Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240910-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240910-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    26-09-2024 01:36

General

  • Target

    58892474694c1aff444adca37753e52b93fffce8bb98b75d488ec3df2c87b2da.exe

  • Size

    1.1MB

  • MD5

    b49edb762958e81c098b4869ba26a78c

  • SHA1

    152bda24aa1bd2b8f6eff91f214ebf1701062a7e

  • SHA256

    58892474694c1aff444adca37753e52b93fffce8bb98b75d488ec3df2c87b2da

  • SHA512

    305621b6ded9f58155036348d65f6d01891b99f9d4d5c480a973419d597a8b1e95ed33a60641df0e3025eb3e97042d73f4d2362ef70e1554bdfabcdd592e8175

  • SSDEEP

    24576:uRmJkcoQricOIQxiZY1iaCfdG8gHowXUy4b59IRGEP4gnV:7JZoQrbTFZY1iaCFGdUyC9IRGEP44

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

jd21

Decoy

Signatures

  • Formbook

    Formbook is a data-stealing malware family (information stealer).

  • Formbook payload 3 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Gathers network information 2 TTPs 1 IoCs

    Uses a command-line utility to view the network configuration.

  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 60 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of FindShellTrayWindow 7 IoCs
  • Suspicious use of SendNotifyMessage 7 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:3440
    • C:\Users\Admin\AppData\Local\Temp\58892474694c1aff444adca37753e52b93fffce8bb98b75d488ec3df2c87b2da.exe
      "C:\Users\Admin\AppData\Local\Temp\58892474694c1aff444adca37753e52b93fffce8bb98b75d488ec3df2c87b2da.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2224
      • C:\Windows\SysWOW64\svchost.exe
        "C:\Users\Admin\AppData\Local\Temp\58892474694c1aff444adca37753e52b93fffce8bb98b75d488ec3df2c87b2da.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:1412
    • C:\Windows\SysWOW64\ipconfig.exe
      "C:\Windows\SysWOW64\ipconfig.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Gathers network information
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1504
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Windows\SysWOW64\svchost.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2144

Network

  • flag-us
    DNS
    g.bing.com
    Remote address:
    8.8.8.8:53
    Request
    g.bing.com
    IN A
    Response
    g.bing.com
    IN CNAME
    g-bing-com.ax-0001.ax-msedge.net
    g-bing-com.ax-0001.ax-msedge.net
    IN CNAME
    ax-0001.ax-msedge.net
    ax-0001.ax-msedge.net
    IN A
    150.171.27.10
    ax-0001.ax-msedge.net
    IN A
    150.171.28.10
  • flag-us
    GET
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=77c00fb868044ed68c5210ae7759f922&localId=w:5A295BCA-DFF9-2E0C-2E68-966309597EF6&deviceId=6755474747387675&anid=
    Remote address:
    150.171.27.10:443
    Request
    GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=77c00fb868044ed68c5210ae7759f922&localId=w:5A295BCA-DFF9-2E0C-2E68-966309597EF6&deviceId=6755474747387675&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MUID=3E3F67117AE96550144172177B2B64C4; domain=.bing.com; expires=Tue, 21-Oct-2025 01:36:11 GMT; path=/; SameSite=None; Secure; Priority=High;
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: DA31D326A0C24FD19B193ED14030DE0D Ref B: LON601060105029 Ref C: 2024-09-26T01:36:11Z
    date: Thu, 26 Sep 2024 01:36:10 GMT
  • flag-us
    GET
    https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=77c00fb868044ed68c5210ae7759f922&localId=w:5A295BCA-DFF9-2E0C-2E68-966309597EF6&deviceId=6755474747387675&anid=
    Remote address:
    150.171.27.10:443
    Request
    GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=77c00fb868044ed68c5210ae7759f922&localId=w:5A295BCA-DFF9-2E0C-2E68-966309597EF6&deviceId=6755474747387675&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=3E3F67117AE96550144172177B2B64C4
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MSPTC=UNbFjG3PmDNqaQZ3jJu9kDKuCx3p-YLkDpLS8U70zBY; domain=.bing.com; expires=Tue, 21-Oct-2025 01:36:11 GMT; path=/; Partitioned; secure; SameSite=None
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 0C18FC1348224884B92E2D4B90226FE4 Ref B: LON601060105029 Ref C: 2024-09-26T01:36:11Z
    date: Thu, 26 Sep 2024 01:36:10 GMT
  • flag-us
    GET
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=77c00fb868044ed68c5210ae7759f922&localId=w:5A295BCA-DFF9-2E0C-2E68-966309597EF6&deviceId=6755474747387675&anid=
    Remote address:
    150.171.27.10:443
    Request
    GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=77c00fb868044ed68c5210ae7759f922&localId=w:5A295BCA-DFF9-2E0C-2E68-966309597EF6&deviceId=6755474747387675&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=3E3F67117AE96550144172177B2B64C4; MSPTC=UNbFjG3PmDNqaQZ3jJu9kDKuCx3p-YLkDpLS8U70zBY
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 7418B952F4A944989F7EC8D33E13F2AE Ref B: LON601060105029 Ref C: 2024-09-26T01:36:11Z
    date: Thu, 26 Sep 2024 01:36:10 GMT
  • flag-us
    DNS
    209.205.72.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    209.205.72.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    20.160.190.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    20.160.190.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    10.27.171.150.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    10.27.171.150.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    0.204.248.87.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    0.204.248.87.in-addr.arpa
    IN PTR
    Response
    0.204.248.87.in-addr.arpa
    IN PTR
    https-87-248-204-0.lhr.llnw.net
  • flag-us
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    88.156.103.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    88.156.103.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    tse1.mm.bing.net
    Remote address:
    8.8.8.8:53
    Request
    tse1.mm.bing.net
    IN A
    Response
    tse1.mm.bing.net
    IN CNAME
    mm-mm.bing.net.trafficmanager.net
    mm-mm.bing.net.trafficmanager.net
    IN CNAME
    ax-0001.ax-msedge.net
    ax-0001.ax-msedge.net
    IN A
    150.171.27.10
    ax-0001.ax-msedge.net
    IN A
    150.171.28.10
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239340418603_15DZPLB0SHJXVDM66&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
    Remote address:
    150.171.27.10:443
    Request
    GET /th?id=OADD2.10239340418603_15DZPLB0SHJXVDM66&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 820704
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 57FB0FEB03A3478E8EEFA4AEBB1B8A26 Ref B: LON601060101029 Ref C: 2024-09-26T01:36:15Z
    date: Thu, 26 Sep 2024 01:36:14 GMT
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239339388117_1JB6V9WCFP6PY54M9&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
    Remote address:
    150.171.27.10:443
    Request
    GET /th?id=OADD2.10239339388117_1JB6V9WCFP6PY54M9&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 707951
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: D89F447616C14880A0D106AEB1C17789 Ref B: LON601060101029 Ref C: 2024-09-26T01:36:15Z
    date: Thu, 26 Sep 2024 01:36:14 GMT
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239340418604_1C96RL77YFK8DKA16&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
    Remote address:
    150.171.27.10:443
    Request
    GET /th?id=OADD2.10239340418604_1C96RL77YFK8DKA16&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 588459
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 73A69E7374AC409E8099E240C1F7AAF0 Ref B: LON601060101029 Ref C: 2024-09-26T01:36:15Z
    date: Thu, 26 Sep 2024 01:36:14 GMT
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239317300971_1O5B0F861TRRZWX2T&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
    Remote address:
    150.171.27.10:443
    Request
    GET /th?id=OADD2.10239317300971_1O5B0F861TRRZWX2T&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 780608
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: FB006E9D59C2427D87024C964CDD5949 Ref B: LON601060101029 Ref C: 2024-09-26T01:36:15Z
    date: Thu, 26 Sep 2024 01:36:14 GMT
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239339388118_1MQFN52AS0USJY79P&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
    Remote address:
    150.171.27.10:443
    Request
    GET /th?id=OADD2.10239339388118_1MQFN52AS0USJY79P&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 522433
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: C6D867BE42024215B934B384B013867F Ref B: LON601060101029 Ref C: 2024-09-26T01:36:15Z
    date: Thu, 26 Sep 2024 01:36:14 GMT
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239317301404_13LUGLF1IFM9LJZ63&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
    Remote address:
    150.171.27.10:443
    Request
    GET /th?id=OADD2.10239317301404_13LUGLF1IFM9LJZ63&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 731540
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: C6362AFA12A3456E811B6E9CFA028BBE Ref B: LON601060101029 Ref C: 2024-09-26T01:36:15Z
    date: Thu, 26 Sep 2024 01:36:14 GMT
  • flag-us
    DNS
    183.59.114.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    183.59.114.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    206.23.85.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    206.23.85.13.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    www.weight-loss-003.today
    Remote address:
    8.8.8.8:53
    Request
    www.weight-loss-003.today
    IN A
    Response
    www.weight-loss-003.today
    IN A
    172.67.155.61
    www.weight-loss-003.today
    IN A
    104.21.74.48
  • flag-us
    GET
    http://www.weight-loss-003.today/jd21/?adlLiZ=8QhlJgbxYyNJNjzU4u/NO/QAEgywgMMp9yv6yRtWAY1NzG57DnL+pjMXQfZ+yWpmN6ip&MH8peB=QT90DrPPg6mD0n
    Explorer.EXE
    Remote address:
    172.67.155.61:80
    Request
    GET /jd21/?adlLiZ=8QhlJgbxYyNJNjzU4u/NO/QAEgywgMMp9yv6yRtWAY1NzG57DnL+pjMXQfZ+yWpmN6ip&MH8peB=QT90DrPPg6mD0n HTTP/1.1
    Host: www.weight-loss-003.today
    Connection: close
    Response
    HTTP/1.1 301 Moved Permanently
    Date: Thu, 26 Sep 2024 01:36:57 GMT
    Content-Type: text/html
    Content-Length: 167
    Connection: close
    Cache-Control: max-age=3600
    Expires: Thu, 26 Sep 2024 02:36:57 GMT
    Location: https://www.weight-loss-003.today/jd21/?adlLiZ=8QhlJgbxYyNJNjzU4u/NO/QAEgywgMMp9yv6yRtWAY1NzG57DnL+pjMXQfZ+yWpmN6ip&MH8peB=QT90DrPPg6mD0n
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=v9f9qg0q7dl%2FFeYJClkBHTVLyP6ZqpJ6%2F8FLoyx%2BkWuwgOaRZxys79rTPikHBXthjB27L0eVaihT06IVeCdiOYqCFZr%2FgIXb0qleC%2B%2BRUzFnh1DF2MIe3MK9ha1w%2BrW9LFRVi9AL3r%2FSKt4o"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Speculation-Rules: "/cdn-cgi/speculation"
    Server: cloudflare
    CF-RAY: 8c8f86a8dc834195-LHR
  • flag-us
    DNS
    61.155.67.172.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    61.155.67.172.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    83.210.23.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    83.210.23.2.in-addr.arpa
    IN PTR
    Response
    83.210.23.2.in-addr.arpa
    IN PTR
    a2-23-210-83.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    www.truck-driver-jobs-42274.bond
    Remote address:
    8.8.8.8:53
    Request
    www.truck-driver-jobs-42274.bond
    IN A
    Response
    www.truck-driver-jobs-42274.bond
    IN A
    185.53.179.94
  • flag-de
    GET
    http://www.truck-driver-jobs-42274.bond/jd21/?adlLiZ=h/JlaIWCBxdvjJ1zGE1SIOjOsB0hQSCBnB7tCcyFg5Wgl64gsBdXGKCmQD0dtoATWhHb&MH8peB=QT90DrPPg6mD0n
    Explorer.EXE
    Remote address:
    185.53.179.94:80
    Request
    GET /jd21/?adlLiZ=h/JlaIWCBxdvjJ1zGE1SIOjOsB0hQSCBnB7tCcyFg5Wgl64gsBdXGKCmQD0dtoATWhHb&MH8peB=QT90DrPPg6mD0n HTTP/1.1
    Host: www.truck-driver-jobs-42274.bond
    Connection: close
    Response
    HTTP/1.1 403 Forbidden
    Server: nginx
    Date: Thu, 26 Sep 2024 01:37:16 GMT
    Content-Type: text/html
    Content-Length: 146
    Connection: close
  • flag-us
    DNS
    94.179.53.185.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    94.179.53.185.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    www.hearing-aids-77773.bond
    Remote address:
    8.8.8.8:53
    Request
    www.hearing-aids-77773.bond
    IN A
    Response
    www.hearing-aids-77773.bond
    IN A
    185.53.179.90
  • flag-de
    GET
    http://www.hearing-aids-77773.bond/jd21/?adlLiZ=sy3ADqWngqEGbo+AFfFjFjkr1qsQLpxEsuJW71JaeNlHwjqGmJp99EOQw+BzyWafYTcW&MH8peB=QT90DrPPg6mD0n
    Explorer.EXE
    Remote address:
    185.53.179.90:80
    Request
    GET /jd21/?adlLiZ=sy3ADqWngqEGbo+AFfFjFjkr1qsQLpxEsuJW71JaeNlHwjqGmJp99EOQw+BzyWafYTcW&MH8peB=QT90DrPPg6mD0n HTTP/1.1
    Host: www.hearing-aids-77773.bond
    Connection: close
    Response
    HTTP/1.1 403 Forbidden
    Server: nginx
    Date: Thu, 26 Sep 2024 01:37:36 GMT
    Content-Type: text/html
    Content-Length: 146
    Connection: close
  • flag-us
    DNS
    90.179.53.185.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    90.179.53.185.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    58.99.105.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    58.99.105.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    www.45941978.top
    Remote address:
    8.8.8.8:53
    Request
    www.45941978.top
    IN A
    Response
  • flag-us
    DNS
    www.macexpress.online
    Remote address:
    8.8.8.8:53
    Request
    www.macexpress.online
    IN A
    Response
    www.macexpress.online
    IN A
    98.124.224.17
  • flag-us
    GET
    http://www.macexpress.online/jd21/?adlLiZ=WYyUdeM2CLA2BgR1DbiDUCSW3ORcq+/wAEWeUCh59rawXZxryb4FzUSZ+05zllnMjQNi&MH8peB=QT90DrPPg6mD0n
    Explorer.EXE
    Remote address:
    98.124.224.17:80
    Request
    GET /jd21/?adlLiZ=WYyUdeM2CLA2BgR1DbiDUCSW3ORcq+/wAEWeUCh59rawXZxryb4FzUSZ+05zllnMjQNi&MH8peB=QT90DrPPg6mD0n HTTP/1.1
    Host: www.macexpress.online
    Connection: close
    Response
    HTTP/1.1 404 Not Found
    Content-Type: text/html
    Server: Microsoft-IIS/10.0
    X-Powered-By: ASP.NET
    X-Frame-Options: SAMEORIGIN
    Date: Thu, 26 Sep 2024 01:38:16 GMT
    Connection: close
    Content-Length: 1245
  • flag-us
    DNS
    17.224.124.98.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    17.224.124.98.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    www.defi-banksystem.online
    Remote address:
    8.8.8.8:53
    Request
    www.defi-banksystem.online
    IN A
    Response
    www.defi-banksystem.online
    IN A
    89.31.143.90
  • flag-de
    GET
    http://www.defi-banksystem.online/jd21/?adlLiZ=OfBw10hx0SCl2zzkLyg7DTf/L6lD4iBR/skVq0WtSp6vFrxfDc86zYTahstzReTsBsgG&MH8peB=QT90DrPPg6mD0n
    Explorer.EXE
    Remote address:
    89.31.143.90:80
    Request
    GET /jd21/?adlLiZ=OfBw10hx0SCl2zzkLyg7DTf/L6lD4iBR/skVq0WtSp6vFrxfDc86zYTahstzReTsBsgG&MH8peB=QT90DrPPg6mD0n HTTP/1.1
    Host: www.defi-banksystem.online
    Connection: close
    Response
    HTTP/1.1 200 OK
    Date: Thu, 26 Sep 2024 01:38:37 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: close
    Server: UD Webspace 3.2
  • flag-us
    DNS
    90.143.31.89.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    90.143.31.89.in-addr.arpa
    IN PTR
    Response
  • 150.171.27.10:443
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=77c00fb868044ed68c5210ae7759f922&localId=w:5A295BCA-DFF9-2E0C-2E68-966309597EF6&deviceId=6755474747387675&anid=
    tls, http2
    2.0kB
    9.4kB
    22
    19

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=77c00fb868044ed68c5210ae7759f922&localId=w:5A295BCA-DFF9-2E0C-2E68-966309597EF6&deviceId=6755474747387675&anid=

    HTTP Response

    204

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=77c00fb868044ed68c5210ae7759f922&localId=w:5A295BCA-DFF9-2E0C-2E68-966309597EF6&deviceId=6755474747387675&anid=

    HTTP Response

    204

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=77c00fb868044ed68c5210ae7759f922&localId=w:5A295BCA-DFF9-2E0C-2E68-966309597EF6&deviceId=6755474747387675&anid=

    HTTP Response

    204
  • 150.171.27.10:443
    tse1.mm.bing.net
    tls, http2
    1.2kB
    6.9kB
    15
    12
  • 150.171.27.10:443
    https://tse1.mm.bing.net/th?id=OADD2.10239317301404_13LUGLF1IFM9LJZ63&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
    tls, http2
    149.0kB
    4.3MB
    3124
    3122

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239340418603_15DZPLB0SHJXVDM66&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239339388117_1JB6V9WCFP6PY54M9&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239340418604_1C96RL77YFK8DKA16&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239317300971_1O5B0F861TRRZWX2T&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239339388118_1MQFN52AS0USJY79P&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

    HTTP Response

    200

    HTTP Response

    200

    HTTP Response

    200

    HTTP Response

    200

    HTTP Response

    200

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239317301404_13LUGLF1IFM9LJZ63&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

    HTTP Response

    200
  • 150.171.27.10:443
    tse1.mm.bing.net
    tls, http2
    1.2kB
    6.9kB
    15
    13
  • 150.171.27.10:443
    tse1.mm.bing.net
    tls, http2
    1.2kB
    6.9kB
    15
    13
  • 150.171.27.10:443
    tse1.mm.bing.net
    tls, http2
    1.2kB
    6.9kB
    15
    13
  • 172.67.155.61:80
    http://www.weight-loss-003.today/jd21/?adlLiZ=8QhlJgbxYyNJNjzU4u/NO/QAEgywgMMp9yv6yRtWAY1NzG57DnL+pjMXQfZ+yWpmN6ip&MH8peB=QT90DrPPg6mD0n
    http
    Explorer.EXE
    410 B
    1.2kB
    5
    5

    HTTP Request

    GET http://www.weight-loss-003.today/jd21/?adlLiZ=8QhlJgbxYyNJNjzU4u/NO/QAEgywgMMp9yv6yRtWAY1NzG57DnL+pjMXQfZ+yWpmN6ip&MH8peB=QT90DrPPg6mD0n

    HTTP Response

    301
  • 185.53.179.94:80
    http://www.truck-driver-jobs-42274.bond/jd21/?adlLiZ=h/JlaIWCBxdvjJ1zGE1SIOjOsB0hQSCBnB7tCcyFg5Wgl64gsBdXGKCmQD0dtoATWhHb&MH8peB=QT90DrPPg6mD0n
    http
    Explorer.EXE
    417 B
    533 B
    5
    6

    HTTP Request

    GET http://www.truck-driver-jobs-42274.bond/jd21/?adlLiZ=h/JlaIWCBxdvjJ1zGE1SIOjOsB0hQSCBnB7tCcyFg5Wgl64gsBdXGKCmQD0dtoATWhHb&MH8peB=QT90DrPPg6mD0n

    HTTP Response

    403
  • 185.53.179.90:80
    http://www.hearing-aids-77773.bond/jd21/?adlLiZ=sy3ADqWngqEGbo+AFfFjFjkr1qsQLpxEsuJW71JaeNlHwjqGmJp99EOQw+BzyWafYTcW&MH8peB=QT90DrPPg6mD0n
    http
    Explorer.EXE
    412 B
    533 B
    5
    6

    HTTP Request

    GET http://www.hearing-aids-77773.bond/jd21/?adlLiZ=sy3ADqWngqEGbo+AFfFjFjkr1qsQLpxEsuJW71JaeNlHwjqGmJp99EOQw+BzyWafYTcW&MH8peB=QT90DrPPg6mD0n

    HTTP Response

    403
  • 98.124.224.17:80
    http://www.macexpress.online/jd21/?adlLiZ=WYyUdeM2CLA2BgR1DbiDUCSW3ORcq+/wAEWeUCh59rawXZxryb4FzUSZ+05zllnMjQNi&MH8peB=QT90DrPPg6mD0n
    http
    Explorer.EXE
    452 B
    1.6kB
    6
    4

    HTTP Request

    GET http://www.macexpress.online/jd21/?adlLiZ=WYyUdeM2CLA2BgR1DbiDUCSW3ORcq+/wAEWeUCh59rawXZxryb4FzUSZ+05zllnMjQNi&MH8peB=QT90DrPPg6mD0n

    HTTP Response

    404
  • 89.31.143.90:80
    http://www.defi-banksystem.online/jd21/?adlLiZ=OfBw10hx0SCl2zzkLyg7DTf/L6lD4iBR/skVq0WtSp6vFrxfDc86zYTahstzReTsBsgG&MH8peB=QT90DrPPg6mD0n
    http
    Explorer.EXE
    549 B
    7.1kB
    8
    8

    HTTP Request

    GET http://www.defi-banksystem.online/jd21/?adlLiZ=OfBw10hx0SCl2zzkLyg7DTf/L6lD4iBR/skVq0WtSp6vFrxfDc86zYTahstzReTsBsgG&MH8peB=QT90DrPPg6mD0n

    HTTP Response

    200
  • 8.8.8.8:53
    g.bing.com
    dns
    56 B
    148 B
    1
    1

    DNS Request

    g.bing.com

    DNS Response

    150.171.27.10
    150.171.28.10

  • 8.8.8.8:53
    209.205.72.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    209.205.72.20.in-addr.arpa

  • 8.8.8.8:53
    20.160.190.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    20.160.190.20.in-addr.arpa

  • 8.8.8.8:53
    10.27.171.150.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    10.27.171.150.in-addr.arpa

  • 8.8.8.8:53
    0.204.248.87.in-addr.arpa
    dns
    71 B
    116 B
    1
    1

    DNS Request

    0.204.248.87.in-addr.arpa

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    73 B
    144 B
    1
    1

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    88.156.103.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    88.156.103.20.in-addr.arpa

  • 8.8.8.8:53
    tse1.mm.bing.net
    dns
    62 B
    170 B
    1
    1

    DNS Request

    tse1.mm.bing.net

    DNS Response

    150.171.27.10
    150.171.28.10

  • 8.8.8.8:53
    183.59.114.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    183.59.114.20.in-addr.arpa

  • 8.8.8.8:53
    206.23.85.13.in-addr.arpa
    dns
    71 B
    145 B
    1
    1

    DNS Request

    206.23.85.13.in-addr.arpa

  • 8.8.8.8:53
    www.weight-loss-003.today
    dns
    71 B
    103 B
    1
    1

    DNS Request

    www.weight-loss-003.today

    DNS Response

    172.67.155.61
    104.21.74.48

  • 8.8.8.8:53
    61.155.67.172.in-addr.arpa
    dns
    72 B
    134 B
    1
    1

    DNS Request

    61.155.67.172.in-addr.arpa

  • 8.8.8.8:53
    83.210.23.2.in-addr.arpa
    dns
    70 B
    133 B
    1
    1

    DNS Request

    83.210.23.2.in-addr.arpa

  • 8.8.8.8:53
    www.truck-driver-jobs-42274.bond
    dns
    78 B
    94 B
    1
    1

    DNS Request

    www.truck-driver-jobs-42274.bond

    DNS Response

    185.53.179.94

  • 8.8.8.8:53
    94.179.53.185.in-addr.arpa
    dns
    72 B
    150 B
    1
    1

    DNS Request

    94.179.53.185.in-addr.arpa

  • 8.8.8.8:53
    www.hearing-aids-77773.bond
    dns
    73 B
    89 B
    1
    1

    DNS Request

    www.hearing-aids-77773.bond

    DNS Response

    185.53.179.90

  • 8.8.8.8:53
    90.179.53.185.in-addr.arpa
    dns
    72 B
    150 B
    1
    1

    DNS Request

    90.179.53.185.in-addr.arpa

  • 8.8.8.8:53
    58.99.105.20.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    58.99.105.20.in-addr.arpa

  • 8.8.8.8:53
    www.45941978.top
    dns
    62 B
    118 B
    1
    1

    DNS Request

    www.45941978.top

  • 8.8.8.8:53
    www.macexpress.online
    dns
    67 B
    83 B
    1
    1

    DNS Request

    www.macexpress.online

    DNS Response

    98.124.224.17

  • 8.8.8.8:53
    17.224.124.98.in-addr.arpa
    dns
    72 B
    131 B
    1
    1

    DNS Request

    17.224.124.98.in-addr.arpa

  • 8.8.8.8:53
    www.defi-banksystem.online
    dns
    72 B
    88 B
    1
    1

    DNS Request

    www.defi-banksystem.online

    DNS Response

    89.31.143.90

  • 8.8.8.8:53
    90.143.31.89.in-addr.arpa
    dns
    71 B
    143 B
    1
    1

    DNS Request

    90.143.31.89.in-addr.arpa

MITRE ATT&CK Enterprise v15

Downloads

  • memory/1412-7-0x0000000001A80000-0x0000000001A95000-memory.dmp

    Filesize

    84KB

  • memory/1412-3-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/1412-4-0x0000000001B00000-0x0000000001E4A000-memory.dmp

    Filesize

    3.3MB

  • memory/1412-6-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/1504-9-0x00000000002D0000-0x00000000002DB000-memory.dmp

    Filesize

    44KB

  • memory/1504-10-0x00000000002D0000-0x00000000002DB000-memory.dmp

    Filesize

    44KB

  • memory/1504-11-0x0000000000730000-0x000000000075F000-memory.dmp

    Filesize

    188KB

  • memory/2224-2-0x0000000004040000-0x0000000004240000-memory.dmp

    Filesize

    2.0MB

  • memory/3440-8-0x0000000008590000-0x000000000865C000-memory.dmp

    Filesize

    816KB

  • memory/3440-12-0x0000000008590000-0x000000000865C000-memory.dmp

    Filesize

    816KB

  • memory/3440-16-0x0000000008A90000-0x0000000008B84000-memory.dmp

    Filesize

    976KB

  • memory/3440-17-0x0000000008A90000-0x0000000008B84000-memory.dmp

    Filesize

    976KB

  • memory/3440-19-0x0000000008A90000-0x0000000008B84000-memory.dmp

    Filesize

    976KB
