Overview

overview

10

Static

static

3

fc22cdf353...5N.exe

windows7-x64

10

fc22cdf353...5N.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    116s
  • max time network
    120s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09/10/2024, 23:55 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    fc22cdf353ad4a36ab7d22310eaec07551dc84fcdd8d6d58b139d5f672097055N.exe

  • Size

    527KB

  • MD5

    0766745a1e47110b99674de3b2a8bb00

  • SHA1

    fcbe357415a4505ad02c92bfe4e28cc2372d9bea

  • SHA256

    fc22cdf353ad4a36ab7d22310eaec07551dc84fcdd8d6d58b139d5f672097055

  • SHA512

    4a3bf06cc1169cc41b474763cd2fcfa4ac2b7f044ceb0b05982501b492570652efa07e98339f8ea8e26717306d04b3dcabca360968e3a1190c5501388a2d933d

  • SSDEEP

    12288:1f09ZppPNIuu5wU/bK9sRarTjl0fCOQmlKdXeWlv9u3EN:1SpVT87aD+fCOQmlH

Score
10/10
snakekeyloggercollectiondiscoveryexecutionkeyloggerspywarestealer

Malware Config

Extracted

Family

snakekeylogger

C2

https://api.telegram.org/bot7013350856:AAEMW-L9OH6xJPBSHadxtnabC3gFbH_e250/sendMessage?chat_id=7239159003

Signatures

  • Snake Keylogger

    Keylogger and Infostealer first seen in November 2020.

    stealerkeyloggersnakekeylogger
  • Snake Keylogger payload 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fc22cdf353ad4a36ab7d22310eaec07551dc84fcdd8d6d58b139d5f672097055N.exe
    "C:\Users\Admin\AppData\Local\Temp\fc22cdf353ad4a36ab7d22310eaec07551dc84fcdd8d6d58b139d5f672097055N.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:636
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\fc22cdf353ad4a36ab7d22310eaec07551dc84fcdd8d6d58b139d5f672097055N.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3200
    • C:\Users\Admin\AppData\Local\Temp\fc22cdf353ad4a36ab7d22310eaec07551dc84fcdd8d6d58b139d5f672097055N.exe
      "C:\Users\Admin\AppData\Local\Temp\fc22cdf353ad4a36ab7d22310eaec07551dc84fcdd8d6d58b139d5f672097055N.exe"
      2⤵
      • Accesses Microsoft Outlook profiles
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • outlook_office_path
      • outlook_win_path
      PID:4656

Network

  • flag-us
    DNS
    g.bing.com
    Remote address:
    8.8.8.8:53
    Request
    g.bing.com
    IN A
    Response
    g.bing.com
    IN CNAME
    g-bing-com.ax-0001.ax-msedge.net
    g-bing-com.ax-0001.ax-msedge.net
    IN CNAME
    ax-0001.ax-msedge.net
    ax-0001.ax-msedge.net
    IN A
    150.171.27.10
    ax-0001.ax-msedge.net
    IN A
    150.171.28.10
  • flag-us
    GET
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=eb54a13ec48a4c488c7f5b5da1227016&localId=w:54ECD007-E294-A159-E37D-CA55023ED6B0&deviceId=6966572651497155&anid=
    Remote address:
    150.171.27.10:443
    Request
    GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=eb54a13ec48a4c488c7f5b5da1227016&localId=w:54ECD007-E294-A159-E37D-CA55023ED6B0&deviceId=6966572651497155&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MUID=03D10A8DF6E866BC10E71F9EF7EE6758; domain=.bing.com; expires=Mon, 03-Nov-2025 23:55:24 GMT; path=/; SameSite=None; Secure; Priority=High;
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 7F211528252F49918C6E92BD1F33FE39 Ref B: LON601060108023 Ref C: 2024-10-09T23:55:24Z
    date: Wed, 09 Oct 2024 23:55:23 GMT
  • flag-us
    GET
    https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=eb54a13ec48a4c488c7f5b5da1227016&localId=w:54ECD007-E294-A159-E37D-CA55023ED6B0&deviceId=6966572651497155&anid=
    Remote address:
    150.171.27.10:443
    Request
    GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=eb54a13ec48a4c488c7f5b5da1227016&localId=w:54ECD007-E294-A159-E37D-CA55023ED6B0&deviceId=6966572651497155&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=03D10A8DF6E866BC10E71F9EF7EE6758
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MSPTC=7y8fjk-WgLR1r9GliAjQfjlabArHShPLt-j3299h-rY; domain=.bing.com; expires=Mon, 03-Nov-2025 23:55:24 GMT; path=/; Partitioned; secure; SameSite=None
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 5631BB7C3127444BB21453836636D5B0 Ref B: LON601060108023 Ref C: 2024-10-09T23:55:24Z
    date: Wed, 09 Oct 2024 23:55:23 GMT
  • flag-us
    GET
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=eb54a13ec48a4c488c7f5b5da1227016&localId=w:54ECD007-E294-A159-E37D-CA55023ED6B0&deviceId=6966572651497155&anid=
    Remote address:
    150.171.27.10:443
    Request
    GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=eb54a13ec48a4c488c7f5b5da1227016&localId=w:54ECD007-E294-A159-E37D-CA55023ED6B0&deviceId=6966572651497155&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=03D10A8DF6E866BC10E71F9EF7EE6758; MSPTC=7y8fjk-WgLR1r9GliAjQfjlabArHShPLt-j3299h-rY
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: DCFE0FC3DDE74FA3BF61C81803FA22FA Ref B: LON601060108023 Ref C: 2024-10-09T23:55:24Z
    date: Wed, 09 Oct 2024 23:55:23 GMT
  • flag-us
    DNS
    68.159.190.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    68.159.190.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    88.156.103.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    88.156.103.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    checkip.dyndns.org
    fc22cdf353ad4a36ab7d22310eaec07551dc84fcdd8d6d58b139d5f672097055N.exe
    Remote address:
    8.8.8.8:53
    Request
    checkip.dyndns.org
    IN A
    Response
    checkip.dyndns.org
    IN CNAME
    checkip.dyndns.com
    checkip.dyndns.com
    IN A
    193.122.130.0
    checkip.dyndns.com
    IN A
    132.226.8.169
    checkip.dyndns.com
    IN A
    158.101.44.242
    checkip.dyndns.com
    IN A
    193.122.6.168
    checkip.dyndns.com
    IN A
    132.226.247.73
  • flag-us
    GET
    http://checkip.dyndns.org/
    fc22cdf353ad4a36ab7d22310eaec07551dc84fcdd8d6d58b139d5f672097055N.exe
    Remote address:
    193.122.130.0:80
    Request
    GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Date: Wed, 09 Oct 2024 23:55:37 GMT
    Content-Type: text/html
    Content-Length: 105
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    X-Request-ID: 9d5638f7e8cb6cc504d1bedecea20f74
  • flag-us
    GET
    http://checkip.dyndns.org/
    fc22cdf353ad4a36ab7d22310eaec07551dc84fcdd8d6d58b139d5f672097055N.exe
    Remote address:
    193.122.130.0:80
    Request
    GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Response
    HTTP/1.1 200 OK
    Date: Wed, 09 Oct 2024 23:55:37 GMT
    Content-Type: text/html
    Content-Length: 105
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    X-Request-ID: 41705b25844f17b4b0e3a81bcace0520
  • flag-us
    GET
    http://checkip.dyndns.org/
    fc22cdf353ad4a36ab7d22310eaec07551dc84fcdd8d6d58b139d5f672097055N.exe
    Remote address:
    193.122.130.0:80
    Request
    GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Response
    HTTP/1.1 200 OK
    Date: Wed, 09 Oct 2024 23:55:37 GMT
    Content-Type: text/html
    Content-Length: 105
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    X-Request-ID: db40a60cbc4ba4058fd45259eaf1b21a
  • flag-us
    GET
    http://checkip.dyndns.org/
    fc22cdf353ad4a36ab7d22310eaec07551dc84fcdd8d6d58b139d5f672097055N.exe
    Remote address:
    193.122.130.0:80
    Request
    GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Response
    HTTP/1.1 200 OK
    Date: Wed, 09 Oct 2024 23:55:38 GMT
    Content-Type: text/html
    Content-Length: 105
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    X-Request-ID: d62dbc7818dc103be67bca450b7e1034
  • flag-us
    GET
    http://checkip.dyndns.org/
    fc22cdf353ad4a36ab7d22310eaec07551dc84fcdd8d6d58b139d5f672097055N.exe
    Remote address:
    193.122.130.0:80
    Request
    GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Response
    HTTP/1.1 200 OK
    Date: Wed, 09 Oct 2024 23:55:38 GMT
    Content-Type: text/html
    Content-Length: 105
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    X-Request-ID: eddbea97af5328c28e59a80a1387fd35
  • flag-us
    GET
    http://checkip.dyndns.org/
    fc22cdf353ad4a36ab7d22310eaec07551dc84fcdd8d6d58b139d5f672097055N.exe
    Remote address:
    193.122.130.0:80
    Request
    GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Response
    HTTP/1.1 200 OK
    Date: Wed, 09 Oct 2024 23:55:38 GMT
    Content-Type: text/html
    Content-Length: 105
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    X-Request-ID: 046bab46d284594036bb4d72fb488b02
  • flag-us
    GET
    http://checkip.dyndns.org/
    fc22cdf353ad4a36ab7d22310eaec07551dc84fcdd8d6d58b139d5f672097055N.exe
    Remote address:
    193.122.130.0:80
    Request
    GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Response
    HTTP/1.1 200 OK
    Date: Wed, 09 Oct 2024 23:55:38 GMT
    Content-Type: text/html
    Content-Length: 105
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    X-Request-ID: 11e758b8223aa2005044cdddda7ffe73
  • flag-us
    GET
    http://checkip.dyndns.org/
    fc22cdf353ad4a36ab7d22310eaec07551dc84fcdd8d6d58b139d5f672097055N.exe
    Remote address:
    193.122.130.0:80
    Request
    GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Response
    HTTP/1.1 200 OK
    Date: Wed, 09 Oct 2024 23:55:38 GMT
    Content-Type: text/html
    Content-Length: 105
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    X-Request-ID: b6303e8fffdaad46627c9652fc393950
  • flag-us
    GET
    http://checkip.dyndns.org/
    fc22cdf353ad4a36ab7d22310eaec07551dc84fcdd8d6d58b139d5f672097055N.exe
    Remote address:
    193.122.130.0:80
    Request
    GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Response
    HTTP/1.1 200 OK
    Date: Wed, 09 Oct 2024 23:55:38 GMT
    Content-Type: text/html
    Content-Length: 105
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    X-Request-ID: 803018ed3e8993f45919277cfd6d3a60
  • flag-us
    DNS
    reallyfreegeoip.org
    fc22cdf353ad4a36ab7d22310eaec07551dc84fcdd8d6d58b139d5f672097055N.exe
    Remote address:
    8.8.8.8:53
    Request
    reallyfreegeoip.org
    IN A
    Response
    reallyfreegeoip.org
    IN A
    172.67.177.134
    reallyfreegeoip.org
    IN A
    104.21.67.152
  • flag-us
    GET
    https://reallyfreegeoip.org/xml/138.199.29.44
    fc22cdf353ad4a36ab7d22310eaec07551dc84fcdd8d6d58b139d5f672097055N.exe
    Remote address:
    172.67.177.134:443
    Request
    GET /xml/138.199.29.44 HTTP/1.1
    Host: reallyfreegeoip.org
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Date: Wed, 09 Oct 2024 23:55:37 GMT
    Content-Type: application/xml
    Transfer-Encoding: chunked
    Connection: keep-alive
    access-control-allow-origin: *
    vary: Accept-Encoding
    Cache-Control: max-age=86400
    CF-Cache-Status: HIT
    Age: 23142
    Last-Modified: Wed, 09 Oct 2024 17:29:55 GMT
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=s9RES%2B3tsv50MtazxYOORd1y1Oi%2Fiwv2irxbP7vCNCF%2FP6DxZ93P%2BNzcy0BbDEus4emSD6%2B9hi9MKnHvm98DwDILRyW8q3CZKmB65QcBds%2Bq4pr5vi7%2F68CnYkOZHREGMHnv7kdh"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8d024d78e9948867-LHR
    alt-svc: h3=":443"; ma=86400
  • flag-us
    GET
    https://reallyfreegeoip.org/xml/138.199.29.44
    fc22cdf353ad4a36ab7d22310eaec07551dc84fcdd8d6d58b139d5f672097055N.exe
    Remote address:
    172.67.177.134:443
    Request
    GET /xml/138.199.29.44 HTTP/1.1
    Host: reallyfreegeoip.org
    Response
    HTTP/1.1 200 OK
    Date: Wed, 09 Oct 2024 23:55:37 GMT
    Content-Type: application/xml
    Transfer-Encoding: chunked
    Connection: keep-alive
    access-control-allow-origin: *
    vary: Accept-Encoding
    Cache-Control: max-age=86400
    CF-Cache-Status: HIT
    Age: 23142
    Last-Modified: Wed, 09 Oct 2024 17:29:55 GMT
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=9854qazXYHvdYKaFuNCO%2FnlEDAv3Eav0EB3oFsVgjZvxCERc1d3%2BBLTHa998MVVaUtsiyiQvgYTaI%2BIEEHqXjdNzz6R78qU4c4fYxgPuMn3E8yBYTo5uxhKfcd%2FNLj9dEDtxrh6W"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8d024d7a0a448867-LHR
    alt-svc: h3=":443"; ma=86400
  • flag-us
    GET
    https://reallyfreegeoip.org/xml/138.199.29.44
    fc22cdf353ad4a36ab7d22310eaec07551dc84fcdd8d6d58b139d5f672097055N.exe
    Remote address:
    172.67.177.134:443
    Request
    GET /xml/138.199.29.44 HTTP/1.1
    Host: reallyfreegeoip.org
    Response
    HTTP/1.1 200 OK
    Date: Wed, 09 Oct 2024 23:55:38 GMT
    Content-Type: application/xml
    Transfer-Encoding: chunked
    Connection: keep-alive
    access-control-allow-origin: *
    vary: Accept-Encoding
    Cache-Control: max-age=86400
    CF-Cache-Status: HIT
    Age: 23143
    Last-Modified: Wed, 09 Oct 2024 17:29:55 GMT
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=NSUrvBNT5xjS5hhn2BpLzInKN%2F0w8S%2BAYEV4kGC8Wkn%2FozxkrmQeCML%2Fk%2FbSsUAkdnPrksXOWz8nj2U2kTWgXfPetVXAAYPHUI2z28NWxbqdgduFCaAdxZgdVSG4FTGeueJ%2BRg4h"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8d024d7b2b228867-LHR
    alt-svc: h3=":443"; ma=86400
  • flag-us
    GET
    https://reallyfreegeoip.org/xml/138.199.29.44
    fc22cdf353ad4a36ab7d22310eaec07551dc84fcdd8d6d58b139d5f672097055N.exe
    Remote address:
    172.67.177.134:443
    Request
    GET /xml/138.199.29.44 HTTP/1.1
    Host: reallyfreegeoip.org
    Response
    HTTP/1.1 200 OK
    Date: Wed, 09 Oct 2024 23:55:38 GMT
    Content-Type: application/xml
    Transfer-Encoding: chunked
    Connection: keep-alive
    access-control-allow-origin: *
    vary: Accept-Encoding
    Cache-Control: max-age=86400
    CF-Cache-Status: HIT
    Age: 23143
    Last-Modified: Wed, 09 Oct 2024 17:29:55 GMT
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=i%2BJ%2F6yDF4VKkJtJO7pD3l8iimMZh01WPklbZoy8ivU%2F480sOwneDvLmcLnNCWqA99h31m7nu34c1Fn1Qs19pCuK4Xwx6Z0aHETFOLUr6ZFHVVSeSjp%2FMvnO%2BMAaOI8dhSnxgYbXK"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8d024d7c3bbd8867-LHR
    alt-svc: h3=":443"; ma=86400
  • flag-us
    GET
    https://reallyfreegeoip.org/xml/138.199.29.44
    fc22cdf353ad4a36ab7d22310eaec07551dc84fcdd8d6d58b139d5f672097055N.exe
    Remote address:
    172.67.177.134:443
    Request
    GET /xml/138.199.29.44 HTTP/1.1
    Host: reallyfreegeoip.org
    Response
    HTTP/1.1 200 OK
    Date: Wed, 09 Oct 2024 23:55:38 GMT
    Content-Type: application/xml
    Transfer-Encoding: chunked
    Connection: keep-alive
    access-control-allow-origin: *
    vary: Accept-Encoding
    Cache-Control: max-age=86400
    CF-Cache-Status: HIT
    Age: 23143
    Last-Modified: Wed, 09 Oct 2024 17:29:55 GMT
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=mjAxGerUzOH%2FD1jw4PjnraAK%2F1Mxsa3Z0aILbinZre%2FgOq3%2Ftar9rh%2F4YCkuUsyY%2FUx1l6GcYA43PiTqLR0FL9wA%2BZYAhh%2BoWZCUzJzgZWXc8c96A1efO64dFqXfA0ZXfxZ8WSE0"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8d024d7d5c518867-LHR
    alt-svc: h3=":443"; ma=86400
  • flag-us
    GET
    https://reallyfreegeoip.org/xml/138.199.29.44
    fc22cdf353ad4a36ab7d22310eaec07551dc84fcdd8d6d58b139d5f672097055N.exe
    Remote address:
    172.67.177.134:443
    Request
    GET /xml/138.199.29.44 HTTP/1.1
    Host: reallyfreegeoip.org
    Response
    HTTP/1.1 200 OK
    Date: Wed, 09 Oct 2024 23:55:38 GMT
    Content-Type: application/xml
    Transfer-Encoding: chunked
    Connection: keep-alive
    access-control-allow-origin: *
    vary: Accept-Encoding
    Cache-Control: max-age=86400
    CF-Cache-Status: HIT
    Age: 23143
    Last-Modified: Wed, 09 Oct 2024 17:29:55 GMT
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=cbtgD5WxnHnN3qauau%2BIilpoF0OuwuWx4AC0e6GI39nZKo3xk9Wau%2B1EMKEDpYa5%2Fk51UzY2ohXqPudApGP2HPOSI2BugdzJHRJ2LZID%2Fmmh2r5JL8zFyp6ZbIrhGrXoyvYI6czp"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8d024d7e7cdc8867-LHR
    alt-svc: h3=":443"; ma=86400
  • flag-us
    GET
    https://reallyfreegeoip.org/xml/138.199.29.44
    fc22cdf353ad4a36ab7d22310eaec07551dc84fcdd8d6d58b139d5f672097055N.exe
    Remote address:
    172.67.177.134:443
    Request
    GET /xml/138.199.29.44 HTTP/1.1
    Host: reallyfreegeoip.org
    Response
    HTTP/1.1 200 OK
    Date: Wed, 09 Oct 2024 23:55:38 GMT
    Content-Type: application/xml
    Transfer-Encoding: chunked
    Connection: keep-alive
    access-control-allow-origin: *
    vary: Accept-Encoding
    Cache-Control: max-age=86400
    CF-Cache-Status: HIT
    Age: 23143
    Last-Modified: Wed, 09 Oct 2024 17:29:55 GMT
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=9tVDIR%2FOV1r7xjRrvJgvzOKw2Mrf9udf2NCLkpZgu5SFO%2FIfx%2BgneZVJ9%2FFHB8S25RWNF0al7A%2BksJ3NgVigekOsANK1oS20%2BsF0mJKycSpEremAJDnmNaeN39va0U2zoA5G1T3i"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8d024d7f7d658867-LHR
    alt-svc: h3=":443"; ma=86400
  • flag-us
    GET
    https://reallyfreegeoip.org/xml/138.199.29.44
    fc22cdf353ad4a36ab7d22310eaec07551dc84fcdd8d6d58b139d5f672097055N.exe
    Remote address:
    172.67.177.134:443
    Request
    GET /xml/138.199.29.44 HTTP/1.1
    Host: reallyfreegeoip.org
    Response
    HTTP/1.1 200 OK
    Date: Wed, 09 Oct 2024 23:55:38 GMT
    Content-Type: application/xml
    Transfer-Encoding: chunked
    Connection: keep-alive
    access-control-allow-origin: *
    vary: Accept-Encoding
    Cache-Control: max-age=86400
    CF-Cache-Status: HIT
    Age: 23143
    Last-Modified: Wed, 09 Oct 2024 17:29:55 GMT
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=OyA6beAhy9TmAhby18KBvFDV%2BpqUvk38HJcMnbe9tRDEPBNrAqF8e0W%2B69Rj3CYly2L2OyiDF%2BRuS2GbHhkFTc3jeLjln7AfXo3Eso754Sk3v55pzscKxVpUKwOz8fzMnc8gj2lE"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8d024d809e178867-LHR
    alt-svc: h3=":443"; ma=86400
  • flag-us
    DNS
    0.130.122.193.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    0.130.122.193.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    134.177.67.172.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    134.177.67.172.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    212.20.149.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    212.20.149.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    171.39.242.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    171.39.242.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    172.210.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.210.232.199.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    21.236.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    21.236.111.52.in-addr.arpa
    IN PTR
    Response
  • 150.171.27.10:443
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=eb54a13ec48a4c488c7f5b5da1227016&localId=w:54ECD007-E294-A159-E37D-CA55023ED6B0&deviceId=6966572651497155&anid=
    tls, http2
    2.0kB
     9.4kB
     21
    19

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=eb54a13ec48a4c488c7f5b5da1227016&localId=w:54ECD007-E294-A159-E37D-CA55023ED6B0&deviceId=6966572651497155&anid=

    HTTP Response

    204

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=eb54a13ec48a4c488c7f5b5da1227016&localId=w:54ECD007-E294-A159-E37D-CA55023ED6B0&deviceId=6966572651497155&anid=

    HTTP Response

    204

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=eb54a13ec48a4c488c7f5b5da1227016&localId=w:54ECD007-E294-A159-E37D-CA55023ED6B0&deviceId=6966572651497155&anid=

    HTTP Response

    204
  • 193.122.130.0:80
    http://checkip.dyndns.org/
    http
    fc22cdf353ad4a36ab7d22310eaec07551dc84fcdd8d6d58b139d5f672097055N.exe
    1.9kB
     3.8kB
     16
    14

    HTTP Request

    GET http://checkip.dyndns.org/

    HTTP Response

    200

    HTTP Request

    GET http://checkip.dyndns.org/

    HTTP Response

    200

    HTTP Request

    GET http://checkip.dyndns.org/

    HTTP Response

    200

    HTTP Request

    GET http://checkip.dyndns.org/

    HTTP Response

    200

    HTTP Request

    GET http://checkip.dyndns.org/

    HTTP Response

    200

    HTTP Request

    GET http://checkip.dyndns.org/

    HTTP Response

    200

    HTTP Request

    GET http://checkip.dyndns.org/

    HTTP Response

    200

    HTTP Request

    GET http://checkip.dyndns.org/

    HTTP Response

    200

    HTTP Request

    GET http://checkip.dyndns.org/

    HTTP Response

    200
  • 172.67.177.134:443
    https://reallyfreegeoip.org/xml/138.199.29.44
    tls, http
    fc22cdf353ad4a36ab7d22310eaec07551dc84fcdd8d6d58b139d5f672097055N.exe
    2.0kB
     12.7kB
     23
    23

    HTTP Request

    GET https://reallyfreegeoip.org/xml/138.199.29.44

    HTTP Response

    200

    HTTP Request

    GET https://reallyfreegeoip.org/xml/138.199.29.44

    HTTP Response

    200

    HTTP Request

    GET https://reallyfreegeoip.org/xml/138.199.29.44

    HTTP Response

    200

    HTTP Request

    GET https://reallyfreegeoip.org/xml/138.199.29.44

    HTTP Response

    200

    HTTP Request

    GET https://reallyfreegeoip.org/xml/138.199.29.44

    HTTP Response

    200

    HTTP Request

    GET https://reallyfreegeoip.org/xml/138.199.29.44

    HTTP Response

    200

    HTTP Request

    GET https://reallyfreegeoip.org/xml/138.199.29.44

    HTTP Response

    200

    HTTP Request

    GET https://reallyfreegeoip.org/xml/138.199.29.44

    HTTP Response

    200
  • 8.8.8.8:53
    g.bing.com
    dns
    56 B
     148 B
     1
    1

    DNS Request

    g.bing.com

    DNS Response

    150.171.27.10
    150.171.28.10

  • 8.8.8.8:53
    68.159.190.20.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    68.159.190.20.in-addr.arpa

  • 8.8.8.8:53
    88.156.103.20.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    88.156.103.20.in-addr.arpa

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    73 B
     144 B
     1
    1

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    checkip.dyndns.org
    dns
    fc22cdf353ad4a36ab7d22310eaec07551dc84fcdd8d6d58b139d5f672097055N.exe
    64 B
     176 B
     1
    1

    DNS Request

    checkip.dyndns.org

    DNS Response

    193.122.130.0
    132.226.8.169
    158.101.44.242
    193.122.6.168
    132.226.247.73

  • 8.8.8.8:53
    reallyfreegeoip.org
    dns
    fc22cdf353ad4a36ab7d22310eaec07551dc84fcdd8d6d58b139d5f672097055N.exe
    65 B
     97 B
     1
    1

    DNS Request

    reallyfreegeoip.org

    DNS Response

    172.67.177.134
    104.21.67.152

  • 8.8.8.8:53
    0.130.122.193.in-addr.arpa
    dns
    72 B
     146 B
     1
    1

    DNS Request

    0.130.122.193.in-addr.arpa

  • 8.8.8.8:53
    134.177.67.172.in-addr.arpa
    dns
    73 B
     135 B
     1
    1

    DNS Request

    134.177.67.172.in-addr.arpa

  • 8.8.8.8:53
    212.20.149.52.in-addr.arpa
    dns
    72 B
     146 B
     1
    1

    DNS Request

    212.20.149.52.in-addr.arpa

  • 8.8.8.8:53
    171.39.242.20.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    171.39.242.20.in-addr.arpa

  • 8.8.8.8:53
    172.210.232.199.in-addr.arpa
    dns
    74 B
     128 B
     1
    1

    DNS Request

    172.210.232.199.in-addr.arpa

  • 8.8.8.8:53
    21.236.111.52.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    21.236.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_05bdgagc.wzh.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • memory/636-6-0x0000000005080000-0x0000000005098000-memory.dmp

    Filesize

    96KB

    Download

  • memory/636-2-0x00000000050F0000-0x0000000005694000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/636-3-0x0000000004BE0000-0x0000000004C72000-memory.dmp

    Filesize

    584KB

    Download

  • memory/636-5-0x0000000074B30000-0x00000000752E0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/636-4-0x0000000004BC0000-0x0000000004BCA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/636-14-0x0000000074B30000-0x00000000752E0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/636-7-0x0000000074B3E000-0x0000000074B3F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/636-8-0x0000000074B30000-0x00000000752E0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/636-9-0x0000000005EA0000-0x0000000005F08000-memory.dmp

    Filesize

    416KB

    Download

  • memory/636-10-0x0000000006030000-0x00000000060CC000-memory.dmp

    Filesize

    624KB

    Download

  • memory/636-0-0x0000000074B3E000-0x0000000074B3F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/636-1-0x0000000000120000-0x00000000001AA000-memory.dmp

    Filesize

    552KB

    Download

  • memory/3200-51-0x0000000007CE0000-0x0000000007CEA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/3200-37-0x0000000070560000-0x00000000705AC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/3200-16-0x0000000074B30000-0x00000000752E0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3200-17-0x0000000005B90000-0x00000000061B8000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/3200-21-0x00000000061C0000-0x0000000006226000-memory.dmp

    Filesize

    408KB

    Download

  • memory/3200-20-0x0000000005A20000-0x0000000005A86000-memory.dmp

    Filesize

    408KB

    Download

  • memory/3200-22-0x0000000074B30000-0x00000000752E0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3200-60-0x0000000074B30000-0x00000000752E0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3200-28-0x0000000074B30000-0x00000000752E0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3200-57-0x0000000007F90000-0x0000000007F98000-memory.dmp

    Filesize

    32KB

    Download

  • memory/3200-29-0x0000000006340000-0x0000000006694000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/3200-18-0x0000000005880000-0x00000000058A2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/3200-34-0x0000000006950000-0x000000000696E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/3200-35-0x0000000006980000-0x00000000069CC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/3200-36-0x0000000006F00000-0x0000000006F32000-memory.dmp

    Filesize

    200KB

    Download

  • memory/3200-15-0x00000000053A0000-0x00000000053D6000-memory.dmp

    Filesize

    216KB

    Download

  • memory/3200-47-0x0000000006EE0000-0x0000000006EFE000-memory.dmp

    Filesize

    120KB

    Download

  • memory/3200-48-0x0000000007920000-0x00000000079C3000-memory.dmp

    Filesize

    652KB

    Download

  • memory/3200-49-0x00000000082C0000-0x000000000893A000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/3200-50-0x0000000007C70000-0x0000000007C8A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/3200-56-0x0000000007FB0000-0x0000000007FCA000-memory.dmp

    Filesize

    104KB

    Download

  • memory/3200-52-0x0000000007EF0000-0x0000000007F86000-memory.dmp

    Filesize

    600KB

    Download

  • memory/3200-53-0x0000000007E70000-0x0000000007E81000-memory.dmp

    Filesize

    68KB

    Download

  • memory/3200-54-0x0000000007EA0000-0x0000000007EAE000-memory.dmp

    Filesize

    56KB

    Download

  • memory/3200-55-0x0000000007EB0000-0x0000000007EC4000-memory.dmp

    Filesize

    80KB

    Download

  • memory/4656-11-0x0000000000400000-0x0000000000426000-memory.dmp

    Filesize

    152KB

    Download

  • memory/4656-13-0x0000000074B30000-0x00000000752E0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4656-19-0x0000000074B30000-0x00000000752E0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4656-61-0x0000000006BE0000-0x0000000006C30000-memory.dmp

    Filesize

    320KB

    Download

  • memory/4656-62-0x0000000006E00000-0x0000000006FC2000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/4656-63-0x0000000074B30000-0x00000000752E0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4656-64-0x0000000074B30000-0x00000000752E0000-memory.dmp

    Filesize

    7.7MB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.