Analysis

  • max time kernel
    300s
  • max time network
    281s
  • platform
    windows10-1703_x64
  • resource
    win10-20230703-en
  • resource tags
    arch:x64 arch:x86 image:win10-20230703-en locale:en-us os:windows10-1703-x64 system
  • submitted
    03/08/2023, 05:01 UTC

General

  • Target

    adbe7a6a87ed8acc591a850031d9dfd8f70399a5bee4d749ebd68d120d195695.exe

  • Size

    321KB

  • MD5

    30ff060017187bb4b3d03a131a07182b

  • SHA1

    4e3d0cace04c9de5041f5c947cacfb2ffc57cfe4

  • SHA256

    adbe7a6a87ed8acc591a850031d9dfd8f70399a5bee4d749ebd68d120d195695

  • SHA512

    23343e03f7c5752effedfb842e71ab7852de3f55267728130e67d0e8cab8f9af97d2abe4a41f0261ce6e9580e1fce1204b677f62a764b64749a856c1768e2103

  • SSDEEP

    3072:7bLJL7l1YVVVlFhjHUMeLGN/pKHojv7URsR9iFITEFDRFMWjkK9:7hh1YVVnnU/C1MOjhv8FDT

Malware Config

Extracted

Family

smokeloader

Botnet

0020

Extracted

Family

smokeloader

Version

2022

C2

https://nebraska-pizza.com/search.php

https://alaska-ships.com/search.php

rc4.i32
1
0x34abc5e8

rc4.i32
1
0xaefe271c

Signatures

  • SmokeLoader

    Modular backdoor trojan in use since 2014.

  • Modifies Windows Firewall 1 TTPs 1 IoCs
  • Deletes itself 1 IoCs
  • Enumerates processes with tasklist 1 TTPs 1 IoCs
  • Gathers network information 2 TTPs 4 IoCs

    Uses commandline utility to view network configuration.

  • Gathers system information 1 TTPs 1 IoCs

    Runs systeminfo.exe.

  • Modifies Internet Explorer settings 1 TTPs 40 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 25 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\adbe7a6a87ed8acc591a850031d9dfd8f70399a5bee4d749ebd68d120d195695.exe
    "C:\Users\Admin\AppData\Local\Temp\adbe7a6a87ed8acc591a850031d9dfd8f70399a5bee4d749ebd68d120d195695.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    PID:5096
  • C:\Windows\system32\cmd.exe
    cmd
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2252
    • C:\Windows\System32\Wbem\WMIC.exe
      wmic /namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /format:csv
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:5000
    • C:\Windows\System32\Wbem\WMIC.exe
      wmic /namespace:\\root\SecurityCenter2 Path FirewallProduct Get displayName /format:csv
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2576
    • C:\Windows\System32\Wbem\WMIC.exe
      wmic /namespace:\\root\SecurityCenter2 Path AntiSpywareProduct Get displayName /format:csv
      2⤵
      PID:3796
    • C:\Windows\System32\Wbem\WMIC.exe
      wmic /namespace:\\root\cimv2 Path Win32_Processor Get Name,DeviceID,NumberOfCores /format:csv
      2⤵
      PID:2332
    • C:\Windows\System32\Wbem\WMIC.exe
      wmic /namespace:\\root\cimv2 Path Win32_Product Get Name,Version /format:csv
      2⤵
      PID:4824
    • C:\Windows\System32\Wbem\WMIC.exe
      wmic /namespace:\\root\cimv2 Path Win32_NetworkAdapter Where PhysicalAdapter=TRUE Get Name,MACAddress,ProductName,ServiceName,NetConnectionID /format:csv
      2⤵
      PID:4556
    • C:\Windows\System32\Wbem\WMIC.exe
      wmic /namespace:\\root\cimv2 Path Win32_StartupCommand Get Name,Location,Command /format:csv
      2⤵
      PID:2652
    • C:\Windows\System32\Wbem\WMIC.exe
      wmic /namespace:\\root\cimv2 Path Win32_OperatingSystem Get Caption,CSDVersion,BuildNumber,Version,BuildType,CountryCode,CurrentTimeZone,InstallDate,LastBootUpTime,Locale,OSArchitecture,OSLanguage,OSProductSuite,OSType,SystemDirectory,Organization,RegisteredUser,SerialNumber /format:csv
      2⤵
      PID:4976
    • C:\Windows\System32\Wbem\WMIC.exe
      wmic /namespace:\\root\cimv2 Path Win32_Process Get Caption,CommandLine,ExecutablePath,ProcessId /format:csv
      2⤵
      PID:4836
    • C:\Windows\System32\Wbem\WMIC.exe
      wmic /namespace:\\root\cimv2 Path Win32_Volume Get Name,Label,FileSystem,SerialNumber,BootVolume,Capacity,DriveType /format:csv
      2⤵
      PID:3652
    • C:\Windows\System32\Wbem\WMIC.exe
      wmic /namespace:\\root\cimv2 Path Win32_UserAccount Get Name,Domain,AccountType,LocalAccount,Disabled,Status,SID /format:csv
      2⤵
      PID:4304
    • C:\Windows\System32\Wbem\WMIC.exe
      wmic /namespace:\\root\cimv2 Path Win32_GroupUser Get GroupComponent,PartComponent /format:csv
      2⤵
      PID:4932
    • C:\Windows\System32\Wbem\WMIC.exe
      wmic /namespace:\\root\cimv2 Path Win32_ComputerSystem Get Caption,Manufacturer,PrimaryOwnerName,UserName,Workgroup /format:csv
      2⤵
      PID:2016
    • C:\Windows\System32\Wbem\WMIC.exe
      wmic /namespace:\\root\cimv2 Path Win32_PnPEntity Where ClassGuid="{50dd5230-ba8a-11d1-bf5d-0000f805f530}" Get Name,DeviceID,PNPDeviceID,Manufacturer,Description /format:csv
      2⤵
      PID:1740
    • C:\Windows\system32\ipconfig.exe
      ipconfig /displaydns
      2⤵
      • Gathers network information
      PID:32
    • C:\Windows\system32\ROUTE.EXE
      route print
      2⤵
      PID:4616
    • C:\Windows\system32\netsh.exe
      netsh firewall show state
      2⤵
      • Modifies Windows Firewall
      PID:4516
    • C:\Windows\system32\systeminfo.exe
      systeminfo
      2⤵
      • Gathers system information
      PID:2952
    • C:\Windows\system32\tasklist.exe
      tasklist /v
      2⤵
      • Enumerates processes with tasklist
      PID:652
    • C:\Windows\system32\net.exe
      net accounts /domain
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1012
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 accounts /domain
        3⤵
        PID:4600
    • C:\Windows\system32\net.exe
      net share
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2140
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 share
        3⤵
        PID:236
    • C:\Windows\system32\net.exe
      net user
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3456
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 user
        3⤵
        PID:2216
    • C:\Windows\system32\net.exe
      net user /domain
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4980
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 user /domain
        3⤵
        PID:3464
    • C:\Windows\system32\net.exe
      net use
      2⤵
      PID:4240
    • C:\Windows\system32\net.exe
      net group
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2176
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 group
        3⤵
        PID:5012
    • C:\Windows\system32\net.exe
      net localgroup
      2⤵
      PID:1396
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 localgroup
        3⤵
        PID:424
    • C:\Windows\system32\NETSTAT.EXE
      netstat -r
      2⤵
      • Gathers network information
      PID:3492
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c "C:\Windows\system32\route.exe" print
        3⤵
        PID:632
        • C:\Windows\system32\ROUTE.EXE
          C:\Windows\system32\route.exe print
          4⤵
          PID:996
    • C:\Windows\system32\NETSTAT.EXE
      netstat -nao
      2⤵
      • Gathers network information
      PID:2508
    • C:\Windows\system32\schtasks.exe
      schtasks /query
      2⤵
      PID:2544
    • C:\Windows\system32\ipconfig.exe
      ipconfig /all
      2⤵
      • Gathers network information
      PID:2320
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    PID:2204
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    PID:1016
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1016 CREDAT:82945 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:2452
  • C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    1⤵
    PID:1580
  • C:\Windows\explorer.exe
    C:\Windows\explorer.exe
    1⤵
    PID:2904
  • C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    1⤵
    • Suspicious behavior: MapViewOfSection
    PID:4876
  • C:\Windows\explorer.exe
    C:\Windows\explorer.exe
    1⤵
    • Suspicious behavior: MapViewOfSection
    PID:4132
  • C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    1⤵
    • Suspicious behavior: MapViewOfSection
    PID:752
  • C:\Windows\explorer.exe
    C:\Windows\explorer.exe
    1⤵
    • Suspicious behavior: MapViewOfSection
    PID:4104
  • C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    1⤵
    PID:4628
  • C:\Windows\explorer.exe
    C:\Windows\explorer.exe
    1⤵
    PID:220

Network

  • flag-us
    DNS
    nebraska-pizza.com
    explorer.exe
    Remote address:
    8.8.8.8:53
    Request
    nebraska-pizza.com
    IN A
    Response
    nebraska-pizza.com
    IN A
    45.61.136.186
  • flag-us
    POST
    https://nebraska-pizza.com/search.php
    Remote address:
    45.61.136.186:443
    Request
    POST /search.php HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    Accept: */*
    Referer: https://lxrmds.org/
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
    Content-Length: 330
    Host: nebraska-pizza.com
    Response
    HTTP/1.1 404 Not Found
    Server: nginx/1.18.0 (Ubuntu)
    Date: Thu, 03 Aug 2023 05:02:00 GMT
    Content-Type: text/html; charset=utf-8
    Transfer-Encoding: chunked
    Connection: keep-alive
  • flag-us
    POST
    https://nebraska-pizza.com/search.php
    Remote address:
    45.61.136.186:443
    Request
    POST /search.php HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    Accept: */*
    Referer: https://eartvjfa.org/
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
    Content-Length: 268
    Host: nebraska-pizza.com
    Response
    HTTP/1.1 404 Not Found
    Server: nginx/1.18.0 (Ubuntu)
    Date: Thu, 03 Aug 2023 05:02:02 GMT
    Content-Type: text/html; charset=utf-8
    Transfer-Encoding: chunked
    Connection: keep-alive
  • flag-us
    POST
    https://nebraska-pizza.com/search.php
    Remote address:
    45.61.136.186:443
    Request
    POST /search.php HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    Accept: */*
    Referer: https://iknkbpw.net/
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
    Content-Length: 324
    Host: nebraska-pizza.com
    Response
    HTTP/1.1 404 Not Found
    Server: nginx/1.18.0 (Ubuntu)
    Date: Thu, 03 Aug 2023 05:02:02 GMT
    Content-Type: text/html; charset=utf-8
    Transfer-Encoding: chunked
    Connection: keep-alive
  • flag-us
    DNS
    186.136.61.45.in-addr.arpa
    ipconfig.exe
    Remote address:
    8.8.8.8:53
    Request
    186.136.61.45.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    240.81.21.72.in-addr.arpa
    ipconfig.exe
    Remote address:
    8.8.8.8:53
    Request
    240.81.21.72.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    evcs-ocsp.ws.symantec.com
    ipconfig.exe
    Remote address:
    8.8.8.8:53
    Request
    evcs-ocsp.ws.symantec.com
    IN A
    Response
    evcs-ocsp.ws.symantec.com
    IN CNAME
    mpki-ocsp.digicert.com
    mpki-ocsp.digicert.com
    IN CNAME
    fp3011.wpc.2be4.phicdn.net
    fp3011.wpc.2be4.phicdn.net
    IN CNAME
    fp3011.wpc.phicdn.net
    fp3011.wpc.phicdn.net
    IN A
    152.195.50.149
  • flag-us
    GET
    http://evcs-ocsp.ws.symantec.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQckPwgwK2Thdm9JYVwXQ4ERz3XDQQUo47PGUI9MeGrIYmEbcvZeaKysloCEHX7Uch2jvaSe%2FQdoaI0odk%3D
    Remote address:
    152.195.50.149:80
    Request
    GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBQckPwgwK2Thdm9JYVwXQ4ERz3XDQQUo47PGUI9MeGrIYmEbcvZeaKysloCEHX7Uch2jvaSe%2FQdoaI0odk%3D HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Microsoft-CryptoAPI/10.0
    Host: evcs-ocsp.ws.symantec.com
    Response
    HTTP/1.1 200 OK
    Accept-Ranges: bytes
    Age: 1650
    Cache-Control: public, max-age=86400
    Content-Type: application/ocsp-response
    Date: Thu, 03 Aug 2023 05:02:10 GMT
    Last-Modified: Thu, 03 Aug 2023 04:34:40 GMT
    Server: ECAcc (bsa/EB27)
    X-Cache: HIT
    X-Content-Type-Options: nosniff
    X-Frame-Options: SAMEORIGIN
    X-XSS-Protection: 1; mode=block
    Content-Length: 1517
  • flag-us
    DNS
    74.19.199.152.in-addr.arpa
    ipconfig.exe
    Remote address:
    8.8.8.8:53
    Request
    74.19.199.152.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    149.50.195.152.in-addr.arpa
    ipconfig.exe
    Remote address:
    8.8.8.8:53
    Request
    149.50.195.152.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    ca-ferrari-club.com
    Remote address:
    8.8.8.8:53
    Request
    ca-ferrari-club.com
    IN A
    Response
    ca-ferrari-club.com
    IN A
    165.227.8.65
  • flag-us
    DNS
    ca-ferrari-club.com
    Remote address:
    8.8.8.8:53
    Request
    ca-ferrari-club.com
    IN A
    Response
  • flag-us
    DNS
    200.81.21.72.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    200.81.21.72.in-addr.arpa
    IN PTR
    Response
  • flag-us
    POST
    https://nebraska-pizza.com/search.php
    Remote address:
    45.61.136.186:443
    Request
    POST /search.php HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    Accept: */*
    Referer: https://qfwdclkf.org/
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
    Content-Length: 237
    Host: nebraska-pizza.com
    Response
    HTTP/1.1 404 Not Found
    Server: nginx/1.18.0 (Ubuntu)
    Date: Thu, 03 Aug 2023 05:03:07 GMT
    Content-Type: text/html; charset=utf-8
    Transfer-Encoding: chunked
    Connection: keep-alive
  • flag-us
                                                              POST
                                                              https://nebraska-pizza.com/search.php
                                                              explorer.exe
                                                              Remote address:
                                                              45.61.136.186:443
                                                              Request
                                                              POST /search.php HTTP/1.1
                                                              Cache-Control: no-cache
                                                              Connection: Keep-Alive
                                                              Pragma: no-cache
                                                              Content-Type: application/x-www-form-urlencoded
                                                              Accept: */*
                                                              Referer: https://nebraska-pizza.com/
                                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                              Content-Length: 533
                                                              Host: nebraska-pizza.com
                                                              Response
                                                              HTTP/1.1 404 Not Found
                                                              Server: nginx/1.18.0 (Ubuntu)
                                                              Date: Thu, 03 Aug 2023 05:03:09 GMT
                                                              Content-Type: text/html; charset=utf-8
                                                              Transfer-Encoding: chunked
                                                              Connection: keep-alive
                                                            • flag-us
                                                              DNS
                                                              9.57.101.20.in-addr.arpa
                                                              Remote address:
                                                              8.8.8.8:53
                                                              Request
                                                              9.57.101.20.in-addr.arpa
                                                              IN PTR
                                                              Response
                                                            • flag-us
                                                              DNS
                                                              200.197.79.204.in-addr.arpa
                                                              Remote address:
                                                              8.8.8.8:53
                                                              Request
                                                              200.197.79.204.in-addr.arpa
                                                              IN PTR
                                                              Response
                                                              200.197.79.204.in-addr.arpa
                                                              IN PTR
                                                              a-0001a-msedgenet
                                                            • flag-us
                                                              DNS
                                                              224.104.207.23.in-addr.arpa
                                                              Remote address:
                                                              8.8.8.8:53
                                                              Request
                                                              224.104.207.23.in-addr.arpa
                                                              IN PTR
                                                              Response
                                                              224.104.207.23.in-addr.arpa
                                                              IN PTR
                                                              a23-207-104-224deploystaticakamaitechnologiescom
                                                            • flag-us
                                                              DNS
                                                              25.73.42.20.in-addr.arpa
                                                              Remote address:
                                                              8.8.8.8:53
                                                              Request
                                                              25.73.42.20.in-addr.arpa
                                                              IN PTR
                                                              Response
                                                            • 45.61.136.186:443
                                                              https://nebraska-pizza.com/search.php
                                                              tls, http
                                                              9.6kB
                                                              386.8kB
                                                              161
                                                              300

                                                              HTTP Request

                                                              POST https://nebraska-pizza.com/search.php

                                                              HTTP Response

                                                              404

                                                              HTTP Request

                                                              POST https://nebraska-pizza.com/search.php

                                                              HTTP Response

                                                              404

                                                              HTTP Request

                                                              POST https://nebraska-pizza.com/search.php

                                                              HTTP Response

                                                              404
                                                            • 152.195.50.149:80
                                                              http://evcs-ocsp.ws.symantec.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQckPwgwK2Thdm9JYVwXQ4ERz3XDQQUo47PGUI9MeGrIYmEbcvZeaKysloCEHX7Uch2jvaSe%2FQdoaI0odk%3D
                                                              http
                                                              518 B
                                                              2.1kB
                                                              6
                                                              5

                                                              HTTP Request

                                                              GET http://evcs-ocsp.ws.symantec.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQckPwgwK2Thdm9JYVwXQ4ERz3XDQQUo47PGUI9MeGrIYmEbcvZeaKysloCEHX7Uch2jvaSe%2FQdoaI0odk%3D

                                                              HTTP Response

                                                              200
                                                            • 165.227.8.65:443
                                                              ca-ferrari-club.com
                                                              IEXPLORE.EXE
                                                              156 B
                                                              3
                                                            • 165.227.8.65:443
                                                              ca-ferrari-club.com
                                                              IEXPLORE.EXE
                                                              156 B
                                                              3
                                                            • 165.227.8.65:443
                                                              ca-ferrari-club.com
                                                              IEXPLORE.EXE
                                                              156 B
                                                              3
                                                            • 165.227.8.65:443
                                                              ca-ferrari-club.com
                                                              156 B
                                                              3
                                                            • 45.61.136.186:443
                                                              https://nebraska-pizza.com/search.php
                                                              tls, http
                                                              1.3kB
                                                              6.5kB
                                                              11
                                                              13

                                                              HTTP Request

                                                              POST https://nebraska-pizza.com/search.php

                                                              HTTP Response

                                                              404
                                                            • 45.61.136.186:443
                                                              https://nebraska-pizza.com/search.php
                                                              tls, http
                                                              explorer.exe
                                                              1.6kB
                                                              6.4kB
                                                              9
                                                              12

                                                              HTTP Request

                                                              POST https://nebraska-pizza.com/search.php

                                                              HTTP Response

                                                              404
                                                            • 204.79.197.200:443
                                                              ieonline.microsoft.com
                                                              tls
                                                              iexplore.exe
                                                              717 B
                                                              7.6kB
                                                              11
                                                              9
                                                            • 204.79.197.200:443
                                                              ieonline.microsoft.com
                                                              tls
                                                              iexplore.exe
                                                              717 B
                                                              7.6kB
                                                              11
                                                              9
                                                            • 204.79.197.200:443
                                                              ieonline.microsoft.com
                                                              tls
                                                              iexplore.exe
                                                              717 B
                                                              7.6kB
                                                              11
                                                              9
                                                            • 204.79.197.200:443
                                                              ieonline.microsoft.com
                                                              tls
                                                              iexplore.exe
                                                              717 B
                                                              7.6kB
                                                              11
                                                              9
                                                            • 204.79.197.200:443
                                                              ieonline.microsoft.com
                                                              tls
                                                              iexplore.exe
                                                              717 B
                                                              7.6kB
                                                              11
                                                              9
                                                            • 204.79.197.200:443
                                                              ieonline.microsoft.com
                                                              tls
                                                              iexplore.exe
                                                              717 B
                                                              7.6kB
                                                              11
                                                              9
                                                            • 8.8.8.8:53
                                                              nebraska-pizza.com
                                                              dns
                                                              explorer.exe
                                                              64 B
                                                              80 B
                                                              1
                                                              1

                                                              DNS Request

                                                              nebraska-pizza.com

                                                              DNS Response

                                                              45.61.136.186

                                                            • 8.8.8.8:53
                                                              186.136.61.45.in-addr.arpa
                                                              dns
                                                              ipconfig.exe
                                                              72 B
                                                              127 B
                                                              1
                                                              1

                                                              DNS Request

                                                              186.136.61.45.in-addr.arpa

                                                            • 8.8.8.8:53
                                                              240.81.21.72.in-addr.arpa
                                                              dns
                                                              ipconfig.exe
                                                              71 B
                                                              142 B
                                                              1
                                                              1

                                                              DNS Request

                                                              240.81.21.72.in-addr.arpa

                                                            • 8.8.8.8:53
                                                              evcs-ocsp.ws.symantec.com
                                                              dns
                                                              ipconfig.exe
                                                              71 B
                                                              185 B
                                                              1
                                                              1

                                                              DNS Request

                                                              evcs-ocsp.ws.symantec.com

                                                              DNS Response

                                                              152.195.50.149

                                                            • 8.8.8.8:53
                                                              74.19.199.152.in-addr.arpa
                                                              dns
                                                              ipconfig.exe
                                                              72 B
                                                              143 B
                                                              1
                                                              1

                                                              DNS Request

                                                              74.19.199.152.in-addr.arpa

                                                            • 8.8.8.8:53
                                                              149.50.195.152.in-addr.arpa
                                                              dns
                                                              ipconfig.exe
                                                              73 B
                                                              144 B
                                                              1
                                                              1

                                                              DNS Request

                                                              149.50.195.152.in-addr.arpa

                                                            • 8.8.8.8:53
                                                              ca-ferrari-club.com
                                                              dns
                                                              65 B
                                                              81 B
                                                              1
                                                              1

                                                              DNS Request

                                                              ca-ferrari-club.com

                                                              DNS Response

                                                              165.227.8.65

                                                            • 8.8.8.8:53
                                                              ca-ferrari-club.com
                                                              dns
                                                              65 B
                                                              65 B
                                                              1
                                                              1

                                                              DNS Request

                                                              ca-ferrari-club.com

                                                            • 8.8.8.8:53
                                                              200.81.21.72.in-addr.arpa
                                                              dns
                                                              71 B
                                                              142 B
                                                              1
                                                              1

                                                              DNS Request

                                                              200.81.21.72.in-addr.arpa

                                                            • 8.8.8.8:53
                                                              9.57.101.20.in-addr.arpa
                                                              dns
                                                              70 B
                                                              156 B
                                                              1
                                                              1

                                                              DNS Request

                                                              9.57.101.20.in-addr.arpa

                                                            • 8.8.8.8:53
                                                              200.197.79.204.in-addr.arpa
                                                              dns
                                                              73 B
                                                              106 B
                                                              1
                                                              1

                                                              DNS Request

                                                              200.197.79.204.in-addr.arpa

                                                            • 8.8.8.8:53
                                                              224.104.207.23.in-addr.arpa
                                                              dns
                                                              73 B
                                                              139 B
                                                              1
                                                              1

                                                              DNS Request

                                                              224.104.207.23.in-addr.arpa

                                                            • 8.8.8.8:53
                                                              25.73.42.20.in-addr.arpa
                                                              dns
                                                              70 B
                                                              156 B
                                                              1
                                                              1

                                                              DNS Request

                                                              25.73.42.20.in-addr.arpa

                                                            MITRE ATT&CK Enterprise v15


                                                            Downloads

                                                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

                                                              Filesize

                                                              471B

                                                              MD5

                                                              6b5f38d2860debf21b5bd969669d864a

                                                              SHA1

                                                              63b82fbada2ac0c1fe421db939687b3e15143c92

                                                              SHA256

                                                              9974b3ced043323550037e294cbaa56c8bc865586c5c811a9397a94a9bb2f5ac

                                                              SHA512

                                                              e18cc742219983947cb72f0aa96277c43f2dd798e88d9a83dbc3ad5525867e34702827b4c61ad9a532dfe5d29ec271c95df68b1c6081379e08ceb025600fb434

                                                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

                                                              Filesize

                                                              404B

                                                              MD5

                                                              d452962e69954397b88f3789c9fee3a4

                                                              SHA1

                                                              8f4199f207d8e3a3330252fe7bc7aa2a19887cfc

                                                              SHA256

                                                              9d2b9e8c9e29845fff8c82a01158b31bc3be4fef50a5508185f6998227e57f47

                                                              SHA512

                                                              95d3e94876a8e2986cf3b0a472d8622562afd32004a25d53bb2089b922e5c83750332928ed254f0720e366c22df278f186dcdb4c4e8ff29b2970b1712b7e5356

                                                            • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\verF20C.tmp

                                                              Filesize

                                                              15KB

                                                              MD5

                                                              1a545d0052b581fbb2ab4c52133846bc

                                                              SHA1

                                                              62f3266a9b9925cd6d98658b92adec673cbe3dd3

                                                              SHA256

                                                              557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1

                                                              SHA512

                                                              bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

                                                            • memory/220-204-0x00000000001D0000-0x00000000001DB000-memory.dmp

                                                              Filesize

                                                              44KB

                                                            • memory/220-195-0x00000000001D0000-0x00000000001DB000-memory.dmp

                                                              Filesize

                                                              44KB

• memory/220-194-0x0000000000FE0000-0x0000000000FED000-memory.dmp  Filesize: 52KB
• memory/220-196-0x0000000000FE0000-0x0000000000FED000-memory.dmp  Filesize: 52KB
• memory/752-200-0x0000000000840000-0x0000000000845000-memory.dmp  Filesize: 20KB
• memory/752-185-0x0000000000840000-0x0000000000845000-memory.dmp  Filesize: 20KB
• memory/752-186-0x0000000000830000-0x0000000000839000-memory.dmp  Filesize: 36KB
• memory/752-201-0x0000000000830000-0x0000000000839000-memory.dmp  Filesize: 36KB
• memory/1580-162-0x0000000000520000-0x0000000000595000-memory.dmp  Filesize: 468KB
• memory/1580-164-0x00000000004B0000-0x000000000051B000-memory.dmp  Filesize: 428KB
• memory/1580-180-0x00000000004B0000-0x000000000051B000-memory.dmp  Filesize: 428KB
• memory/2904-179-0x00000000004B0000-0x00000000004BC000-memory.dmp  Filesize: 48KB
• memory/2904-178-0x00000000004C0000-0x00000000004C7000-memory.dmp  Filesize: 28KB
• memory/2904-177-0x00000000004B0000-0x00000000004BC000-memory.dmp  Filesize: 48KB
• memory/3292-137-0x0000000000CD0000-0x0000000000CDF000-memory.dmp  Filesize: 60KB
• memory/3292-133-0x0000000000CD0000-0x0000000000CDF000-memory.dmp  Filesize: 60KB
• memory/3292-121-0x0000000000CB0000-0x0000000000CC6000-memory.dmp  Filesize: 88KB
• memory/4104-188-0x0000000000CD0000-0x0000000000CDC000-memory.dmp  Filesize: 48KB
• memory/4104-202-0x0000000000CE0000-0x0000000000CE6000-memory.dmp  Filesize: 24KB
• memory/4104-203-0x0000000000CD0000-0x0000000000CDC000-memory.dmp  Filesize: 48KB
• memory/4104-187-0x0000000000CE0000-0x0000000000CE6000-memory.dmp  Filesize: 24KB
• memory/4104-189-0x0000000000CD0000-0x0000000000CDC000-memory.dmp  Filesize: 48KB
• memory/4132-184-0x0000000000110000-0x000000000011F000-memory.dmp  Filesize: 60KB
• memory/4132-197-0x0000000000110000-0x000000000011F000-memory.dmp  Filesize: 60KB
• memory/4132-183-0x0000000000120000-0x0000000000129000-memory.dmp  Filesize: 36KB
• memory/4628-190-0x00000000001E0000-0x00000000001E6000-memory.dmp  Filesize: 24KB
• memory/4628-191-0x00000000001D0000-0x00000000001DB000-memory.dmp  Filesize: 44KB
• memory/4628-192-0x00000000001D0000-0x00000000001DB000-memory.dmp  Filesize: 44KB
• memory/4876-182-0x0000000000640000-0x000000000064B000-memory.dmp  Filesize: 44KB
• memory/4876-193-0x0000000000640000-0x000000000064B000-memory.dmp  Filesize: 44KB
• memory/4876-181-0x0000000000650000-0x0000000000657000-memory.dmp  Filesize: 28KB
• memory/5096-118-0x00000000024E0000-0x00000000025E0000-memory.dmp  Filesize: 1024KB
• memory/5096-125-0x0000000002360000-0x0000000002369000-memory.dmp  Filesize: 36KB
• memory/5096-122-0x0000000000400000-0x00000000022F7000-memory.dmp  Filesize: 31.0MB
• memory/5096-120-0x0000000000400000-0x00000000022F7000-memory.dmp  Filesize: 31.0MB
• memory/5096-119-0x0000000002360000-0x0000000002369000-memory.dmp  Filesize: 36KB
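The dump names above follow the sandbox's naming convention memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp, and the same range is often dumped more than once as the process runs. The script below is an added example, not part of this report or of the sandbox's own tooling: it parses that convention, collapses repeated dumps into one region per PID, checks that each range length agrees with the displayed Filesize, and picks out the largest dumped region (the first place to look for an unpacked image). The sample listing is a constructed subset of the entries shown on this page; the field names and the 1% rounding tolerance are this example's own choices.

```python
import re
from collections import defaultdict

# Naming convention seen on the report: memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp
DUMP_RE = re.compile(
    r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp"
)

# Constructed sample: a subset of the dump names and displayed sizes from this
# report, one per line, dump name followed by the Filesize shown on the page.
SAMPLE_LISTING = """
memory/220-194-0x0000000000FE0000-0x0000000000FED000-memory.dmp 52KB
memory/220-196-0x0000000000FE0000-0x0000000000FED000-memory.dmp 52KB
memory/752-186-0x0000000000830000-0x0000000000839000-memory.dmp 36KB
memory/1580-162-0x0000000000520000-0x0000000000595000-memory.dmp 468KB
memory/5096-118-0x00000000024E0000-0x00000000025E0000-memory.dmp 1024KB
memory/5096-122-0x0000000000400000-0x00000000022F7000-memory.dmp 31.0MB
memory/5096-119-0x0000000002360000-0x0000000002369000-memory.dmp 36KB
"""


def listed_size_to_bytes(text):
    """Turn a displayed size such as '52KB' or '31.0MB' into a byte count."""
    m = re.fullmatch(r"(\d+(?:\.\d+)?)(KB|MB)", text)
    if not m:
        raise ValueError(f"unrecognised size: {text!r}")
    value, unit = float(m.group(1)), m.group(2)
    return int(value * (1024 if unit == "KB" else 1024 * 1024))


def parse_dump_listing(text):
    """Parse 'name size' lines into dicts: pid, seq, start, end, size, listed."""
    entries = []
    for line in text.strip().splitlines():
        name, listed = line.split()
        m = DUMP_RE.fullmatch(name)
        if not m:
            raise ValueError(f"unexpected dump name: {name!r}")
        start, end = int(m.group(3), 16), int(m.group(4), 16)
        entries.append({
            "name": name,
            "pid": int(m.group(1)),
            "seq": int(m.group(2)),
            "start": start,
            "end": end,
            "size": end - start,                 # length of the dumped range
            "listed": listed_size_to_bytes(listed),
        })
    return entries


def size_matches(entry, tolerance=0.01):
    """True if the range length agrees with the displayed size. The page rounds
    large values (e.g. 31.0MB), so a small relative slack is allowed (assumption)."""
    return abs(entry["size"] - entry["listed"]) <= tolerance * entry["size"]


def regions_by_pid(entries):
    """Collapse repeated dumps of the same range into one sorted region list per pid."""
    regions = defaultdict(set)
    for e in entries:
        regions[e["pid"]].add((e["start"], e["end"]))
    return {pid: sorted(r) for pid, r in regions.items()}


def largest_region(entries):
    """Return (pid, start, end) of the biggest dumped range."""
    e = max(entries, key=lambda e: e["size"])
    return e["pid"], e["start"], e["end"]


if __name__ == "__main__":
    entries = parse_dump_listing(SAMPLE_LISTING)
    for pid, regions in sorted(regions_by_pid(entries).items()):
        print(pid, [f"0x{s:X}-0x{e:X} ({e - s} bytes)" for s, e in regions])
    print("size mismatches:", [e["name"] for e in entries if not size_matches(e)] or "none")
    print("largest region:", largest_region(entries))
```

Feeding the full listing through the same parser gives one region set per PID; the 0x400000-0x22F7000 range in PID 5096 (the submitted sample's own process, judging by the image base 0x400000) dwarfs the 20KB to 88KB ranges in the other PIDs, which is the pattern to expect when a loader unpacks in its own process and places small code regions elsewhere.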
