Resubmissions

  • 08/07/2024, 15:24 UTC: 240708-stbxbsvgmr (score 8/10)
  • 08/07/2024, 15:22 UTC: 240708-sr53dsxgka (score 8/10)

Analysis

  • max time kernel
    99s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240704-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240704-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    08/07/2024, 15:22 UTC

General

  • Target

    getw7.exe

  • Size

    208KB

  • MD5

    d424fe464b05746c6ab7bc7d9bd1fd7b

  • SHA1

    1978f00747e528cccb46edf037110f2db69a991b

  • SHA256

    8283eea39bb977af03a560164cf1f165ce516e48b74cb27e1517de020c56521a

  • SHA512

    f8cdbf364444cd0d01e1c2b5d26b7f11aa35d248714b8f32d83fdfe7ebaf88495f281e46024ee82b86cd17603d6b02777a20f47408d8f42741939749c6d25b9c

  • SSDEEP

    3072:Wfr3k+o5buDC1cub0AXj5iNyPpT4bG2akv4uFf2FNFhkvb0AXj5iNyPpT4bG2o4:WfY+on0AXjiU4bzx4uFfYyoAXjiU4bzL

Score
8/10

Malware Config

Signatures

  • Downloads MZ/PE file
  • Loads dropped DLL 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

Processes

  • C:\Users\Admin\AppData\Local\Temp\getw7.exe
    "C:\Users\Admin\AppData\Local\Temp\getw7.exe"
    • Loads dropped DLL
    PID:1088

Network

  • flag-us
    DNS
    r8p.teknixstuff.com
    getw7.exe
    Remote address:
    8.8.8.8:53
    Request
    r8p.teknixstuff.com
    IN A
    Response
    r8p.teknixstuff.com
    IN A
    104.21.83.210
    r8p.teknixstuff.com
    IN A
    172.67.181.243
  • flag-us
    GET
    http://r8p.teknixstuff.com/files/r8p.php
    getw7.exe
    Remote address:
    104.21.83.210:80
    Request
    GET /files/r8p.php HTTP/1.1
    User-Agent: NSIS_Inetc (Mozilla)
    Host: r8p.teknixstuff.com
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 302 Found
    Date: Mon, 08 Jul 2024 15:23:23 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Vary: User-Agent
    Location: https://github.com/teknixstuff/revert8plus/releases/latest/download/r8p.exe
    X-Powered-By: NetroHost v2024.03.03
    X-Frame-Options: SAMEORIGIN
    Content-Security-Policy: upgrade-insecure-requests frame-ancestors script-src connect-src img-src style-src base-uri form-action 'r8p.teknixstuff.com'
    X-XSS-Protection: 0
    X-Content-Type-Options: nosniff
    Permissions-Policy: geolocation=(),midi=(),sync-xhr=(),microphone=(self),camera=(self),magnetometer=(),gyroscope=(self),fullscreen=(self),payment=()
    CF-Cache-Status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=d79oV2wi6xcYtYp%2Ba%2BzOdTU4DehOkv%2BVWPa9Xmd2ij3pRa5%2B6MmgV5At7ibR5g7VnlUAa3z%2B3MP1NpUQJxFCvmY9V%2Byf5SWGndpYcQi6jfIsVFp%2FdQXd31XCRUwfph6P2EfcOEx6"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8a0113415d329553-LHR
    alt-svc: h3=":443"; ma=86400
  • flag-us
    DNS
    github.com
    getw7.exe
    Remote address:
    8.8.8.8:53
    Request
    github.com
    IN A
    Response
    github.com
    IN A
    20.26.156.215
  • flag-gb
    GET
    https://github.com/teknixstuff/revert8plus/releases/latest/download/r8p.exe
    getw7.exe
    Remote address:
    20.26.156.215:443
    Request
    GET /teknixstuff/revert8plus/releases/latest/download/r8p.exe HTTP/1.1
    User-Agent: NSIS_Inetc (Mozilla)
    Connection: Keep-Alive
    Cache-Control: no-cache
    Host: github.com
    Response
    HTTP/1.1 302 Found
    Server: GitHub.com
    Date: Mon, 08 Jul 2024 15:23:24 GMT
    Content-Type: text/html; charset=utf-8
    Vary: X-PJAX, X-PJAX-Container, Turbo-Visit, Turbo-Frame, Accept-Encoding, Accept, X-Requested-With
    Location: https://github.com/teknixstuff/revert8plus/releases/download/3.3.4/r8p.exe
    Cache-Control: no-cache
    Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
    X-Frame-Options: deny
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 0
    Referrer-Policy: no-referrer-when-downgrade
    Content-Security-Policy: default-src 'none'; base-uri 'self'; child-src github.com/assets-cdn/worker/ gist.github.com/assets-cdn/worker/; connect-src 'self' uploads.github.com www.githubstatus.com collector.github.com raw.githubusercontent.com api.github.com github-cloud.s3.amazonaws.com github-production-repository-file-5c1aeb.s3.amazonaws.com github-production-upload-manifest-file-7fdce7.s3.amazonaws.com github-production-user-asset-6210df.s3.amazonaws.com api.githubcopilot.com objects-origin.githubusercontent.com copilot-proxy.githubusercontent.com/v1/engines/github-completion/completions *.actions.githubusercontent.com wss://*.actions.githubusercontent.com productionresultssa0.blob.core.windows.net/ productionresultssa1.blob.core.windows.net/ productionresultssa2.blob.core.windows.net/ productionresultssa3.blob.core.windows.net/ productionresultssa4.blob.core.windows.net/ productionresultssa5.blob.core.windows.net/ productionresultssa6.blob.core.windows.net/ productionresultssa7.blob.core.windows.net/ productionresultssa8.blob.core.windows.net/ productionresultssa9.blob.core.windows.net/ productionresultssa10.blob.core.windows.net/ productionresultssa11.blob.core.windows.net/ productionresultssa12.blob.core.windows.net/ productionresultssa13.blob.core.windows.net/ productionresultssa14.blob.core.windows.net/ productionresultssa15.blob.core.windows.net/ productionresultssa16.blob.core.windows.net/ productionresultssa17.blob.core.windows.net/ productionresultssa18.blob.core.windows.net/ productionresultssa19.blob.core.windows.net/ github-production-repository-image-32fea6.s3.amazonaws.com github-production-release-asset-2e65be.s3.amazonaws.com insights.github.com wss://alive.github.com; font-src github.githubassets.com; form-action 'self' github.com gist.github.com copilot-workspace.githubnext.com objects-origin.githubusercontent.com; frame-ancestors 'none'; frame-src viewscreen.githubusercontent.com notebooks.githubusercontent.com; img-src 'self' data: blob: 
github.githubassets.com media.githubusercontent.com camo.githubusercontent.com identicons.github.com avatars.githubusercontent.com github-cloud.s3.amazonaws.com objects.githubusercontent.com secured-user-images.githubusercontent.com/ user-images.githubusercontent.com/ private-user-images.githubusercontent.com opengraph.githubassets.com github-production-user-asset-6210df.s3.amazonaws.com customer-stories-feed.github.com spotlights-feed.github.com objects-origin.githubusercontent.com *.githubusercontent.com; manifest-src 'self'; media-src github.com user-images.githubusercontent.com/ secured-user-images.githubusercontent.com/ private-user-images.githubusercontent.com github-production-user-asset-6210df.s3.amazonaws.com gist.github.com; script-src github.githubassets.com; style-src 'unsafe-inline' github.githubassets.com; upgrade-insecure-requests; worker-src github.com/assets-cdn/worker/ gist.github.com/assets-cdn/worker/
    Set-Cookie: _gh_sess=A%2FMJP0Ug9JTJBxVWnQwO%2FD1Ybb8Mbzj5iKqCmEXLtdkhTurtqnFNd%2B6jpcXuoMBWflQ37QCL4y8sYfLPsMPONmzXsXsPhnB7mwv%2FpaUFFeeJP2JIdq7hGRSiALEfhTG3ju%2FsADRocmrtj9PH%2F0L%2BNh0tBHr7Vi7nntRXkWzPH2jXgluXlm8S47KTJc5pyQU0pYrly4Dof18IIcXx29ssVecRFqvnY%2B%2F8KpZt9VVnmtRzu9s5inSZi41KqEZseaweJHgnpk5Rqn8AuE%2FldOqwkQ%3D%3D--bmK9%2FK44DSBN1tg0--MqVTeI065V%2FvqN2wb3AdkQ%3D%3D; Path=/; HttpOnly; Secure; SameSite=Lax
    Set-Cookie: _octo=GH1.1.1238341742.1720452205; Path=/; Domain=github.com; Expires=Tue, 08 Jul 2025 15:23:25 GMT; Secure; SameSite=Lax
    Set-Cookie: logged_in=no; Path=/; Domain=github.com; Expires=Tue, 08 Jul 2025 15:23:25 GMT; HttpOnly; Secure; SameSite=Lax
    Content-Length: 0
    X-GitHub-Request-Id: DDCC:39089F:19F2300:1D67D4F:668C046C
  • flag-gb
    GET
    https://github.com/teknixstuff/revert8plus/releases/download/3.3.4/r8p.exe
    getw7.exe
    Remote address:
    20.26.156.215:443
    Request
    GET /teknixstuff/revert8plus/releases/download/3.3.4/r8p.exe HTTP/1.1
    User-Agent: NSIS_Inetc (Mozilla)
    Connection: Keep-Alive
    Cache-Control: no-cache
    Host: github.com
    Cookie: _gh_sess=A%2FMJP0Ug9JTJBxVWnQwO%2FD1Ybb8Mbzj5iKqCmEXLtdkhTurtqnFNd%2B6jpcXuoMBWflQ37QCL4y8sYfLPsMPONmzXsXsPhnB7mwv%2FpaUFFeeJP2JIdq7hGRSiALEfhTG3ju%2FsADRocmrtj9PH%2F0L%2BNh0tBHr7Vi7nntRXkWzPH2jXgluXlm8S47KTJc5pyQU0pYrly4Dof18IIcXx29ssVecRFqvnY%2B%2F8KpZt9VVnmtRzu9s5inSZi41KqEZseaweJHgnpk5Rqn8AuE%2FldOqwkQ%3D%3D--bmK9%2FK44DSBN1tg0--MqVTeI065V%2FvqN2wb3AdkQ%3D%3D; _octo=GH1.1.1238341742.1720452205; logged_in=no
    Response
    HTTP/1.1 302 Found
    Server: GitHub.com
    Date: Mon, 08 Jul 2024 15:23:24 GMT
    Content-Type: text/html; charset=utf-8
    Vary: X-PJAX, X-PJAX-Container, Turbo-Visit, Turbo-Frame, Accept-Encoding, Accept, X-Requested-With
    Location: https://objects.githubusercontent.com/github-production-release-asset-2e65be/802553797/4124c2ec-6e65-43d0-a1c6-a7ef194874f7?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=releaseassetproduction%2F20240708%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20240708T152324Z&X-Amz-Expires=300&X-Amz-Signature=dd826f3253046b9104900bae7279f81aa423e34f7a82264a7ffbb36168c761c0&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=802553797&response-content-disposition=attachment%3B%20filename%3Dr8p.exe&response-content-type=application%2Foctet-stream
    Cache-Control: no-cache
    Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
    X-Frame-Options: deny
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 0
    Referrer-Policy: no-referrer-when-downgrade
    Content-Security-Policy: default-src 'none'; base-uri 'self'; child-src github.com/assets-cdn/worker/ gist.github.com/assets-cdn/worker/; connect-src 'self' uploads.github.com www.githubstatus.com collector.github.com raw.githubusercontent.com api.github.com github-cloud.s3.amazonaws.com github-production-repository-file-5c1aeb.s3.amazonaws.com github-production-upload-manifest-file-7fdce7.s3.amazonaws.com github-production-user-asset-6210df.s3.amazonaws.com api.githubcopilot.com objects-origin.githubusercontent.com copilot-proxy.githubusercontent.com/v1/engines/github-completion/completions *.actions.githubusercontent.com wss://*.actions.githubusercontent.com productionresultssa0.blob.core.windows.net/ productionresultssa1.blob.core.windows.net/ productionresultssa2.blob.core.windows.net/ productionresultssa3.blob.core.windows.net/ productionresultssa4.blob.core.windows.net/ productionresultssa5.blob.core.windows.net/ productionresultssa6.blob.core.windows.net/ productionresultssa7.blob.core.windows.net/ productionresultssa8.blob.core.windows.net/ productionresultssa9.blob.core.windows.net/ productionresultssa10.blob.core.windows.net/ productionresultssa11.blob.core.windows.net/ productionresultssa12.blob.core.windows.net/ productionresultssa13.blob.core.windows.net/ productionresultssa14.blob.core.windows.net/ productionresultssa15.blob.core.windows.net/ productionresultssa16.blob.core.windows.net/ productionresultssa17.blob.core.windows.net/ productionresultssa18.blob.core.windows.net/ productionresultssa19.blob.core.windows.net/ github-production-repository-image-32fea6.s3.amazonaws.com github-production-release-asset-2e65be.s3.amazonaws.com insights.github.com wss://alive.github.com; font-src github.githubassets.com; form-action 'self' github.com gist.github.com copilot-workspace.githubnext.com objects-origin.githubusercontent.com; frame-ancestors 'none'; frame-src viewscreen.githubusercontent.com notebooks.githubusercontent.com; img-src 'self' data: blob: 
github.githubassets.com media.githubusercontent.com camo.githubusercontent.com identicons.github.com avatars.githubusercontent.com github-cloud.s3.amazonaws.com objects.githubusercontent.com secured-user-images.githubusercontent.com/ user-images.githubusercontent.com/ private-user-images.githubusercontent.com opengraph.githubassets.com github-production-user-asset-6210df.s3.amazonaws.com customer-stories-feed.github.com spotlights-feed.github.com objects-origin.githubusercontent.com *.githubusercontent.com; manifest-src 'self'; media-src github.com user-images.githubusercontent.com/ secured-user-images.githubusercontent.com/ private-user-images.githubusercontent.com github-production-user-asset-6210df.s3.amazonaws.com gist.github.com; script-src github.githubassets.com; style-src 'unsafe-inline' github.githubassets.com; upgrade-insecure-requests; worker-src github.com/assets-cdn/worker/ gist.github.com/assets-cdn/worker/
    Content-Length: 0
    X-GitHub-Request-Id: DDCC:39089F:19F230C:1D67D64:668C046D
  • flag-us
    DNS
    g.bing.com
    Remote address:
    8.8.8.8:53
    Request
    g.bing.com
    IN A
    Response
    g.bing.com
    IN CNAME
    g-bing-com.dual-a-0034.a-msedge.net
    g-bing-com.dual-a-0034.a-msedge.net
    IN CNAME
    dual-a-0034.a-msedge.net
    dual-a-0034.a-msedge.net
    IN A
    13.107.21.237
    dual-a-0034.a-msedge.net
    IN A
    204.79.197.237
  • flag-us
    GET
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=d6f4374cb7904f109ea52c62a6edbfb9&localId=w:47FD159F-0ED5-C0FD-B22C-182F37EEDDEB&deviceId=6896204026049569&anid=
    Remote address:
    13.107.21.237:443
    Request
    GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=d6f4374cb7904f109ea52c62a6edbfb9&localId=w:47FD159F-0ED5-C0FD-B22C-182F37EEDDEB&deviceId=6896204026049569&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MUID=2BDFD738382E62903BC2C38E39CE63DA; domain=.bing.com; expires=Sat, 02-Aug-2025 15:23:24 GMT; path=/; SameSite=None; Secure; Priority=High;
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 3D10A6813D044ED396068FB607003F86 Ref B: LON04EDGE1011 Ref C: 2024-07-08T15:23:24Z
    date: Mon, 08 Jul 2024 15:23:23 GMT
  • flag-us
    GET
    https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=d6f4374cb7904f109ea52c62a6edbfb9&localId=w:47FD159F-0ED5-C0FD-B22C-182F37EEDDEB&deviceId=6896204026049569&anid=
    Remote address:
    13.107.21.237:443
    Request
    GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=d6f4374cb7904f109ea52c62a6edbfb9&localId=w:47FD159F-0ED5-C0FD-B22C-182F37EEDDEB&deviceId=6896204026049569&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=2BDFD738382E62903BC2C38E39CE63DA
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MSPTC=bzBL1YtkbklLJNlrF0MojVhakBC7nDQOiBqXzCEIHw0; domain=.bing.com; expires=Sat, 02-Aug-2025 15:23:24 GMT; path=/; Partitioned; secure; SameSite=None
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 687316BC815746D9B1189996933C256E Ref B: LON04EDGE1011 Ref C: 2024-07-08T15:23:24Z
    date: Mon, 08 Jul 2024 15:23:23 GMT
  • flag-us
    GET
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=d6f4374cb7904f109ea52c62a6edbfb9&localId=w:47FD159F-0ED5-C0FD-B22C-182F37EEDDEB&deviceId=6896204026049569&anid=
    Remote address:
    13.107.21.237:443
    Request
    GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=d6f4374cb7904f109ea52c62a6edbfb9&localId=w:47FD159F-0ED5-C0FD-B22C-182F37EEDDEB&deviceId=6896204026049569&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=2BDFD738382E62903BC2C38E39CE63DA; MSPTC=bzBL1YtkbklLJNlrF0MojVhakBC7nDQOiBqXzCEIHw0
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 79FAA7255A85499BBACD609F501A6FEF Ref B: LON04EDGE1011 Ref C: 2024-07-08T15:23:24Z
    date: Mon, 08 Jul 2024 15:23:23 GMT
  • flag-us
    DNS
    210.83.21.104.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    210.83.21.104.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    136.32.126.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    136.32.126.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    215.156.26.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    215.156.26.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    0.205.248.87.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    0.205.248.87.in-addr.arpa
    IN PTR
    Response
    0.205.248.87.in-addr.arpa
    IN PTR
    https-87-248-205-0.lgw.llnw.net
  • flag-us
    DNS
    237.21.107.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    237.21.107.13.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    233.38.18.104.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    233.38.18.104.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    26.35.223.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    26.35.223.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    23.149.64.172.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    23.149.64.172.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    objects.githubusercontent.com
    getw7.exe
    Remote address:
    8.8.8.8:53
    Request
    objects.githubusercontent.com
    IN A
    Response
    objects.githubusercontent.com
    IN A
    185.199.109.133
    objects.githubusercontent.com
    IN A
    185.199.110.133
    objects.githubusercontent.com
    IN A
    185.199.108.133
    objects.githubusercontent.com
    IN A
    185.199.111.133
  • flag-us
    GET
    https://objects.githubusercontent.com/github-production-release-asset-2e65be/802553797/4124c2ec-6e65-43d0-a1c6-a7ef194874f7?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=releaseassetproduction%2F20240708%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20240708T152324Z&X-Amz-Expires=300&X-Amz-Signature=dd826f3253046b9104900bae7279f81aa423e34f7a82264a7ffbb36168c761c0&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=802553797&response-content-disposition=attachment%3B%20filename%3Dr8p.exe&response-content-type=application%2Foctet-stream
    getw7.exe
    Remote address:
    185.199.109.133:443
    Request
    GET /github-production-release-asset-2e65be/802553797/4124c2ec-6e65-43d0-a1c6-a7ef194874f7?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=releaseassetproduction%2F20240708%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20240708T152324Z&X-Amz-Expires=300&X-Amz-Signature=dd826f3253046b9104900bae7279f81aa423e34f7a82264a7ffbb36168c761c0&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=802553797&response-content-disposition=attachment%3B%20filename%3Dr8p.exe&response-content-type=application%2Foctet-stream HTTP/1.1
    User-Agent: NSIS_Inetc (Mozilla)
    Connection: Keep-Alive
    Cache-Control: no-cache
    Host: objects.githubusercontent.com
    Response
    HTTP/1.1 200 OK
    Connection: keep-alive
    Content-Length: 859802428
    Content-Type: application/octet-stream
    Last-Modified: Sun, 07 Jul 2024 17:22:44 GMT
    ETag: "0x8DC9EA969FAEFC7"
    Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
    x-ms-request-id: 17b96ec2-101e-0044-3c9a-d06b6a000000
    x-ms-version: 2020-10-02
    x-ms-creation-time: Sun, 07 Jul 2024 17:22:44 GMT
    x-ms-lease-status: unlocked
    x-ms-lease-state: available
    x-ms-blob-type: BlockBlob
    Content-Disposition: attachment; filename=r8p.exe
    x-ms-server-encrypted: true
    Via: 1.1 varnish, 1.1 varnish
    Accept-Ranges: bytes
    Age: 0
    Date: Mon, 08 Jul 2024 15:23:25 GMT
    X-Served-By: cache-iad-kcgs7200170-IAD, cache-lon420122-LON
    X-Cache: HIT, MISS
    X-Cache-Hits: 114, 0
    X-Timer: S1720452206.549538,VS0,VE389
  • flag-us
    DNS
    133.109.199.185.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    133.109.199.185.in-addr.arpa
    IN PTR
    Response
    133.109.199.185.in-addr.arpa
    IN PTR
    cdn-185-199-109-133.github.com
  • flag-us
    DNS
    50.23.12.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    50.23.12.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    206.23.85.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    206.23.85.13.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    172.214.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.214.232.199.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    172.214.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.214.232.199.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    172.214.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.214.232.199.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    172.214.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.214.232.199.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    203.33.253.131.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    203.33.253.131.in-addr.arpa
    IN PTR
    Response
    203.33.253.131.in-addr.arpa
    IN PTR
    a-0003.dc-msedge.net
  • flag-us
    DNS
    81.144.22.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    81.144.22.2.in-addr.arpa
    IN PTR
    Response
    81.144.22.2.in-addr.arpa
    IN PTR
    a2-22-144-81.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    22.236.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    22.236.111.52.in-addr.arpa
    IN PTR
    Response
  • 104.21.83.210:80
    http://r8p.teknixstuff.com/files/r8p.php
    http
    getw7.exe
    325 B
    1.3kB
    4
    3

    HTTP Request

    GET http://r8p.teknixstuff.com/files/r8p.php

    HTTP Response

    302
  • 20.26.156.215:443
    https://github.com/teknixstuff/revert8plus/releases/download/3.3.4/r8p.exe
    tls, http
    getw7.exe
    2.1kB
    12.4kB
    22
    15

    HTTP Request

    GET https://github.com/teknixstuff/revert8plus/releases/latest/download/r8p.exe

    HTTP Response

    302

    HTTP Request

    GET https://github.com/teknixstuff/revert8plus/releases/download/3.3.4/r8p.exe

    HTTP Response

    302
  • 13.107.21.237:443
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=d6f4374cb7904f109ea52c62a6edbfb9&localId=w:47FD159F-0ED5-C0FD-B22C-182F37EEDDEB&deviceId=6896204026049569&anid=
    tls, http2
    2.0kB
    9.3kB
    22
    19

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=d6f4374cb7904f109ea52c62a6edbfb9&localId=w:47FD159F-0ED5-C0FD-B22C-182F37EEDDEB&deviceId=6896204026049569&anid=

    HTTP Response

    204

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=d6f4374cb7904f109ea52c62a6edbfb9&localId=w:47FD159F-0ED5-C0FD-B22C-182F37EEDDEB&deviceId=6896204026049569&anid=

    HTTP Response

    204

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=d6f4374cb7904f109ea52c62a6edbfb9&localId=w:47FD159F-0ED5-C0FD-B22C-182F37EEDDEB&deviceId=6896204026049569&anid=

    HTTP Response

    204
  • 185.199.109.133:443
    https://objects.githubusercontent.com/github-production-release-asset-2e65be/802553797/4124c2ec-6e65-43d0-a1c6-a7ef194874f7?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=releaseassetproduction%2F20240708%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20240708T152324Z&X-Amz-Expires=300&X-Amz-Signature=dd826f3253046b9104900bae7279f81aa423e34f7a82264a7ffbb36168c761c0&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=802553797&response-content-disposition=attachment%3B%20filename%3Dr8p.exe&response-content-type=application%2Foctet-stream
    tls, http
    getw7.exe
    12.9MB
    389.2MB
    278616
    278575

    HTTP Request

    GET https://objects.githubusercontent.com/github-production-release-asset-2e65be/802553797/4124c2ec-6e65-43d0-a1c6-a7ef194874f7?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=releaseassetproduction%2F20240708%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20240708T152324Z&X-Amz-Expires=300&X-Amz-Signature=dd826f3253046b9104900bae7279f81aa423e34f7a82264a7ffbb36168c761c0&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=802553797&response-content-disposition=attachment%3B%20filename%3Dr8p.exe&response-content-type=application%2Foctet-stream

    HTTP Response

    200
  • 8.8.8.8:53
    r8p.teknixstuff.com
    dns
    getw7.exe
    65 B
    97 B
    1
    1

    DNS Request

    r8p.teknixstuff.com

    DNS Response

    104.21.83.210
    172.67.181.243

  • 8.8.8.8:53
    github.com
    dns
    getw7.exe
    56 B
    72 B
    1
    1

    DNS Request

    github.com

    DNS Response

    20.26.156.215

  • 8.8.8.8:53
    g.bing.com
    dns
    56 B
    151 B
    1
    1

    DNS Request

    g.bing.com

    DNS Response

    13.107.21.237
    204.79.197.237

  • 8.8.8.8:53
    210.83.21.104.in-addr.arpa
    dns
    72 B
    134 B
    1
    1

    DNS Request

    210.83.21.104.in-addr.arpa

  • 8.8.8.8:53
    136.32.126.40.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    136.32.126.40.in-addr.arpa

  • 8.8.8.8:53
    215.156.26.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    215.156.26.20.in-addr.arpa

  • 8.8.8.8:53
    0.205.248.87.in-addr.arpa
    dns
    71 B
    116 B
    1
    1

    DNS Request

    0.205.248.87.in-addr.arpa

  • 8.8.8.8:53
    237.21.107.13.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    237.21.107.13.in-addr.arpa

  • 8.8.8.8:53
    233.38.18.104.in-addr.arpa
    dns
    72 B
    134 B
    1
    1

    DNS Request

    233.38.18.104.in-addr.arpa

  • 8.8.8.8:53
    26.35.223.20.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    26.35.223.20.in-addr.arpa

  • 8.8.8.8:53
    23.149.64.172.in-addr.arpa
    dns
    72 B
    134 B
    1
    1

    DNS Request

    23.149.64.172.in-addr.arpa

  • 8.8.8.8:53
    objects.githubusercontent.com
    dns
    getw7.exe
    75 B
    139 B
    1
    1

    DNS Request

    objects.githubusercontent.com

    DNS Response

    185.199.109.133
    185.199.110.133
    185.199.108.133
    185.199.111.133

  • 8.8.8.8:53
    133.109.199.185.in-addr.arpa
    dns
    74 B
    118 B
    1
    1

    DNS Request

    133.109.199.185.in-addr.arpa

  • 8.8.8.8:53
    50.23.12.20.in-addr.arpa
    dns
    70 B
    156 B
    1
    1

    DNS Request

    50.23.12.20.in-addr.arpa

  • 8.8.8.8:53
    206.23.85.13.in-addr.arpa
    dns
    71 B
    145 B
    1
    1

    DNS Request

    206.23.85.13.in-addr.arpa

  • 8.8.8.8:53
    172.214.232.199.in-addr.arpa
    dns
    296 B
    128 B
    4
    1

    DNS Request

    172.214.232.199.in-addr.arpa

    DNS Request

    172.214.232.199.in-addr.arpa

    DNS Request

    172.214.232.199.in-addr.arpa

    DNS Request

    172.214.232.199.in-addr.arpa

  • 8.8.8.8:53
    203.33.253.131.in-addr.arpa
    dns
    73 B
    107 B
    1
    1

    DNS Request

    203.33.253.131.in-addr.arpa

  • 8.8.8.8:53
    81.144.22.2.in-addr.arpa
    dns
    70 B
    133 B
    1
    1

    DNS Request

    81.144.22.2.in-addr.arpa

  • 8.8.8.8:53
    22.236.111.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    22.236.111.52.in-addr.arpa
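
The download chain recorded above, transcribed into Python and audited as an added example (this code is not part of the tria.ge report or of the revert8plus project). It walks the captured Location headers and extracts the properties a reviewer cares about: the first hop to r8p.teknixstuff.com is cleartext HTTP on port 80, the second hop is a mutable releases/latest pointer that happened to resolve to tag 3.3.4 at capture time, and the final object comes from a presigned S3 URL valid for 300 seconds, with no integrity value anywhere in the chain. The Transaction type, the helper names and the REDIRECT_STATUSES set are the example's own; every URL, status and header value is copied from the report.

```python
"""Reconstruct and audit the r8p.exe download chain captured in the report.
Added example: not part of the tria.ge report or of the revert8plus project."""
import re
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlsplit

REDIRECT_STATUSES = {301, 302, 303, 307, 308}

# Final hop exactly as captured (presigned S3 URL, 300 s validity).
FINAL_URL = (
    "https://objects.githubusercontent.com/github-production-release-asset-2e65be/"
    "802553797/4124c2ec-6e65-43d0-a1c6-a7ef194874f7"
    "?X-Amz-Algorithm=AWS4-HMAC-SHA256"
    "&X-Amz-Credential=releaseassetproduction%2F20240708%2Fus-east-1%2Fs3%2Faws4_request"
    "&X-Amz-Date=20240708T152324Z&X-Amz-Expires=300"
    "&X-Amz-Signature=dd826f3253046b9104900bae7279f81aa423e34f7a82264a7ffbb36168c761c0"
    "&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=802553797"
    "&response-content-disposition=attachment%3B%20filename%3Dr8p.exe"
    "&response-content-type=application%2Foctet-stream"
)


@dataclass
class Transaction:
    """One captured HTTP request/response pair (example type, not the report's)."""
    url: str
    status: int
    headers: dict = field(default_factory=dict)


# Transcribed from the report; every request carried User-Agent "NSIS_Inetc (Mozilla)".
TRANSACTIONS = [
    Transaction("http://r8p.teknixstuff.com/files/r8p.php", 302, {
        "Location": "https://github.com/teknixstuff/revert8plus/releases/latest/download/r8p.exe",
        "Server": "cloudflare"}),
    Transaction("https://github.com/teknixstuff/revert8plus/releases/latest/download/r8p.exe", 302, {
        "Location": "https://github.com/teknixstuff/revert8plus/releases/download/3.3.4/r8p.exe",
        "Server": "GitHub.com"}),
    Transaction("https://github.com/teknixstuff/revert8plus/releases/download/3.3.4/r8p.exe", 302, {
        "Location": FINAL_URL, "Server": "GitHub.com"}),
    Transaction(FINAL_URL, 200, {
        "Content-Length": "859802428", "Content-Type": "application/octet-stream",
        "Content-Disposition": "attachment; filename=r8p.exe"}),
]


def follow_chain(transactions, start_url):
    """Walk Location headers from start_url; stop at the first non-redirect,
    at a hop that was not captured, or when the chain loops."""
    by_url = {t.url: t for t in transactions}
    hops, url, seen = [], start_url, set()
    while url in by_url and url not in seen:
        seen.add(url)
        t = by_url[url]
        hops.append(t)
        if t.status not in REDIRECT_STATUSES or "Location" not in t.headers:
            break
        url = t.headers["Location"]
    return hops


def pinned_version(hops):
    """Release tag the mutable 'latest' pointer resolved to at capture time."""
    for t in hops:
        m = re.search(r"/releases/download/([^/]+)/", t.url)
        if m:
            return m.group(1)
    return None


def audit_chain(hops):
    """Security-relevant facts derived only from the captured hops."""
    final = hops[-1]
    query = parse_qs(urlsplit(final.url).query)
    presigned = None
    if "X-Amz-Signature" in query:
        disposition = query.get("response-content-disposition", [""])[0]
        presigned = {
            "algorithm": query["X-Amz-Algorithm"][0],
            "signed_at": query["X-Amz-Date"][0],
            "expires_s": int(query["X-Amz-Expires"][0]),
            "filename": disposition.split("filename=")[-1] if "filename=" in disposition else None,
        }
    return {
        "hosts": [urlsplit(t.url).hostname for t in hops],
        # A cleartext hop can be rewritten by anyone on the network path.
        "cleartext_hops": [t.url for t in hops if urlsplit(t.url).scheme == "http"],
        # 'latest' is a moving target: the payload depends on fetch time, not on the stub.
        "mutable_release_pointer": any("/releases/latest/download/" in t.url for t in hops),
        "pinned_version": pinned_version(hops),
        "final_status": final.status,
        "content_length": int(final.headers.get("Content-Length", 0)),
        "presigned": presigned,
    }


if __name__ == "__main__":
    for key, value in audit_chain(follow_chain(TRANSACTIONS, TRANSACTIONS[0].url)).items():
        print(f"{key}: {value}")
```

Two caveats when reading the raw capture. The CSP, X-Frame-Options and HSTS headers on the GitHub hops constrain browsers; they say nothing about what a non-browser client such as the NSIS Inetc plugin does with the body, so they are not mitigations for this download. The entries without a process name (the g.bing.com requests from WindowsShellClient and the in-addr.arpa PTR lookups) are not attributed to getw7.exe by the report. Note also that the Downloads section lists only INetC.dll: the 389.2 MB received against a Content-Length of 859,802,428 bytes shows the r8p.exe transfer did not finish inside the 151-second network window, so this page carries no hash for the delivered payload.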

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\nsqE09D.tmp\INetC.dll

    Filesize

    98KB

    MD5

    0a46716b8c65faa8614ef64375fde0da

    SHA1

    45dd620fabc1583f1529c567e28ea5698d65e537

    SHA256

    04cd5643be7e9f1678ccfed3da67f781344a60880f4ae5a91cce530f6168ca33

    SHA512

    7b4d7b0d57209c7fffc426a718850003eed565c56d39461ee2fab19da0f83ad8856294d2d574aef7e498fa946fd88a9dc59d131c875f8dffce9abe4cdb7066ad
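
The "Loads dropped DLL" signature and the INetC.dll entry above describe the same event: the NSIS stub extracted its Inetc download plugin into a per-run temp directory and loaded it from there. The following detection logic is an added example, not part of the tria.ge report. The image-load log format and the sample events are constructed for the demonstration; the path and SHA256 of INetC.dll are taken from the report, and the ns?XXXX.tmp directory pattern is assumed from the observed nsqE09D.tmp name.

```python
"""Flag DLL loads from NSIS plugin staging directories and identify the stock
Inetc plugin by hash. Added example; not part of the tria.ge report."""
import re

# From the report: INetC.dll dropped by getw7.exe (PID 1088) into its NSIS temp dir.
INETC_DLL_SHA256 = "04cd5643be7e9f1678ccfed3da67f781344a60880f4ae5a91cce530f6168ca33"

# Assumed from the observed nsqE09D.tmp: %TEMP%\ns<letter><4 hex>.tmp\<plugin>.dll.
# Widen the pattern if your own telemetry shows other shapes.
NSIS_PLUGIN_DIR = re.compile(
    r"\\AppData\\Local\\Temp\\ns[a-zA-Z][0-9A-Fa-f]{4}\.tmp\\[^\\]+\.dll$", re.IGNORECASE)

# Constructed log format: "<pid> <image> LOAD <path> sha256=<hex>"
LOG_LINE = re.compile(r"^(\d+)\s+(\S+)\s+LOAD\s+(.+?)\s+sha256=([0-9a-fA-F]{64})$")


def classify(line):
    """Parse one image-load event; return None if the line is not in the expected format."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    pid, image, path, sha256 = m.groups()
    in_nsis_dir = bool(NSIS_PLUGIN_DIR.search(path))
    is_inetc = sha256.lower() == INETC_DLL_SHA256
    return {
        "pid": int(pid),
        "image": image,
        "path": path,
        "nsis_plugin_dir": in_nsis_dir,
        # The hash identifies the stock Inetc plugin, which legitimate installers also
        # ship: it shows the installer can download, not that it is malicious.
        "known_inetc": is_inetc,
        "downloader_capable_installer": in_nsis_dir and is_inetc,
    }


# Constructed events; the first reproduces the drop recorded in the report.
SAMPLE_EVENTS = [
    r"1088 getw7.exe LOAD C:\Users\Admin\AppData\Local\Temp\nsqE09D.tmp\INetC.dll "
    "sha256=04cd5643be7e9f1678ccfed3da67f781344a60880f4ae5a91cce530f6168ca33",
    r"1088 getw7.exe LOAD C:\Windows\System32\kernel32.dll sha256=" + "0" * 64,
    r"2044 setup.exe LOAD C:\Users\Admin\AppData\Local\Temp\nsa1B2C.tmp\System.dll sha256=" + "1" * 64,
    "garbage line",
]


def triage(lines):
    """Return the events worth an analyst's time: loads from an NSIS staging directory."""
    hits = []
    for line in lines:
        event = classify(line)
        if event and event["nsis_plugin_dir"]:
            hits.append(event)
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit)
```

Pairing the path pattern with the hash keeps the two signals separate: the directory match tells you an NSIS installer is unpacking plugins, the hash match tells you which plugin, and only the combination with the subsequent network activity (here, the redirect chain to an executable) says anything about intent.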
