Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    120s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20241023-en
  • resource tags

    arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
  • submitted
    31/01/2025, 03:39 UTC

General

  • Target

    256b0ce3c9164315809fbcfbbdb1624d662b72cd5156bfcab0550abd88f83dca.exe

  • Size

    618KB

  • MD5

    931ed17fdcdb3ff5176c81d1bc35468b

  • SHA1

    8fe727064eca37e6823393e28580f70a2d01b182

  • SHA256

    256b0ce3c9164315809fbcfbbdb1624d662b72cd5156bfcab0550abd88f83dca

  • SHA512

    dab2149f9d127352ded6b0596ffd4b04d9cfe53b09772e61a5a1447891690520ac48d31a430038b3498244fab79efee35756c7922c208791039ae7712a74f560

  • SSDEEP

    12288:BKN3E8b4cgmzUODZda4IOhNm2SzuH2LH6j8q3QtoQP:MG44cgmzJdNI+mBC1L3HI

Malware Config

Extracted

Family

snakekeylogger

Credentials

  • Protocol:
    smtp
  • Host:
    mail.aktagor-prom.by
  • Port:
    587
  • Username:
    office@aktagor-prom.by
  • Password:
    71z&rRC84

Signatures

  • Snake Keylogger

    Keylogger and Infostealer first seen in November 2020.

  • Snake Keylogger payload 5 IoCs
  • Snakekeylogger family
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\256b0ce3c9164315809fbcfbbdb1624d662b72cd5156bfcab0550abd88f83dca.exe
    "C:\Users\Admin\AppData\Local\Temp\256b0ce3c9164315809fbcfbbdb1624d662b72cd5156bfcab0550abd88f83dca.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2988
    • C:\Users\Admin\AppData\Local\Temp\256b0ce3c9164315809fbcfbbdb1624d662b72cd5156bfcab0550abd88f83dca.exe
      "C:\Users\Admin\AppData\Local\Temp\256b0ce3c9164315809fbcfbbdb1624d662b72cd5156bfcab0550abd88f83dca.exe"
      2⤵
      • Accesses Microsoft Outlook profiles
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • outlook_office_path
      • outlook_win_path
      PID:2228

Network

  • flag-us
    DNS
    checkip.dyndns.org
    256b0ce3c9164315809fbcfbbdb1624d662b72cd5156bfcab0550abd88f83dca.exe
    Remote address:
    8.8.8.8:53
    Request
    checkip.dyndns.org
    IN A
    Response
    checkip.dyndns.org
    IN CNAME
    checkip.dyndns.com
    checkip.dyndns.com
    IN A
    158.101.44.242
    checkip.dyndns.com
    IN A
    132.226.8.169
    checkip.dyndns.com
    IN A
    132.226.247.73
    checkip.dyndns.com
    IN A
    193.122.130.0
    checkip.dyndns.com
    IN A
    193.122.6.168
  • flag-us
    GET
    http://checkip.dyndns.org/
    256b0ce3c9164315809fbcfbbdb1624d662b72cd5156bfcab0550abd88f83dca.exe
    Remote address:
    158.101.44.242:80
    Request
    GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Date: Fri, 31 Jan 2025 03:39:26 GMT
    Content-Type: text/html
    Content-Length: 106
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    X-Request-ID: 4230729d1a457c08f3824287d6824f5f
  • flag-us
    GET
    http://checkip.dyndns.org/
    256b0ce3c9164315809fbcfbbdb1624d662b72cd5156bfcab0550abd88f83dca.exe
    Remote address:
    158.101.44.242:80
    Request
    GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Response
    HTTP/1.1 200 OK
    Date: Fri, 31 Jan 2025 03:39:29 GMT
    Content-Type: text/html
    Content-Length: 106
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    X-Request-ID: 9a481035b0abb7ff492cf9728ac7fc64
  • flag-us
    GET
    http://checkip.dyndns.org/
    256b0ce3c9164315809fbcfbbdb1624d662b72cd5156bfcab0550abd88f83dca.exe
    Remote address:
    158.101.44.242:80
    Request
    GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Response
    HTTP/1.1 200 OK
    Date: Fri, 31 Jan 2025 03:39:35 GMT
    Content-Type: text/html
    Content-Length: 106
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    X-Request-ID: 60ceafb6ce0d511c2203c4bdf35ebc3f
  • flag-us
    GET
    http://checkip.dyndns.org/
    256b0ce3c9164315809fbcfbbdb1624d662b72cd5156bfcab0550abd88f83dca.exe
    Remote address:
    158.101.44.242:80
    Request
    GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Response
    HTTP/1.1 200 OK
    Date: Fri, 31 Jan 2025 03:39:38 GMT
    Content-Type: text/html
    Content-Length: 106
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    X-Request-ID: edc39d79d92195bf6ecd7a4d67aaf251
  • flag-us
    GET
    http://checkip.dyndns.org/
    256b0ce3c9164315809fbcfbbdb1624d662b72cd5156bfcab0550abd88f83dca.exe
    Remote address:
    158.101.44.242:80
    Request
    GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Response
    HTTP/1.1 200 OK
    Date: Fri, 31 Jan 2025 03:39:41 GMT
    Content-Type: text/html
    Content-Length: 106
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    X-Request-ID: fa5fb295a0df23a88c8d1086f678d94f
  • flag-us
    GET
    http://checkip.dyndns.org/
    256b0ce3c9164315809fbcfbbdb1624d662b72cd5156bfcab0550abd88f83dca.exe
    Remote address:
    158.101.44.242:80
    Request
    GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Response
    HTTP/1.1 200 OK
    Date: Fri, 31 Jan 2025 03:39:43 GMT
    Content-Type: text/html
    Content-Length: 106
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    X-Request-ID: e9d02f51d11be9c3d88291ba847d7e61
  • flag-us
    GET
    http://checkip.dyndns.org/
    256b0ce3c9164315809fbcfbbdb1624d662b72cd5156bfcab0550abd88f83dca.exe
    Remote address:
    158.101.44.242:80
    Request
    GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Response
    HTTP/1.1 200 OK
    Date: Fri, 31 Jan 2025 03:39:46 GMT
    Content-Type: text/html
    Content-Length: 106
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    X-Request-ID: 0952fc41c2aa1f0c2532fa85127d00be
  • flag-us
    GET
    http://checkip.dyndns.org/
    256b0ce3c9164315809fbcfbbdb1624d662b72cd5156bfcab0550abd88f83dca.exe
    Remote address:
    158.101.44.242:80
    Request
    GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Response
    HTTP/1.1 200 OK
    Date: Fri, 31 Jan 2025 03:39:49 GMT
    Content-Type: text/html
    Content-Length: 106
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    X-Request-ID: f9d6840a301656a3706aac7d7a0b3ed5
  • flag-us
    GET
    http://checkip.dyndns.org/
    256b0ce3c9164315809fbcfbbdb1624d662b72cd5156bfcab0550abd88f83dca.exe
    Remote address:
    158.101.44.242:80
    Request
    GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Response
    HTTP/1.1 200 OK
    Date: Fri, 31 Jan 2025 03:39:52 GMT
    Content-Type: text/html
    Content-Length: 106
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    X-Request-ID: 08af19374f386c9ef337372e881389bc
  • flag-us
    DNS
    reallyfreegeoip.org
    256b0ce3c9164315809fbcfbbdb1624d662b72cd5156bfcab0550abd88f83dca.exe
    Remote address:
    8.8.8.8:53
    Request
    reallyfreegeoip.org
    IN A
    Response
    reallyfreegeoip.org
    IN A
    104.21.112.1
    reallyfreegeoip.org
    IN A
    104.21.64.1
    reallyfreegeoip.org
    IN A
    104.21.32.1
    reallyfreegeoip.org
    IN A
    104.21.48.1
    reallyfreegeoip.org
    IN A
    104.21.96.1
    reallyfreegeoip.org
    IN A
    104.21.16.1
    reallyfreegeoip.org
    IN A
    104.21.80.1
  • flag-us
    GET
    https://reallyfreegeoip.org/xml/181.215.176.83
    256b0ce3c9164315809fbcfbbdb1624d662b72cd5156bfcab0550abd88f83dca.exe
    Remote address:
    104.21.112.1:443
    Request
    GET /xml/181.215.176.83 HTTP/1.1
    Host: reallyfreegeoip.org
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Date: Fri, 31 Jan 2025 03:39:32 GMT
    Content-Type: text/xml
    Content-Length: 356
    Connection: keep-alive
    Cache-Control: max-age=31536000
    CF-Cache-Status: HIT
    Age: 6782226
    Last-Modified: Wed, 13 Nov 2024 15:42:26 GMT
    Accept-Ranges: bytes
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=0aBeuyRr4xDZUoUyzH6OKEDCXZz9kViw6qj5031dUO%2Fg6AGG45%2FllywpzN1PyHTHi6D0nIaIuyLso4%2FvTdbw91qNgqSYK5hmk9WTMeWs1nglENpkNtH7RN54zKcC%2B2KZW%2Fg6oghZ"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 90a6acd70fea957d-LHR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=54710&min_rtt=47114&rtt_var=24415&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2864&recv_bytes=374&delivery_rate=69586&cwnd=253&unsent_bytes=0&cid=adab97b806bdafff&ts=185&x=0"
  • flag-us
    GET
    https://reallyfreegeoip.org/xml/181.215.176.83
    256b0ce3c9164315809fbcfbbdb1624d662b72cd5156bfcab0550abd88f83dca.exe
    Remote address:
    104.21.112.1:443
    Request
    GET /xml/181.215.176.83 HTTP/1.1
    Host: reallyfreegeoip.org
    Response
    HTTP/1.1 200 OK
    Date: Fri, 31 Jan 2025 03:39:35 GMT
    Content-Type: text/xml
    Content-Length: 356
    Connection: keep-alive
    Cache-Control: max-age=31536000
    CF-Cache-Status: HIT
    Age: 6782229
    Last-Modified: Wed, 13 Nov 2024 15:42:26 GMT
    Accept-Ranges: bytes
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=opaCZ935UdVmzbIITxHpv9vTsOFuJiKvGkt%2FI2Tr1L%2FPcnsKZTyeX0a0eLJiTJGpkqVlsUPKv%2FBOhO3zGvSYPoNj90j4ATnjpd4wJGy1QwyZcX1Lw2rUqA54NwRg1%2FSS6kycPSZ4"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 90a6aceaa8d3957d-LHR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=54710&min_rtt=47114&rtt_var=24415&sent=7&recv=9&lost=0&retrans=1&sent_bytes=5434&recv_bytes=475&delivery_rate=69586&cwnd=254&unsent_bytes=0&cid=adab97b806bdafff&ts=3312&x=0"
  • flag-us
    GET
    https://reallyfreegeoip.org/xml/181.215.176.83
    256b0ce3c9164315809fbcfbbdb1624d662b72cd5156bfcab0550abd88f83dca.exe
    Remote address:
    104.21.112.1:443
    Request
    GET /xml/181.215.176.83 HTTP/1.1
    Host: reallyfreegeoip.org
    Response
    HTTP/1.1 200 OK
    Date: Fri, 31 Jan 2025 03:39:38 GMT
    Content-Type: text/xml
    Content-Length: 356
    Connection: keep-alive
    Cache-Control: max-age=31536000
    CF-Cache-Status: HIT
    Age: 6782232
    Last-Modified: Wed, 13 Nov 2024 15:42:26 GMT
    Accept-Ranges: bytes
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=32KsHBfLIJkdZNtwzba8fDunVrWBK3pnB8FCDist96PaG3RHWRS0IollsQyGQLhbS7aookTj8eCai%2B3IaXodIPC41LijHE3fNtUUjXoDeat3KiNOtVNWe5hrRU0zDqDGGi%2BylJlt"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 90a6acfc882d957d-LHR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=79389&min_rtt=47114&rtt_var=67669&sent=8&recv=11&lost=0&retrans=1&sent_bytes=6703&recv_bytes=576&delivery_rate=69586&cwnd=255&unsent_bytes=0&cid=adab97b806bdafff&ts=6168&x=0"
  • flag-us
    GET
    https://reallyfreegeoip.org/xml/181.215.176.83
    256b0ce3c9164315809fbcfbbdb1624d662b72cd5156bfcab0550abd88f83dca.exe
    Remote address:
    104.21.112.1:443
    Request
    GET /xml/181.215.176.83 HTTP/1.1
    Host: reallyfreegeoip.org
    Response
    HTTP/1.1 200 OK
    Date: Fri, 31 Jan 2025 03:39:41 GMT
    Content-Type: text/xml
    Content-Length: 356
    Connection: keep-alive
    Cache-Control: max-age=31536000
    CF-Cache-Status: HIT
    Age: 6782235
    Last-Modified: Wed, 13 Nov 2024 15:42:26 GMT
    Accept-Ranges: bytes
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=mt6YUJh9XTlgSR86DIPQLu9vYRYKa5RyMu%2FvmdkeVR%2BTTtpx%2F%2FxFPBswLKuqo93JBYu%2FfwgFWohEzNEPSqM%2FmnQou4v4zNjeJPIdzvXAoZYrtHUXysfgQCJVpkQEsOFVz%2Ft6Mvqf"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 90a6ad0ea8bb957d-LHR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=102690&min_rtt=47114&rtt_var=97354&sent=9&recv=13&lost=0&retrans=1&sent_bytes=7972&recv_bytes=677&delivery_rate=69586&cwnd=256&unsent_bytes=0&cid=adab97b806bdafff&ts=9062&x=0"
  • flag-us
    GET
    https://reallyfreegeoip.org/xml/181.215.176.83
    256b0ce3c9164315809fbcfbbdb1624d662b72cd5156bfcab0550abd88f83dca.exe
    Remote address:
    104.21.112.1:443
    Request
    GET /xml/181.215.176.83 HTTP/1.1
    Host: reallyfreegeoip.org
    Response
    HTTP/1.1 200 OK
    Date: Fri, 31 Jan 2025 03:39:44 GMT
    Content-Type: text/xml
    Content-Length: 356
    Connection: keep-alive
    Cache-Control: max-age=31536000
    CF-Cache-Status: HIT
    Age: 6782238
    Last-Modified: Wed, 13 Nov 2024 15:42:26 GMT
    Accept-Ranges: bytes
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ljLzHq4XM0PNPEjWREwcREUJ1j0g7YYEOQHiz2rr5%2BC1Qe3u3lrbJJNtgFzKeUpGRyBaB4%2F5NXa8XnrcPvydXCcV06DsvkM25JOd76KcEslUn6t5c36T8oBSdD29mJ1Dz6CWM%2BZD"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 90a6ad2099ad957d-LHR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=122142&min_rtt=47114&rtt_var=111919&sent=10&recv=15&lost=0&retrans=1&sent_bytes=9257&recv_bytes=778&delivery_rate=69586&cwnd=256&unsent_bytes=0&cid=adab97b806bdafff&ts=11944&x=0"
  • flag-us
    GET
    https://reallyfreegeoip.org/xml/181.215.176.83
    256b0ce3c9164315809fbcfbbdb1624d662b72cd5156bfcab0550abd88f83dca.exe
    Remote address:
    104.21.112.1:443
    Request
    GET /xml/181.215.176.83 HTTP/1.1
    Host: reallyfreegeoip.org
    Response
    HTTP/1.1 200 OK
    Date: Fri, 31 Jan 2025 03:39:46 GMT
    Content-Type: text/xml
    Content-Length: 356
    Connection: keep-alive
    Cache-Control: max-age=31536000
    CF-Cache-Status: HIT
    Age: 6782240
    Last-Modified: Wed, 13 Nov 2024 15:42:26 GMT
    Accept-Ranges: bytes
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2FlroPwWTN2ekp%2BYlQo4PnjelYUfSMCq%2Bi81owFafHN2foXgS6pkfQ3XlPINJZCjoO7EkTggN8QgHzAH54dlk9OXk%2BOw8LSe8jX02r09bJK%2BqOequqDIoEREZskXQvk1viR%2FxBKFD"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 90a6ad328953957d-LHR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=137616&min_rtt=47114&rtt_var=114888&sent=11&recv=17&lost=0&retrans=1&sent_bytes=10542&recv_bytes=879&delivery_rate=69586&cwnd=256&unsent_bytes=0&cid=adab97b806bdafff&ts=14810&x=0"
  • flag-us
    GET
    https://reallyfreegeoip.org/xml/181.215.176.83
    256b0ce3c9164315809fbcfbbdb1624d662b72cd5156bfcab0550abd88f83dca.exe
    Remote address:
    104.21.112.1:443
    Request
    GET /xml/181.215.176.83 HTTP/1.1
    Host: reallyfreegeoip.org
    Response
    HTTP/1.1 200 OK
    Date: Fri, 31 Jan 2025 03:39:49 GMT
    Content-Type: text/xml
    Content-Length: 356
    Connection: keep-alive
    Cache-Control: max-age=31536000
    CF-Cache-Status: HIT
    Age: 6782243
    Last-Modified: Wed, 13 Nov 2024 15:42:26 GMT
    Accept-Ranges: bytes
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=CtsSXfg%2BRw1a02ufsGPkMIl3AQQQNmuL%2FjdHUfjqTzUutFB0Ry1wO0wc5ouJ61WywiFfqphfKXmj5PQpKR1hMlnwHWfbD7ADoS91JvJ9m5DiYF5T%2FD%2BinY%2B7Hau%2BQQIxixKjTlKc"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 90a6ad447ff2957d-LHR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=153726&min_rtt=47114&rtt_var=118387&sent=12&recv=19&lost=0&retrans=1&sent_bytes=11827&recv_bytes=980&delivery_rate=69586&cwnd=256&unsent_bytes=0&cid=adab97b806bdafff&ts=17681&x=0"
  • flag-us
    GET
    https://reallyfreegeoip.org/xml/181.215.176.83
    256b0ce3c9164315809fbcfbbdb1624d662b72cd5156bfcab0550abd88f83dca.exe
    Remote address:
    104.21.112.1:443
    Request
    GET /xml/181.215.176.83 HTTP/1.1
    Host: reallyfreegeoip.org
    Response
    HTTP/1.1 200 OK
    Date: Fri, 31 Jan 2025 03:39:52 GMT
    Content-Type: text/xml
    Content-Length: 356
    Connection: keep-alive
    Cf-Ray: 90a6ad5658b0957d-LHR
    Server: cloudflare
    Cache-Control: max-age=31536000
    Cf-Cache-Status: HIT
    Age: 6782246
    Last-Modified: Wed, 13 Nov 2024 15:42:26 GMT
    Accept-Ranges: bytes
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=YP1mF4l2%2BRj2ptejslGNcEf6bA%2BrSnoXli4BcuM6d9dYoOs5gY8i3cOg08ICTmr%2FofLGfPUusBEXPDVTk4qKbbVxQIPKSR6LS%2BsiLVdakY3O3wU2kTJbDkVE961hynR510XREMQ8"}],"group":"cf-nel","max_age":604800}
    Nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=165769&min_rtt=47114&rtt_var=112876&sent=13&recv=21&lost=0&retrans=1&sent_bytes=13112&recv_bytes=1081&delivery_rate=69586&cwnd=256&unsent_bytes=0&cid=adab97b806bdafff&ts=20545&x=0"
  • 158.101.44.242:80
    http://checkip.dyndns.org/
    http
    256b0ce3c9164315809fbcfbbdb1624d662b72cd5156bfcab0550abd88f83dca.exe
    2.1kB
    3.4kB
    22
    13

    HTTP Request

    GET http://checkip.dyndns.org/

    HTTP Response

    200

    HTTP Request

    GET http://checkip.dyndns.org/

    HTTP Response

    200

    HTTP Request

    GET http://checkip.dyndns.org/

    HTTP Response

    200

    HTTP Request

    GET http://checkip.dyndns.org/

    HTTP Response

    200

    HTTP Request

    GET http://checkip.dyndns.org/

    HTTP Response

    200

    HTTP Request

    GET http://checkip.dyndns.org/

    HTTP Response

    200

    HTTP Request

    GET http://checkip.dyndns.org/

    HTTP Response

    200

    HTTP Request

    GET http://checkip.dyndns.org/

    HTTP Response

    200

    HTTP Request

    GET http://checkip.dyndns.org/

    HTTP Response

    200
  • 104.21.112.1:443
    https://reallyfreegeoip.org/xml/181.215.176.83
    tls, http
    256b0ce3c9164315809fbcfbbdb1624d662b72cd5156bfcab0550abd88f83dca.exe
    2.1kB
    15.0kB
    24
    16

    HTTP Request

    GET https://reallyfreegeoip.org/xml/181.215.176.83

    HTTP Response

    200

    HTTP Request

    GET https://reallyfreegeoip.org/xml/181.215.176.83

    HTTP Response

    200

    HTTP Request

    GET https://reallyfreegeoip.org/xml/181.215.176.83

    HTTP Response

    200

    HTTP Request

    GET https://reallyfreegeoip.org/xml/181.215.176.83

    HTTP Response

    200

    HTTP Request

    GET https://reallyfreegeoip.org/xml/181.215.176.83

    HTTP Response

    200

    HTTP Request

    GET https://reallyfreegeoip.org/xml/181.215.176.83

    HTTP Response

    200

    HTTP Request

    GET https://reallyfreegeoip.org/xml/181.215.176.83

    HTTP Response

    200

    HTTP Request

    GET https://reallyfreegeoip.org/xml/181.215.176.83

    HTTP Response

    200
  • 8.8.8.8:53
    checkip.dyndns.org
    dns
    256b0ce3c9164315809fbcfbbdb1624d662b72cd5156bfcab0550abd88f83dca.exe
    64 B
    176 B
    1
    1

    DNS Request

    checkip.dyndns.org

    DNS Response

    158.101.44.242
    132.226.8.169
    132.226.247.73
    193.122.130.0
    193.122.6.168

  • 8.8.8.8:53
    reallyfreegeoip.org
    dns
    256b0ce3c9164315809fbcfbbdb1624d662b72cd5156bfcab0550abd88f83dca.exe
    65 B
    177 B
    1
    1

    DNS Request

    reallyfreegeoip.org

    DNS Response

    104.21.112.1
    104.21.64.1
    104.21.32.1
    104.21.48.1
    104.21.96.1
    104.21.16.1
    104.21.80.1

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2228-20-0x00000000741A0000-0x000000007488E000-memory.dmp

    Filesize

    6.9MB

  • memory/2228-17-0x0000000000400000-0x0000000000426000-memory.dmp

    Filesize

    152KB

  • memory/2228-24-0x00000000741A0000-0x000000007488E000-memory.dmp

    Filesize

    6.9MB

  • memory/2228-23-0x00000000741A0000-0x000000007488E000-memory.dmp

    Filesize

    6.9MB

  • memory/2228-22-0x00000000741A0000-0x000000007488E000-memory.dmp

    Filesize

    6.9MB

  • memory/2228-15-0x0000000000400000-0x0000000000426000-memory.dmp

    Filesize

    152KB

  • memory/2228-7-0x0000000000400000-0x0000000000426000-memory.dmp

    Filesize

    152KB

  • memory/2228-11-0x0000000000400000-0x0000000000426000-memory.dmp

    Filesize

    152KB

  • memory/2228-19-0x0000000000400000-0x0000000000426000-memory.dmp

    Filesize

    152KB

  • memory/2228-9-0x0000000000400000-0x0000000000426000-memory.dmp

    Filesize

    152KB

  • memory/2228-12-0x0000000000400000-0x0000000000426000-memory.dmp

    Filesize

    152KB

  • memory/2228-13-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

  • memory/2988-5-0x00000000741A0000-0x000000007488E000-memory.dmp

    Filesize

    6.9MB

  • memory/2988-1-0x0000000000940000-0x00000000009E0000-memory.dmp

    Filesize

    640KB

  • memory/2988-6-0x00000000050A0000-0x000000000510C000-memory.dmp

    Filesize

    432KB

  • memory/2988-0-0x00000000741AE000-0x00000000741AF000-memory.dmp

    Filesize

    4KB

  • memory/2988-21-0x00000000741A0000-0x000000007488E000-memory.dmp

    Filesize

    6.9MB

  • memory/2988-4-0x00000000741AE000-0x00000000741AF000-memory.dmp

    Filesize

    4KB

  • memory/2988-3-0x00000000003F0000-0x000000000040E000-memory.dmp

    Filesize

    120KB

  • memory/2988-2-0x00000000741A0000-0x000000007488E000-memory.dmp

    Filesize

    6.9MB

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.