Analysis

  • max time kernel
    120s
  • max time network
    122s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    31/12/2024, 03:00 UTC

General

  • Target

    61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe

  • Size

    543KB

  • MD5

    5f388982adba14242c5e4ffcc388c1a0

  • SHA1

    8f202feb5a674362826c1e6d8fc5b1a38f86c14b

  • SHA256

    61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6f

  • SHA512

    7ad25e82b45e24d7f76bb9ec3a4ed8dbf497a5f87f1a0f3913d12cf2e1950b4981efe04a3b97b22053ac49e03c75e6fcb2dff2b4fb74f4be088e2f616355e3b4

  • SSDEEP

    12288:2iMmalyw9qfcaF52WgAIsAxOfqV42Rqol0M0pMsRNQSJGmENwMpV:nMigAm3lTaQ

Malware Config

Extracted

Family

njrat

Version

Platinum

Botnet

Victim

C2

kgb963.duckdns.org:1115

Mutex

svchost.exe

Attributes
  • reg_key

    svchost.exe

  • splitter

    |Ghost|

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Njrat family
  • njRAT/Bladabindi

    Widely used RAT written in .NET.

  • Drops startup file 3 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 53 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 25 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 31 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe
    "C:\Users\Admin\AppData\Local\Temp\61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4544
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /delete /tn "ChromeUpdate" /f
      2⤵
      • System Location Discovery: System Language Discovery
      PID:3608
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /sc minute /mo 1 /tn "ChromeUpdate" /tr C:\Users\Admin\AppData\Local\Temp\61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:2484
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /delete /tn "ChromeUpdate" /f
      2⤵
      • System Location Discovery: System Language Discovery
      PID:4972
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /sc minute /mo 1 /tn "ChromeUpdate" /tr C:\Users\Admin\AppData\Local\Temp\61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:1536
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /delete /tn "ChromeUpdate" /f
      2⤵
      • System Location Discovery: System Language Discovery
      PID:4108
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /sc minute /mo 1 /tn "ChromeUpdate" /tr C:\Users\Admin\AppData\Local\Temp\61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:1472
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /delete /tn "ChromeUpdate" /f
      2⤵
      • System Location Discovery: System Language Discovery
      PID:4608
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /sc minute /mo 1 /tn "ChromeUpdate" /tr C:\Users\Admin\AppData\Local\Temp\61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:3240
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /delete /tn "ChromeUpdate" /f
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1872
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /sc minute /mo 1 /tn "ChromeUpdate" /tr C:\Users\Admin\AppData\Local\Temp\61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:440
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /delete /tn "ChromeUpdate" /f
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1324
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /sc minute /mo 1 /tn "ChromeUpdate" /tr C:\Users\Admin\AppData\Local\Temp\61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:2476
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /delete /tn "ChromeUpdate" /f
      2⤵
      • System Location Discovery: System Language Discovery
      PID:3792
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /sc minute /mo 1 /tn "ChromeUpdate" /tr C:\Users\Admin\AppData\Local\Temp\61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:2124
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /delete /tn "ChromeUpdate" /f
      2⤵
      • System Location Discovery: System Language Discovery
      PID:4612
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /sc minute /mo 1 /tn "ChromeUpdate" /tr C:\Users\Admin\AppData\Local\Temp\61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:632
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /delete /tn "ChromeUpdate" /f
      2⤵
      • System Location Discovery: System Language Discovery
      PID:3568
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /sc minute /mo 1 /tn "ChromeUpdate" /tr C:\Users\Admin\AppData\Local\Temp\61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:3604
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /delete /tn "ChromeUpdate" /f
      2⤵
      • System Location Discovery: System Language Discovery
      PID:3768
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /sc minute /mo 1 /tn "ChromeUpdate" /tr C:\Users\Admin\AppData\Local\Temp\61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:3332
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /delete /tn "ChromeUpdate" /f
      2⤵
      • System Location Discovery: System Language Discovery
      PID:3032
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /sc minute /mo 1 /tn "ChromeUpdate" /tr C:\Users\Admin\AppData\Local\Temp\61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:2360
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /delete /tn "ChromeUpdate" /f
      2⤵
      • System Location Discovery: System Language Discovery
      PID:4812
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /sc minute /mo 1 /tn "ChromeUpdate" /tr C:\Users\Admin\AppData\Local\Temp\61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:4108
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /delete /tn "ChromeUpdate" /f
      2⤵
      • System Location Discovery: System Language Discovery
      PID:3436
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /sc minute /mo 1 /tn "ChromeUpdate" /tr C:\Users\Admin\AppData\Local\Temp\61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:964
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /delete /tn "ChromeUpdate" /f
      2⤵
      • System Location Discovery: System Language Discovery
      PID:4192
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /sc minute /mo 1 /tn "ChromeUpdate" /tr C:\Users\Admin\AppData\Local\Temp\61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:1504
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /delete /tn "ChromeUpdate" /f
      2⤵
      • System Location Discovery: System Language Discovery
      PID:4532
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /sc minute /mo 1 /tn "ChromeUpdate" /tr C:\Users\Admin\AppData\Local\Temp\61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:3992
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /delete /tn "ChromeUpdate" /f
      2⤵
      • System Location Discovery: System Language Discovery
      PID:656
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /sc minute /mo 1 /tn "ChromeUpdate" /tr C:\Users\Admin\AppData\Local\Temp\61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:2008
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /delete /tn "ChromeUpdate" /f
      2⤵
      • System Location Discovery: System Language Discovery
      PID:4976
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /sc minute /mo 1 /tn "ChromeUpdate" /tr C:\Users\Admin\AppData\Local\Temp\61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:5008
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /delete /tn "ChromeUpdate" /f
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2708
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /sc minute /mo 1 /tn "ChromeUpdate" /tr C:\Users\Admin\AppData\Local\Temp\61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:2808
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /delete /tn "ChromeUpdate" /f
      2⤵
      • System Location Discovery: System Language Discovery
      PID:4428
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /sc minute /mo 1 /tn "ChromeUpdate" /tr C:\Users\Admin\AppData\Local\Temp\61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:4020
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /delete /tn "ChromeUpdate" /f
      2⤵
      • System Location Discovery: System Language Discovery
      PID:3672
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /sc minute /mo 1 /tn "ChromeUpdate" /tr C:\Users\Admin\AppData\Local\Temp\61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:4752
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /delete /tn "ChromeUpdate" /f
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2424
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /sc minute /mo 1 /tn "ChromeUpdate" /tr C:\Users\Admin\AppData\Local\Temp\61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:3768
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /delete /tn "ChromeUpdate" /f
      2⤵
      • System Location Discovery: System Language Discovery
      PID:928
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /sc minute /mo 1 /tn "ChromeUpdate" /tr C:\Users\Admin\AppData\Local\Temp\61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:1712
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /delete /tn "ChromeUpdate" /f
      2⤵
      • System Location Discovery: System Language Discovery
      PID:5060
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /sc minute /mo 1 /tn "ChromeUpdate" /tr C:\Users\Admin\AppData\Local\Temp\61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:2848
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /delete /tn "ChromeUpdate" /f
      2⤵
      • System Location Discovery: System Language Discovery
      PID:3852
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /sc minute /mo 1 /tn "ChromeUpdate" /tr C:\Users\Admin\AppData\Local\Temp\61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:2264
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /delete /tn "ChromeUpdate" /f
      2⤵
      • System Location Discovery: System Language Discovery
      PID:3228
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /sc minute /mo 1 /tn "ChromeUpdate" /tr C:\Users\Admin\AppData\Local\Temp\61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:868
  • C:\Users\Admin\AppData\Local\Temp\61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe
    C:\Users\Admin\AppData\Local\Temp\61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    PID:1912
  • C:\Users\Admin\AppData\Local\Temp\61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe
    C:\Users\Admin\AppData\Local\Temp\61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    PID:440

Network

  • DNS
    8.8.8.8.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    8.8.8.8.in-addr.arpa
    IN PTR
    Response
    8.8.8.8.in-addr.arpa
    IN PTR
    dns.google
  • DNS
    97.17.167.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    97.17.167.52.in-addr.arpa
    IN PTR
    Response
  • DNS
    172.214.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.214.232.199.in-addr.arpa
    IN PTR
    Response
  • DNS
    138.32.126.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    138.32.126.40.in-addr.arpa
    IN PTR
    Response
  • DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • DNS
    kgb963.duckdns.org
    61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe
    Remote address:
    8.8.8.8:53
    Request
    kgb963.duckdns.org
    IN A
    Response
    kgb963.duckdns.org
    IN A
    167.71.14.135
  • DNS
    13.86.106.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    13.86.106.20.in-addr.arpa
    IN PTR
    Response
  • DNS
    53.210.109.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    53.210.109.20.in-addr.arpa
    IN PTR
    Response
  • DNS
    171.39.242.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    171.39.242.20.in-addr.arpa
    IN PTR
    Response
  • DNS
    107.12.20.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    107.12.20.2.in-addr.arpa
    IN PTR
    Response
    107.12.20.2.in-addr.arpa
    IN PTR
    a2-20-12-107.deploy.static.akamaitechnologies.com
  • DNS
    180.129.81.91.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    180.129.81.91.in-addr.arpa
    IN PTR
    Response
  • DNS
    85.49.80.91.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    85.49.80.91.in-addr.arpa
    IN PTR
    Response
  • DNS
    13.227.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    13.227.111.52.in-addr.arpa
    IN PTR
    Response
  • 167.71.14.135:1115
    kgb963.duckdns.org
    61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe
    260 B
    200 B
    5
    5
  • 8.8.8.8:53
    8.8.8.8.in-addr.arpa
    dns
    66 B
    90 B
    1
    1

    DNS Request

    8.8.8.8.in-addr.arpa

  • 8.8.8.8:53
    97.17.167.52.in-addr.arpa
    dns
    71 B
    145 B
    1
    1

    DNS Request

    97.17.167.52.in-addr.arpa

  • 8.8.8.8:53
    172.214.232.199.in-addr.arpa
    dns
    74 B
    128 B
    1
    1

    DNS Request

    172.214.232.199.in-addr.arpa

  • 8.8.8.8:53
    138.32.126.40.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    138.32.126.40.in-addr.arpa

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    73 B
    144 B
    1
    1

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    kgb963.duckdns.org
    dns
    61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe
    128 B
    160 B
    2
    2

    DNS Request

    kgb963.duckdns.org

    DNS Request

    kgb963.duckdns.org

    DNS Response

    167.71.14.135

    DNS Response

    167.71.14.135

  • 8.8.8.8:53
    13.86.106.20.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    13.86.106.20.in-addr.arpa

  • 8.8.8.8:53
    53.210.109.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    53.210.109.20.in-addr.arpa

  • 8.8.8.8:53
    171.39.242.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    171.39.242.20.in-addr.arpa

  • 8.8.8.8:53
    107.12.20.2.in-addr.arpa
    dns
    70 B
    133 B
    1
    1

    DNS Request

    107.12.20.2.in-addr.arpa

  • 8.8.8.8:53
    180.129.81.91.in-addr.arpa
    dns
    72 B
    147 B
    1
    1

    DNS Request

    180.129.81.91.in-addr.arpa

  • 8.8.8.8:53
    85.49.80.91.in-addr.arpa
    dns
    70 B
    145 B
    1
    1

    DNS Request

    85.49.80.91.in-addr.arpa

  • 8.8.8.8:53
    13.227.111.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    13.227.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe.log

    Filesize

    418B

    MD5

    50045c5c59ae3eb2db5452fb39e13335

    SHA1

    56226b40d4458df7e92f802381401e4183c97cb2

    SHA256

    b90b2a4ba2c69f094edce48807ad1873b1265c83795139fbf4576697fe65cae9

    SHA512

    bb20f9389e69e4a17fa254bd3b77212797f3be159ec6129b3a1501db3e24fb7b12096fbdbfcc93c24ecdb3cea88eae8a58e279b39c0777b6a4e9d4c15057faa4

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\dllhost.exe

    Filesize

    543KB

    MD5

    5f388982adba14242c5e4ffcc388c1a0

    SHA1

    8f202feb5a674362826c1e6d8fc5b1a38f86c14b

    SHA256

    61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6f

    SHA512

    7ad25e82b45e24d7f76bb9ec3a4ed8dbf497a5f87f1a0f3913d12cf2e1950b4981efe04a3b97b22053ac49e03c75e6fcb2dff2b4fb74f4be088e2f616355e3b4

  • memory/1912-20-0x0000000075350000-0x0000000075B00000-memory.dmp

    Filesize

    7.7MB

  • memory/1912-16-0x0000000075350000-0x0000000075B00000-memory.dmp

    Filesize

    7.7MB

  • memory/1912-15-0x0000000075350000-0x0000000075B00000-memory.dmp

    Filesize

    7.7MB

  • memory/4544-11-0x0000000005E20000-0x0000000005E2A000-memory.dmp

    Filesize

    40KB

  • memory/4544-0-0x000000007535E000-0x000000007535F000-memory.dmp

    Filesize

    4KB

  • memory/4544-10-0x0000000005E70000-0x0000000005F02000-memory.dmp

    Filesize

    584KB

  • memory/4544-13-0x000000007535E000-0x000000007535F000-memory.dmp

    Filesize

    4KB

  • memory/4544-14-0x0000000075350000-0x0000000075B00000-memory.dmp

    Filesize

    7.7MB

  • memory/4544-6-0x0000000075350000-0x0000000075B00000-memory.dmp

    Filesize

    7.7MB

  • memory/4544-3-0x0000000005520000-0x0000000005AC4000-memory.dmp

    Filesize

    5.6MB

  • memory/4544-2-0x0000000004ED0000-0x0000000004F6C000-memory.dmp

    Filesize

    624KB

  • memory/4544-1-0x0000000000430000-0x00000000004BE000-memory.dmp

    Filesize

    568KB
