Analysis

  • max time kernel
    147s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    20/01/2024, 14:10 UTC

General

  • Target

    bTcG.exe

  • Size

    28KB

  • MD5

    8e1bb22b17551346730179e6616eb42e

  • SHA1

    7d2482fd93f0824e4353522c68c0fd39af445fc0

  • SHA256

    9bb9a1974de3b7ca8de3fd9afd7fb0f92d8f24c33b651584b2d7e2d0bd0da2fe

  • SHA512

    ec3a09f32393ce91486342712e200d4d0e432f0df90a1e58dd8251281c5257372a31c50db1b5a3a0fb552fa179199d88359c07b63d6b896188dfe32cb5d18ee6

  • SSDEEP

    768:EpDU6F1w9pXlmjF845NonMfo3z3aNHm4j:Epb1w9pIphknMAuH5

Score
10/10

Malware Config

Extracted

Family

limerat

Attributes
  • aes_key

    Kronic

  • antivm

    true

  • c2_url

    https://pastebin.com/raw/jxx7yjgK

  • delay

    3

  • download_payload

    false

  • install

    true

  • install_name

    MSIbuilder.exe

  • main_folder

    AppData

  • pin_spread

    true

  • sub_folder

    \Service Windows\

  • usb_spread

    true

Extracted

Family

limerat

Attributes
  • antivm

    false

  • c2_url

    https://pastebin.com/raw/jxx7yjgK

  • download_payload

    false

  • install

    false

  • pin_spread

    false

  • usb_spread

    false

Signatures

  • LimeRAT

    Simple yet powerful RAT for Windows machines written in .NET.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bTcG.exe
    "C:\Users\Admin\AppData\Local\Temp\bTcG.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1340
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr "'C:\Users\Admin\AppData\Roaming\Service Windows\MSIbuilder.exe'"
      2⤵
      • Creates scheduled task(s)
      PID:2932
    • C:\Users\Admin\AppData\Roaming\Service Windows\MSIbuilder.exe
      "C:\Users\Admin\AppData\Roaming\Service Windows\MSIbuilder.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2848

Network

  • flag-us
    DNS
    pastebin.com
    MSIbuilder.exe
    Remote address:
    8.8.8.8:53
    Request
    pastebin.com
    IN A
    Response
    pastebin.com
    IN A
    104.20.68.143
    pastebin.com
    IN A
    172.67.34.170
    pastebin.com
    IN A
    104.20.67.143
  • flag-us
    GET
    https://pastebin.com/raw/jxx7yjgK
    MSIbuilder.exe
    Remote address:
    104.20.68.143:443
    Request
    GET /raw/jxx7yjgK HTTP/1.1
    Host: pastebin.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Date: Sat, 20 Jan 2024 14:11:00 GMT
    Content-Type: text/plain; charset=utf-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    x-frame-options: DENY
    x-content-type-options: nosniff
    x-xss-protection: 1;mode=block
    cache-control: public, max-age=1801
    CF-Cache-Status: MISS
    Last-Modified: Sat, 20 Jan 2024 14:11:00 GMT
    Server: cloudflare
    CF-RAY: 8487e7757f75885f-LHR
  • flag-us
    GET
    https://pastebin.com/raw/jxx7yjgK
    MSIbuilder.exe
    Remote address:
    104.20.68.143:443
    Request
    GET /raw/jxx7yjgK HTTP/1.1
    Host: pastebin.com
    Response
    HTTP/1.1 200 OK
    Date: Sat, 20 Jan 2024 14:11:02 GMT
    Content-Type: text/plain; charset=utf-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    x-frame-options: DENY
    x-content-type-options: nosniff
    x-xss-protection: 1;mode=block
    cache-control: public, max-age=1801
    CF-Cache-Status: HIT
    Age: 2
    Last-Modified: Sat, 20 Jan 2024 14:11:00 GMT
    Server: cloudflare
    CF-RAY: 8487e78528dd885f-LHR
  • flag-us
    GET
    https://pastebin.com/raw/jxx7yjgK
    MSIbuilder.exe
    Remote address:
    104.20.68.143:443
    Request
    GET /raw/jxx7yjgK HTTP/1.1
    Host: pastebin.com
    Response
    HTTP/1.1 200 OK
    Date: Sat, 20 Jan 2024 14:11:19 GMT
    Content-Type: text/plain; charset=utf-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    x-frame-options: DENY
    x-content-type-options: nosniff
    x-xss-protection: 1;mode=block
    cache-control: public, max-age=1801
    CF-Cache-Status: HIT
    Age: 19
    Last-Modified: Sat, 20 Jan 2024 14:11:00 GMT
    Server: cloudflare
    CF-RAY: 8487e7f149a0885f-LHR
  • flag-us
    GET
    https://pastebin.com/raw/jxx7yjgK
    MSIbuilder.exe
    Remote address:
    104.20.68.143:443
    Request
    GET /raw/jxx7yjgK HTTP/1.1
    Host: pastebin.com
    Response
    HTTP/1.1 200 OK
    Date: Sat, 20 Jan 2024 14:11:28 GMT
    Content-Type: text/plain; charset=utf-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    x-frame-options: DENY
    x-content-type-options: nosniff
    x-xss-protection: 1;mode=block
    cache-control: public, max-age=1801
    CF-Cache-Status: HIT
    Age: 28
    Last-Modified: Sat, 20 Jan 2024 14:11:00 GMT
    Server: cloudflare
    CF-RAY: 8487e824c89e885f-LHR
  • flag-us
    GET
    https://pastebin.com/raw/jxx7yjgK
    MSIbuilder.exe
    Remote address:
    104.20.68.143:443
    Request
    GET /raw/jxx7yjgK HTTP/1.1
    Host: pastebin.com
    Response
    HTTP/1.1 200 OK
    Date: Sat, 20 Jan 2024 14:11:42 GMT
    Content-Type: text/plain; charset=utf-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    x-frame-options: DENY
    x-content-type-options: nosniff
    x-xss-protection: 1;mode=block
    cache-control: public, max-age=1801
    CF-Cache-Status: HIT
    Age: 42
    Last-Modified: Sat, 20 Jan 2024 14:11:00 GMT
    Server: cloudflare
    CF-RAY: 8487e87f980b885f-LHR
  • flag-us
    GET
    https://pastebin.com/raw/jxx7yjgK
    MSIbuilder.exe
    Remote address:
    104.20.68.143:443
    Request
    GET /raw/jxx7yjgK HTTP/1.1
    Host: pastebin.com
    Response
    HTTP/1.1 200 OK
    Date: Sat, 20 Jan 2024 14:11:48 GMT
    Content-Type: text/plain; charset=utf-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    x-frame-options: DENY
    x-content-type-options: nosniff
    x-xss-protection: 1;mode=block
    cache-control: public, max-age=1801
    CF-Cache-Status: HIT
    Age: 48
    Last-Modified: Sat, 20 Jan 2024 14:11:00 GMT
    Server: cloudflare
    CF-RAY: 8487e8a12da6885f-LHR
  • flag-us
    GET
    https://pastebin.com/raw/jxx7yjgK
    MSIbuilder.exe
    Remote address:
    104.20.68.143:443
    Request
    GET /raw/jxx7yjgK HTTP/1.1
    Host: pastebin.com
    Response
    HTTP/1.1 200 OK
    Date: Sat, 20 Jan 2024 14:11:53 GMT
    Content-Type: text/plain; charset=utf-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    x-frame-options: DENY
    x-content-type-options: nosniff
    x-xss-protection: 1;mode=block
    cache-control: public, max-age=1801
    CF-Cache-Status: HIT
    Age: 53
    Last-Modified: Sat, 20 Jan 2024 14:11:00 GMT
    Server: cloudflare
    CF-RAY: 8487e8c24f5f885f-LHR
  • flag-us
    GET
    https://pastebin.com/raw/jxx7yjgK
    MSIbuilder.exe
    Remote address:
    104.20.68.143:443
    Request
    GET /raw/jxx7yjgK HTTP/1.1
    Host: pastebin.com
    Response
    HTTP/1.1 200 OK
    Date: Sat, 20 Jan 2024 14:11:57 GMT
    Content-Type: text/plain; charset=utf-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    x-frame-options: DENY
    x-content-type-options: nosniff
    x-xss-protection: 1;mode=block
    cache-control: public, max-age=1801
    CF-Cache-Status: HIT
    Age: 57
    Last-Modified: Sat, 20 Jan 2024 14:11:00 GMT
    Server: cloudflare
    CF-RAY: 8487e8dadaf0885f-LHR
  • flag-us
    GET
    https://pastebin.com/raw/jxx7yjgK
    MSIbuilder.exe
    Remote address:
    104.20.68.143:443
    Request
    GET /raw/jxx7yjgK HTTP/1.1
    Host: pastebin.com
    Response
    HTTP/1.1 200 OK
    Date: Sat, 20 Jan 2024 14:12:01 GMT
    Content-Type: text/plain; charset=utf-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    x-frame-options: DENY
    x-content-type-options: nosniff
    x-xss-protection: 1;mode=block
    cache-control: public, max-age=1801
    CF-Cache-Status: HIT
    Age: 61
    Last-Modified: Sat, 20 Jan 2024 14:11:00 GMT
    Server: cloudflare
    CF-RAY: 8487e8f849e2885f-LHR
  • flag-us
    GET
    https://pastebin.com/raw/jxx7yjgK
    MSIbuilder.exe
    Remote address:
    104.20.68.143:443
    Request
    GET /raw/jxx7yjgK HTTP/1.1
    Host: pastebin.com
    Response
    HTTP/1.1 200 OK
    Date: Sat, 20 Jan 2024 14:12:04 GMT
    Content-Type: text/plain; charset=utf-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    x-frame-options: DENY
    x-content-type-options: nosniff
    x-xss-protection: 1;mode=block
    cache-control: public, max-age=1801
    CF-Cache-Status: HIT
    Age: 64
    Last-Modified: Sat, 20 Jan 2024 14:11:00 GMT
    Server: cloudflare
    CF-RAY: 8487e905af58885f-LHR
  • flag-us
    GET
    https://pastebin.com/raw/jxx7yjgK
    MSIbuilder.exe
    Remote address:
    104.20.68.143:443
    Request
    GET /raw/jxx7yjgK HTTP/1.1
    Host: pastebin.com
    Response
    HTTP/1.1 200 OK
    Date: Sat, 20 Jan 2024 14:12:21 GMT
    Content-Type: text/plain; charset=utf-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    x-frame-options: DENY
    x-content-type-options: nosniff
    x-xss-protection: 1;mode=block
    cache-control: public, max-age=1801
    CF-Cache-Status: HIT
    Age: 81
    Last-Modified: Sat, 20 Jan 2024 14:11:00 GMT
    Server: cloudflare
    CF-RAY: 8487e9712f50885f-LHR
  • flag-us
    GET
    https://pastebin.com/raw/jxx7yjgK
    MSIbuilder.exe
    Remote address:
    104.20.68.143:443
    Request
    GET /raw/jxx7yjgK HTTP/1.1
    Host: pastebin.com
    Response
    HTTP/1.1 200 OK
    Date: Sat, 20 Jan 2024 14:12:23 GMT
    Content-Type: text/plain; charset=utf-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    x-frame-options: DENY
    x-content-type-options: nosniff
    x-xss-protection: 1;mode=block
    cache-control: public, max-age=1801
    CF-Cache-Status: HIT
    Age: 83
    Last-Modified: Sat, 20 Jan 2024 14:11:00 GMT
    Server: cloudflare
    CF-RAY: 8487e97ffc9d885f-LHR
  • flag-us
    GET
    https://pastebin.com/raw/jxx7yjgK
    MSIbuilder.exe
    Remote address:
    104.20.68.143:443
    Request
    GET /raw/jxx7yjgK HTTP/1.1
    Host: pastebin.com
    Response
    HTTP/1.1 200 OK
    Date: Sat, 20 Jan 2024 14:12:30 GMT
    Content-Type: text/plain; charset=utf-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    x-frame-options: DENY
    x-content-type-options: nosniff
    x-xss-protection: 1;mode=block
    cache-control: public, max-age=1801
    CF-Cache-Status: HIT
    Age: 90
    Last-Modified: Sat, 20 Jan 2024 14:11:00 GMT
    Server: cloudflare
    CF-RAY: 8487e9a98a60885f-LHR
  • flag-us
    GET
    https://pastebin.com/raw/jxx7yjgK
    MSIbuilder.exe
    Remote address:
    104.20.68.143:443
    Request
    GET /raw/jxx7yjgK HTTP/1.1
    Host: pastebin.com
    Response
    HTTP/1.1 200 OK
    Date: Sat, 20 Jan 2024 14:12:41 GMT
    Content-Type: text/plain; charset=utf-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    x-frame-options: DENY
    x-content-type-options: nosniff
    x-xss-protection: 1;mode=block
    cache-control: public, max-age=1801
    CF-Cache-Status: HIT
    Age: 101
    Last-Modified: Sat, 20 Jan 2024 14:11:00 GMT
    Server: cloudflare
    CF-RAY: 8487e9f098b8885f-LHR
  • flag-us
    GET
    https://pastebin.com/raw/jxx7yjgK
    MSIbuilder.exe
    Remote address:
    104.20.68.143:443
    Request
    GET /raw/jxx7yjgK HTTP/1.1
    Host: pastebin.com
    Response
    HTTP/1.1 200 OK
    Date: Sat, 20 Jan 2024 14:12:51 GMT
    Content-Type: text/plain; charset=utf-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    x-frame-options: DENY
    x-content-type-options: nosniff
    x-xss-protection: 1;mode=block
    cache-control: public, max-age=1801
    CF-Cache-Status: HIT
    Age: 111
    Last-Modified: Sat, 20 Jan 2024 14:11:00 GMT
    Server: cloudflare
    CF-RAY: 8487ea2f7f8a885f-LHR
  • flag-us
    GET
    https://pastebin.com/raw/jxx7yjgK
    MSIbuilder.exe
    Remote address:
    104.20.68.143:443
    Request
    GET /raw/jxx7yjgK HTTP/1.1
    Host: pastebin.com
    Response
    HTTP/1.1 200 OK
    Date: Sat, 20 Jan 2024 14:12:54 GMT
    Content-Type: text/plain; charset=utf-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    x-frame-options: DENY
    x-content-type-options: nosniff
    x-xss-protection: 1;mode=block
    cache-control: public, max-age=1801
    CF-Cache-Status: HIT
    Age: 114
    Last-Modified: Sat, 20 Jan 2024 14:11:00 GMT
    Server: cloudflare
    CF-RAY: 8487ea3ed921885f-LHR
  • flag-us
    GET
    https://pastebin.com/raw/jxx7yjgK
    MSIbuilder.exe
    Remote address:
    104.20.68.143:443
    Request
    GET /raw/jxx7yjgK HTTP/1.1
    Host: pastebin.com
    Response
    HTTP/1.1 200 OK
    Date: Sat, 20 Jan 2024 14:12:58 GMT
    Content-Type: text/plain; charset=utf-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    x-frame-options: DENY
    x-content-type-options: nosniff
    x-xss-protection: 1;mode=block
    cache-control: public, max-age=1801
    CF-Cache-Status: HIT
    Age: 118
    Last-Modified: Sat, 20 Jan 2024 14:11:00 GMT
    Server: cloudflare
    CF-RAY: 8487ea5b099b885f-LHR
  • flag-us
    GET
    https://pastebin.com/raw/jxx7yjgK
    MSIbuilder.exe
    Remote address:
    104.20.68.143:443
    Request
    GET /raw/jxx7yjgK HTTP/1.1
    Host: pastebin.com
    Response
    HTTP/1.1 200 OK
    Date: Sat, 20 Jan 2024 14:13:01 GMT
    Content-Type: text/plain; charset=utf-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    x-frame-options: DENY
    x-content-type-options: nosniff
    x-xss-protection: 1;mode=block
    cache-control: public, max-age=1801
    CF-Cache-Status: HIT
    Age: 121
    Last-Modified: Sat, 20 Jan 2024 14:11:00 GMT
    Server: cloudflare
    CF-RAY: 8487ea6f2f34885f-LHR
  • flag-us
    DNS
    0.tcp.sa.ngrok.io
    MSIbuilder.exe
    Remote address:
    8.8.8.8:53
    Request
    0.tcp.sa.ngrok.io
    IN A
    Response
    0.tcp.sa.ngrok.io
    IN A
    18.228.115.60
  • flag-us
    DNS
    0.tcp.sa.ngrok.io
    MSIbuilder.exe
    Remote address:
    8.8.8.8:53
    Request
    0.tcp.sa.ngrok.io
    IN A
    Response
    0.tcp.sa.ngrok.io
    IN A
    18.229.146.63
  • flag-us
    DNS
    0.tcp.sa.ngrok.io
    MSIbuilder.exe
    Remote address:
    8.8.8.8:53
    Request
    0.tcp.sa.ngrok.io
    IN A
    Response
    0.tcp.sa.ngrok.io
    IN A
    54.94.248.37
  • 104.20.68.143:443
    https://pastebin.com/raw/jxx7yjgK
    tls, http
    MSIbuilder.exe
    4.0kB
    14.4kB
    46
    45

    HTTP Request

    GET https://pastebin.com/raw/jxx7yjgK

    HTTP Response

    200
  • 18.228.115.60:12936
    0.tcp.sa.ngrok.io
    MSIbuilder.exe
    152 B
    120 B
    3
    3
  • 18.228.115.60:12936
    0.tcp.sa.ngrok.io
    MSIbuilder.exe
    152 B
    80 B
    3
    2
  • 18.228.115.60:12936
    0.tcp.sa.ngrok.io
    MSIbuilder.exe
    152 B
    80 B
    3
    2
  • 18.228.115.60:12936
    0.tcp.sa.ngrok.io
    MSIbuilder.exe
    152 B
    80 B
    3
    2
  • 18.228.115.60:12936
    0.tcp.sa.ngrok.io
    MSIbuilder.exe
    152 B
    120 B
    3
    3
  • 18.228.115.60:12936
    0.tcp.sa.ngrok.io
    MSIbuilder.exe
    152 B
    120 B
    3
    3
  • 18.228.115.60:12936
    0.tcp.sa.ngrok.io
    MSIbuilder.exe
    152 B
    120 B
    3
    3
  • 18.228.115.60:12936
    0.tcp.sa.ngrok.io
    MSIbuilder.exe
    152 B
    120 B
    3
    3
  • 18.229.146.63:12936
    0.tcp.sa.ngrok.io
    MSIbuilder.exe
    152 B
    120 B
    3
    3
  • 18.229.146.63:12936
    0.tcp.sa.ngrok.io
    MSIbuilder.exe
    152 B
    40 B
    3
    1
  • 18.229.146.63:12936
    0.tcp.sa.ngrok.io
    MSIbuilder.exe
    152 B
    120 B
    3
    3
  • 18.229.146.63:12936
    0.tcp.sa.ngrok.io
    MSIbuilder.exe
    152 B
    120 B
    3
    3
  • 18.229.146.63:12936
    0.tcp.sa.ngrok.io
    MSIbuilder.exe
    152 B
    80 B
    3
    2
  • 18.229.146.63:12936
    0.tcp.sa.ngrok.io
    MSIbuilder.exe
    152 B
    80 B
    3
    2
  • 18.229.146.63:12936
    0.tcp.sa.ngrok.io
    MSIbuilder.exe
    152 B
    120 B
    3
    3
  • 18.229.146.63:12936
    0.tcp.sa.ngrok.io
    MSIbuilder.exe
    152 B
    120 B
    3
    3
  • 18.229.146.63:12936
    0.tcp.sa.ngrok.io
    MSIbuilder.exe
    152 B
    120 B
    3
    3
  • 54.94.248.37:12936
    0.tcp.sa.ngrok.io
    MSIbuilder.exe
    152 B
    120 B
    3
    3
  • 8.8.8.8:53
    pastebin.com
    dns
    MSIbuilder.exe
    290 B
    106 B
    5
    1

    DNS Request

    pastebin.com

    DNS Response

    104.20.68.143
    172.67.34.170
    104.20.67.143

  • 8.8.8.8:53
    0.tcp.sa.ngrok.io
    dns
    MSIbuilder.exe
    63 B
    79 B
    1
    1

    DNS Request

    0.tcp.sa.ngrok.io

    DNS Response

    18.228.115.60

  • 8.8.8.8:53
    0.tcp.sa.ngrok.io
    dns
    MSIbuilder.exe
    63 B
    79 B
    1
    1

    DNS Request

    0.tcp.sa.ngrok.io

    DNS Response

    18.229.146.63

  • 8.8.8.8:53
    0.tcp.sa.ngrok.io
    dns
    MSIbuilder.exe
    63 B
    79 B
    1
    1

    DNS Request

    0.tcp.sa.ngrok.io

    DNS Response

    54.94.248.37

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\CabAA18.tmp

    Filesize

    65KB

    MD5

    ac05d27423a85adc1622c714f2cb6184

    SHA1

    b0fe2b1abddb97837ea0195be70ab2ff14d43198

    SHA256

    c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

    SHA512

    6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

  • C:\Users\Admin\AppData\Local\Temp\TarAA59.tmp

    Filesize

    171KB

    MD5

    9c0c641c06238516f27941aa1166d427

    SHA1

    64cd549fb8cf014fcd9312aa7a5b023847b6c977

    SHA256

    4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

    SHA512

    936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

  • C:\Users\Admin\AppData\Roaming\Service Windows\MSIbuilder.exe

    Filesize

    28KB

    MD5

    8e1bb22b17551346730179e6616eb42e

    SHA1

    7d2482fd93f0824e4353522c68c0fd39af445fc0

    SHA256

    9bb9a1974de3b7ca8de3fd9afd7fb0f92d8f24c33b651584b2d7e2d0bd0da2fe

    SHA512

    ec3a09f32393ce91486342712e200d4d0e432f0df90a1e58dd8251281c5257372a31c50db1b5a3a0fb552fa179199d88359c07b63d6b896188dfe32cb5d18ee6

  • memory/1340-0-0x0000000000FF0000-0x0000000000FFC000-memory.dmp

    Filesize

    48KB

  • memory/1340-1-0x0000000073E00000-0x00000000744EE000-memory.dmp

    Filesize

    6.9MB

  • memory/1340-3-0x0000000004D90000-0x0000000004DD0000-memory.dmp

    Filesize

    256KB

  • memory/1340-14-0x0000000073E00000-0x00000000744EE000-memory.dmp

    Filesize

    6.9MB

  • memory/2848-13-0x0000000000C40000-0x0000000000C4C000-memory.dmp

    Filesize

    48KB

  • memory/2848-15-0x0000000073E00000-0x00000000744EE000-memory.dmp

    Filesize

    6.9MB

  • memory/2848-16-0x00000000047B0000-0x00000000047F0000-memory.dmp

    Filesize

    256KB

  • memory/2848-51-0x0000000073E00000-0x00000000744EE000-memory.dmp

    Filesize

    6.9MB
