Analysis

  • max time kernel
    94s
  • max time network
    98s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    12/10/2024, 02:37 UTC

General

  • Target

    1fbed394ea4b77f0e1911abf8e2a12b8b098522dd537e77d06831e569768f03cN.exe

  • Size

    183KB

  • MD5

    ab4a1b6423ebbc2637cae2a6a8573560

  • SHA1

    56a59803a73d3903feb0760319af1c7bca410663

  • SHA256

    1fbed394ea4b77f0e1911abf8e2a12b8b098522dd537e77d06831e569768f03c

  • SHA512

    10db67ac209b5f27324289ea45c2f207f2ba64a92c45c0e942a9e23060281c6193e6ed3ed3c7b2b0f189a99168239112d19fb1e327878fd0babebcb6df16924b

  • SSDEEP

    3072:sr85Cei1+1W4satQR+Gu6Je9eSduw+c0B8DApefjWLB8DApf7C2o:k9l+WDMWJR8D7g8De7C

Malware Config

Signatures

  • Detect Neshta payload 4 IoCs
  • Neshta

    Malware from the Neshta family is a file infector: it injects itself into other executable files in order to spread and cause damage.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Modifies system executable filetype association 2 TTPs 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Modifies registry class 1 IoCs
  • Modifies system certificate store 2 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1fbed394ea4b77f0e1911abf8e2a12b8b098522dd537e77d06831e569768f03cN.exe
    "C:\Users\Admin\AppData\Local\Temp\1fbed394ea4b77f0e1911abf8e2a12b8b098522dd537e77d06831e569768f03cN.exe"
    1⤵
    • Checks computer location settings
    • Modifies system executable filetype association
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:3576
    • C:\Users\Admin\AppData\Local\Temp\3582-490\1fbed394ea4b77f0e1911abf8e2a12b8b098522dd537e77d06831e569768f03cN.exe
      "C:\Users\Admin\AppData\Local\Temp\3582-490\1fbed394ea4b77f0e1911abf8e2a12b8b098522dd537e77d06831e569768f03cN.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Modifies system certificate store
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4500
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        dw20.exe -x -s 1512
        3⤵
        • System Location Discovery: System Language Discovery
        • Checks processor information in registry
        • Enumerates system info in registry
        • Suspicious use of AdjustPrivilegeToken
        PID:2776

Network

  • flag-us
    DNS
    t2.symcb.com
    1fbed394ea4b77f0e1911abf8e2a12b8b098522dd537e77d06831e569768f03cN.exe
    Remote address:
    8.8.8.8:53
    Request
    t2.symcb.com
    IN A
    Response
    t2.symcb.com
    IN CNAME
    mpki-ocsp.digicert.com
    mpki-ocsp.digicert.com
    IN CNAME
    fp3011.wpc.2be4.phicdn.net
    fp3011.wpc.2be4.phicdn.net
    IN CNAME
    fp3011.wpc.phicdn.net
    fp3011.wpc.phicdn.net
    IN A
    152.199.19.74
  • flag-us
    DNS
    8.8.8.8.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    8.8.8.8.in-addr.arpa
    IN PTR
    Response
    8.8.8.8.in-addr.arpa
    IN PTR
    dns.google
  • flag-us
    DNS
    172.214.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.214.232.199.in-addr.arpa
    IN PTR
    Response
  • flag-de
    GET
    http://t2.symcb.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQwF4prw9S7mCbCEHD%2Fyl6nWPkczAQUe1tFz6%2FOy3r9MZIaarbzRutXSFACEHGgtzaV3bGvwjsrmhjuVMs%3D
    1fbed394ea4b77f0e1911abf8e2a12b8b098522dd537e77d06831e569768f03cN.exe
    Remote address:
    152.199.19.74:80
    Request
    GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBQwF4prw9S7mCbCEHD%2Fyl6nWPkczAQUe1tFz6%2FOy3r9MZIaarbzRutXSFACEHGgtzaV3bGvwjsrmhjuVMs%3D HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Microsoft-CryptoAPI/10.0
    Host: t2.symcb.com
    Response
    HTTP/1.1 200 OK
    Accept-Ranges: bytes
    Age: 3227
    Cache-Control: public, max-age=300
    Content-Type: application/ocsp-response
    Date: Sat, 12 Oct 2024 02:37:10 GMT
    Last-Modified: Sat, 12 Oct 2024 01:43:23 GMT
    Server: ECAcc (frc/4CF9)
    X-Cache: HIT
    X-Content-Type-Options: nosniff
    X-Frame-Options: SAMEORIGIN
    X-XSS-Protection: 1; mode=block
    Content-Length: 5
  • flag-de
    GET
    http://t2.symcb.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQwF4prw9S7mCbCEHD%2Fyl6nWPkczAQUe1tFz6%2FOy3r9MZIaarbzRutXSFACEHGgtzaV3bGvwjsrmhjuVMs%3D
    1fbed394ea4b77f0e1911abf8e2a12b8b098522dd537e77d06831e569768f03cN.exe
    Remote address:
    152.199.19.74:80
    Request
    GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBQwF4prw9S7mCbCEHD%2Fyl6nWPkczAQUe1tFz6%2FOy3r9MZIaarbzRutXSFACEHGgtzaV3bGvwjsrmhjuVMs%3D HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Accept: */*
    User-Agent: Microsoft-CryptoAPI/10.0
    Host: t2.symcb.com
    Response
    HTTP/1.1 200 OK
    Accept-Ranges: bytes
    Age: 3227
    Cache-Control: public, max-age=300
    Content-Type: application/ocsp-response
    Date: Sat, 12 Oct 2024 02:37:10 GMT
    Last-Modified: Sat, 12 Oct 2024 01:43:23 GMT
    Server: ECAcc (frc/4CF9)
    X-Cache: HIT
    X-Content-Type-Options: nosniff
    X-Frame-Options: SAMEORIGIN
    X-XSS-Protection: 1; mode=block
    Content-Length: 5
  • flag-us
    DNS
    t1.symcb.com
    1fbed394ea4b77f0e1911abf8e2a12b8b098522dd537e77d06831e569768f03cN.exe
    Remote address:
    8.8.8.8:53
    Request
    t1.symcb.com
    IN A
    Response
    t1.symcb.com
    IN CNAME
    crl-symcprod.digicert.com
    crl-symcprod.digicert.com
    IN CNAME
    crl.edge.digicert.com
    crl.edge.digicert.com
    IN CNAME
    fp2e7a.wpc.2be4.phicdn.net
    fp2e7a.wpc.2be4.phicdn.net
    IN CNAME
    fp2e7a.wpc.phicdn.net
    fp2e7a.wpc.phicdn.net
    IN A
    192.229.221.95
  • flag-se
    GET
    http://t1.symcb.com/ThawtePCA.crl
    1fbed394ea4b77f0e1911abf8e2a12b8b098522dd537e77d06831e569768f03cN.exe
    Remote address:
    192.229.221.95:80
    Request
    GET /ThawtePCA.crl HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Microsoft-CryptoAPI/10.0
    Host: t1.symcb.com
    Response
    HTTP/1.1 200 OK
    Accept-Ranges: bytes
    Age: 3228
    Cache-Control: public, max-age=3600
    Content-Type: application/pkix-crl
    Date: Sat, 12 Oct 2024 02:37:10 GMT
    Last-Modified: Sat, 12 Oct 2024 01:43:22 GMT
    Server: ECAcc (frc/4CF5)
    X-Cache: HIT
    X-Content-Type-Options: nosniff
    X-Frame-Options: SAMEORIGIN
    X-XSS-Protection: 1; mode=block
    Content-Length: 604
  • flag-us
    DNS
    tl.symcd.com
    1fbed394ea4b77f0e1911abf8e2a12b8b098522dd537e77d06831e569768f03cN.exe
    Remote address:
    8.8.8.8:53
    Request
    tl.symcd.com
    IN A
    Response
    tl.symcd.com
    IN CNAME
    mpki-ocsp.digicert.com
    mpki-ocsp.digicert.com
    IN CNAME
    fp3011.wpc.2be4.phicdn.net
    fp3011.wpc.2be4.phicdn.net
    IN CNAME
    fp3011.wpc.phicdn.net
    fp3011.wpc.phicdn.net
    IN A
    152.199.19.74
  • flag-de
    GET
    http://tl.symcd.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSFBjxN%2BWY73bfUnSOp7HDKJ%2Fbx0wQUV4abVLi%2BpimK5PbC4hMYiYXN3LcCEGY6K1kkmjfjHY31QY9%2Fi3Y%3D
    1fbed394ea4b77f0e1911abf8e2a12b8b098522dd537e77d06831e569768f03cN.exe
    Remote address:
    152.199.19.74:80
    Request
    GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSFBjxN%2BWY73bfUnSOp7HDKJ%2Fbx0wQUV4abVLi%2BpimK5PbC4hMYiYXN3LcCEGY6K1kkmjfjHY31QY9%2Fi3Y%3D HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Microsoft-CryptoAPI/10.0
    Host: tl.symcd.com
    Response
    HTTP/1.1 200 OK
    Accept-Ranges: bytes
    Age: 0
    Cache-Control: public, max-age=300
    Content-Type: application/ocsp-response
    Date: Sat, 12 Oct 2024 02:37:10 GMT
    Last-Modified: Sat, 12 Oct 2024 02:37:10 GMT
    Server: ECAcc (frc/4D0C)
    X-Content-Type-Options: nosniff
    X-Frame-Options: SAMEORIGIN
    X-XSS-Protection: 1; mode=block
    Content-Length: 5
  • flag-de
    GET
    http://tl.symcd.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSFBjxN%2BWY73bfUnSOp7HDKJ%2Fbx0wQUV4abVLi%2BpimK5PbC4hMYiYXN3LcCEGY6K1kkmjfjHY31QY9%2Fi3Y%3D
    1fbed394ea4b77f0e1911abf8e2a12b8b098522dd537e77d06831e569768f03cN.exe
    Remote address:
    152.199.19.74:80
    Request
    GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSFBjxN%2BWY73bfUnSOp7HDKJ%2Fbx0wQUV4abVLi%2BpimK5PbC4hMYiYXN3LcCEGY6K1kkmjfjHY31QY9%2Fi3Y%3D HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Accept: */*
    User-Agent: Microsoft-CryptoAPI/10.0
    Host: tl.symcd.com
    Response
    HTTP/1.1 200 OK
    Accept-Ranges: bytes
    Age: 0
    Cache-Control: public, max-age=300
    Content-Type: application/ocsp-response
    Date: Sat, 12 Oct 2024 02:37:10 GMT
    Last-Modified: Sat, 12 Oct 2024 02:37:10 GMT
    Server: ECAcc (frc/4D0C)
    X-Cache: HIT
    X-Content-Type-Options: nosniff
    X-Frame-Options: SAMEORIGIN
    X-XSS-Protection: 1; mode=block
    Content-Length: 5
  • flag-us
    DNS
    g.bing.com
    Remote address:
    8.8.8.8:53
    Request
    g.bing.com
    IN A
    Response
    g.bing.com
    IN CNAME
    g-bing-com.ax-0001.ax-msedge.net
    g-bing-com.ax-0001.ax-msedge.net
    IN CNAME
    ax-0001.ax-msedge.net
    ax-0001.ax-msedge.net
    IN A
    150.171.28.10
    ax-0001.ax-msedge.net
    IN A
    150.171.27.10
  • flag-us
    GET
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=a2d507f8600c4302b1cad9168d83f481&localId=w:0C449796-1E55-FEFD-C5A5-A0B044A63D2B&deviceId=6896208601980624&anid=
    Remote address:
    150.171.28.10:443
    Request
    GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=a2d507f8600c4302b1cad9168d83f481&localId=w:0C449796-1E55-FEFD-C5A5-A0B044A63D2B&deviceId=6896208601980624&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MUID=098C64A4B7B06ACD182F71B2B6726B13; domain=.bing.com; expires=Thu, 06-Nov-2025 02:37:10 GMT; path=/; SameSite=None; Secure; Priority=High;
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 603136EBEC7947CE9E07E791DC5C9AE8 Ref B: LON601060105036 Ref C: 2024-10-12T02:37:10Z
    date: Sat, 12 Oct 2024 02:37:10 GMT
  • flag-us
    GET
    https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=a2d507f8600c4302b1cad9168d83f481&localId=w:0C449796-1E55-FEFD-C5A5-A0B044A63D2B&deviceId=6896208601980624&anid=
    Remote address:
    150.171.28.10:443
    Request
    GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=a2d507f8600c4302b1cad9168d83f481&localId=w:0C449796-1E55-FEFD-C5A5-A0B044A63D2B&deviceId=6896208601980624&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=098C64A4B7B06ACD182F71B2B6726B13
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MSPTC=frRtA_KQlQxW-HmuQiYA3dBR8rciNtWm6QgU3z3dwUE; domain=.bing.com; expires=Thu, 06-Nov-2025 02:37:10 GMT; path=/; Partitioned; secure; SameSite=None
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: C40E4A687C2D46AE8CF72DCA09A63143 Ref B: LON601060105036 Ref C: 2024-10-12T02:37:10Z
    date: Sat, 12 Oct 2024 02:37:10 GMT
  • flag-us
    GET
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=a2d507f8600c4302b1cad9168d83f481&localId=w:0C449796-1E55-FEFD-C5A5-A0B044A63D2B&deviceId=6896208601980624&anid=
    Remote address:
    150.171.28.10:443
    Request
    GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=a2d507f8600c4302b1cad9168d83f481&localId=w:0C449796-1E55-FEFD-C5A5-A0B044A63D2B&deviceId=6896208601980624&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=098C64A4B7B06ACD182F71B2B6726B13; MSPTC=frRtA_KQlQxW-HmuQiYA3dBR8rciNtWm6QgU3z3dwUE
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: A0233D40DD4E41AD8F8318C9D02A2A25 Ref B: LON601060105036 Ref C: 2024-10-12T02:37:11Z
    date: Sat, 12 Oct 2024 02:37:10 GMT
  • flag-us
    DNS
    tl.symcb.com
    1fbed394ea4b77f0e1911abf8e2a12b8b098522dd537e77d06831e569768f03cN.exe
    Remote address:
    8.8.8.8:53
    Request
    tl.symcb.com
    IN A
    Response
    tl.symcb.com
    IN CNAME
    crl-symcprod.digicert.com
    crl-symcprod.digicert.com
    IN CNAME
    crl.edge.digicert.com
    crl.edge.digicert.com
    IN CNAME
    fp2e7a.wpc.2be4.phicdn.net
    fp2e7a.wpc.2be4.phicdn.net
    IN CNAME
    fp2e7a.wpc.phicdn.net
    fp2e7a.wpc.phicdn.net
    IN A
    192.229.221.95
  • flag-se
    GET
    http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D
    Remote address:
    192.229.221.95:80
    Request
    GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Microsoft-CryptoAPI/10.0
    Host: ocsp.digicert.com
    Response
    HTTP/1.1 200 OK
    Accept-Ranges: bytes
    Age: 589
    Cache-Control: max-age=7200
    Content-Type: application/ocsp-response
    Date: Sat, 12 Oct 2024 02:37:10 GMT
    Last-Modified: Sat, 12 Oct 2024 02:27:21 GMT
    Server: ECAcc (frc/4D05)
    X-Cache: HIT
    Content-Length: 471
  • flag-se
    GET
    http://tl.symcb.com/tl.crl
    1fbed394ea4b77f0e1911abf8e2a12b8b098522dd537e77d06831e569768f03cN.exe
    Remote address:
    192.229.221.95:80
    Request
    GET /tl.crl HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Microsoft-CryptoAPI/10.0
    Host: tl.symcb.com
    Response
    HTTP/1.1 200 OK
    Accept-Ranges: bytes
    Age: 3204
    Cache-Control: public, max-age=3600
    Content-Type: application/pkix-crl
    Date: Sat, 12 Oct 2024 02:37:10 GMT
    Last-Modified: Sat, 12 Oct 2024 01:43:46 GMT
    Server: ECAcc (frc/4CE6)
    X-Cache: HIT
    X-Content-Type-Options: nosniff
    X-Frame-Options: SAMEORIGIN
    X-XSS-Protection: 1; mode=block
    Content-Length: 90682
  • flag-us
    DNS
    74.19.199.152.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    74.19.199.152.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    73.159.190.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    73.159.190.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    10.28.171.150.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    10.28.171.150.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    88.156.103.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    88.156.103.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    53.210.109.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    53.210.109.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    198.187.3.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    198.187.3.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    240.221.184.93.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    240.221.184.93.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    88.210.23.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    88.210.23.2.in-addr.arpa
    IN PTR
    Response
    88.210.23.2.in-addr.arpa
    IN PTR
    a2-23-210-88.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    11.227.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    11.227.111.52.in-addr.arpa
    IN PTR
    Response
  • 152.199.19.74:80
    http://t2.symcb.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQwF4prw9S7mCbCEHD%2Fyl6nWPkczAQUe1tFz6%2FOy3r9MZIaarbzRutXSFACEHGgtzaV3bGvwjsrmhjuVMs%3D
    http
    1fbed394ea4b77f0e1911abf8e2a12b8b098522dd537e77d06831e569768f03cN.exe
    775 B
    914 B
    6
    4

    HTTP Request

    GET http://t2.symcb.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQwF4prw9S7mCbCEHD%2Fyl6nWPkczAQUe1tFz6%2FOy3r9MZIaarbzRutXSFACEHGgtzaV3bGvwjsrmhjuVMs%3D

    HTTP Response

    200

    HTTP Request

    GET http://t2.symcb.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQwF4prw9S7mCbCEHD%2Fyl6nWPkczAQUe1tFz6%2FOy3r9MZIaarbzRutXSFACEHGgtzaV3bGvwjsrmhjuVMs%3D

    HTTP Response

    200
  • 192.229.221.95:80
    http://t1.symcb.com/ThawtePCA.crl
    http
    1fbed394ea4b77f0e1911abf8e2a12b8b098522dd537e77d06831e569768f03cN.exe
    356 B
    1.1kB
    5
    3

    HTTP Request

    GET http://t1.symcb.com/ThawtePCA.crl

    HTTP Response

    200
  • 152.199.19.74:80
    http://tl.symcd.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSFBjxN%2BWY73bfUnSOp7HDKJ%2Fbx0wQUV4abVLi%2BpimK5PbC4hMYiYXN3LcCEGY6K1kkmjfjHY31QY9%2Fi3Y%3D
    http
    1fbed394ea4b77f0e1911abf8e2a12b8b098522dd537e77d06831e569768f03cN.exe
    783 B
    934 B
    6
    5

    HTTP Request

    GET http://tl.symcd.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSFBjxN%2BWY73bfUnSOp7HDKJ%2Fbx0wQUV4abVLi%2BpimK5PbC4hMYiYXN3LcCEGY6K1kkmjfjHY31QY9%2Fi3Y%3D

    HTTP Response

    200

    HTTP Request

    GET http://tl.symcd.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSFBjxN%2BWY73bfUnSOp7HDKJ%2Fbx0wQUV4abVLi%2BpimK5PbC4hMYiYXN3LcCEGY6K1kkmjfjHY31QY9%2Fi3Y%3D

    HTTP Response

    200
  • 150.171.28.10:443
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=a2d507f8600c4302b1cad9168d83f481&localId=w:0C449796-1E55-FEFD-C5A5-A0B044A63D2B&deviceId=6896208601980624&anid=
    tls, http2
    2.0kB
    9.4kB
    21
    19

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=a2d507f8600c4302b1cad9168d83f481&localId=w:0C449796-1E55-FEFD-C5A5-A0B044A63D2B&deviceId=6896208601980624&anid=

    HTTP Response

    204

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=a2d507f8600c4302b1cad9168d83f481&localId=w:0C449796-1E55-FEFD-C5A5-A0B044A63D2B&deviceId=6896208601980624&anid=

    HTTP Response

    204

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=a2d507f8600c4302b1cad9168d83f481&localId=w:0C449796-1E55-FEFD-C5A5-A0B044A63D2B&deviceId=6896208601980624&anid=

    HTTP Response

    204
  • 192.229.221.95:80
    http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D
    http
    470 B
    868 B
    5
    3

    HTTP Request

    GET http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D

    HTTP Response

    200
  • 192.229.221.95:80
    http://tl.symcb.com/tl.crl
    http
    1fbed394ea4b77f0e1911abf8e2a12b8b098522dd537e77d06831e569768f03cN.exe
    1.9kB
    93.9kB
    38
    70

    HTTP Request

    GET http://tl.symcb.com/tl.crl

    HTTP Response

    200
  • 8.8.8.8:53
    t2.symcb.com
    dns
    1fbed394ea4b77f0e1911abf8e2a12b8b098522dd537e77d06831e569768f03cN.exe
    58 B
    172 B
    1
    1

    DNS Request

    t2.symcb.com

    DNS Response

    152.199.19.74

  • 8.8.8.8:53
    8.8.8.8.in-addr.arpa
    dns
    66 B
    90 B
    1
    1

    DNS Request

    8.8.8.8.in-addr.arpa

  • 8.8.8.8:53
    172.214.232.199.in-addr.arpa
    dns
    74 B
    128 B
    1
    1

    DNS Request

    172.214.232.199.in-addr.arpa

  • 8.8.8.8:53
    t1.symcb.com
    dns
    1fbed394ea4b77f0e1911abf8e2a12b8b098522dd537e77d06831e569768f03cN.exe
    58 B
    198 B
    1
    1

    DNS Request

    t1.symcb.com

    DNS Response

    192.229.221.95

  • 8.8.8.8:53
    tl.symcd.com
    dns
    1fbed394ea4b77f0e1911abf8e2a12b8b098522dd537e77d06831e569768f03cN.exe
    58 B
    172 B
    1
    1

    DNS Request

    tl.symcd.com

    DNS Response

    152.199.19.74

  • 8.8.8.8:53
    g.bing.com
    dns
    56 B
    148 B
    1
    1

    DNS Request

    g.bing.com

    DNS Response

    150.171.28.10
    150.171.27.10

  • 8.8.8.8:53
    tl.symcb.com
    dns
    1fbed394ea4b77f0e1911abf8e2a12b8b098522dd537e77d06831e569768f03cN.exe
    58 B
    198 B
    1
    1

    DNS Request

    tl.symcb.com

    DNS Response

    192.229.221.95

  • 8.8.8.8:53
    74.19.199.152.in-addr.arpa
    dns
    72 B
    143 B
    1
    1

    DNS Request

    74.19.199.152.in-addr.arpa

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    73 B
    144 B
    1
    1

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    73.159.190.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    73.159.190.20.in-addr.arpa

  • 8.8.8.8:53
    10.28.171.150.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    10.28.171.150.in-addr.arpa

  • 8.8.8.8:53
    88.156.103.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    88.156.103.20.in-addr.arpa

  • 8.8.8.8:53
    53.210.109.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    53.210.109.20.in-addr.arpa

  • 8.8.8.8:53
    198.187.3.20.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    198.187.3.20.in-addr.arpa

  • 8.8.8.8:53
    240.221.184.93.in-addr.arpa
    dns
    73 B
    144 B
    1
    1

    DNS Request

    240.221.184.93.in-addr.arpa

  • 8.8.8.8:53
    88.210.23.2.in-addr.arpa
    dns
    70 B
    133 B
    1
    1

    DNS Request

    88.210.23.2.in-addr.arpa

  • 8.8.8.8:53
    11.227.111.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    11.227.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Downloads

  • C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE

    Filesize

    86KB

    MD5

    3b73078a714bf61d1c19ebc3afc0e454

    SHA1

    9abeabd74613a2f533e2244c9ee6f967188e4e7e

    SHA256

    ded54d1fcca07b6bff2bc3b9a1131eac29ff1f836e5d7a7c5c325ec5abe96e29

    SHA512

    75959d4e8a7649c3268b551a2a378e6d27c0bfb03d2422ebeeb67b0a3f78c079473214057518930f2d72773ce79b106fd2d78405e8e3d8883459dcbb49c163c4

  • C:\Users\Admin\AppData\Local\Temp\3582-490\1fbed394ea4b77f0e1911abf8e2a12b8b098522dd537e77d06831e569768f03cN.exe

    Filesize

    143KB

    MD5

    e69724cd5ba6e4676fe2a31e366cd844

    SHA1

    57dcebf698125bacb0c56578849e8bd43f12b7fe

    SHA256

    519ac8d30f861b5bdbf2f7121566eb1a982510d4792b5a11a7b0801c58932dd6

    SHA512

    1d6687f4ee847a5d97d074280f7939619564d1391e4955c12f53a40b17cb2d7af30f0c977e8b3b30a2d6f33c7f1dbf06e659114c46b6670ebe4ed2718a56b0ec

  • memory/3576-123-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

  • memory/3576-124-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

  • memory/3576-126-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

  • memory/4500-12-0x0000000073772000-0x0000000073773000-memory.dmp

    Filesize

    4KB

  • memory/4500-13-0x0000000073770000-0x0000000073D21000-memory.dmp

    Filesize

    5.7MB

  • memory/4500-14-0x0000000073770000-0x0000000073D21000-memory.dmp

    Filesize

    5.7MB

  • memory/4500-111-0x0000000073770000-0x0000000073D21000-memory.dmp

    Filesize

    5.7MB
