Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
149s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
14/01/2025, 13:44 UTC
Static task
static1
Behavioral task
behavioral1
Sample
inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
$PLUGINSDIR/System.dll
Resource
win7-20240903-en
Behavioral task
behavioral4
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20241007-en
General
-
Target
inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe
-
Size
537KB
-
MD5
25eec63edf7c0eb8628a89712b5cb363
-
SHA1
4e8d586a950492c30147b7d56bcfad49cd577966
-
SHA256
e075807417590255de4d395fa3dfbc336e88c96bbab8afca1d5e5d5abbac0237
-
SHA512
086feb119e2a02f2fd7afc45c422f9b472f049eb2e79f83769f25254d88a84086275d2cff1e891d360ea57978292cd0caf958e4000cd659ac532165e1f881dfb
-
SSDEEP
6144:UnPdudwDCVOCg2G4A+uxXCpzna3MSzy99s5sbro5kd+B4hJ1QQsSGuhkrpzOUlec:UnPdMg2H8SpzaThHy7mzOUlvnVMs3e+
Malware Config
Extracted
remcos
Manifest
linktreewealth.zapto.org:3980
linktreewealth.zapto.org:3981
linktreewealthy.zapto.org:3980
-
audio_folder
MicRecords
-
audio_path
ApplicationPath
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-0B1XIG
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
Extracted
latentbot
linktreewealth.zapto.org
Signatures
-
Latentbot family
-
Remcos family
-
Detected Nirsoft tools 10 IoCs
Free utilities often used by attackers which can steal passwords, product keys, etc.
resource yara_rule behavioral2/memory/2080-71-0x0000000000400000-0x0000000000462000-memory.dmp Nirsoft behavioral2/memory/2080-79-0x0000000000400000-0x0000000000462000-memory.dmp Nirsoft behavioral2/memory/4704-85-0x0000000000400000-0x0000000000478000-memory.dmp Nirsoft behavioral2/memory/3900-78-0x0000000000400000-0x0000000000424000-memory.dmp Nirsoft behavioral2/memory/3900-77-0x0000000000400000-0x0000000000424000-memory.dmp Nirsoft behavioral2/memory/4704-68-0x0000000000400000-0x0000000000478000-memory.dmp Nirsoft behavioral2/memory/3516-100-0x0000000000400000-0x0000000000478000-memory.dmp Nirsoft behavioral2/memory/3516-91-0x0000000000400000-0x0000000000478000-memory.dmp Nirsoft behavioral2/memory/2052-107-0x0000000000400000-0x0000000000424000-memory.dmp Nirsoft behavioral2/memory/3924-101-0x0000000000400000-0x0000000000462000-memory.dmp Nirsoft -
NirSoft MailPassView 3 IoCs
Password recovery tool for various email clients
resource yara_rule behavioral2/memory/2080-71-0x0000000000400000-0x0000000000462000-memory.dmp MailPassView behavioral2/memory/2080-79-0x0000000000400000-0x0000000000462000-memory.dmp MailPassView behavioral2/memory/3924-101-0x0000000000400000-0x0000000000462000-memory.dmp MailPassView -
NirSoft WebBrowserPassView 4 IoCs
Password recovery tool for various web browsers
resource yara_rule behavioral2/memory/4704-85-0x0000000000400000-0x0000000000478000-memory.dmp WebBrowserPassView behavioral2/memory/4704-68-0x0000000000400000-0x0000000000478000-memory.dmp WebBrowserPassView behavioral2/memory/3516-100-0x0000000000400000-0x0000000000478000-memory.dmp WebBrowserPassView behavioral2/memory/3516-91-0x0000000000400000-0x0000000000478000-memory.dmp WebBrowserPassView -
Loads dropped DLL 1 IoCs
pid Process 3668 inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook accounts 1 TTPs 2 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe Key opened \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Unvanquished = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fejlbetjening\\Rockerfest.bat" inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe -
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
pid Process 4528 inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
pid Process 3668 inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe 4528 inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe -
Suspicious use of SetThreadContext 7 IoCs
description pid Process procid_target PID 3668 set thread context of 4528 3668 inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe 94 PID 4528 set thread context of 4704 4528 inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe 99 PID 4528 set thread context of 2080 4528 inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe 100 PID 4528 set thread context of 3900 4528 inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe 101 PID 4528 set thread context of 3516 4528 inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe 104 PID 4528 set thread context of 3924 4528 inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe 105 PID 4528 set thread context of 2052 4528 inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe 106 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
pid pid_target Process procid_target 1924 4704 WerFault.exe 99 -
System Location Discovery: System Language Discovery 1 TTPs 8 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe -
Suspicious behavior: EnumeratesProcesses 12 IoCs
pid Process 4704 inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe 4704 inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe 3900 inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe 3900 inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe 4704 inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe 4704 inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe 3516 inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe 3516 inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe 3516 inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe 3516 inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe 2052 inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe 2052 inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe -
Suspicious behavior: MapViewOfSection 7 IoCs
pid Process 3668 inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe 4528 inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe 4528 inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe 4528 inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe 4528 inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe 4528 inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe 4528 inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 3900 inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe Token: SeDebugPrivilege 2052 inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 4528 inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe -
Suspicious use of WriteProcessMemory 26 IoCs
description pid Process procid_target PID 3668 wrote to memory of 4528 3668 inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe 94 PID 3668 wrote to memory of 4528 3668 inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe 94 PID 3668 wrote to memory of 4528 3668 inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe 94 PID 3668 wrote to memory of 4528 3668 inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe 94 PID 3668 wrote to memory of 4528 3668 inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe 94 PID 4528 wrote to memory of 4704 4528 inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe 99 PID 4528 wrote to memory of 4704 4528 inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe 99 PID 4528 wrote to memory of 4704 4528 inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe 99 PID 4528 wrote to memory of 2080 4528 inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe 100 PID 4528 wrote to memory of 2080 4528 inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe 100 PID 4528 wrote to memory of 2080 4528 inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe 100 PID 4528 wrote to memory of 3900 4528 inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe 101 PID 4528 wrote to memory of 3900 4528 inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe 101 PID 4528 wrote to memory of 3900 4528 inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe 101 PID 4528 wrote to memory of 3516 4528 inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe 104 PID 4528 wrote to memory of 3516 4528 inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe 104 PID 4528 wrote to memory of 3516 4528 inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe 104 PID 4528 wrote to memory of 3924 4528 inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe 105 PID 4528 wrote to memory of 3924 4528 inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe 105 PID 4528 wrote to memory of 3924 4528 inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe 105 PID 4528 wrote to memory of 2052 4528 inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe 106 PID 4528 wrote to memory of 2052 4528 inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe 106 PID 4528 wrote to memory of 2052 4528 inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe 106 PID 4704 wrote to memory of 1924 4704 inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe 108 PID 4704 wrote to memory of 1924 4704 inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe 108 PID 4704 wrote to memory of 1924 4704 inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe 108
Processes
-
C:\Users\Admin\AppData\Local\Temp\inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe"C:\Users\Admin\AppData\Local\Temp\inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe"1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3668 -
C:\Users\Admin\AppData\Local\Temp\inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe"C:\Users\Admin\AppData\Local\Temp\inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe"2⤵
- Adds Run key to start application
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4528 -
C:\Users\Admin\AppData\Local\Temp\inward_payment_confirmation_reference_Z1766053541_notifications.bat.exeC:\Users\Admin\AppData\Local\Temp\inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe /stext "C:\Users\Admin\AppData\Local\Temp\zorwseoq"3⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4704 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4704 -s 6644⤵
- Program crash
PID:1924
-
-
-
C:\Users\Admin\AppData\Local\Temp\inward_payment_confirmation_reference_Z1766053541_notifications.bat.exeC:\Users\Admin\AppData\Local\Temp\inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe /stext "C:\Users\Admin\AppData\Local\Temp\kqxptoykorjr"3⤵
- Accesses Microsoft Outlook accounts
- System Location Discovery: System Language Discovery
PID:2080
-
-
C:\Users\Admin\AppData\Local\Temp\inward_payment_confirmation_reference_Z1766053541_notifications.bat.exeC:\Users\Admin\AppData\Local\Temp\inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe /stext "C:\Users\Admin\AppData\Local\Temp\ukchugjlczbeunu"3⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3900
-
-
C:\Users\Admin\AppData\Local\Temp\inward_payment_confirmation_reference_Z1766053541_notifications.bat.exeC:\Users\Admin\AppData\Local\Temp\inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe /stext "C:\Users\Admin\AppData\Local\Temp\bwicsyzsam"3⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:3516
-
-
C:\Users\Admin\AppData\Local\Temp\inward_payment_confirmation_reference_Z1766053541_notifications.bat.exeC:\Users\Admin\AppData\Local\Temp\inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe /stext "C:\Users\Admin\AppData\Local\Temp\mqovsikmnuilv"3⤵
- Accesses Microsoft Outlook accounts
- System Location Discovery: System Language Discovery
PID:3924
-
-
C:\Users\Admin\AppData\Local\Temp\inward_payment_confirmation_reference_Z1766053541_notifications.bat.exeC:\Users\Admin\AppData\Local\Temp\inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe /stext "C:\Users\Admin\AppData\Local\Temp\osbftbunbcaygulub"3⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2052
-
-
Network
-
Remote address:8.8.8.8:53Request196.249.167.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request22.49.80.91.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request72.32.126.40.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request167.173.78.104.in-addr.arpaIN PTRResponse167.173.78.104.in-addr.arpaIN PTRa104-78-173-167deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request228.249.119.40.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Requestteldrum.roIN AResponseteldrum.roIN A109.99.162.14
-
GEThttps://teldrum.ro/NJrdZqNcCtz102.bininward_payment_confirmation_reference_Z1766053541_notifications.bat.exeRemote address:109.99.162.14:443RequestGET /NJrdZqNcCtz102.bin HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
Host: teldrum.ro
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Server: Apache
Last-Modified: Mon, 13 Jan 2025 20:36:39 GMT
Accept-Ranges: bytes
Content-Length: 493632
Content-Type: application/octet-stream
-
Remote address:8.8.8.8:53Request14.162.99.109.in-addr.arpaIN PTRResponse14.162.99.109.in-addr.arpaIN PTRcpanel4 romtelecomnet
-
Remote address:8.8.8.8:53Request40.13.222.173.in-addr.arpaIN PTRResponse40.13.222.173.in-addr.arpaIN PTRa173-222-13-40deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request53.210.109.20.in-addr.arpaIN PTRResponse
-
DNSlinktreewealth.zapto.orginward_payment_confirmation_reference_Z1766053541_notifications.bat.exeRemote address:8.8.8.8:53Requestlinktreewealth.zapto.orgIN AResponselinktreewealth.zapto.orgIN A43.226.229.209
-
Remote address:8.8.8.8:53Request241.42.69.40.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Requestgeoplugin.netIN AResponsegeoplugin.netIN A178.237.33.50
-
GEThttp://geoplugin.net/json.gpinward_payment_confirmation_reference_Z1766053541_notifications.bat.exeRemote address:178.237.33.50:80RequestGET /json.gp HTTP/1.1
Host: geoplugin.net
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
server: Apache
content-length: 956
content-type: application/json; charset=utf-8
cache-control: public, max-age=300
access-control-allow-origin: *
-
Remote address:8.8.8.8:53Request209.229.226.43.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request107.12.20.2.in-addr.arpaIN PTRResponse107.12.20.2.in-addr.arpaIN PTRa2-20-12-107deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request50.33.237.178.in-addr.arpaIN PTRResponse50.33.237.178.in-addr.arpaIN CNAME50.32/27.178.237.178.in-addr.arpa
-
Remote address:8.8.8.8:53Request86.49.80.91.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request22.236.111.52.in-addr.arpaIN PTRResponse
-
109.99.162.14:443https://teldrum.ro/NJrdZqNcCtz102.bintls, httpinward_payment_confirmation_reference_Z1766053541_notifications.bat.exe18.3kB 514.4kB 379 374
HTTP Request
GET https://teldrum.ro/NJrdZqNcCtz102.binHTTP Response
200 -
43.226.229.209:3980linktreewealth.zapto.orginward_payment_confirmation_reference_Z1766053541_notifications.bat.exe2.6kB 631 B 10 12
-
43.226.229.209:3980linktreewealth.zapto.orginward_payment_confirmation_reference_Z1766053541_notifications.bat.exe40.2kB 574.8kB 310 417
-
178.237.33.50:80http://geoplugin.net/json.gphttpinward_payment_confirmation_reference_Z1766053541_notifications.bat.exe577 B 1.3kB 11 3
HTTP Request
GET http://geoplugin.net/json.gpHTTP Response
200
-
73 B 147 B 1 1
DNS Request
196.249.167.52.in-addr.arpa
-
70 B 145 B 1 1
DNS Request
22.49.80.91.in-addr.arpa
-
71 B 157 B 1 1
DNS Request
72.32.126.40.in-addr.arpa
-
73 B 139 B 1 1
DNS Request
167.173.78.104.in-addr.arpa
-
73 B 159 B 1 1
DNS Request
228.249.119.40.in-addr.arpa
-
56 B 72 B 1 1
DNS Request
teldrum.ro
DNS Response
109.99.162.14
-
72 B 108 B 1 1
DNS Request
14.162.99.109.in-addr.arpa
-
72 B 137 B 1 1
DNS Request
40.13.222.173.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
53.210.109.20.in-addr.arpa
-
8.8.8.8:53linktreewealth.zapto.orgdnsinward_payment_confirmation_reference_Z1766053541_notifications.bat.exe70 B 86 B 1 1
DNS Request
linktreewealth.zapto.org
DNS Response
43.226.229.209
-
71 B 145 B 1 1
DNS Request
241.42.69.40.in-addr.arpa
-
8.8.8.8:53geoplugin.netdnsinward_payment_confirmation_reference_Z1766053541_notifications.bat.exe59 B 75 B 1 1
DNS Request
geoplugin.net
DNS Response
178.237.33.50
-
73 B 161 B 1 1
DNS Request
209.229.226.43.in-addr.arpa
-
70 B 133 B 1 1
DNS Request
107.12.20.2.in-addr.arpa
-
72 B 155 B 1 1
DNS Request
50.33.237.178.in-addr.arpa
-
70 B 145 B 1 1
DNS Request
86.49.80.91.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
22.236.111.52.in-addr.arpa
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
144B
MD525f8276e687facc21e45dc1e9e765fe8
SHA1c5461cdbe8010131dc25dcee5e43d0219bc84225
SHA256d2f3ecd58b5e588e53a83968803fcd8fccb9263590ea8578b80fbee2c4f9e5fe
SHA512d0106f03f2ef65aa8767cb14823113f03cab05499a6f3bba60cc5d13cf08dd4bfdf92f0c4014e4e3e1809e025af15c185f5bc6ef0bc096451f3014a9a918ec10
-
Filesize
4KB
MD5562a58578d6d04c7fb6bda581c57c03c
SHA112ab2b88624d01da0c5f5d1441aa21cbc276c5f5
SHA256ff5c70287ba432a83f9015209d6e933462edca01d68c53c09882e1e4d22241c8
SHA5123f6e19faa0196bd4c085defa587e664abdd63c25ef30df8f4323e60a5a5aca3cd2709466f772e64ab00fe331d4264841422d6057451947f3500e9252a132254e
-
Filesize
12KB
MD54add245d4ba34b04f213409bfe504c07
SHA1ef756d6581d70e87d58cc4982e3f4d18e0ea5b09
SHA2569111099efe9d5c9b391dc132b2faf0a3851a760d4106d5368e30ac744eb42706
SHA5121bd260cabe5ea3cefbbc675162f30092ab157893510f45a1b571489e03ebb2903c55f64f89812754d3fe03c8f10012b8078d1261a7e73ac1f87c82f714bce03d