b797da06023ce45d205951c01118c58b96eddb6d43ea6db3b0a197c7b024fe51

Analysis

max time kernel
135s
max time network
216s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
24/12/2023, 19:39 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0e26b78b82d3242f897bf0bf79b7d97b.exe
Size

108KB
MD5

0e26b78b82d3242f897bf0bf79b7d97b
SHA1

5596ae05c4e3324f350d517f850824dd02c3ee09
SHA256

b797da06023ce45d205951c01118c58b96eddb6d43ea6db3b0a197c7b024fe51
SHA512

fff0a6793014d3f2fb4560f76806ece4e97b78b553e6e1d58e89dee7a8425304d891b573b6b0be6a02a098aca992ed68da425e4f54da802e2dd26e6b5859e544
SSDEEP

3072:Nz4Ug5p9LspgQck04JjrOfhPbNOje3YFtoEG:aUgOZJj+bNOjiYFto

Score

7^/10

aspackv2

Malware Config

Signatures

ASPack v2.12-2.42 6 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x00070000000231fa-5.dat	aspack_v212_v242
behavioral2/files/0x0007000000023203-27.dat	aspack_v212_v242
behavioral2/files/0x0007000000023230-177.dat	aspack_v212_v242
behavioral2/files/0x0007000000023230-178.dat	aspack_v212_v242
behavioral2/files/0x0007000000023231-184.dat	aspack_v212_v242
behavioral2/files/0x0007000000023231-183.dat	aspack_v212_v242

Executes dropped EXE 20 IoCs

pid	Process
4376	sqasgmwlk.exe
1872	dmblogwqx.exe
2392	slcppfrzc.exe
4256	dgdzwzswp.exe
388	pijpidefd.exe
736	aazvuuyiw.exe
4556	uirhcnckq.exe
2116	xbvofkuad.exe
5000	pgyulrgvw.exe
1012	zrzixozpm.exe
4600	rfzstxeii.exe
4292	hdvhwlfbh.exe
1136	trvxttigh.exe
1228	rtcezsrhd.exe
1840	hjiihbhjl.exe
3432	ogeaprbrv.exe
1468	lewdhstgz.exe
5028	eftrjaplx.exe
3252	wufgwhdei.exe
2240	yfrftrflb.exe

Drops file in System32 directory 40 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\aazvuuyiw.exe	pijpidefd.exe
File created	C:\Windows\SysWOW64\zrzixozpm.exe	pgyulrgvw.exe
File created	C:\Windows\SysWOW64\wufgwhdei.exe	eftrjaplx.exe
File created	C:\Windows\SysWOW64\slcppfrzc.exe	dmblogwqx.exe
File opened for modification	C:\Windows\SysWOW64\dgdzwzswp.exe	slcppfrzc.exe
File opened for modification	C:\Windows\SysWOW64\pijpidefd.exe	dgdzwzswp.exe
File created	C:\Windows\SysWOW64\sqasgmwlk.exe	0e26b78b82d3242f897bf0bf79b7d97b.exe
File opened for modification	C:\Windows\SysWOW64\sqasgmwlk.exe	0e26b78b82d3242f897bf0bf79b7d97b.exe
File opened for modification	C:\Windows\SysWOW64\rfzstxeii.exe	zrzixozpm.exe
File opened for modification	C:\Windows\SysWOW64\uirhcnckq.exe	aazvuuyiw.exe
File opened for modification	C:\Windows\SysWOW64\xbvofkuad.exe	uirhcnckq.exe
File created	C:\Windows\SysWOW64\lewdhstgz.exe	ogeaprbrv.exe
File opened for modification	C:\Windows\SysWOW64\slcppfrzc.exe	dmblogwqx.exe
File created	C:\Windows\SysWOW64\dgdzwzswp.exe	slcppfrzc.exe
File opened for modification	C:\Windows\SysWOW64\aazvuuyiw.exe	pijpidefd.exe
File created	C:\Windows\SysWOW64\rfzstxeii.exe	zrzixozpm.exe
File opened for modification	C:\Windows\SysWOW64\ogeaprbrv.exe	hjiihbhjl.exe
File opened for modification	C:\Windows\SysWOW64\lewdhstgz.exe	ogeaprbrv.exe
File opened for modification	C:\Windows\SysWOW64\wufgwhdei.exe	eftrjaplx.exe
File created	C:\Windows\SysWOW64\pijpidefd.exe	dgdzwzswp.exe
File created	C:\Windows\SysWOW64\pgyulrgvw.exe	xbvofkuad.exe
File opened for modification	C:\Windows\SysWOW64\zrzixozpm.exe	pgyulrgvw.exe
File opened for modification	C:\Windows\SysWOW64\hjiihbhjl.exe	rtcezsrhd.exe
File created	C:\Windows\SysWOW64\eftrjaplx.exe	lewdhstgz.exe
File opened for modification	C:\Windows\SysWOW64\eftrjaplx.exe	lewdhstgz.exe
File created	C:\Windows\SysWOW64\xbvofkuad.exe	uirhcnckq.exe
File opened for modification	C:\Windows\SysWOW64\hdvhwlfbh.exe	rfzstxeii.exe
File created	C:\Windows\SysWOW64\trvxttigh.exe	hdvhwlfbh.exe
File created	C:\Windows\SysWOW64\ogeaprbrv.exe	hjiihbhjl.exe
File opened for modification	C:\Windows\SysWOW64\yfrftrflb.exe	wufgwhdei.exe
File created	C:\Windows\SysWOW64\hdvhwlfbh.exe	rfzstxeii.exe
File opened for modification	C:\Windows\SysWOW64\trvxttigh.exe	hdvhwlfbh.exe
File created	C:\Windows\SysWOW64\rtcezsrhd.exe	trvxttigh.exe
File created	C:\Windows\SysWOW64\dmblogwqx.exe	sqasgmwlk.exe
File opened for modification	C:\Windows\SysWOW64\dmblogwqx.exe	sqasgmwlk.exe
File opened for modification	C:\Windows\SysWOW64\pgyulrgvw.exe	xbvofkuad.exe
File created	C:\Windows\SysWOW64\yfrftrflb.exe	wufgwhdei.exe
File created	C:\Windows\SysWOW64\uirhcnckq.exe	aazvuuyiw.exe
File opened for modification	C:\Windows\SysWOW64\rtcezsrhd.exe	trvxttigh.exe
File created	C:\Windows\SysWOW64\hjiihbhjl.exe	rtcezsrhd.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 1604 wrote to memory of 4376	1604	0e26b78b82d3242f897bf0bf79b7d97b.exe	92
PID 1604 wrote to memory of 4376	1604	0e26b78b82d3242f897bf0bf79b7d97b.exe	92
PID 1604 wrote to memory of 4376	1604	0e26b78b82d3242f897bf0bf79b7d97b.exe	92
PID 4376 wrote to memory of 1872	4376	sqasgmwlk.exe	93
PID 4376 wrote to memory of 1872	4376	sqasgmwlk.exe	93
PID 4376 wrote to memory of 1872	4376	sqasgmwlk.exe	93
PID 1872 wrote to memory of 2392	1872	dmblogwqx.exe	94
PID 1872 wrote to memory of 2392	1872	dmblogwqx.exe	94
PID 1872 wrote to memory of 2392	1872	dmblogwqx.exe	94
PID 2392 wrote to memory of 4256	2392	slcppfrzc.exe	95
PID 2392 wrote to memory of 4256	2392	slcppfrzc.exe	95
PID 2392 wrote to memory of 4256	2392	slcppfrzc.exe	95
PID 4256 wrote to memory of 388	4256	dgdzwzswp.exe	96
PID 4256 wrote to memory of 388	4256	dgdzwzswp.exe	96
PID 4256 wrote to memory of 388	4256	dgdzwzswp.exe	96
PID 388 wrote to memory of 736	388	pijpidefd.exe	97
PID 388 wrote to memory of 736	388	pijpidefd.exe	97
PID 388 wrote to memory of 736	388	pijpidefd.exe	97
PID 736 wrote to memory of 4556	736	aazvuuyiw.exe	98
PID 736 wrote to memory of 4556	736	aazvuuyiw.exe	98
PID 736 wrote to memory of 4556	736	aazvuuyiw.exe	98
PID 4556 wrote to memory of 2116	4556	uirhcnckq.exe	99
PID 4556 wrote to memory of 2116	4556	uirhcnckq.exe	99
PID 4556 wrote to memory of 2116	4556	uirhcnckq.exe	99
PID 2116 wrote to memory of 5000	2116	xbvofkuad.exe	100
PID 2116 wrote to memory of 5000	2116	xbvofkuad.exe	100
PID 2116 wrote to memory of 5000	2116	xbvofkuad.exe	100
PID 5000 wrote to memory of 1012	5000	pgyulrgvw.exe	101
PID 5000 wrote to memory of 1012	5000	pgyulrgvw.exe	101
PID 5000 wrote to memory of 1012	5000	pgyulrgvw.exe	101
PID 1012 wrote to memory of 4600	1012	zrzixozpm.exe	102
PID 1012 wrote to memory of 4600	1012	zrzixozpm.exe	102
PID 1012 wrote to memory of 4600	1012	zrzixozpm.exe	102
PID 4600 wrote to memory of 4292	4600	rfzstxeii.exe	103
PID 4600 wrote to memory of 4292	4600	rfzstxeii.exe	103
PID 4600 wrote to memory of 4292	4600	rfzstxeii.exe	103
PID 4292 wrote to memory of 1136	4292	hdvhwlfbh.exe	105
PID 4292 wrote to memory of 1136	4292	hdvhwlfbh.exe	105
PID 4292 wrote to memory of 1136	4292	hdvhwlfbh.exe	105
PID 1136 wrote to memory of 1228	1136	trvxttigh.exe	108
PID 1136 wrote to memory of 1228	1136	trvxttigh.exe	108
PID 1136 wrote to memory of 1228	1136	trvxttigh.exe	108
PID 1228 wrote to memory of 1840	1228	rtcezsrhd.exe	109
PID 1228 wrote to memory of 1840	1228	rtcezsrhd.exe	109
PID 1228 wrote to memory of 1840	1228	rtcezsrhd.exe	109
PID 1840 wrote to memory of 3432	1840	hjiihbhjl.exe	110
PID 1840 wrote to memory of 3432	1840	hjiihbhjl.exe	110
PID 1840 wrote to memory of 3432	1840	hjiihbhjl.exe	110
PID 3432 wrote to memory of 1468	3432	ogeaprbrv.exe	111
PID 3432 wrote to memory of 1468	3432	ogeaprbrv.exe	111
PID 3432 wrote to memory of 1468	3432	ogeaprbrv.exe	111
PID 1468 wrote to memory of 5028	1468	lewdhstgz.exe	113
PID 1468 wrote to memory of 5028	1468	lewdhstgz.exe	113
PID 1468 wrote to memory of 5028	1468	lewdhstgz.exe	113
PID 5028 wrote to memory of 3252	5028	eftrjaplx.exe	115
PID 5028 wrote to memory of 3252	5028	eftrjaplx.exe	115
PID 5028 wrote to memory of 3252	5028	eftrjaplx.exe	115
PID 3252 wrote to memory of 2240	3252	wufgwhdei.exe	116
PID 3252 wrote to memory of 2240	3252	wufgwhdei.exe	116
PID 3252 wrote to memory of 2240	3252	wufgwhdei.exe	116

C:\Users\Admin\AppData\Local\Temp\0e26b78b82d3242f897bf0bf79b7d97b.exe
"C:\Users\Admin\AppData\Local\Temp\0e26b78b82d3242f897bf0bf79b7d97b.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1604
- C:\Windows\SysWOW64\sqasgmwlk.exe
  C:\Windows\system32\sqasgmwlk.exe 1128 "C:\Users\Admin\AppData\Local\Temp\0e26b78b82d3242f897bf0bf79b7d97b.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:4376
- - C:\Windows\SysWOW64\dmblogwqx.exe
    C:\Windows\system32\dmblogwqx.exe 1152 "C:\Windows\SysWOW64\sqasgmwlk.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:1872
  - - C:\Windows\SysWOW64\slcppfrzc.exe
      C:\Windows\system32\slcppfrzc.exe 1156 "C:\Windows\SysWOW64\dmblogwqx.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:2392
    - - C:\Windows\SysWOW64\dgdzwzswp.exe
        
        C:\Windows\system32\dgdzwzswp.exe 1164 "C:\Windows\SysWOW64\slcppfrzc.exe"
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4256
      - C:\Windows\SysWOW64\pijpidefd.exe
        
        C:\Windows\system32\pijpidefd.exe 1160 "C:\Windows\SysWOW64\dgdzwzswp.exe"
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:388
        
        C:\Windows\SysWOW64\aazvuuyiw.exe
        
        C:\Windows\system32\aazvuuyiw.exe 1168 "C:\Windows\SysWOW64\pijpidefd.exe"
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:736
        
        C:\Windows\SysWOW64\uirhcnckq.exe
        
        C:\Windows\system32\uirhcnckq.exe 1176 "C:\Windows\SysWOW64\aazvuuyiw.exe"
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4556
        
        C:\Windows\SysWOW64\xbvofkuad.exe
        
        C:\Windows\system32\xbvofkuad.exe 1172 "C:\Windows\SysWOW64\uirhcnckq.exe"
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2116
        
        C:\Windows\SysWOW64\pgyulrgvw.exe
        
        C:\Windows\system32\pgyulrgvw.exe 1180 "C:\Windows\SysWOW64\xbvofkuad.exe"
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5000
        
        C:\Windows\SysWOW64\zrzixozpm.exe
        
        C:\Windows\system32\zrzixozpm.exe 1184 "C:\Windows\SysWOW64\pgyulrgvw.exe"
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1012
        
        C:\Windows\SysWOW64\rfzstxeii.exe
        
        C:\Windows\system32\rfzstxeii.exe 1188 "C:\Windows\SysWOW64\zrzixozpm.exe"
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4600
        
        C:\Windows\SysWOW64\hdvhwlfbh.exe
        
        C:\Windows\system32\hdvhwlfbh.exe 1192 "C:\Windows\SysWOW64\rfzstxeii.exe"
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4292
        
        C:\Windows\SysWOW64\trvxttigh.exe
        
        C:\Windows\system32\trvxttigh.exe 1200 "C:\Windows\SysWOW64\hdvhwlfbh.exe"
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1136
        
        C:\Windows\SysWOW64\rtcezsrhd.exe
        
        C:\Windows\system32\rtcezsrhd.exe 1208 "C:\Windows\SysWOW64\trvxttigh.exe"
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1228
        
        C:\Windows\SysWOW64\hjiihbhjl.exe
        
        C:\Windows\system32\hjiihbhjl.exe 1212 "C:\Windows\SysWOW64\rtcezsrhd.exe"
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1840
        
        C:\Windows\SysWOW64\ogeaprbrv.exe
        
        C:\Windows\system32\ogeaprbrv.exe 1196 "C:\Windows\SysWOW64\hjiihbhjl.exe"
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3432
        
        C:\Windows\SysWOW64\lewdhstgz.exe
        
        C:\Windows\system32\lewdhstgz.exe 1204 "C:\Windows\SysWOW64\ogeaprbrv.exe"
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1468
        
        C:\Windows\SysWOW64\eftrjaplx.exe
        
        C:\Windows\system32\eftrjaplx.exe 1216 "C:\Windows\SysWOW64\lewdhstgz.exe"
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5028
        
        C:\Windows\SysWOW64\wufgwhdei.exe
        
        C:\Windows\system32\wufgwhdei.exe 1224 "C:\Windows\SysWOW64\eftrjaplx.exe"
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3252
        
        C:\Windows\SysWOW64\yfrftrflb.exe
        
        C:\Windows\system32\yfrftrflb.exe 1044 "C:\Windows\SysWOW64\wufgwhdei.exe"
        21⤵
        Executes dropped EXE
        
        PID:2240
        
        C:\Windows\SysWOW64\lxjjqlfoz.exe
        
        C:\Windows\system32\lxjjqlfoz.exe 1236 "C:\Windows\SysWOW64\yfrftrflb.exe"
        22⤵
        
        PID:3924
        
        C:\Windows\SysWOW64\fetwnoixj.exe
        
        C:\Windows\system32\fetwnoixj.exe 1028 "C:\Windows\SysWOW64\lxjjqlfoz.exe"
        23⤵
        
        PID:5020
        
        C:\Windows\SysWOW64\ydwbshkbd.exe
        
        C:\Windows\system32\ydwbshkbd.exe 1052 "C:\Windows\SysWOW64\fetwnoixj.exe"
        24⤵
        
        PID:5036
        
        C:\Windows\SysWOW64\ypithlovs.exe
        
        C:\Windows\system32\ypithlovs.exe 1244 "C:\Windows\SysWOW64\ydwbshkbd.exe"
        25⤵
        
        PID:3180
        
        C:\Windows\SysWOW64\lflwptmcl.exe
        
        C:\Windows\system32\lflwptmcl.exe 1248 "C:\Windows\SysWOW64\ypithlovs.exe"
        26⤵
        
        PID:2792
        
        C:\Windows\SysWOW64\nmrhfkvyn.exe
        
        C:\Windows\system32\nmrhfkvyn.exe 1256 "C:\Windows\SysWOW64\lflwptmcl.exe"
        27⤵
        
        PID:3260
        
        C:\Windows\SysWOW64\aqyntnofc.exe
        
        C:\Windows\system32\aqyntnofc.exe 1228 "C:\Windows\SysWOW64\nmrhfkvyn.exe"
        28⤵
        
        PID:2920
        
        C:\Windows\SysWOW64\cxvehiwci.exe
        
        C:\Windows\system32\cxvehiwci.exe 1032 "C:\Windows\SysWOW64\aqyntnofc.exe"
        29⤵
        
        PID:460
        
        C:\Windows\SysWOW64\vqkcsmcaj.exe
        
        C:\Windows\system32\vqkcsmcaj.exe 1268 "C:\Windows\SysWOW64\cxvehiwci.exe"
        30⤵
        
        PID:3844
        
        C:\Windows\SysWOW64\pcrezormr.exe
        
        C:\Windows\system32\pcrezormr.exe 1272 "C:\Windows\SysWOW64\vqkcsmcaj.exe"
        31⤵
        
        PID:1636
        
        C:\Windows\SysWOW64\wrnncortv.exe
        
        C:\Windows\system32\wrnncortv.exe 1276 "C:\Windows\SysWOW64\pcrezormr.exe"
        32⤵
        
        PID:3144
        
        C:\Windows\SysWOW64\tmnletmcm.exe
        
        C:\Windows\system32\tmnletmcm.exe 1260 "C:\Windows\SysWOW64\wrnncortv.exe"
        33⤵
        
        PID:4420
        
        C:\Windows\SysWOW64\jcjwkwurj.exe
        
        C:\Windows\system32\jcjwkwurj.exe 1280 "C:\Windows\SysWOW64\tmnletmcm.exe"
        34⤵
        
        PID:3720
        
        C:\Windows\SysWOW64\wptmqatex.exe
        
        C:\Windows\system32\wptmqatex.exe 1288 "C:\Windows\SysWOW64\jcjwkwurj.exe"
        35⤵
        
        PID:3864
        
        C:\Windows\SysWOW64\hofjbzbex.exe
        
        C:\Windows\system32\hofjbzbex.exe 1060 "C:\Windows\SysWOW64\wptmqatex.exe"
        36⤵
        
        PID:4840
        
        C:\Windows\SysWOW64\adnehcgwx.exe
        
        C:\Windows\system32\adnehcgwx.exe 1284 "C:\Windows\SysWOW64\hofjbzbex.exe"
        37⤵
        
        PID:4800

Network

DNS

183.59.114.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

183.59.114.20.in-addr.arpa

IN PTR

Response
DNS

180.178.17.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

180.178.17.96.in-addr.arpa

IN PTR

Response

180.178.17.96.in-addr.arpa

IN PTR

a96-17-178-180deploystaticakamaitechnologiescom
DNS

206.23.85.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

206.23.85.13.in-addr.arpa

IN PTR

Response
DNS

www.microsoft.com

Remote address:

8.8.8.8:53

Request

www.microsoft.com

IN A

Response

www.microsoft.com

IN CNAME

www.microsoft.com-c-3.edgekey.net

www.microsoft.com-c-3.edgekey.net

IN CNAME

www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net

www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net

IN CNAME

e13678.dscb.akamaiedge.net

e13678.dscb.akamaiedge.net

IN A

92.123.241.137
GET

http://www.microsoft.com/pkiops/certs/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crt

Remote address:

92.123.241.137:80

Request

GET /pkiops/certs/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crt HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/10.0
Host: www.microsoft.com

Response

HTTP/1.1 200 OK

Content-Length: 1126
Content-Type: application/octet-stream
Content-MD5: YAUaFgF7vUODUG8XQQW6BQ==
Last-Modified: Fri, 28 Sep 2018 22:50:05 GMT
ETag: 0x8D62594BC0C84D8
x-ms-request-id: 9327f1ba-601e-004f-4648-1536e4000000
x-ms-version: 2009-09-19
x-ms-lease-status: unlocked
x-ms-blob-type: BlockBlob
Date: Sun, 24 Dec 2023 23:41:50 GMT
Connection: keep-alive
TLS_version: UNKNOWN
ms-cv: CASMicrosoftCV52ac588a.0
ms-cv-esi: CASMicrosoftCV52ac588a.0
X-RTag: RT
DNS

137.241.123.92.in-addr.arpa

Remote address:

8.8.8.8:53

Request

137.241.123.92.in-addr.arpa

IN PTR

Response

137.241.123.92.in-addr.arpa

IN PTR

a92-123-241-137deploystaticakamaitechnologiescom
DNS

137.241.123.92.in-addr.arpa

Remote address:

8.8.8.8:53

Request

137.241.123.92.in-addr.arpa

IN PTR
GET

http://www.microsoft.com/pkiops/certs/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crt

Remote address:

92.123.241.137:80

Request

GET /pkiops/certs/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crt HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/10.0
Host: www.microsoft.com

Response

HTTP/1.1 200 OK

Content-Length: 1126
Content-Type: application/octet-stream
Content-MD5: YAUaFgF7vUODUG8XQQW6BQ==
Last-Modified: Fri, 28 Sep 2018 22:50:05 GMT
ETag: 0x8D62594BC0C84D8
x-ms-request-id: 9327f1ba-601e-004f-4648-1536e4000000
x-ms-version: 2009-09-19
x-ms-lease-status: unlocked
x-ms-blob-type: BlockBlob
Date: Sun, 24 Dec 2023 23:41:53 GMT
Connection: keep-alive
TLS_version: UNKNOWN
ms-cv: CASMicrosoftCV52ac7e84.0
ms-cv-esi: CASMicrosoftCV52ac7e84.0
X-RTag: RT
DNS

21.53.126.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

21.53.126.40.in-addr.arpa

IN PTR

Response
DNS

208.194.73.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

208.194.73.20.in-addr.arpa

IN PTR

Response
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

18.134.221.88.in-addr.arpa

Remote address:

8.8.8.8:53

Request

18.134.221.88.in-addr.arpa

IN PTR

Response

18.134.221.88.in-addr.arpa

IN PTR

a88-221-134-18deploystaticakamaitechnologiescom
DNS

9.228.82.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

9.228.82.20.in-addr.arpa

IN PTR

Response
DNS

57.169.31.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

57.169.31.20.in-addr.arpa

IN PTR

Response
DNS

57.169.31.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

57.169.31.20.in-addr.arpa

IN PTR
DNS

21.236.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

21.236.111.52.in-addr.arpa

IN PTR

Response
DNS

41.110.16.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

41.110.16.96.in-addr.arpa

IN PTR

Response

41.110.16.96.in-addr.arpa

IN PTR

a96-16-110-41deploystaticakamaitechnologiescom
DNS

241.154.82.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

241.154.82.20.in-addr.arpa

IN PTR

Response
DNS

194.178.17.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

194.178.17.96.in-addr.arpa

IN PTR

Response

194.178.17.96.in-addr.arpa

IN PTR

a96-17-178-194deploystaticakamaitechnologiescom
DNS

tse1.mm.bing.net

Remote address:

8.8.8.8:53

Request

tse1.mm.bing.net

IN A

Response

tse1.mm.bing.net

IN CNAME

mm-mm.bing.net.trafficmanager.net

mm-mm.bing.net.trafficmanager.net

IN CNAME

dual-a-0001.a-msedge.net

dual-a-0001.a-msedge.net

IN A

204.79.197.200

dual-a-0001.a-msedge.net

IN A

13.107.21.200

138.91.171.81:80

52 B
1
92.123.241.137:80

http://www.microsoft.com/pkiops/certs/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crt

http

418 B
1.8kB
5
4

HTTP Request

GET http://www.microsoft.com/pkiops/certs/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crt

HTTP Response

200
92.123.241.137:80

http://www.microsoft.com/pkiops/certs/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crt

http

470 B
1.8kB
6
4

HTTP Request

GET http://www.microsoft.com/pkiops/certs/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crt

HTTP Response

200
204.79.197.200:443

tse1.mm.bing.net

tls

46.1kB
1.3MB
935
932
204.79.197.200:443

tse1.mm.bing.net

tls

1.2kB
8.3kB
16
14
204.79.197.200:443

tse1.mm.bing.net

tls

1.2kB
8.3kB
15
14

8.8.8.8:53

183.59.114.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

183.59.114.20.in-addr.arpa
8.8.8.8:53

180.178.17.96.in-addr.arpa

dns

72 B
137 B
1
1

DNS Request

180.178.17.96.in-addr.arpa
8.8.8.8:53

206.23.85.13.in-addr.arpa

dns

71 B
145 B
1
1

DNS Request

206.23.85.13.in-addr.arpa
8.8.8.8:53

www.microsoft.com

dns

63 B
230 B
1
1

DNS Request

www.microsoft.com

DNS Response

92.123.241.137
8.8.8.8:53

137.241.123.92.in-addr.arpa

dns

146 B
139 B
2
1

DNS Request

137.241.123.92.in-addr.arpa

DNS Request

137.241.123.92.in-addr.arpa
8.8.8.8:53

21.53.126.40.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

21.53.126.40.in-addr.arpa
8.8.8.8:53

208.194.73.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

208.194.73.20.in-addr.arpa
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

18.134.221.88.in-addr.arpa

dns

72 B
137 B
1
1

DNS Request

18.134.221.88.in-addr.arpa
8.8.8.8:53

9.228.82.20.in-addr.arpa

dns

70 B
156 B
1
1

DNS Request

9.228.82.20.in-addr.arpa
8.8.8.8:53

57.169.31.20.in-addr.arpa

dns

142 B
157 B
2
1

DNS Request

57.169.31.20.in-addr.arpa

DNS Request

57.169.31.20.in-addr.arpa
8.8.8.8:53

21.236.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

21.236.111.52.in-addr.arpa
8.8.8.8:53

41.110.16.96.in-addr.arpa

dns

71 B
135 B
1
1

DNS Request

41.110.16.96.in-addr.arpa
8.8.8.8:53

241.154.82.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

241.154.82.20.in-addr.arpa
8.8.8.8:53

194.178.17.96.in-addr.arpa

dns

72 B
137 B
1
1

DNS Request

194.178.17.96.in-addr.arpa
8.8.8.8:53

tse1.mm.bing.net

dns

62 B
173 B
1
1

DNS Request

tse1.mm.bing.net

DNS Response

204.79.197.200

13.107.21.200

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\cxvehiwci.exe

Filesize
64KB

MD5
ea38d19442ec0030836a051da40aca97

SHA1
c8169df4346283762715f90bba97f9e168d08880

SHA256
ace12b6b0e8ecfa3b29dff75545b5557dacf3f8c06660ea3009fcbf9adbe81ff

SHA512
7ffed2aea982e0c7f9388e2e3ef83e942c05acd736cc1ad5f9a253fdea9142a3d0514f939527cec4348095fcb6056bb0e9e2af76af47bfc28d065ea00f2423a8

Download Submit
C:\Windows\SysWOW64\cxvehiwci.exe

Filesize
104KB

MD5
a7bddb3eb01f0497f7b7c65f800a65de

SHA1
489978c88c25a265b7dcc8044e81afa33f6bf101

SHA256
11400eeb177c9454eb63ebf9373cfe01a5623624a4b663e0a561f93da3311f11

SHA512
a62caf9c629614e298a8212eb586fb0007d11ff2fc62c66008c2b664948aafcb18cf9511b817c12846f4010c1f8910d627e6135079cdd4f026cc8df9915fd88f

Download Submit
C:\Windows\SysWOW64\dgdzwzswp.exe

Filesize
105KB

MD5
a28d40f09228328992a0b524daaf011b

SHA1
faa8c1db184a5a32d5c7274598870f41700a82cc

SHA256
65628ba4fbf8f033399a7882092d6f7a2ca4be738b4b6e7c71974202038d9224

SHA512
ce005fbeb3f998c2d290f8a8f094fb67e4d5b9942b64771166614c29553809c006a6f95e4c2fa85a9a4b27b03f8d74996a1183c7eca0a431e139bad6f78c5790

Download Submit
C:\Windows\SysWOW64\sqasgmwlk.exe

Filesize
108KB

MD5
0e26b78b82d3242f897bf0bf79b7d97b

SHA1
5596ae05c4e3324f350d517f850824dd02c3ee09

SHA256
b797da06023ce45d205951c01118c58b96eddb6d43ea6db3b0a197c7b024fe51

SHA512
fff0a6793014d3f2fb4560f76806ece4e97b78b553e6e1d58e89dee7a8425304d891b573b6b0be6a02a098aca992ed68da425e4f54da802e2dd26e6b5859e544

Download Submit
C:\Windows\SysWOW64\vqkcsmcaj.exe

Filesize
27KB

MD5
c56664cc51aace320820189282c4534c

SHA1
acb66120f02db5e33b7d9288d748b9988c95f62d

SHA256
fa47ccaaf94f4cf6ecfc7467085dd1ed4a09517c1e0e9a2997bbfb6ab551a928

SHA512
7f304956eed20f83e2a69e43561321d5d3294424dda6b0db2936d39d27e0bffb18e3a8291c3db01ea2cf2e5128c62bd5f8a7450440ffd373f1e269e90a0b4dab

Download Submit
C:\Windows\SysWOW64\vqkcsmcaj.exe

Filesize
90KB

MD5
cb73c2ce2adde7933f66d83a73e4b0ea

SHA1
0059f6d39507abc0ea18716b70e2036ee696f501

SHA256
bad779d1bf39942f93d05819a8af392e223fc5f4b582287a052bd99b2a2251fc

SHA512
3b51cafe74567c3ee7432d916c5d6aaff3baf7bb4c20ff2e1abffbe4c4572e19e82585d996094f7f75fbb7677fce9ba5bc341db7988b62fae2772c06e23cbdab

Download Submit
memory/388-35-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download
memory/388-42-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download
memory/460-185-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download
memory/736-43-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download
memory/736-50-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download
memory/1012-74-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download
memory/1136-92-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download
memory/1228-98-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download
memory/1468-117-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download
memory/1604-0-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download
memory/1604-8-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download
memory/1636-196-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download
memory/1840-104-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download
memory/1872-23-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download
memory/1872-15-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download
memory/2116-62-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download
memory/2240-133-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download
memory/2392-22-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download
memory/2392-31-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download
memory/2792-165-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download
memory/2920-179-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download
memory/3144-205-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download
memory/3180-154-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download
memory/3180-161-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download
memory/3252-129-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download
memory/3260-172-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download
memory/3432-110-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download
memory/3720-213-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download
memory/3720-207-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download
memory/3844-191-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download
memory/3864-212-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download
memory/3864-214-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download
memory/3924-142-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download
memory/4256-36-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download
memory/4292-86-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download
memory/4376-7-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download
memory/4376-19-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download
memory/4420-208-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download
memory/4556-55-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download
memory/4600-80-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download
memory/4840-219-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download
memory/4840-224-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download
memory/5000-68-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download
memory/5020-150-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download
memory/5020-141-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download
memory/5028-123-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download
memory/5028-116-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download
memory/5036-157-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.