Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    26/12/2023, 05:05 UTC

General

  • Target

    56943fda4e1e5fb623bfde74d81b4659.exe

  • Size

    144KB

  • MD5

    56943fda4e1e5fb623bfde74d81b4659

  • SHA1

    53cc932db48aaaae4b80e39b7efe00b6d8816046

  • SHA256

    dc08ed32f50ce0d2109e580e911d46f1ac2f11327c64217ef97bc71dd07c3161

  • SHA512

    54c831ff86a88cbd7ba08dc90d66ea77ac569fcbd229ef8e4bbbce6afb5d3041853ede0fe1dc448b087802ba7274d82692c6edf60f86e7e9b969b5191a11b825

  • SSDEEP

    3072:iabbqevyyHDnla6YR0nArsclYQcqsaEupjnnto65X8mOKGEVa8d:i6W6LlPnAVzXE+ntFXgKGEVr

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • VMProtect packed file 8 IoCs

    Detects executables packed with VMProtect commercial packer.

  • Drops file in System32 directory 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\56943fda4e1e5fb623bfde74d81b4659.exe
    "C:\Users\Admin\AppData\Local\Temp\56943fda4e1e5fb623bfde74d81b4659.exe"
    1⤵
    • Drops file in System32 directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4996
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\56943F~1.EXE > nul
      2⤵
        PID:3384
    • C:\Windows\SysWOW64\ayws.exe
      C:\Windows\SysWOW64\ayws.exe
      1⤵
      • Executes dropped EXE
      PID:2840

    Network

    • flag-us
      DNS
      tx3698.3322.Org
      ayws.exe
      Remote address:
      8.8.8.8:53
      Request
      tx3698.3322.Org
      IN A
      Response
      tx3698.3322.Org
      IN A
      157.122.62.205
    • flag-us
      DNS
      tx3698.3322.Org
      ayws.exe
      Remote address:
      8.8.8.8:53
      Request
      tx3698.3322.Org
      IN A
    • flag-us
      DNS
      g.bing.com
      Remote address:
      8.8.8.8:53
      Request
      g.bing.com
      IN A
      Response
      g.bing.com
      IN CNAME
      g-bing-com.a-0001.a-msedge.net
      g-bing-com.a-0001.a-msedge.net
      IN CNAME
      dual-a-0001.a-msedge.net
      dual-a-0001.a-msedge.net
      IN A
      204.79.197.200
      dual-a-0001.a-msedge.net
      IN A
      13.107.21.200
    • flag-us
      GET
      https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=4faa49a5979048ca9e5fb24a490db9c0&localId=w:F83E3474-2937-F57B-08FA-577E7DA14C95&deviceId=6896190588109571&anid=
      Remote address:
      204.79.197.200:443
      Request
      GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=4faa49a5979048ca9e5fb24a490db9c0&localId=w:F83E3474-2937-F57B-08FA-577E7DA14C95&deviceId=6896190588109571&anid= HTTP/2.0
      host: g.bing.com
      accept-encoding: gzip, deflate
      user-agent: WindowsShellClient/9.0.40929.0 (Windows)
      Response
      HTTP/2.0 204
      cache-control: no-cache, must-revalidate
      pragma: no-cache
      expires: Fri, 01 Jan 1990 00:00:00 GMT
      set-cookie: MUID=1A8ABF872EB560FE2BACAC7A2F55618A; domain=.bing.com; expires=Wed, 29-Jan-2025 22:54:16 GMT; path=/; SameSite=None; Secure; Priority=High;
      strict-transport-security: max-age=31536000; includeSubDomains; preload
      access-control-allow-origin: *
      x-cache: CONFIG_NOCACHE
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: 6215E59CC38D4CBEB109BC5EACB316F9 Ref B: LON04EDGE1108 Ref C: 2024-01-05T22:54:16Z
      date: Fri, 05 Jan 2024 22:54:16 GMT
    • flag-us
      GET
      https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=4faa49a5979048ca9e5fb24a490db9c0&localId=w:F83E3474-2937-F57B-08FA-577E7DA14C95&deviceId=6896190588109571&anid=
      Remote address:
      204.79.197.200:443
      Request
      GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=4faa49a5979048ca9e5fb24a490db9c0&localId=w:F83E3474-2937-F57B-08FA-577E7DA14C95&deviceId=6896190588109571&anid= HTTP/2.0
      host: g.bing.com
      accept-encoding: gzip, deflate
      user-agent: WindowsShellClient/9.0.40929.0 (Windows)
      cookie: MUID=1A8ABF872EB560FE2BACAC7A2F55618A
      Response
      HTTP/2.0 204
      cache-control: no-cache, must-revalidate
      pragma: no-cache
      expires: Fri, 01 Jan 1990 00:00:00 GMT
      set-cookie: MSPTC=aWZ-H6_bEDbl3jDsZZuXmDc-zH20hb_VFHxtFmmDw8w; domain=.bing.com; expires=Wed, 29-Jan-2025 22:54:16 GMT; path=/; Partitioned; secure; SameSite=None
      strict-transport-security: max-age=31536000; includeSubDomains; preload
      access-control-allow-origin: *
      x-cache: CONFIG_NOCACHE
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: AF4E87398B264ED4914C6995FF658614 Ref B: LON04EDGE1108 Ref C: 2024-01-05T22:54:16Z
      date: Fri, 05 Jan 2024 22:54:16 GMT
    • flag-us
      GET
      https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=4faa49a5979048ca9e5fb24a490db9c0&localId=w:F83E3474-2937-F57B-08FA-577E7DA14C95&deviceId=6896190588109571&anid=
      Remote address:
      204.79.197.200:443
      Request
      GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=4faa49a5979048ca9e5fb24a490db9c0&localId=w:F83E3474-2937-F57B-08FA-577E7DA14C95&deviceId=6896190588109571&anid= HTTP/2.0
      host: g.bing.com
      accept-encoding: gzip, deflate
      user-agent: WindowsShellClient/9.0.40929.0 (Windows)
      cookie: MUID=1A8ABF872EB560FE2BACAC7A2F55618A; MSPTC=aWZ-H6_bEDbl3jDsZZuXmDc-zH20hb_VFHxtFmmDw8w
      Response
      HTTP/2.0 204
      cache-control: no-cache, must-revalidate
      pragma: no-cache
      expires: Fri, 01 Jan 1990 00:00:00 GMT
      strict-transport-security: max-age=31536000; includeSubDomains; preload
      access-control-allow-origin: *
      x-cache: CONFIG_NOCACHE
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: 806B5E93C0144010B9EF45DC6088B14A Ref B: LON04EDGE1108 Ref C: 2024-01-05T22:54:17Z
      date: Fri, 05 Jan 2024 22:54:17 GMT
    • flag-us
      DNS
      95.221.229.192.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      95.221.229.192.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      68.159.190.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      68.159.190.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      158.240.127.40.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      158.240.127.40.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      158.240.127.40.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      158.240.127.40.in-addr.arpa
      IN PTR
    • flag-us
      DNS
      158.240.127.40.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      158.240.127.40.in-addr.arpa
      IN PTR
    • flag-us
      DNS
      32.113.50.184.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      32.113.50.184.in-addr.arpa
      IN PTR
      Response
      32.113.50.184.in-addr.arpa
      IN PTR
      a184-50-113-32deploystaticakamaitechnologiescom
    • flag-us
      DNS
      9.228.82.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      9.228.82.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      9.228.82.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      9.228.82.20.in-addr.arpa
      IN PTR
    • flag-us
      DNS
      11.2.37.23.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      11.2.37.23.in-addr.arpa
      IN PTR
      Response
      11.2.37.23.in-addr.arpa
      IN PTR
      a23-37-2-11deploystaticakamaitechnologiescom
    • flag-us
      DNS
      tx3698.3322.Org
      ayws.exe
      Remote address:
      8.8.8.8:53
      Request
      tx3698.3322.Org
      IN A
      Response
      tx3698.3322.Org
      IN A
      157.122.62.205
    • flag-us
      DNS
      tse1.mm.bing.net
      Remote address:
      8.8.8.8:53
      Request
      tse1.mm.bing.net
      IN A
      Response
      tse1.mm.bing.net
      IN CNAME
      mm-mm.bing.net.trafficmanager.net
      mm-mm.bing.net.trafficmanager.net
      IN CNAME
      dual-a-0001.a-msedge.net
      dual-a-0001.a-msedge.net
      IN A
      204.79.197.200
      dual-a-0001.a-msedge.net
      IN A
      13.107.21.200
    • flag-us
      GET
      https://tse1.mm.bing.net/th?id=OADD2.10239317301174_1DZVP9RMU2XGXAR8U&pid=21.2&w=1920&h=1080&c=4
      Remote address:
      204.79.197.200:443
      Request
      GET /th?id=OADD2.10239317301174_1DZVP9RMU2XGXAR8U&pid=21.2&w=1920&h=1080&c=4 HTTP/2.0
      host: tse1.mm.bing.net
      accept: */*
      accept-encoding: gzip, deflate, br
      user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
      Response
      HTTP/2.0 200
      cache-control: public, max-age=2592000
      content-length: 278820
      content-type: image/jpeg
      x-cache: TCP_HIT
      access-control-allow-origin: *
      access-control-allow-headers: *
      access-control-allow-methods: GET, POST, OPTIONS
      timing-allow-origin: *
      report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
      nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: B46CD70F09144D9DBB3EF0214A9B5953 Ref B: LON04EDGE0621 Ref C: 2024-01-05T22:56:02Z
      date: Fri, 05 Jan 2024 22:56:01 GMT
    • flag-us
      GET
      https://tse1.mm.bing.net/th?id=OADD2.10239317301287_1U7X9BQKXX1CUMUTC&pid=21.2&w=1920&h=1080&c=4
      Remote address:
      204.79.197.200:443
      Request
      GET /th?id=OADD2.10239317301287_1U7X9BQKXX1CUMUTC&pid=21.2&w=1920&h=1080&c=4 HTTP/2.0
      host: tse1.mm.bing.net
      accept: */*
      accept-encoding: gzip, deflate, br
      user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
      Response
      HTTP/2.0 200
      cache-control: public, max-age=2592000
      content-length: 409993
      content-type: image/jpeg
      x-cache: TCP_HIT
      access-control-allow-origin: *
      access-control-allow-headers: *
      access-control-allow-methods: GET, POST, OPTIONS
      timing-allow-origin: *
      report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
      nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: 3E950B4F64804955A869E5B552BDF87E Ref B: LON04EDGE0621 Ref C: 2024-01-05T22:56:02Z
      date: Fri, 05 Jan 2024 22:56:01 GMT
    • flag-us
      GET
      https://tse1.mm.bing.net/th?id=OADD2.10239317301696_1Q8MJV8QG3PLKIW77&pid=21.2&w=1080&h=1920&c=4
      Remote address:
      204.79.197.200:443
      Request
      GET /th?id=OADD2.10239317301696_1Q8MJV8QG3PLKIW77&pid=21.2&w=1080&h=1920&c=4 HTTP/2.0
      host: tse1.mm.bing.net
      accept: */*
      accept-encoding: gzip, deflate, br
      user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
      Response
      HTTP/2.0 200
      cache-control: public, max-age=2592000
      content-length: 360653
      content-type: image/jpeg
      x-cache: TCP_HIT
      access-control-allow-origin: *
      access-control-allow-headers: *
      access-control-allow-methods: GET, POST, OPTIONS
      timing-allow-origin: *
      report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
      nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: 060663EC274A407CA3CE953A266DABF0 Ref B: LON04EDGE0621 Ref C: 2024-01-05T22:56:02Z
      date: Fri, 05 Jan 2024 22:56:01 GMT
    • flag-us
      GET
      https://tse1.mm.bing.net/th?id=OADD2.10239317301583_1IGYRX9U1IBYYG0PV&pid=21.2&w=1080&h=1920&c=4
      Remote address:
      204.79.197.200:443
      Request
      GET /th?id=OADD2.10239317301583_1IGYRX9U1IBYYG0PV&pid=21.2&w=1080&h=1920&c=4 HTTP/2.0
      host: tse1.mm.bing.net
      accept: */*
      accept-encoding: gzip, deflate, br
      user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
      Response
      HTTP/2.0 200
      cache-control: public, max-age=2592000
      content-length: 363285
      content-type: image/jpeg
      x-cache: TCP_HIT
      access-control-allow-origin: *
      access-control-allow-headers: *
      access-control-allow-methods: GET, POST, OPTIONS
      timing-allow-origin: *
      report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
      nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: 7C6CA32061794D2AB26FF5773513CD38 Ref B: LON04EDGE0621 Ref C: 2024-01-05T22:56:02Z
      date: Fri, 05 Jan 2024 22:56:01 GMT
    • flag-us
      GET
      https://tse1.mm.bing.net/th?id=OADD2.10239317301560_1VYM1AB1UOOH4QGUY&pid=21.2&w=1080&h=1920&c=4
      Remote address:
      204.79.197.200:443
      Request
      GET /th?id=OADD2.10239317301560_1VYM1AB1UOOH4QGUY&pid=21.2&w=1080&h=1920&c=4 HTTP/2.0
      host: tse1.mm.bing.net
      accept: */*
      accept-encoding: gzip, deflate, br
      user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
      Response
      HTTP/2.0 200
      cache-control: public, max-age=2592000
      content-length: 270131
      content-type: image/jpeg
      x-cache: TCP_HIT
      access-control-allow-origin: *
      access-control-allow-headers: *
      access-control-allow-methods: GET, POST, OPTIONS
      timing-allow-origin: *
      report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
      nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: 0A908A494E3A40EE903E040E626D1F9F Ref B: LON04EDGE0621 Ref C: 2024-01-05T22:56:02Z
      date: Fri, 05 Jan 2024 22:56:01 GMT
    • flag-us
      GET
      https://tse1.mm.bing.net/th?id=OADD2.10239317301151_191TZ1ARIUD05NY0D&pid=21.2&w=1920&h=1080&c=4
      Remote address:
      204.79.197.200:443
      Request
      GET /th?id=OADD2.10239317301151_191TZ1ARIUD05NY0D&pid=21.2&w=1920&h=1080&c=4 HTTP/2.0
      host: tse1.mm.bing.net
      accept: */*
      accept-encoding: gzip, deflate, br
      user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    • 204.79.197.200:443
      https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=4faa49a5979048ca9e5fb24a490db9c0&localId=w:F83E3474-2937-F57B-08FA-577E7DA14C95&deviceId=6896190588109571&anid=
      tls, http2
      2.5kB
      9.4kB
      23
      18

      HTTP Request

      GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=4faa49a5979048ca9e5fb24a490db9c0&localId=w:F83E3474-2937-F57B-08FA-577E7DA14C95&deviceId=6896190588109571&anid=

      HTTP Response

      204

      HTTP Request

      GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=4faa49a5979048ca9e5fb24a490db9c0&localId=w:F83E3474-2937-F57B-08FA-577E7DA14C95&deviceId=6896190588109571&anid=

      HTTP Response

      204

      HTTP Request

      GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=4faa49a5979048ca9e5fb24a490db9c0&localId=w:F83E3474-2937-F57B-08FA-577E7DA14C95&deviceId=6896190588109571&anid=

      HTTP Response

      204
    • 157.122.62.205:8883
      tx3698.3322.Org
      ayws.exe
      208 B
      4
    • 20.73.194.208:443
    • 157.122.62.205:8883
      ayws.exe
    • 20.73.194.208:443
    • 4.231.128.59:443
    • 20.114.59.183:443
    • 4.231.128.59:443
    • 52.165.164.15:443
    • 20.114.59.183:443
    • 20.114.59.183:443
    • 88.221.135.217:80
    • 157.122.62.205:8883
      ayws.exe
    • 96.17.178.204:80
      92 B
      40 B
      2
      1
    • 96.17.178.204:80
      92 B
      40 B
      2
      1
    • 96.17.178.204:80
      138 B
      80 B
      3
      2
    • 20.74.47.205:443
    • 157.122.62.205:8883
      ayws.exe
    • 52.111.229.43:443
    • 157.122.62.205:8883
      tx3698.3322.Org
      ayws.exe
      260 B
      5
    • 204.79.197.200:443
      tse1.mm.bing.net
      tls, http2
      1.4kB
      8.3kB
      16
      14
    • 204.79.197.200:443
      tse1.mm.bing.net
      tls, http2
      1.6kB
      9.1kB
      17
      13
    • 204.79.197.200:443
      https://tse1.mm.bing.net/th?id=OADD2.10239317301151_191TZ1ARIUD05NY0D&pid=21.2&w=1920&h=1080&c=4
      tls, http2
      66.5kB
      1.7MB
      1260
      1256

      HTTP Request

      GET https://tse1.mm.bing.net/th?id=OADD2.10239317301174_1DZVP9RMU2XGXAR8U&pid=21.2&w=1920&h=1080&c=4

      HTTP Request

      GET https://tse1.mm.bing.net/th?id=OADD2.10239317301287_1U7X9BQKXX1CUMUTC&pid=21.2&w=1920&h=1080&c=4

      HTTP Request

      GET https://tse1.mm.bing.net/th?id=OADD2.10239317301696_1Q8MJV8QG3PLKIW77&pid=21.2&w=1080&h=1920&c=4

      HTTP Response

      200

      HTTP Response

      200

      HTTP Response

      200

      HTTP Request

      GET https://tse1.mm.bing.net/th?id=OADD2.10239317301583_1IGYRX9U1IBYYG0PV&pid=21.2&w=1080&h=1920&c=4

      HTTP Request

      GET https://tse1.mm.bing.net/th?id=OADD2.10239317301560_1VYM1AB1UOOH4QGUY&pid=21.2&w=1080&h=1920&c=4

      HTTP Request

      GET https://tse1.mm.bing.net/th?id=OADD2.10239317301151_191TZ1ARIUD05NY0D&pid=21.2&w=1920&h=1080&c=4

      HTTP Response

      200

      HTTP Response

      200
    • 204.79.197.200:443
      tse1.mm.bing.net
      tls, http2
      1.4kB
      9.2kB
      16
      14
    • 204.79.197.200:443
      tse1.mm.bing.net
      tls, http2
      1.4kB
      8.3kB
      16
      14
    • 157.122.62.205:8883
      tx3698.3322.Org
      ayws.exe
      260 B
      5
    • 157.122.62.205:8883
      ayws.exe
    • 8.8.8.8:53
      tx3698.3322.Org
      dns
      ayws.exe
      122 B
      77 B
      2
      1

      DNS Request

      tx3698.3322.Org

      DNS Request

      tx3698.3322.Org

      DNS Response

      157.122.62.205

    • 8.8.8.8:53
      g.bing.com
      dns
      56 B
      158 B
      1
      1

      DNS Request

      g.bing.com

      DNS Response

      204.79.197.200
      13.107.21.200

    • 8.8.8.8:53
      95.221.229.192.in-addr.arpa
      dns
      73 B
      144 B
      1
      1

      DNS Request

      95.221.229.192.in-addr.arpa

    • 8.8.8.8:53
      68.159.190.20.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      68.159.190.20.in-addr.arpa

    • 8.8.8.8:53
      158.240.127.40.in-addr.arpa
      dns
      219 B
      147 B
      3
      1

      DNS Request

      158.240.127.40.in-addr.arpa

      DNS Request

      158.240.127.40.in-addr.arpa

      DNS Request

      158.240.127.40.in-addr.arpa

    • 8.8.8.8:53
      32.113.50.184.in-addr.arpa
      dns
      72 B
      137 B
      1
      1

      DNS Request

      32.113.50.184.in-addr.arpa

    • 8.8.8.8:53
      9.228.82.20.in-addr.arpa
      dns
      140 B
      156 B
      2
      1

      DNS Request

      9.228.82.20.in-addr.arpa

      DNS Request

      9.228.82.20.in-addr.arpa

    • 8.8.8.8:53
      11.2.37.23.in-addr.arpa
      dns
      69 B
      131 B
      1
      1

      DNS Request

      11.2.37.23.in-addr.arpa

    • 8.8.8.8:53
      tx3698.3322.Org
      dns
      ayws.exe
      61 B
      77 B
      1
      1

      DNS Request

      tx3698.3322.Org

      DNS Response

      157.122.62.205

    • 8.8.8.8:53
      tse1.mm.bing.net
      dns
      62 B
      173 B
      1
      1

      DNS Request

      tse1.mm.bing.net

      DNS Response

      204.79.197.200
      13.107.21.200



    Downloads

    • C:\Windows\SysWOW64\ayws.exe

      Filesize

      144KB

      MD5

      56943fda4e1e5fb623bfde74d81b4659

      SHA1

      53cc932db48aaaae4b80e39b7efe00b6d8816046

      SHA256

      dc08ed32f50ce0d2109e580e911d46f1ac2f11327c64217ef97bc71dd07c3161

      SHA512

      54c831ff86a88cbd7ba08dc90d66ea77ac569fcbd229ef8e4bbbce6afb5d3041853ede0fe1dc448b087802ba7274d82692c6edf60f86e7e9b969b5191a11b825

    • C:\Windows\SysWOW64\ayws.exe

      Filesize

      85KB

      MD5

      e147cfe8f60e623edbf8313c087ea1b8

      SHA1

      f536eb65215e55be80a6a32c29a8fa2456cf9aaa

      SHA256

      b83fa64ea2a829afdcf40b8cfb9c88e739b8b224b95ac701b2f1012282866727

      SHA512

      601beb325e550c9a619af85cd02bc4e7498e037429dbe7a20db511c5d9cc5c610de01584d0d61972c0d77f5f01b26e849d4b966f0182e228fffeeb1b577961f2

    • memory/2840-5-0x0000000000400000-0x0000000000448000-memory.dmp

      Filesize

      288KB

    • memory/2840-6-0x0000000000400000-0x0000000000448000-memory.dmp

      Filesize

      288KB

    • memory/2840-8-0x0000000000400000-0x0000000000448000-memory.dmp

      Filesize

      288KB

    • memory/4996-0-0x0000000000400000-0x0000000000448000-memory.dmp

      Filesize

      288KB

    • memory/4996-7-0x0000000000400000-0x0000000000448000-memory.dmp

      Filesize

      288KB

    • memory/4996-1-0x0000000000400000-0x0000000000448000-memory.dmp

      Filesize

      288KB
