File name:

539ee7af02fcbd28659831dd774581f76ee66ca6238d12af286158f2f343f3b8

Full analysis: https://app.any.run/tasks/38920947-9b27-4208-8d8a-9239503a08e6
Verdict: Malicious activity
Threats:

A keylogger is a type of spyware that infects a system and records every keystroke made on the device. This lets attackers collect victims' personal information, which may include online banking credentials as well as private conversations. The most widespread attack vector leading to a keylogger infection begins with a phishing email or link. Keylogging functionality is also often bundled into remote access trojans as part of an extended set of malicious tools.

Analysis date: January 10, 2025, 19:01:16
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
snake
keylogger
evasion
putty
tool
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections
MD5:

022DBAA1DF24D488B03ECB058A521613

SHA1:

9F12948C741B6B27CCE58D4CD804A2F988FEDDF2

SHA256:

539EE7AF02FCBD28659831DD774581F76EE66CA6238D12AF286158F2F343F3B8

SSDEEP:

98304:BlgJbksMDOSlOX7gWkoYg5CLoKNfSNEFwD4iYwRFjKmGc6i53:C7

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as is. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS

    • SNAKEKEYLOGGER has been detected (SURICATA)

      • RegSvcs.exe (PID: 6792)
    • Create files in the Startup directory

      • caulds.exe (PID: 6276)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • 539ee7af02fcbd28659831dd774581f76ee66ca6238d12af286158f2f343f3b8.exe (PID: 4908)
      • RegSvcs.exe (PID: 6792)
    • Executable content was dropped or overwritten

      • 539ee7af02fcbd28659831dd774581f76ee66ca6238d12af286158f2f343f3b8.exe (PID: 4908)
      • EmbeddedExe1.exe (PID: 6164)
    • Reads the date of Windows installation

      • 539ee7af02fcbd28659831dd774581f76ee66ca6238d12af286158f2f343f3b8.exe (PID: 4908)
    • PUTTY has been detected

      • EmbeddedExe2.exe (PID: 6188)
    • Starts itself from another location

      • EmbeddedExe1.exe (PID: 6164)
    • Checks for external IP

      • RegSvcs.exe (PID: 6792)
      • svchost.exe (PID: 2192)
    • Starts CMD.EXE for commands execution

      • RegSvcs.exe (PID: 6792)
    • Deletes system .NET executable

      • cmd.exe (PID: 6908)
  • INFO

    • Reads the computer name

      • 539ee7af02fcbd28659831dd774581f76ee66ca6238d12af286158f2f343f3b8.exe (PID: 4908)
      • EmbeddedExe2.exe (PID: 6188)
      • RegSvcs.exe (PID: 6792)
    • The process uses the downloaded file

      • 539ee7af02fcbd28659831dd774581f76ee66ca6238d12af286158f2f343f3b8.exe (PID: 4908)
      • RegSvcs.exe (PID: 6792)
    • Checks supported languages

      • 539ee7af02fcbd28659831dd774581f76ee66ca6238d12af286158f2f343f3b8.exe (PID: 4908)
      • EmbeddedExe2.exe (PID: 6188)
      • EmbeddedExe1.exe (PID: 6164)
      • caulds.exe (PID: 6276)
      • RegSvcs.exe (PID: 6792)
    • Process checks computer location settings

      • 539ee7af02fcbd28659831dd774581f76ee66ca6238d12af286158f2f343f3b8.exe (PID: 4908)
      • RegSvcs.exe (PID: 6792)
    • The sample compiled with english language support

      • 539ee7af02fcbd28659831dd774581f76ee66ca6238d12af286158f2f343f3b8.exe (PID: 4908)
      • EmbeddedExe1.exe (PID: 6164)
    • Reads mouse settings

      • EmbeddedExe1.exe (PID: 6164)
      • caulds.exe (PID: 6276)
    • Creates files or folders in the user directory

      • EmbeddedExe1.exe (PID: 6164)
      • caulds.exe (PID: 6276)
    • Create files in a temporary directory

      • EmbeddedExe1.exe (PID: 6164)
      • caulds.exe (PID: 6276)
    • Reads the machine GUID from the registry

      • EmbeddedExe1.exe (PID: 6164)
      • RegSvcs.exe (PID: 6792)
    • Disables trace logs

      • RegSvcs.exe (PID: 6792)
    • Reads the software policy settings

      • RegSvcs.exe (PID: 6792)
    • Checks proxy server information

      • RegSvcs.exe (PID: 6792)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report.
No Malware configuration.

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (32.4)
.exe | InstallShield setup (19)
.exe | Win64 Executable (generic) (12.2)
.exe | UPX compressed Win32 Executable (11.9)
.exe | Win32 EXE Yoda's Crypter (11.7)

EXIF

EXE

AssemblyVersion: 0.0.0.0
ProductVersion: 0.0.0.0
OriginalFileName: PURCHASE DOCUMENTS.exe
LegalCopyright:
InternalName: PURCHASE DOCUMENTS.exe
FileVersion: 0.0.0.0
FileDescription:
CharacterSet: Unicode
LanguageCode: Neutral
FileSubtype: -
ObjectFileType: Executable application
FileOS: Win32
FileFlags: (none)
FileFlagsMask: 0x003f
ProductVersionNumber: 0.0.0.0
FileVersionNumber: 0.0.0.0
Subsystem: Windows command line
SubsystemVersion: 4
ImageVersion: -
OSVersion: 4
EntryPoint: 0x220cce
UninitializedDataSize: -
InitializedDataSize: 2048
CodeSize: 2223616
LinkerVersion: 11
PEType: PE32
ImageFileCharacteristics: Executable, 32-bit
TimeStamp: 2024:12:06 00:32:21+00:00
MachineType: Intel 386 or later, and compatibles
No data.
All screenshots are available in the full report
Total processes
135
Monitored processes
10
Malicious processes
5
Suspicious processes
0

Behavior graph

Processes shown in the graph (labels as given in the report):

  • start: 539ee7af02fcbd28659831dd774581f76ee66ca6238d12af286158f2f343f3b8.exe
  • conhost.exe (no specs)
  • embeddedexe1.exe (THREAT)
  • embeddedexe2.exe (no specs)
  • caulds.exe
  • regsvcs.exe (#SNAKEKEYLOGGER)
  • svchost.exe
  • cmd.exe (no specs)
  • conhost.exe (no specs)
  • choice.exe (no specs)

Process information

PID: 4908
CMD: "C:\Users\admin\AppData\Local\Temp\539ee7af02fcbd28659831dd774581f76ee66ca6238d12af286158f2f343f3b8.exe"
Path: C:\Users\admin\AppData\Local\Temp\539ee7af02fcbd28659831dd774581f76ee66ca6238d12af286158f2f343f3b8.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Exit code:
0
Version:
0.0.0.0
Modules
Images
c:\users\admin\appdata\local\temp\539ee7af02fcbd28659831dd774581f76ee66ca6238d12af286158f2f343f3b8.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 4704
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: 539ee7af02fcbd28659831dd774581f76ee66ca6238d12af286158f2f343f3b8.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 6164
CMD: "C:\Users\admin\AppData\Local\Temp\EmbeddedExe1.exe"
Path: C:\Users\admin\AppData\Local\Temp\EmbeddedExe1.exe
Parent process: 539ee7af02fcbd28659831dd774581f76ee66ca6238d12af286158f2f343f3b8.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\embeddedexe1.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID: 6188
CMD: "C:\Users\admin\AppData\Local\Temp\EmbeddedExe2.exe"
Path: C:\Users\admin\AppData\Local\Temp\EmbeddedExe2.exe
Parent process: 539ee7af02fcbd28659831dd774581f76ee66ca6238d12af286158f2f343f3b8.exe
User:
admin
Company:
Simon Tatham
Integrity Level:
MEDIUM
Description:
SSH, Telnet, Rlogin, and SUPDUP client
Version:
Release 0.81 (with embedded help)
Modules
Images
c:\users\admin\appdata\local\temp\embeddedexe2.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID: 6276
CMD: "C:\Users\admin\AppData\Local\Temp\EmbeddedExe1.exe"
Path: C:\Users\admin\AppData\Local\poufs\caulds.exe
Parent process: EmbeddedExe1.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\poufs\caulds.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID: 6792
CMD: "C:\Users\admin\AppData\Local\Temp\EmbeddedExe1.exe"
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Parent process: caulds.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft .NET Services Installation Utility
Exit code:
1
Version:
4.8.9037.0 built by: NET481REL1
Modules
Images
c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
PID: 2192
CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
PID: 6908
CMD: "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Path: C:\Windows\SysWOW64\cmd.exe
Parent process: RegSvcs.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 6920
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 6972
CMD: choice /C Y /N /D Y /T 3
Path: C:\Windows\SysWOW64\choice.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Offers the user a choice
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\choice.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
Total events
2 258
Read events
2 244
Write events
14
Delete events
0

Modification events

(PID) Process: (6792) RegSvcs.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32
Operation: write
Name: EnableFileTracing
Value: 0

(PID) Process: (6792) RegSvcs.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32
Operation: write
Name: EnableAutoFileTracing
Value: 0

(PID) Process: (6792) RegSvcs.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32
Operation: write
Name: EnableConsoleTracing
Value: 0

(PID) Process: (6792) RegSvcs.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32
Operation: write
Name: FileTracingMask
Value:

(PID) Process: (6792) RegSvcs.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32
Operation: write
Name: ConsoleTracingMask
Value:

(PID) Process: (6792) RegSvcs.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32
Operation: write
Name: MaxFileSize
Value: 1048576

(PID) Process: (6792) RegSvcs.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32
Operation: write
Name: FileDirectory
Value: %windir%\tracing

(PID) Process: (6792) RegSvcs.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASMANCS
Operation: write
Name: EnableFileTracing
Value: 0

(PID) Process: (6792) RegSvcs.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASMANCS
Operation: write
Name: EnableAutoFileTracing
Value: 0

(PID) Process: (6792) RegSvcs.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASMANCS
Operation: write
Name: EnableConsoleTracing
Value: 0
Executable files
3
Suspicious files
4
Text files
0
Unknown types
0

Dropped files

PID: 6164
Process: EmbeddedExe1.exe
Filename: C:\Users\admin\AppData\Local\Temp\vitraillist
Type: binary
MD5: 674D3B46E4B1C0960A436E5B4B3F50DC
SHA256: 224B7426C2FF4C7DA5EA10B3DE8D5319CB8F5C5B8A0D6CF7138BAF11581A0FD0

PID: 4908
Process: 539ee7af02fcbd28659831dd774581f76ee66ca6238d12af286158f2f343f3b8.exe
Filename: C:\Users\admin\AppData\Local\Temp\EmbeddedExe2.exe
Type: executable
MD5: 5EFEF6CC9CD24BAEEED71C1107FC32DF
SHA256: E61B8F44AB92CF0F9CB1101347967D31E1839979142A4114A7DD02AA237BA021

PID: 6276
Process: caulds.exe
Filename: C:\Users\admin\AppData\Local\Temp\aut92EC.tmp
Type: binary
MD5: 0A1DC59B5A2342A040748B933B272286
SHA256: 4DF324595FE5DBDE0BD08A591D4CFC8B09EF04A017CAF85A303B7A61C9F30C21

PID: 6276
Process: caulds.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\caulds.vbs
Type: binary
MD5: 0495F90412908DC0A6CEC3FE4414D85F
SHA256: A6CE3CEDB96AF7290D674E4D7A0BA527C10D749A71DAC697B14B9230EDEEF044

PID: 6164
Process: EmbeddedExe1.exe
Filename: C:\Users\admin\AppData\Local\Temp\aut8214.tmp
Type: binary
MD5: 0A1DC59B5A2342A040748B933B272286
SHA256: 4DF324595FE5DBDE0BD08A591D4CFC8B09EF04A017CAF85A303B7A61C9F30C21

PID: 4908
Process: 539ee7af02fcbd28659831dd774581f76ee66ca6238d12af286158f2f343f3b8.exe
Filename: C:\Users\admin\AppData\Local\Temp\EmbeddedExe1.exe
Type: executable
MD5: 47310E2D76477F79641F8703027A60B0
SHA256: 54F08D458C3A9B5B6553E6BC6810FD9071D7BC2A517576D4DCC45B1CA0A47D1F

PID: 6164
Process: EmbeddedExe1.exe
Filename: C:\Users\admin\AppData\Local\poufs\caulds.exe
Type: executable
MD5: 47310E2D76477F79641F8703027A60B0
SHA256: 54F08D458C3A9B5B6553E6BC6810FD9071D7BC2A517576D4DCC45B1CA0A47D1F
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
16
TCP/UDP connections
34
DNS requests
21
Threats
14

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1176
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
6792
RegSvcs.exe
GET
200
132.226.8.169:80
http://checkip.dyndns.org/
unknown
malicious
6792
RegSvcs.exe
GET
200
132.226.8.169:80
http://checkip.dyndns.org/
unknown
malicious
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
GET
200
2.16.164.49:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
6792
RegSvcs.exe
GET
200
132.226.8.169:80
http://checkip.dyndns.org/
unknown
malicious
6792
RegSvcs.exe
GET
200
132.226.8.169:80
http://checkip.dyndns.org/
unknown
malicious
6792
RegSvcs.exe
GET
200
132.226.8.169:80
http://checkip.dyndns.org/
unknown
malicious
6792
RegSvcs.exe
GET
200
132.226.8.169:80
http://checkip.dyndns.org/
unknown
malicious

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
whitelisted
5064
SearchApp.exe
2.23.227.208:443
www.bing.com
Ooredoo Q.S.C.
QA
whitelisted
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted
2.16.164.49:80
crl.microsoft.com
Akamai International B.V.
NL
whitelisted
95.101.149.131:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted
5448
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4712
MoUsoCoreWorker.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted
1176
svchost.exe
40.126.31.67:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
1176
svchost.exe
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted

DNS requests

Domain
IP
Reputation
www.bing.com
  • 2.23.227.208
  • 2.23.227.215
whitelisted
google.com
  • 142.250.185.238
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
crl.microsoft.com
  • 2.16.164.49
  • 2.16.164.72
whitelisted
www.microsoft.com
  • 95.101.149.131
  • 2.23.246.101
whitelisted
login.live.com
  • 40.126.31.67
  • 20.190.159.71
  • 40.126.31.73
  • 20.190.159.2
  • 20.190.159.4
  • 20.190.159.68
  • 20.190.159.0
  • 40.126.31.71
whitelisted
go.microsoft.com
  • 2.23.242.9
whitelisted
checkip.dyndns.org
  • 132.226.8.169
  • 193.122.6.168
  • 193.122.130.0
  • 132.226.247.73
  • 158.101.44.242
shared
reallyfreegeoip.org
  • 104.21.16.1
  • 104.21.112.1
  • 104.21.80.1
  • 104.21.96.1
  • 104.21.32.1
  • 104.21.64.1
  • 104.21.48.1
malicious
settings-win.data.microsoft.com
  • 40.127.240.158
  • 4.231.128.59
whitelisted

Threats

PID
Process
Class
Message
Device Retrieving External IP Address Detected
ET INFO External IP Lookup Domain in DNS Query (checkip .dyndns .org)
Device Retrieving External IP Address Detected
ET POLICY External IP Lookup - checkip.dyndns.org
Device Retrieving External IP Address Detected
ET INFO 404/Snake/Matiex Keylogger Style External IP Check
Device Retrieving External IP Address Detected
ET POLICY External IP Lookup - checkip.dyndns.org
Device Retrieving External IP Address Detected
INFO [ANY.RUN] External IP Address Lookup Domain (reallyfreegeoip .org)
Misc activity
ET INFO External IP Address Lookup Domain in DNS Lookup (reallyfreegeoip .org)
Misc activity
ET INFO External IP Lookup Service Domain (reallyfreegeoip .org) in TLS SNI
Device Retrieving External IP Address Detected
ET POLICY External IP Lookup - checkip.dyndns.org
Device Retrieving External IP Address Detected
ET POLICY External IP Lookup - checkip.dyndns.org
Device Retrieving External IP Address Detected
ET POLICY External IP Lookup - checkip.dyndns.org
No debug info