Analysis

  • max time kernel
    144s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    13/02/2024, 18:40 UTC

General

  • Target

    filename.exe

  • Size

    1.4MB

  • MD5

    1db34920c3ae3eb8560695f89e92d930

  • SHA1

    531fea122037a7b503e0fcb42aa24382a9631ac8

  • SHA256

    569cf3de44279490ab8fe47d78ace6d5cbd6e6413be9d14316d31338eef12bdd

  • SHA512

    b311b876c06e8d056a06991a8ebbcfd56c47a0b5d72e5f6ac94a20546f5c7bb857b143d22a09649e630d2474dfe8b7c9115b102443fe12910969f55178a74336

  • SSDEEP

    24576:y0/wpWGxRsnyM3LF+0mlBnjs60nEisX1N9rm1Jo/13JQyjLc22dEaY7Unbya87CJ://wn0x3LFfmHnIZE9rm1Ji3hLc22dEa3

Score
5/10

Malware Config

Signatures

  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\filename.exe
    "C:\Users\Admin\AppData\Local\Temp\filename.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of WriteProcessMemory
    PID:1976
    • C:\Windows\SysWOW64\ctfmon.exe
      "C:\Windows\SysWOW64\ctfmon.exe -p 1234"
      2⤵
        PID:1092

    Network

    • flag-us
      DNS
      58.55.71.13.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      58.55.71.13.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      176.178.17.96.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      176.178.17.96.in-addr.arpa
      IN PTR
      Response
      176.178.17.96.in-addr.arpa
      IN PTR
      a96-17-178-176.deploy.static.akamaitechnologies.com
    • flag-us
      DNS
      68.159.190.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      68.159.190.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      209.205.72.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      209.205.72.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      97.17.167.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      97.17.167.52.in-addr.arpa
      IN PTR
      Response
    • flag-us
      POST
      https://104.129.55.105:2223/api/admin.users.list
      ctfmon.exe
      Remote address:
      104.129.55.105:2223
      Request
      POST /api/admin.users.list HTTP/1.1
      Cache-Control: no-cache
      Connection: Keep-Alive
      Pragma: no-cache
      Accept: */*
      Accept-Encoding: gzip, deflate, br
      Accept-Language: en-US,en;q=0.8
      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3; Zoom 3.6.0)
      Content-Length: 5370
      Host: 104.129.55.105:2223
      Response
      HTTP/1.1 502 Bad Gateway
      Server: nginx
      Date: Tue, 13 Feb 2024 18:40:46 GMT
      Content-Type: text/html
      Content-Length: 552
      Connection: keep-alive
    • flag-us
      POST
      https://104.129.55.105:2223/api/admin.conversations.convertToPrivate
      ctfmon.exe
      Remote address:
      104.129.55.105:2223
      Request
      POST /api/admin.conversations.convertToPrivate HTTP/1.1
      Cache-Control: no-cache
      Connection: Keep-Alive
      Pragma: no-cache
      Accept: */*
      Accept-Encoding: gzip, deflate, br
      Accept-Language: en-US,en;q=0.8
      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3; Zoom 3.6.0)
      Content-Length: 5370
      Host: 104.129.55.105:2223
      Response
      HTTP/1.1 502 Bad Gateway
      Server: nginx
      Date: Tue, 13 Feb 2024 18:41:42 GMT
      Content-Type: text/html
      Content-Length: 552
      Connection: keep-alive
    • flag-us
      POST
      https://104.129.55.105:2223/api/admin.users.setAdmin
      ctfmon.exe
      Remote address:
      104.129.55.105:2223
      Request
      POST /api/admin.users.setAdmin HTTP/1.1
      Cache-Control: no-cache
      Connection: Keep-Alive
      Pragma: no-cache
      Accept: */*
      Accept-Encoding: gzip, deflate, br
      Accept-Language: en-US,en;q=0.8
      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3; Zoom 3.6.0)
      Content-Length: 5370
      Host: 104.129.55.105:2223
      Response
      HTTP/1.1 502 Bad Gateway
      Server: nginx
      Date: Tue, 13 Feb 2024 18:42:21 GMT
      Content-Type: text/html
      Content-Length: 552
      Connection: keep-alive
    • flag-us
      DNS
      105.55.129.104.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      105.55.129.104.in-addr.arpa
      IN PTR
      Response
      105.55.129.104.in-addr.arpa
      IN PTR
      104.129.55.105.static.quadranet.com
    • flag-us
      DNS
      157.123.68.40.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      157.123.68.40.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      18.31.95.13.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      18.31.95.13.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      240.221.184.93.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      240.221.184.93.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      23.160.77.104.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      23.160.77.104.in-addr.arpa
      IN PTR
      Response
      23.160.77.104.in-addr.arpa
      IN PTR
      a104-77-160-23.deploy.static.akamaitechnologies.com
    • flag-hk
      POST
      https://154.201.81.8:2967/api/admin.inviteRequests.deny
      ctfmon.exe
      Remote address:
      154.201.81.8:2967
      Request
      POST /api/admin.inviteRequests.deny HTTP/1.1
      Cache-Control: no-cache
      Connection: Keep-Alive
      Pragma: no-cache
      Accept: */*
      Accept-Encoding: gzip, deflate, br
      Accept-Language: en-US,en;q=0.8
      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3; Zoom 3.6.0)
      Content-Length: 5370
      Host: 154.201.81.8:2967
      Response
      HTTP/1.1 502 Bad Gateway
      Server: nginx
      Date: Tue, 13 Feb 2024 18:40:50 GMT
      Content-Type: text/html
      Content-Length: 552
      Connection: keep-alive
    • flag-hk
      POST
      https://154.201.81.8:2967/api/admin.inviteRequests.approve
      ctfmon.exe
      Remote address:
      154.201.81.8:2967
      Request
      POST /api/admin.inviteRequests.approve HTTP/1.1
      Cache-Control: no-cache
      Connection: Keep-Alive
      Pragma: no-cache
      Accept: */*
      Accept-Encoding: gzip, deflate, br
      Accept-Language: en-US,en;q=0.8
      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3; Zoom 3.6.0)
      Content-Length: 5370
      Host: 154.201.81.8:2967
      Response
      HTTP/1.1 502 Bad Gateway
      Server: nginx
      Date: Tue, 13 Feb 2024 18:41:45 GMT
      Content-Type: text/html
      Content-Length: 552
      Connection: keep-alive
    • flag-hk
      POST
      https://154.201.81.8:2967/api/admin.conversations.convertToPrivate
      ctfmon.exe
      Remote address:
      154.201.81.8:2967
      Request
      POST /api/admin.conversations.convertToPrivate HTTP/1.1
      Cache-Control: no-cache
      Connection: Keep-Alive
      Pragma: no-cache
      Accept: */*
      Accept-Encoding: gzip, deflate, br
      Accept-Language: en-US,en;q=0.8
      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3; Zoom 3.6.0)
      Content-Length: 5370
      Host: 154.201.81.8:2967
      Response
      HTTP/1.1 502 Bad Gateway
      Server: nginx
      Date: Tue, 13 Feb 2024 18:42:23 GMT
      Content-Type: text/html
      Content-Length: 552
      Connection: keep-alive
    • flag-us
      DNS
      8.81.201.154.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      8.81.201.154.in-addr.arpa
      IN PTR
      Response
    • flag-us
      POST
      https://86.38.225.106:2221/api/admin.conversations.rename
      ctfmon.exe
      Remote address:
      86.38.225.106:2221
      Request
      POST /api/admin.conversations.rename HTTP/1.1
      Cache-Control: no-cache
      Connection: Keep-Alive
      Pragma: no-cache
      Accept: */*
      Accept-Encoding: gzip, deflate, br
      Accept-Language: en-US,en;q=0.8
      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3; Zoom 3.6.0)
      Content-Length: 5370
      Host: 86.38.225.106:2221
      Response
      HTTP/1.1 502 Bad Gateway
      Server: nginx
      Date: Tue, 13 Feb 2024 18:40:55 GMT
      Content-Type: text/html
      Content-Length: 552
      Connection: keep-alive
    • flag-us
      POST
      https://86.38.225.106:2221/api/admin.conversations.convertToPrivate
      ctfmon.exe
      Remote address:
      86.38.225.106:2221
      Request
      POST /api/admin.conversations.convertToPrivate HTTP/1.1
      Cache-Control: no-cache
      Connection: Keep-Alive
      Pragma: no-cache
      Accept: */*
      Accept-Encoding: gzip, deflate, br
      Accept-Language: en-US,en;q=0.8
      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3; Zoom 3.6.0)
      Content-Length: 5370
      Host: 86.38.225.106:2221
      Response
      HTTP/1.1 502 Bad Gateway
      Server: nginx
      Date: Tue, 13 Feb 2024 18:41:50 GMT
      Content-Type: text/html
      Content-Length: 552
      Connection: keep-alive
    • flag-us
      POST
      https://86.38.225.106:2221/api/admin.inviteRequests.deny
      ctfmon.exe
      Remote address:
      86.38.225.106:2221
      Request
      POST /api/admin.inviteRequests.deny HTTP/1.1
      Cache-Control: no-cache
      Connection: Keep-Alive
      Pragma: no-cache
      Accept: */*
      Accept-Encoding: gzip, deflate, br
      Accept-Language: en-US,en;q=0.8
      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3; Zoom 3.6.0)
      Content-Length: 5370
      Host: 86.38.225.106:2221
      Response
      HTTP/1.1 502 Bad Gateway
      Server: nginx
      Date: Tue, 13 Feb 2024 18:42:28 GMT
      Content-Type: text/html
      Content-Length: 552
      Connection: keep-alive
    • flag-us
      DNS
      106.225.38.86.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      106.225.38.86.in-addr.arpa
      IN PTR
      Response
    • flag-de
      POST
      https://37.60.242.85:9785/api/admin.inviteRequests.deny
      ctfmon.exe
      Remote address:
      37.60.242.85:9785
      Request
      POST /api/admin.inviteRequests.deny HTTP/1.1
      Cache-Control: no-cache
      Connection: Keep-Alive
      Pragma: no-cache
      Accept: */*
      Accept-Encoding: gzip, deflate, br
      Accept-Language: en-US,en;q=0.8
      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3; Zoom 3.6.0)
      Content-Length: 5370
      Host: 37.60.242.85:9785
      Response
      HTTP/1.1 502 Bad Gateway
      Server: nginx
      Date: Tue, 13 Feb 2024 18:41:00 GMT
      Content-Type: text/html
      Content-Length: 552
      Connection: keep-alive
    • flag-de
      POST
      https://37.60.242.85:9785/api/admin.conversations.convertToPrivate
      ctfmon.exe
      Remote address:
      37.60.242.85:9785
      Request
      POST /api/admin.conversations.convertToPrivate HTTP/1.1
      Cache-Control: no-cache
      Connection: Keep-Alive
      Pragma: no-cache
      Accept: */*
      Accept-Encoding: gzip, deflate, br
      Accept-Language: en-US,en;q=0.8
      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3; Zoom 3.6.0)
      Content-Length: 5370
      Host: 37.60.242.85:9785
      Response
      HTTP/1.1 502 Bad Gateway
      Server: nginx
      Date: Tue, 13 Feb 2024 18:41:54 GMT
      Content-Type: text/html
      Content-Length: 552
      Connection: keep-alive
    • flag-de
      POST
      https://37.60.242.85:9785/api/admin.inviteRequests.deny
      ctfmon.exe
      Remote address:
      37.60.242.85:9785
      Request
      POST /api/admin.inviteRequests.deny HTTP/1.1
      Cache-Control: no-cache
      Connection: Keep-Alive
      Pragma: no-cache
      Accept: */*
      Accept-Encoding: gzip, deflate, br
      Accept-Language: en-US,en;q=0.8
      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3; Zoom 3.6.0)
      Content-Length: 5370
      Host: 37.60.242.85:9785
      Response
      HTTP/1.1 502 Bad Gateway
      Server: nginx
      Date: Tue, 13 Feb 2024 18:42:32 GMT
      Content-Type: text/html
      Content-Length: 552
      Connection: keep-alive
    • flag-us
      DNS
      85.242.60.37.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      85.242.60.37.in-addr.arpa
      IN PTR
      Response
      85.242.60.37.in-addr.arpa
      IN PTR
      vmd129090.contaboserver.net
    • flag-id
      POST
      https://103.82.243.5:13785/api/admin.inviteRequests.deny
      ctfmon.exe
      Remote address:
      103.82.243.5:13785
      Request
      POST /api/admin.inviteRequests.deny HTTP/1.1
      Cache-Control: no-cache
      Connection: Keep-Alive
      Pragma: no-cache
      Accept: */*
      Accept-Encoding: gzip, deflate, br
      Accept-Language: en-US,en;q=0.8
      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3; Zoom 3.6.0)
      Content-Length: 5370
      Host: 103.82.243.5:13785
      Response
      HTTP/1.1 502 Bad Gateway
      Server: nginx
      Date: Tue, 13 Feb 2024 18:41:17 GMT
      Content-Type: text/html
      Content-Length: 552
      Connection: keep-alive
    • flag-id
      POST
      https://103.82.243.5:13785/api/admin.inviteRequests.deny
      ctfmon.exe
      Remote address:
      103.82.243.5:13785
      Request
      POST /api/admin.inviteRequests.deny HTTP/1.1
      Cache-Control: no-cache
      Connection: Keep-Alive
      Pragma: no-cache
      Accept: */*
      Accept-Encoding: gzip, deflate, br
      Accept-Language: en-US,en;q=0.8
      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3; Zoom 3.6.0)
      Content-Length: 5370
      Host: 103.82.243.5:13785
      Response
      HTTP/1.1 502 Bad Gateway
      Server: nginx
      Date: Tue, 13 Feb 2024 18:41:59 GMT
      Content-Type: text/html
      Content-Length: 552
      Connection: keep-alive
    • flag-id
      POST
      https://103.82.243.5:13785/api/admin.usergroups.listChannels
      ctfmon.exe
      Remote address:
      103.82.243.5:13785
      Request
      POST /api/admin.usergroups.listChannels HTTP/1.1
      Cache-Control: no-cache
      Connection: Keep-Alive
      Pragma: no-cache
      Accept: */*
      Accept-Encoding: gzip, deflate, br
      Accept-Language: en-US,en;q=0.8
      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3; Zoom 3.6.0)
      Content-Length: 5370
      Host: 103.82.243.5:13785
      Response
      HTTP/1.1 502 Bad Gateway
      Server: nginx
      Date: Tue, 13 Feb 2024 18:42:37 GMT
      Content-Type: text/html
      Content-Length: 552
      Connection: keep-alive
    • flag-us
      DNS
      5.243.82.103.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      5.243.82.103.in-addr.arpa
      IN PTR
      Response
      5.243.82.103.in-addr.arpa
      IN PTR
      103-82-243-5.idcloudhosting.my.id
    • flag-us
      POST
      https://108.61.78.17:13783/api/admin.usergroups.removeChannels
      ctfmon.exe
      Remote address:
      108.61.78.17:13783
      Request
      POST /api/admin.usergroups.removeChannels HTTP/1.1
      Cache-Control: no-cache
      Connection: Keep-Alive
      Pragma: no-cache
      Accept: */*
      Accept-Encoding: gzip, deflate, br
      Accept-Language: en-US,en;q=0.8
      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3; Zoom 3.6.0)
      Content-Length: 5370
      Host: 108.61.78.17:13783
      Response
      HTTP/1.1 502 Bad Gateway
      Server: nginx
      Date: Tue, 13 Feb 2024 18:41:22 GMT
      Content-Type: text/html
      Content-Length: 552
      Connection: keep-alive
    • flag-us
      POST
      https://108.61.78.17:13783/api/admin.usergroups.listChannels
      ctfmon.exe
      Remote address:
      108.61.78.17:13783
      Request
      POST /api/admin.usergroups.listChannels HTTP/1.1
      Cache-Control: no-cache
      Connection: Keep-Alive
      Pragma: no-cache
      Accept: */*
      Accept-Encoding: gzip, deflate, br
      Accept-Language: en-US,en;q=0.8
      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3; Zoom 3.6.0)
      Content-Length: 5370
      Host: 108.61.78.17:13783
      Response
      HTTP/1.1 502 Bad Gateway
      Server: nginx
      Date: Tue, 13 Feb 2024 18:42:03 GMT
      Content-Type: text/html
      Content-Length: 552
      Connection: keep-alive
    • flag-us
      POST
      https://108.61.78.17:13783/api/admin.users.list
      ctfmon.exe
      Remote address:
      108.61.78.17:13783
      Request
      POST /api/admin.users.list HTTP/1.1
      Cache-Control: no-cache
      Connection: Keep-Alive
      Pragma: no-cache
      Accept: */*
      Accept-Encoding: gzip, deflate, br
      Accept-Language: en-US,en;q=0.8
      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3; Zoom 3.6.0)
      Content-Length: 5370
      Host: 108.61.78.17:13783
      Response
      HTTP/1.1 502 Bad Gateway
      Server: nginx
      Date: Tue, 13 Feb 2024 18:42:41 GMT
      Content-Type: text/html
      Content-Length: 552
      Connection: keep-alive
    • flag-us
      DNS
      17.78.61.108.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      17.78.61.108.in-addr.arpa
      IN PTR
      Response
      17.78.61.108.in-addr.arpa
      IN PTR
      108.61.78.17.vultrusercontent.com
    • flag-au
      POST
      https://104.156.233.235:2226/api/admin.conversations.restrictAccess.listGroups
      ctfmon.exe
      Remote address:
      104.156.233.235:2226
      Request
      POST /api/admin.conversations.restrictAccess.listGroups HTTP/1.1
      Cache-Control: no-cache
      Connection: Keep-Alive
      Pragma: no-cache
      Accept: */*
      Accept-Encoding: gzip, deflate, br
      Accept-Language: en-US,en;q=0.8
      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3; Zoom 3.6.0)
      Content-Length: 5370
      Host: 104.156.233.235:2226
      Response
      HTTP/1.1 502 Bad Gateway
      Server: nginx
      Date: Tue, 13 Feb 2024 18:41:28 GMT
      Content-Type: text/html
      Content-Length: 552
      Connection: keep-alive
    • flag-au
      POST
      https://104.156.233.235:2226/api/admin.teams.settings.setDiscoverability
      ctfmon.exe
      Remote address:
      104.156.233.235:2226
      Request
      POST /api/admin.teams.settings.setDiscoverability HTTP/1.1
      Cache-Control: no-cache
      Connection: Keep-Alive
      Pragma: no-cache
      Accept: */*
      Accept-Encoding: gzip, deflate, br
      Accept-Language: en-US,en;q=0.8
      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3; Zoom 3.6.0)
      Content-Length: 5370
      Host: 104.156.233.235:2226
      Response
      HTTP/1.1 502 Bad Gateway
      Server: nginx
      Date: Tue, 13 Feb 2024 18:42:09 GMT
      Content-Type: text/html
      Content-Length: 552
      Connection: keep-alive
    • flag-us
      DNS
      235.233.156.104.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      235.233.156.104.in-addr.arpa
      IN PTR
      Response
      235.233.156.104.in-addr.arpa
      IN PTR
      104.156.233.235.vultrusercontent.com
    • flag-us
      POST
      https://23.226.138.161:5242/api/admin.usergroups.removeChannels
      ctfmon.exe
      Remote address:
      23.226.138.161:5242
      Request
      POST /api/admin.usergroups.removeChannels HTTP/1.1
      Cache-Control: no-cache
      Connection: Keep-Alive
      Pragma: no-cache
      Accept: */*
      Accept-Encoding: gzip, deflate, br
      Accept-Language: en-US,en;q=0.8
      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3; Zoom 3.6.0)
      Content-Length: 5370
      Host: 23.226.138.161:5242
      Response
      HTTP/1.1 502 Bad Gateway
      Server: nginx
      Date: Tue, 13 Feb 2024 18:41:35 GMT
      Content-Type: text/html
      Content-Length: 552
      Connection: keep-alive
    • flag-us
      POST
      https://23.226.138.161:5242/api/admin.inviteRequests.deny
      ctfmon.exe
      Remote address:
      23.226.138.161:5242
      Request
      POST /api/admin.inviteRequests.deny HTTP/1.1
      Cache-Control: no-cache
      Connection: Keep-Alive
      Pragma: no-cache
      Accept: */*
      Accept-Encoding: gzip, deflate, br
      Accept-Language: en-US,en;q=0.8
      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3; Zoom 3.6.0)
      Content-Length: 5370
      Host: 23.226.138.161:5242
      Response
      HTTP/1.1 502 Bad Gateway
      Server: nginx
      Date: Tue, 13 Feb 2024 18:42:15 GMT
      Content-Type: text/html
      Content-Length: 552
      Connection: keep-alive
    • flag-us
      DNS
      161.138.226.23.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      161.138.226.23.in-addr.arpa
      IN PTR
      Response
      161.138.226.23.in-addr.arpa
      IN PTR
      23.226.138.161.static.quadranet.com
    • flag-us
      DNS
      19.229.111.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      19.229.111.52.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      8.173.189.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      8.173.189.20.in-addr.arpa
      IN PTR
      Response
    • 138.91.171.81:80
      104 B
      2
    • 104.129.55.105:2223
      https://104.129.55.105:2223/api/admin.users.setAdmin
      tls, http
      ctfmon.exe
      18.9kB
      5.2kB
      24
      14

      HTTP Request

      POST https://104.129.55.105:2223/api/admin.users.list

      HTTP Response

      502

      HTTP Request

      POST https://104.129.55.105:2223/api/admin.conversations.convertToPrivate

      HTTP Response

      502

      HTTP Request

      POST https://104.129.55.105:2223/api/admin.users.setAdmin

      HTTP Response

      502
    • 154.201.81.8:2967
      https://154.201.81.8:2967/api/admin.conversations.convertToPrivate
      tls, http
      ctfmon.exe
      19.1kB
      6.0kB
      28
      33

      HTTP Request

      POST https://154.201.81.8:2967/api/admin.inviteRequests.deny

      HTTP Response

      502

      HTTP Request

      POST https://154.201.81.8:2967/api/admin.inviteRequests.approve

      HTTP Response

      502

      HTTP Request

      POST https://154.201.81.8:2967/api/admin.conversations.convertToPrivate

      HTTP Response

      502
    • 86.38.225.106:2221
      https://86.38.225.106:2221/api/admin.inviteRequests.deny
      tls, http
      ctfmon.exe
      18.9kB
      5.4kB
      23
      18

      HTTP Request

      POST https://86.38.225.106:2221/api/admin.conversations.rename

      HTTP Response

      502

      HTTP Request

      POST https://86.38.225.106:2221/api/admin.conversations.convertToPrivate

      HTTP Response

      502

      HTTP Request

      POST https://86.38.225.106:2221/api/admin.inviteRequests.deny

      HTTP Response

      502
    • 37.60.242.85:9785
      https://37.60.242.85:9785/api/admin.inviteRequests.deny
      tls, http
      ctfmon.exe
      18.9kB
      5.2kB
      23
      13

      HTTP Request

      POST https://37.60.242.85:9785/api/admin.inviteRequests.deny

      HTTP Response

      502

      HTTP Request

      POST https://37.60.242.85:9785/api/admin.conversations.convertToPrivate

      HTTP Response

      502

      HTTP Request

      POST https://37.60.242.85:9785/api/admin.inviteRequests.deny

      HTTP Response

      502
    • 103.82.243.5:13785
      https://103.82.243.5:13785/api/admin.usergroups.listChannels
      tls, http
      ctfmon.exe
      18.9kB
      5.3kB
      23
      15

      HTTP Request

      POST https://103.82.243.5:13785/api/admin.inviteRequests.deny

      HTTP Response

      502

      HTTP Request

      POST https://103.82.243.5:13785/api/admin.inviteRequests.deny

      HTTP Response

      502

      HTTP Request

      POST https://103.82.243.5:13785/api/admin.usergroups.listChannels

      HTTP Response

      502
    • 108.61.78.17:13783
      https://108.61.78.17:13783/api/admin.users.list
      tls, http
      ctfmon.exe
      18.9kB
      5.2kB
      23
      16

      HTTP Request

      POST https://108.61.78.17:13783/api/admin.usergroups.removeChannels

      HTTP Response

      502

      HTTP Request

      POST https://108.61.78.17:13783/api/admin.usergroups.listChannels

      HTTP Response

      502

      HTTP Request

      POST https://108.61.78.17:13783/api/admin.users.list

      HTTP Response

      502
    • 104.156.233.235:2226
      https://104.156.233.235:2226/api/admin.teams.settings.setDiscoverability
      tls, http
      ctfmon.exe
      12.8kB
      4.3kB
      17
      11

      HTTP Request

      POST https://104.156.233.235:2226/api/admin.conversations.restrictAccess.listGroups

      HTTP Response

      502

      HTTP Request

      POST https://104.156.233.235:2226/api/admin.teams.settings.setDiscoverability

      HTTP Response

      502
    • 23.226.138.161:5242
      https://23.226.138.161:5242/api/admin.inviteRequests.deny
      tls, http
      ctfmon.exe
      12.7kB
      4.5kB
      17
      13

      HTTP Request

      POST https://23.226.138.161:5242/api/admin.usergroups.removeChannels

      HTTP Response

      502

      HTTP Request

      POST https://23.226.138.161:5242/api/admin.inviteRequests.deny

      HTTP Response

      502
    • 43.229.78.74:2226
      ctfmon.exe
      260 B
      200 B
      5
      5
    • 43.229.78.74:2226
      ctfmon.exe
      260 B
      200 B
      5
      5
    • 8.8.8.8:53
      58.55.71.13.in-addr.arpa
      dns
      70 B
      144 B
      1
      1

      DNS Request

      58.55.71.13.in-addr.arpa

    • 8.8.8.8:53
      176.178.17.96.in-addr.arpa
      dns
      72 B
      137 B
      1
      1

      DNS Request

      176.178.17.96.in-addr.arpa

    • 8.8.8.8:53
      68.159.190.20.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      68.159.190.20.in-addr.arpa

    • 8.8.8.8:53
      209.205.72.20.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      209.205.72.20.in-addr.arpa

    • 8.8.8.8:53
      97.17.167.52.in-addr.arpa
      dns
      71 B
      145 B
      1
      1

      DNS Request

      97.17.167.52.in-addr.arpa

    • 8.8.8.8:53
      105.55.129.104.in-addr.arpa
      dns
      73 B
      122 B
      1
      1

      DNS Request

      105.55.129.104.in-addr.arpa

    • 8.8.8.8:53
      157.123.68.40.in-addr.arpa
      dns
      72 B
      146 B
      1
      1

      DNS Request

      157.123.68.40.in-addr.arpa

    • 8.8.8.8:53
      18.31.95.13.in-addr.arpa
      dns
      70 B
      144 B
      1
      1

      DNS Request

      18.31.95.13.in-addr.arpa

    • 8.8.8.8:53
      240.221.184.93.in-addr.arpa
      dns
      73 B
      144 B
      1
      1

      DNS Request

      240.221.184.93.in-addr.arpa

    • 8.8.8.8:53
      23.160.77.104.in-addr.arpa
      dns
      72 B
      137 B
      1
      1

      DNS Request

      23.160.77.104.in-addr.arpa

    • 8.8.8.8:53
      8.81.201.154.in-addr.arpa
      dns
      71 B
      132 B
      1
      1

      DNS Request

      8.81.201.154.in-addr.arpa

    • 8.8.8.8:53
      106.225.38.86.in-addr.arpa
      dns
      72 B
      132 B
      1
      1

      DNS Request

      106.225.38.86.in-addr.arpa

    • 8.8.8.8:53
      85.242.60.37.in-addr.arpa
      dns
      71 B
      112 B
      1
      1

      DNS Request

      85.242.60.37.in-addr.arpa

    • 8.8.8.8:53
      5.243.82.103.in-addr.arpa
      dns
      71 B
      118 B
      1
      1

      DNS Request

      5.243.82.103.in-addr.arpa

    • 8.8.8.8:53
      17.78.61.108.in-addr.arpa
      dns
      71 B
      118 B
      1
      1

      DNS Request

      17.78.61.108.in-addr.arpa

    • 8.8.8.8:53
      235.233.156.104.in-addr.arpa
      dns
      74 B
      124 B
      1
      1

      DNS Request

      235.233.156.104.in-addr.arpa

    • 8.8.8.8:53
      161.138.226.23.in-addr.arpa
      dns
      73 B
      122 B
      1
      1

      DNS Request

      161.138.226.23.in-addr.arpa

    • 8.8.8.8:53
      19.229.111.52.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      19.229.111.52.in-addr.arpa

    • 8.8.8.8:53
      8.173.189.20.in-addr.arpa
      dns
      71 B
      157 B
      1
      1

      DNS Request

      8.173.189.20.in-addr.arpa

    Downloads

    • memory/1092-1-0x0000000000B20000-0x0000000000B38000-memory.dmp

      Filesize

      96KB

    • memory/1092-8-0x0000000000B20000-0x0000000000B38000-memory.dmp

      Filesize

      96KB

    • memory/1976-0-0x0000000002330000-0x0000000002363000-memory.dmp

      Filesize

      204KB

    • memory/1976-3-0x0000000000660000-0x0000000000673000-memory.dmp

      Filesize

      76KB

    • memory/1976-5-0x0000000002330000-0x0000000002363000-memory.dmp

      Filesize

      204KB