Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

9eaadec2a7...de.exe

windows7-x64

10

9eaadec2a7...de.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    135s
  • max time network
    124s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30/08/2024, 00:57 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9eaadec2a7136e083b2c927a02f60ec0ac3b1e1fe369da75004f9fa83c8feede.exe

  • Size

    1.1MB

  • MD5

    50acdf6a9799addae234514aee5b085b

  • SHA1

    d7d2e01847391814ec8d7fdf971c6547edd43123

  • SHA256

    9eaadec2a7136e083b2c927a02f60ec0ac3b1e1fe369da75004f9fa83c8feede

  • SHA512

    a3e6941c9f4dd4c15d8b5f9591b25759865702b96cb7a9910c274ac21101811ea2f6c04f9cd71e62b3e7f6d22b08c626d79b4b9ff93ea62e319cff2d7753d098

  • SSDEEP

    24576:AhntGx9yVf41ob4s6ABttGZOATIZXTnR1e:otGZ1oEEbG8xXje

Score
10/10
hawkeyecollectioncredential_accessdiscoverykeyloggerpersistencespywarestealertrojan

Malware Config

Extracted

Credentials

  • Protocol:     smtp
  • Host:
    smtp.zoho.com
  • Port:
    587
  • Username:
    bigdollar99@zoho.com
  • Password:
    Diego1986

Signatures

  • HawkEye

    HawkEye is a malware kit that has seen continuous development since at least 2013.

    keyloggertrojanstealerspywarehawkeye
  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer
  • Detected Nirsoft tools 9 IoCs

    Free utilities often used by attackers which can steal passwords, product keys, etc.

  • NirSoft MailPassView 6 IoCs

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView 6 IoCs

    Password recovery tool for various web browsers

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
    collection
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9eaadec2a7136e083b2c927a02f60ec0ac3b1e1fe369da75004f9fa83c8feede.exe
    "C:\Users\Admin\AppData\Local\Temp\9eaadec2a7136e083b2c927a02f60ec0ac3b1e1fe369da75004f9fa83c8feede.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3300
    • C:\Users\Admin\Music\magert.exe
      "C:\Users\Admin\Music\magert.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3856
      • C:\Users\Admin\Music\magert.exe
        "C:\Users\Admin\Music\magert.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2432
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
          C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
          4⤵
          • Accesses Microsoft Outlook accounts
          • System Location Discovery: System Language Discovery
          PID:3236
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
          C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          PID:1396

Network

  • flag-us
    DNS
    97.17.167.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    97.17.167.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    73.159.190.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    73.159.190.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    55.36.223.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    55.36.223.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    196.249.167.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    196.249.167.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    196.249.167.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    196.249.167.52.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    103.169.127.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    103.169.127.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    18.31.95.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    18.31.95.13.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    18.31.95.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    18.31.95.13.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    240.221.184.93.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    240.221.184.93.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    26.35.223.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    26.35.223.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    whatismyipaddress.com
    magert.exe
    Remote address:
    8.8.8.8:53
    Request
    whatismyipaddress.com
    IN A
    Response
    whatismyipaddress.com
    IN A
    104.19.223.79
    whatismyipaddress.com
    IN A
    104.19.222.79
  • flag-us
    GET
    http://whatismyipaddress.com/
    magert.exe
    Remote address:
    104.19.223.79:80
    Request
    GET / HTTP/1.1
    Host: whatismyipaddress.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 301 Moved Permanently
    Date: Fri, 30 Aug 2024 00:58:47 GMT
    Content-Type: text/html
    Content-Length: 167
    Connection: keep-alive
    Cache-Control: max-age=3600
    Expires: Fri, 30 Aug 2024 01:58:47 GMT
    Location: https://whatismyipaddress.com/
    Set-Cookie: __cf_bm=lzGnUgVjcU0hcxP.B3AYx7qCjhcpR8WxAqjaWCltziw-1724979527-1.0.1.1-WdQJck4O_qKLY9S9Ft_pAF2f9T8EtgEmALM6VwwPSuxGQKTgn2gvbXn9Fsv050zQAr.WiI6axrZnEO1B968IAQ; path=/; expires=Fri, 30-Aug-24 01:28:47 GMT; domain=.whatismyipaddress.com; HttpOnly
    X-Frame-Options: deny
    Server: cloudflare
    CF-RAY: 8bb0d59ce959768b-LHR
    alt-svc: h3=":443"; ma=86400
  • flag-us
    GET
    https://whatismyipaddress.com/
    magert.exe
    Remote address:
    104.19.223.79:443
    Request
    GET / HTTP/1.1
    Host: whatismyipaddress.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 403 Forbidden
    Date: Fri, 30 Aug 2024 00:58:47 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    Accept-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
    Critical-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
    Cross-Origin-Embedder-Policy: require-corp
    Cross-Origin-Opener-Policy: same-origin
    Cross-Origin-Resource-Policy: same-origin
    Origin-Agent-Cluster: ?1
    Permissions-Policy: accelerometer=(),autoplay=(),browsing-topics=(),camera=(),clipboard-read=(),clipboard-write=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=()
    Referrer-Policy: same-origin
    X-Content-Options: nosniff
    cf-mitigated: challenge
    cf-chl-out: 9Acaj5tk5knndbNJbwUIRTzSzFBv5TX9YflOMnXGQnHO6XY9J/5gr4pbXAwfn6+PT9W0DWpzU6F/C3N+0+eNVZQGT6yaWScDePnPNTCeKVKsgesf1NFkNG+MaE1BZpp8wd4hPa0cV0YH1IeDr7w7oQ==$SLc99MuJZGe8b+N/XeeEIA==
    Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
    Expires: Thu, 01 Jan 1970 00:00:01 GMT
    Set-Cookie: __cf_bm=.1XgmYN3Dyqf_DNBtKSA9odJ0pSQkkGNnBYNwFiT8WU-1724979527-1.0.1.1-XeUpihe_05buriV8KEGpViwlkQR9CFgY7W3ynEBT7_Rm4FWtoKnINEu6GNpULcojZEaFrrA8sc0LJOgrZeKFbw; path=/; expires=Fri, 30-Aug-24 01:28:47 GMT; domain=.whatismyipaddress.com; HttpOnly; Secure
    X-Frame-Options: deny
    Server: cloudflare
    CF-RAY: 8bb0d59e0be76524-LHR
    alt-svc: h3=":443"; ma=86400
  • flag-us
    DNS
    smtp.zoho.com
    magert.exe
    Remote address:
    8.8.8.8:53
    Request
    smtp.zoho.com
    IN A
    Response
    smtp.zoho.com
    IN A
    136.143.190.56
  • flag-us
    DNS
    79.223.19.104.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    79.223.19.104.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    56.190.143.136.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    56.190.143.136.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    21.236.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    21.236.111.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    tse1.mm.bing.net
    Remote address:
    8.8.8.8:53
    Request
    tse1.mm.bing.net
    IN A
    Response
    tse1.mm.bing.net
    IN CNAME
    mm-mm.bing.net.trafficmanager.net
    mm-mm.bing.net.trafficmanager.net
    IN CNAME
    ax-0001.ax-msedge.net
    ax-0001.ax-msedge.net
    IN A
    150.171.28.10
    ax-0001.ax-msedge.net
    IN A
    150.171.27.10
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239339388096_1DBFGPPKZBTOVVSVU&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
    Remote address:
    150.171.28.10:443
    Request
    GET /th?id=OADD2.10239339388096_1DBFGPPKZBTOVVSVU&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 540156
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: D6152266372345E29683073D63D86B02 Ref B: LON04EDGE0816 Ref C: 2024-08-30T00:59:18Z
    date: Fri, 30 Aug 2024 00:59:18 GMT
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239360504960_1PLAHYZB4JQO28JRC&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
    Remote address:
    150.171.28.10:443
    Request
    GET /th?id=OADD2.10239360504960_1PLAHYZB4JQO28JRC&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 370008
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: C62960A24BF04917BCFD8A026F4E222C Ref B: LON04EDGE0816 Ref C: 2024-08-30T00:59:18Z
    date: Fri, 30 Aug 2024 00:59:18 GMT
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239340418573_1OCPZP6XQOXA94H84&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
    Remote address:
    150.171.28.10:443
    Request
    GET /th?id=OADD2.10239340418573_1OCPZP6XQOXA94H84&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 442929
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 5A42D391F22A4E249FFCBAEC5D497ED4 Ref B: LON04EDGE0816 Ref C: 2024-08-30T00:59:18Z
    date: Fri, 30 Aug 2024 00:59:18 GMT
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239340418574_15LZ4V0VK97RULTEQ&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
    Remote address:
    150.171.28.10:443
    Request
    GET /th?id=OADD2.10239340418574_15LZ4V0VK97RULTEQ&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 688331
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 7DDD04223E85447BADEC47E0FAEB2C2E Ref B: LON04EDGE0816 Ref C: 2024-08-30T00:59:19Z
    date: Fri, 30 Aug 2024 00:59:19 GMT
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239339388095_1V0S9Y27HKQEJAFN6&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
    Remote address:
    150.171.28.10:443
    Request
    GET /th?id=OADD2.10239339388095_1V0S9Y27HKQEJAFN6&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 320336
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 1B3DD5FB17B74326836934FE332C88AB Ref B: LON04EDGE0816 Ref C: 2024-08-30T00:59:19Z
    date: Fri, 30 Aug 2024 00:59:19 GMT
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239360505011_123FH55PMWQ5EA6JP&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
    Remote address:
    150.171.28.10:443
    Request
    GET /th?id=OADD2.10239360505011_123FH55PMWQ5EA6JP&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 356644
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 26B5200AB64A4BB99884F0A9DB0C98BF Ref B: LON04EDGE0816 Ref C: 2024-08-30T00:59:19Z
    date: Fri, 30 Aug 2024 00:59:19 GMT
  • flag-us
    DNS
    10.28.171.150.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    10.28.171.150.in-addr.arpa
    IN PTR
    Response
  • 104.19.223.79:80
    http://whatismyipaddress.com/
    http
    magert.exe
    255 B
     911 B
     4
    3

    HTTP Request

    GET http://whatismyipaddress.com/

    HTTP Response

    301
  • 104.19.223.79:443
    https://whatismyipaddress.com/
    tls, http
    magert.exe
    1.2kB
     22.8kB
     19
    29

    HTTP Request

    GET https://whatismyipaddress.com/

    HTTP Response

    403
  • 136.143.190.56:587
    smtp.zoho.com
    smtp
    magert.exe
    1.3kB
     4.9kB
     15
    19
  • 136.143.190.56:587
    smtp.zoho.com
    smtp
    magert.exe
    1.4kB
     4.9kB
     15
    19
  • 150.171.28.10:443
    tse1.mm.bing.net
    tls, http2
    1.2kB
     6.9kB
     15
    12
  • 150.171.28.10:443
    tse1.mm.bing.net
    tls, http2
    1.1kB
     593 B
     10
    8
  • 150.171.28.10:443
    tse1.mm.bing.net
    tls, http2
    1.1kB
     553 B
     10
    7
  • 150.171.28.10:443
    tse1.mm.bing.net
    tls, http2
    1.2kB
     6.9kB
     15
    13
  • 150.171.28.10:443
    https://tse1.mm.bing.net/th?id=OADD2.10239360505011_123FH55PMWQ5EA6JP&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
    tls, http2
    102.1kB
     2.8MB
     2062
    2054

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239339388096_1DBFGPPKZBTOVVSVU&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239360504960_1PLAHYZB4JQO28JRC&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239340418573_1OCPZP6XQOXA94H84&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

    HTTP Response

    200

    HTTP Response

    200

    HTTP Response

    200

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239340418574_15LZ4V0VK97RULTEQ&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239339388095_1V0S9Y27HKQEJAFN6&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239360505011_123FH55PMWQ5EA6JP&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

    HTTP Response

    200

    HTTP Response

    200

    HTTP Response

    200
  • 8.8.8.8:53
    97.17.167.52.in-addr.arpa
    dns
    71 B
     145 B
     1
    1

    DNS Request

    97.17.167.52.in-addr.arpa

  • 8.8.8.8:53
    73.159.190.20.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    73.159.190.20.in-addr.arpa

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    73 B
     144 B
     1
    1

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    55.36.223.20.in-addr.arpa
    dns
    71 B
     157 B
     1
    1

    DNS Request

    55.36.223.20.in-addr.arpa

  • 8.8.8.8:53
    196.249.167.52.in-addr.arpa
    dns
    146 B
     147 B
     2
    1

    DNS Request

    196.249.167.52.in-addr.arpa

    DNS Request

    196.249.167.52.in-addr.arpa

  • 8.8.8.8:53
    103.169.127.40.in-addr.arpa
    dns
    73 B
     147 B
     1
    1

    DNS Request

    103.169.127.40.in-addr.arpa

  • 8.8.8.8:53
    18.31.95.13.in-addr.arpa
    dns
    140 B
     144 B
     2
    1

    DNS Request

    18.31.95.13.in-addr.arpa

    DNS Request

    18.31.95.13.in-addr.arpa

  • 8.8.8.8:53
    240.221.184.93.in-addr.arpa
    dns
    73 B
     144 B
     1
    1

    DNS Request

    240.221.184.93.in-addr.arpa

  • 8.8.8.8:53
    26.35.223.20.in-addr.arpa
    dns
    71 B
     157 B
     1
    1

    DNS Request

    26.35.223.20.in-addr.arpa

  • 8.8.8.8:53
    whatismyipaddress.com
    dns
    magert.exe
    67 B
     99 B
     1
    1

    DNS Request

    whatismyipaddress.com

    DNS Response

    104.19.223.79
    104.19.222.79

  • 8.8.8.8:53
    smtp.zoho.com
    dns
    magert.exe
    59 B
     75 B
     1
    1

    DNS Request

    smtp.zoho.com

    DNS Response

    136.143.190.56

  • 8.8.8.8:53
    79.223.19.104.in-addr.arpa
    dns
    72 B
     134 B
     1
    1

    DNS Request

    79.223.19.104.in-addr.arpa

  • 8.8.8.8:53
    56.190.143.136.in-addr.arpa
    dns
    73 B
     142 B
     1
    1

    DNS Request

    56.190.143.136.in-addr.arpa

  • 8.8.8.8:53
    21.236.111.52.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    21.236.111.52.in-addr.arpa

  • 8.8.8.8:53
    tse1.mm.bing.net
    dns
    62 B
     170 B
     1
    1

    DNS Request

    tse1.mm.bing.net

    DNS Response

    150.171.28.10
    150.171.27.10

  • 8.8.8.8:53
    10.28.171.150.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    10.28.171.150.in-addr.arpa

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\magert.exe.log
    Filesize

    526B

    MD5

    0b25f9f358a722369479cecdb0bfdfd4

    SHA1

    0e5e586dc2387f8492dc7bb8b9ba17cce90ba6fb

    SHA256

    97e51099c3c8b24d92ae0f8c0241b3477e52127f0da5f89175c56abc202196c7

    SHA512

    5f91fcd8822aa8e74566dc4b89af55e9f539aab19dc11cb450c13baa846e494b9f27954cce8626c867177b43e76be03a631c58e29be41b7bdad61576f5b8378b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\holderwb.txt
    Filesize

    3KB

    MD5

    f94dc819ca773f1e3cb27abbc9e7fa27

    SHA1

    9a7700efadc5ea09ab288544ef1e3cd876255086

    SHA256

    a3377ade83786c2bdff5db19ff4dbfd796da4312402b5e77c4c63e38cc6eff92

    SHA512

    72a2c10d7a53a7f9a319dab66d77ed65639e9aa885b551e0055fc7eaf6ef33bbf109205b42ae11555a0f292563914bc6edb63b310c6f9bda9564095f77ab9196

    Download Submit

  • C:\Users\Admin\Music\magert.exe
    Filesize

    1.1MB

    MD5

    b8b4dc0622d8f443a2353deaf2e69bab

    SHA1

    32a05d9fd8255fd71a1d6bca13a58dcb2d2b24e8

    SHA256

    4b8e9b653ed0e0a47e1e50b69ca9311f0b5ca96ee1a3bab3fe275cdeb98ea96e

    SHA512

    8ed3d118314dc39e97ea4bf0c3891d0b30844e9d3f9e395ea76e99203a29841aa424ab71975191829588106774135cab44d803b58192a495f3678582b2fc5337

    Download Submit

  • memory/1396-62-0x0000000000400000-0x0000000000458000-memory.dmp

    Filesize

    352KB

    Download

  • memory/1396-55-0x0000000000400000-0x0000000000458000-memory.dmp

    Filesize

    352KB

    Download

  • memory/1396-54-0x0000000000400000-0x0000000000458000-memory.dmp

    Filesize

    352KB

    Download

  • memory/2432-37-0x0000000000770000-0x00000000007F4000-memory.dmp

    Filesize

    528KB

    Download

  • memory/2432-38-0x0000000000770000-0x00000000007F4000-memory.dmp

    Filesize

    528KB

    Download

  • memory/2432-53-0x00000000745C0000-0x0000000074B71000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2432-46-0x00000000745C0000-0x0000000074B71000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2432-45-0x00000000745C0000-0x0000000074B71000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2432-39-0x0000000000770000-0x00000000007F4000-memory.dmp

    Filesize

    528KB

    Download

  • memory/3236-51-0x0000000000420000-0x00000000004E9000-memory.dmp

    Filesize

    804KB

    Download

  • memory/3236-52-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

    Download

  • memory/3236-50-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

    Download

  • memory/3236-49-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

    Download

  • memory/3300-7-0x00000000745C2000-0x00000000745C3000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3300-6-0x00000000745C0000-0x0000000074B71000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/3300-0-0x00000000745C2000-0x00000000745C3000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3300-1-0x00000000745C0000-0x0000000074B71000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/3300-2-0x00000000745C0000-0x0000000074B71000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/3300-5-0x00000000745C0000-0x0000000074B71000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/3300-8-0x00000000745C0000-0x0000000074B71000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/3300-30-0x00000000745C0000-0x0000000074B71000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/3856-31-0x00000000745C0000-0x0000000074B71000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/3856-32-0x00000000745C0000-0x0000000074B71000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/3856-33-0x00000000745C0000-0x0000000074B71000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/3856-34-0x00000000745C0000-0x0000000074B71000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/3856-44-0x00000000745C0000-0x0000000074B71000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/3856-35-0x00000000745C0000-0x0000000074B71000-memory.dmp

    Filesize

    5.7MB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.