 200 OK
    Date: Fri, 31 Jan 2025 02:16:33 GMT
    Content-Type: text/xml
    Content-Length: 356
    Connection: keep-alive
    Cache-Control: max-age=31536000
    CF-Cache-Status: HIT
    Age: 6777247
    Last-Modified: Wed, 13 Nov 2024 15:42:26 GMT
    Accept-Ranges: bytes
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=SGkN0DDhuoPl49mJoRK%2B5Ei%2FqcfRd6LY%2BdLMWLcK9ZL1yXXCmIAsQW%2B6tcCxGMsZUvcN0%2BvfquJdgbf%2BO1Ta%2F2zuLnYKpekqSYaUgVDrmfNlli%2B9vK9hKyNVXMhHYbQOcc1lrUD0"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 90a6334c594eef1b-LHR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=133181&min_rtt=46886&rtt_var=112538&sent=11&recv=17&lost=0&retrans=1&sent_bytes=10543&recv_bytes=879&delivery_rate=74236&cwnd=255&unsent_bytes=0&cid=c89fef9f2ec62b18&ts=14690&x=0"
  • [US] GET https://reallyfreegeoip.org/xml/181.215.176.83 (RegSvcs.exe), remote address 104.21.96.1:443
    Request
    GET /xml/181.215.176.83 HTTP/1.1
    Host: reallyfreegeoip.org
    Response
    HTTP/1.1 200 OK
    Date: Fri, 31 Jan 2025 02:16:36 GMT
    Content-Type: text/xml
    Content-Length: 356
    Connection: keep-alive
    Cache-Control: max-age=31536000
    CF-Cache-Status: HIT
    Age: 6777250
    Last-Modified: Wed, 13 Nov 2024 15:42:26 GMT
    Accept-Ranges: bytes
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=k8f5YygfB3deZINDagcZb%2FIjdxrWx3pQxO88vMXHZdOhxTS0hMEtPncXacYEDtaIW2ciz1bQR59JMxIbBwpUhPEipMibEVZmtuc2L%2Fs939aoeGcZLkXgcAmRoRU1JBLb7wV1cJLD"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 90a6335e69f1ef1b-LHR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=149486&min_rtt=46886&rtt_var=117016&sent=12&recv=19&lost=0&retrans=1&sent_bytes=11828&recv_bytes=980&delivery_rate=74236&cwnd=255&unsent_bytes=0&cid=c89fef9f2ec62b18&ts=17577&x=0"
  • [US] GET https://reallyfreegeoip.org/xml/181.215.176.83 (RegSvcs.exe), remote address 104.21.96.1:443
    Request
    GET /xml/181.215.176.83 HTTP/1.1
    Host: reallyfreegeoip.org
    Response
    HTTP/1.1 200 OK
    Date: Fri, 31 Jan 2025 02:16:39 GMT
    Content-Type: text/xml
    Content-Length: 356
    Connection: keep-alive
    Cache-Control: max-age=31536000
    CF-Cache-Status: HIT
    Age: 6777253
    Last-Modified: Wed, 13 Nov 2024 15:42:26 GMT
    Accept-Ranges: bytes
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=8D0A%2Bykfc%2FdqzFgeJ4FFQgEhkwlQixit9KasM3T2UBNVKLGS9KbeFtfsANgH4fn8x8fAjrZltgvih6isCM93gHUJ3bLWWdN%2F0AtjjiGnzsxpoxvBC3pIvGV3KW%2BmEbYIPEzRoZ6m"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 90a6337068baef1b-LHR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=163614&min_rtt=46886&rtt_var=116016&sent=13&recv=21&lost=0&retrans=1&sent_bytes=13113&recv_bytes=1081&delivery_rate=74236&cwnd=255&unsent_bytes=0&cid=c89fef9f2ec62b18&ts=20461&x=0"
  • [US] DNS scratchdreams.tk (RegSvcs.exe), remote address 8.8.8.8:53
    Request
    scratchdreams.tk IN A
    Response
    scratchdreams.tk IN A 104.21.27.85
    scratchdreams.tk IN A 172.67.169.18
  • [US] GET https://scratchdreams.tk/_send_.php?TS (RegSvcs.exe), remote address 104.21.27.85:443
    Request
    GET /_send_.php?TS HTTP/1.1
    Host: scratchdreams.tk
    Connection: Keep-Alive
    Response
    HTTP/1.1 522
    Date: Fri, 31 Jan 2025 02:17:19 GMT
    Content-Type: text/plain; charset=UTF-8
    Content-Length: 15
    Connection: keep-alive
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=tkRKL4nZrRHC7QzvfIToBqs422iaXq2V9iHvZ5S%2Fv8oeu%2FAq6YGvjHsSDrFdHQ82nxtpnBWbc3AG%2Fhhs1kmJgH5nkqOiquKUcXuMjSGJuPX6hx1zqSbWgjNiUNNqhJWni83V"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    X-Frame-Options: SAMEORIGIN
    Referrer-Policy: same-origin
    Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
    Expires: Thu, 01 Jan 1970 00:00:01 GMT
    Server: cloudflare
    CF-RAY: 90a633722cca71e1-LHR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=48926&min_rtt=47347&rtt_var=12770&sent=6&recv=6&lost=0&retrans=0&sent_bytes=2853&recv_bytes=392&delivery_rate=76812&cwnd=245&unsent_bytes=0&cid=fe363137c60da1a8&ts=39316&x=0"
  • 132.226.247.73:80 | http://checkip.dyndns.org/ | http | RegSvcs.exe | 2.1kB | 3.1kB | 22 | 15
    HTTP Request: GET http://checkip.dyndns.org/ -> HTTP Response: 200
    HTTP Request: GET http://checkip.dyndns.org/ -> HTTP Response: 200
    HTTP Request: GET http://checkip.dyndns.org/ -> HTTP Response: 200
    HTTP Request: GET http://checkip.dyndns.org/ -> HTTP Response: 200
    HTTP Request: GET http://checkip.dyndns.org/ -> HTTP Response: 200
    HTTP Request: GET http://checkip.dyndns.org/ -> HTTP Response: 200
    HTTP Request: GET http://checkip.dyndns.org/ -> HTTP Response: 200
    HTTP Request: GET http://checkip.dyndns.org/ -> HTTP Response: 200
    HTTP Request: GET http://checkip.dyndns.org/ -> HTTP Response: 200
  • 104.21.96.1:443 | https://reallyfreegeoip.org/xml/181.215.176.83 | tls, http | RegSvcs.exe | 2.1kB | 15.1kB | 24 | 16
    HTTP Request: GET https://reallyfreegeoip.org/xml/181.215.176.83 -> HTTP Response: 200
    HTTP Request: GET https://reallyfreegeoip.org/xml/181.215.176.83 -> HTTP Response: 200
    HTTP Request: GET https://reallyfreegeoip.org/xml/181.215.176.83 -> HTTP Response: 200
    HTTP Request: GET https://reallyfreegeoip.org/xml/181.215.176.83 -> HTTP Response: 200
    HTTP Request: GET https://reallyfreegeoip.org/xml/181.215.176.83 -> HTTP Response: 200
    HTTP Request: GET https://reallyfreegeoip.org/xml/181.215.176.83 -> HTTP Response: 200
    HTTP Request: GET https://reallyfreegeoip.org/xml/181.215.176.83 -> HTTP Response: 200
    HTTP Request: GET https://reallyfreegeoip.org/xml/181.215.176.83 -> HTTP Response: 200
  • 104.21.27.85:443 | https://scratchdreams.tk/_send_.php?TS | tls, http | RegSvcs.exe | 702 B | 4.2kB | 7 | 8
    HTTP Request: GET https://scratchdreams.tk/_send_.php?TS -> HTTP Response: 522
  • 8.8.8.8:53 | checkip.dyndns.org | dns | RegSvcs.exe | 64 B | 176 B | 1 | 1
    DNS Request: checkip.dyndns.org
    DNS Response: 132.226.247.73, 132.226.8.169, 193.122.6.168, 193.122.130.0, 158.101.44.242
  • 8.8.8.8:53 | reallyfreegeoip.org | dns | RegSvcs.exe | 65 B | 177 B | 1 | 1
    DNS Request: reallyfreegeoip.org
    DNS Response: 104.21.96.1, 104.21.48.1, 104.21.16.1, 104.21.112.1, 104.21.32.1, 104.21.64.1, 104.21.80.1
  • 8.8.8.8:53 | scratchdreams.tk | dns | RegSvcs.exe | 62 B | 94 B | 1 | 1
    DNS Request: scratchdreams.tk
    DNS Response: 104.21.27.85, 172.67.169.18

MITRE ATT&CK Enterprise v15


Downloads

  • \Users\Admin\AppData\Local\batchers\Milburr.exe
    Filesize: 527KB
    MD5: 3f48fc323c58106614bfe2719971411c
    SHA1: 47b50ce885d36c013a43b0cc8c235608277caf7c
    SHA256: 806c4451b1153f5453fdf0a09465a1f82018c3f01b3381a559564143f6d13796
    SHA512: a1e93d845b9007622f2d634d346754ff1721d4769ce9200ee2902f81e8e51d0d6450fa1105855b143f50567509b9aa43d64d8709ac71ed13575793490a816b27
  • memory/2220-38-0x0000000000400000-0x00000000004E6000-memory.dmp
    Filesize: 920KB
  • memory/2220-16-0x0000000000400000-0x00000000004E6000-memory.dmp
    Filesize: 920KB
  • memory/2220-25-0x00000000039E0000-0x0000000003BE0000-memory.dmp
    Filesize: 2.0MB
  • memory/2516-7-0x0000000002D10000-0x0000000002F10000-memory.dmp
    Filesize: 2.0MB
  • memory/2516-14-0x0000000003010000-0x00000000030F6000-memory.dmp
    Filesize: 920KB
  • memory/2516-13-0x0000000000400000-0x00000000004E6000-memory.dmp
    Filesize: 920KB
  • memory/2516-0-0x0000000000400000-0x00000000004E6000-memory.dmp
    Filesize: 920KB
  • memory/2516-41-0x0000000003010000-0x00000000030F6000-memory.dmp
    Filesize: 920KB
  • memory/2688-27-0x0000000000090000-0x00000000000B6000-memory.dmp
    Filesize: 152KB
  • memory/2688-36-0x0000000000090000-0x00000000000B6000-memory.dmp
    Filesize: 152KB
  • memory/2688-33-0x0000000000090000-0x00000000000B6000-memory.dmp
    Filesize: 152KB
  • memory/2688-39-0x0000000073C4E000-0x0000000073C4F000-memory.dmp
    Filesize: 4KB
  • memory/2688-40-0x0000000073C40000-0x000000007432E000-memory.dmp
    Filesize: 6.9MB
  • memory/2688-29-0x0000000000090000-0x00000000000B6000-memory.dmp
    Filesize: 152KB
  • memory/2688-42-0x0000000073C4E000-0x0000000073C4F000-memory.dmp
    Filesize: 4KB
  • memory/2688-43-0x0000000073C40000-0x000000007432E000-memory.dmp
    Filesize: 6.9MB
