File name:

.exe

Full analysis: https://app.any.run/tasks/7fabf29d-1292-45c7-97ba-10ff17739e61
Verdict: Malicious activity
Threats:

Quasar is a very popular RAT because its source code is openly available. This malware can be used to control the victim's computer remotely.

Analysis date: December 16, 2024, 13:19:05
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
autoit
rat
quasar
remote
autoit-loader
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 6 sections
MD5: A6BE8A62C7F7D595DB6AC9DC6E93DA02
SHA1: 5F2E5D543B91A01055AB1263611C9DF49E2A5E45
SHA256: 4FA2387A8A7D3C19888B5A07B5897F344BE8E4364D5F5130F257715AD2A97FCA
SSDEEP: 98304:WPEL9qSytNpIkNtOQXFQem6VpLUL1MF6scvZFlnLk6WB0ZPvK0gCOYtd4HLI0aC+:fSe/

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • AutoIt loader has been detected (YARA)

      • Interviews.com (PID: 2448)
    • Uses Task Scheduler to run other applications

      • cmd.exe (PID: 2676)
    • Create files in the Startup directory

      • cmd.exe (PID: 6204)
    • QUASAR has been detected (SURICATA)

      • RegAsm.exe (PID: 5536)
    • Connects to the CnC server

      • RegAsm.exe (PID: 5536)
    • QUASAR has been detected (YARA)

      • RegAsm.exe (PID: 5536)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • 7fabf29d-1292-45c7-97ba-10ff17739e61.exe (PID: 6480)
      • RegAsm.exe (PID: 5536)
    • Starts CMD.EXE for commands execution

      • 7fabf29d-1292-45c7-97ba-10ff17739e61.exe (PID: 6480)
      • cmd.exe (PID: 6584)
    • Executing commands from ".cmd" file

      • 7fabf29d-1292-45c7-97ba-10ff17739e61.exe (PID: 6480)
    • Using 'findstr.exe' to search for text patterns in files and output

      • cmd.exe (PID: 6584)
    • Executable content was dropped or overwritten

      • cmd.exe (PID: 6584)
      • Interviews.com (PID: 2448)
    • Get information on the list of running processes

      • cmd.exe (PID: 6584)
    • Application launched itself

      • cmd.exe (PID: 6584)
    • The executable file from the user directory is run by the CMD process

      • Interviews.com (PID: 2448)
    • Starts application with an unusual extension

      • cmd.exe (PID: 6584)
    • Starts the AutoIt3 executable file

      • cmd.exe (PID: 6584)
    • Contacting a server suspected of hosting a CnC

      • RegAsm.exe (PID: 5536)
    • The process creates files with name similar to system file names

      • Interviews.com (PID: 2448)
    • Process drops legitimate windows executable

      • Interviews.com (PID: 2448)
    • Starts a Microsoft application from unusual location

      • RegAsm.exe (PID: 5536)
    • Connects to unusual port

      • RegAsm.exe (PID: 5536)
  • INFO

    • Checks supported languages

      • 7fabf29d-1292-45c7-97ba-10ff17739e61.exe (PID: 6480)
      • Interviews.com (PID: 2448)
      • RegAsm.exe (PID: 5536)
    • Reads the computer name

      • 7fabf29d-1292-45c7-97ba-10ff17739e61.exe (PID: 6480)
      • RegAsm.exe (PID: 5536)
    • Process checks computer location settings

      • 7fabf29d-1292-45c7-97ba-10ff17739e61.exe (PID: 6480)
    • The sample compiled with english language support

      • Interviews.com (PID: 2448)
    • Creates a new folder

      • cmd.exe (PID: 7160)
    • Create files in a temporary directory

      • 7fabf29d-1292-45c7-97ba-10ff17739e61.exe (PID: 6480)
      • Interviews.com (PID: 2448)
    • Reads mouse settings

      • Interviews.com (PID: 2448)
    • Manual execution by a user

      • cmd.exe (PID: 2676)
      • cmd.exe (PID: 6204)
      • RegAsm.exe (PID: 5536)
    • Creates files or folders in the user directory

      • Interviews.com (PID: 2448)
    • Reads the machine GUID from the registry

      • RegAsm.exe (PID: 5536)
    • Reads Microsoft Office registry keys

      • RegAsm.exe (PID: 5536)
    • Sends debugging messages

      • WINWORD.EXE (PID: 3620)
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2012:02:24 19:20:04+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 10
CodeSize: 29696
InitializedDataSize: 682496
UninitializedDataSize: 16896
EntryPoint: 0x38af
OSVersion: 5
ImageVersion: 6
SubsystemVersion: 5
Subsystem: Windows GUI
Total processes: 148
Monitored processes: 21
Malicious processes: 4
Suspicious processes: 1

Behavior graph

Graph nodes, in order (nodes marked "no specs" have no detailed specification recorded): 7fabf29d-1292-45c7-97ba-10ff17739e61.exe (no specs), cmd.exe, conhost.exe (no specs), tasklist.exe (no specs), findstr.exe (no specs), tasklist.exe (no specs), findstr.exe (no specs), cmd.exe (no specs), findstr.exe (no specs), cmd.exe (no specs), interviews.com, choice.exe (no specs), cmd.exe (no specs), conhost.exe (no specs), schtasks.exe (no specs), cmd.exe, conhost.exe (no specs), regasm.exe (#QUASAR), winword.exe, ai.exe (no specs), svchost.exe

Process information

PID
CMD
Path
Indicators
Parent process
PID: 524
CMD: cmd /c copy /b ..\Live + ..\Tales + ..\Wrestling + ..\Probe + ..\Maiden + ..\Becomes + ..\Revolution + ..\Solved + ..\Jesus + ..\Occasional + ..\Aluminum + ..\Cited + ..\Shades + ..\Increased + ..\Constitutional + ..\Camel + ..\Margaret + ..\Diana + ..\Similarly + ..\Attachment + ..\Curves + ..\Beginners + ..\Meaning + ..\Searchcom + ..\Counties + ..\Hammer + ..\Relevance + ..\Arg + ..\Hydraulic + ..\Prot + ..\Router + ..\Photographic + ..\Water + ..\Caution + ..\Plants + ..\Market + ..\Worlds + ..\Countries + ..\Tool U
Path: C:\Windows\SysWOW64\cmd.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 2192
CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
PID: 2448
CMD: Interviews.com U
Path: C:\Users\admin\AppData\Local\Temp\638390\Interviews.com
Parent process: cmd.exe
User:
admin
Company:
AutoIt Team
Integrity Level:
MEDIUM
Description:
AutoIt v3 Script (Beta)
Version:
3, 3, 15, 5
Modules
Images
c:\users\admin\appdata\local\temp\638390\interviews.com
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\version.dll
PID: 2676
CMD: cmd /c schtasks.exe /create /tn "Aluminium" /tr "wscript //B 'C:\Users\admin\AppData\Local\SecureInno Technologies Co\InnoSecureX.js'" /sc minute /mo 5 /F
Path: C:\Windows\SysWOW64\cmd.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 3608
CMD: choice /d y /t 5
Path: C:\Windows\SysWOW64\choice.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Offers the user a choice
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\choice.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 3620
CMD: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Долговая нагрузка.docx" /o ""
Path: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
Parent process: RegAsm.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
16.0.16026.20146
Modules
Images
c:\program files\microsoft office\root\office16\winword.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID: 4052
CMD: schtasks.exe /create /tn "Aluminium" /tr "wscript //B 'C:\Users\admin\AppData\Local\SecureInno Technologies Co\InnoSecureX.js'" /sc minute /mo 5 /F
Path: C:\Windows\SysWOW64\schtasks.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Task Scheduler Configuration Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 5004
CMD: "C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ai.exe" "C5CD63B4-2C09-4D12-BD7D-F5AA3A8C6CF4" "3295A138-B0B4-4C39-A0BC-5068BFB3F056" "3620"
Path: C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ai.exe
Parent process: WINWORD.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Artificial Intelligence (AI) Host for the Microsoft® Windows® Operating System and Platform x64.
Version:
0.12.2.0
Modules
Images
c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\office16\ai.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\program files\common files\microsoft shared\clicktorun\appvisvsubsystems64.dll
c:\windows\system32\advapi32.dll
c:\program files\common files\microsoft shared\clicktorun\c2r64.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ole32.dll
PID: 5032
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 5536
CMD: C:\Users\admin\AppData\Local\Temp\638390\RegAsm.exe
Path: C:\Users\admin\AppData\Local\Temp\638390\RegAsm.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft .NET Assembly Registration Utility
Version:
4.8.9037.0 built by: NET481REL1
Modules
Images
c:\users\admin\appdata\local\temp\638390\regasm.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
Total events: 18 367
Read events: 18 019
Write events: 327
Delete events: 21

Modification events

(PID) Process: (5536) RegAsm.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.docx\OpenWithProgids
Operation: write
Name: Word.Document.12
Value:

(PID) Process: (5536) RegAsm.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached
Operation: write
Name: {5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF
Value: 01000000000000007F977F38BD4FDB01

(PID) Process: (3620) WINWORD.EXE
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\ClientTelemetry\Sampling
Operation: write
Name: 0
Value: 017012000000001000B24E9A3E02000000000000000600000000000000

(PID) Process: (3620) WINWORD.EXE
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation: write
Name: tr-tr
Value: 1

(PID) Process: (3620) WINWORD.EXE
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\Resiliency\StartupItems
Operation: write
Name: wn)
Value: 776E2900240E00000100000000000000E1C8D738BD4FDB0100000000

(PID) Process: (3620) WINWORD.EXE
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\CrashPersistence\WINWORD\3620
Operation: write
Name: 0
Value: 0B0E104D1901B956575546A53AF6ED06C73861230046F189A6C6D3F7D3ED016A04102400449A7D64B29D01008500A907556E6B6E6F776EC906022222CA0DC2190000C91003783634C511A41CD2120B770069006E0077006F00720064002E00650078006500C51620C517808004C91808323231322D44656300

(PID) Process: (3620) WINWORD.EXE
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation: write
Name: en-US
Value: 2

(PID) Process: (3620) WINWORD.EXE
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation: write
Name: de-de
Value: 2

(PID) Process: (3620) WINWORD.EXE
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation: write
Name: fr-fr
Value: 2

(PID) Process: (3620) WINWORD.EXE
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation: write
Name: es-es
Value: 2
Executable files: 31
Suspicious files: 166
Text files: 24
Unknown types: 2

Dropped files

PID
Process
Filename
Type
PID: 6480 | Process: 7fabf29d-1292-45c7-97ba-10ff17739e61.exe | Filename: C:\Users\admin\AppData\Local\Temp\Becomes | Type: binary
MD5: 4C31648FA2BC40EBF69D4C41C380FEFF
SHA256: 3F517210B9EC4E9DD4D532BD5CDC77E50AE7EA608421EFF61DAB96BC46A6D4B7

PID: 6480 | Process: 7fabf29d-1292-45c7-97ba-10ff17739e61.exe | Filename: C:\Users\admin\AppData\Local\Temp\Router | Type: binary
MD5: A6FFF6B593061C3E8B9EB350CD5A35A7
SHA256: 2E9524F350DE758E373D0BA1BECEE240AEC4671EC14BEDEAB842F91EA555A9F0

PID: 6480 | Process: 7fabf29d-1292-45c7-97ba-10ff17739e61.exe | Filename: C:\Users\admin\AppData\Local\Temp\Revolution | Type: binary
MD5: 9BCA27A16DE1F72D6D2109E993FB11AA
SHA256: C9DAE25354959733BE8F437EABF8ECBB913277D45BD3BB3C6F8D860B1B83E1A4

PID: 6480 | Process: 7fabf29d-1292-45c7-97ba-10ff17739e61.exe | Filename: C:\Users\admin\AppData\Local\Temp\Increased | Type: binary
MD5: 8408F0D3CC03EB46518463558144E5C0
SHA256: 0DCB4132A9C354337F70A26EF9A2517A4078669C6184382E1D055014A7E7FA64

PID: 6480 | Process: 7fabf29d-1292-45c7-97ba-10ff17739e61.exe | Filename: C:\Users\admin\AppData\Local\Temp\Awesome | Type: binary
MD5: 04004EA6D57F002898B42A39518EAA2C
SHA256: F337E6B745F20D333DF0C78EFE71CB6D5C5E180F6E4F2111B28C8D0E6C6DB75A

PID: 6480 | Process: 7fabf29d-1292-45c7-97ba-10ff17739e61.exe | Filename: C:\Users\admin\AppData\Local\Temp\Tales | Type: binary
MD5: 8233AEF38E2CE4F31CA31F320458305E
SHA256: 1CF9E56D1050FFD23EA569DAE2529079B7DD5C7C2F1FE7D560915AFB571AD8DA

PID: 6480 | Process: 7fabf29d-1292-45c7-97ba-10ff17739e61.exe | Filename: C:\Users\admin\AppData\Local\Temp\Clear | Type: text
MD5: 186213091BAB1BCAA1E01A594553EE57
SHA256: 6465BB2DAAA40ACE47C20FB2039F509C00A2329AE944960CC8DC782236555E3E

PID: 6480 | Process: 7fabf29d-1292-45c7-97ba-10ff17739e61.exe | Filename: C:\Users\admin\AppData\Local\Temp\Countries | Type: binary
MD5: 36616874CECC8BE4A08896A872E44981
SHA256: 9F922F54206685D67BD969EC5DDDA75958B7460A32C3B231ABC0143D848BBA5D

PID: 6480 | Process: 7fabf29d-1292-45c7-97ba-10ff17739e61.exe | Filename: C:\Users\admin\AppData\Local\Temp\Prot | Type: binary
MD5: 7DEDA2E884103266D6FE4A7934344D46
SHA256: CE9F479F36C1CD62ED8DAFA3ABCBCB802B541258306C923EC0CCEB7E80226454

PID: 6480 | Process: 7fabf29d-1292-45c7-97ba-10ff17739e61.exe | Filename: C:\Users\admin\AppData\Local\Temp\Constitutional | Type: binary
MD5: 841B390C0A2C4D0908124F5854DBD8F6
SHA256: 26D123B0E76FEAC09051FA8A7B81D1B05957419C04E6B971EA53DC39CE724F3F
HTTP(S) requests: 71
TCP/UDP connections: 110
DNS requests: 19
Threats: 1

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
PID: 4712 | Process: MoUsoCoreWorker.exe | Method: GET | HTTP Code: 200 | IP: 23.48.23.156:80 | URL: http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | CN: unknown | Reputation: whitelisted
PID: 2092 | Process: RUXIMICS.exe | Method: GET | HTTP Code: 200 | IP: 23.48.23.156:80 | URL: http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | CN: unknown | Reputation: whitelisted
PID: 5732 | Process: svchost.exe | Method: GET | HTTP Code: 200 | IP: 23.48.23.156:80 | URL: http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | CN: unknown | Reputation: whitelisted
PID: 2092 | Process: RUXIMICS.exe | Method: GET | HTTP Code: 200 | IP: 23.35.229.160:80 | URL: http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | CN: unknown | Reputation: whitelisted
Method: GET | HTTP Code: 200 | IP: 52.109.32.97:443 | URL: https://officeclient.microsoft.com/config16/?syslcid=1033&build=16.0.16026&crev=3 | CN: unknown | Type: xml | Size: 178 Kb | Reputation: whitelisted
Method: GET | HTTP Code: 200 | IP: 52.113.194.132:443 | URL: https://ecs.office.com/config/v2/Office/word/16.0.16026.20146/Production/CC?&Clientid=%7bD61AB268-C26A-439D-BB15-2A0DEDFCA6A3%7d&Application=word&Platform=win32&Version=16.0.16026.20146&MsoVersion=16.0.16026.20002&SDX=fa000000002.2.0.1907.31003&SDX=fa000000005.1.0.1909.30011&SDX=fa000000006.1.0.1909.13002&SDX=fa000000008.1.0.1908.16006&SDX=fa000000009.1.0.1908.6002&SDX=fa000000016.1.0.1810.13001&SDX=fa000000029.1.0.1906.25001&SDX=fa000000033.1.0.1908.24001&SDX=wa104381125.1.0.1810.9001&ProcessName=winword.exe&Audience=Production&Build=ship&Architecture=x64&Language=en-US&SubscriptionLicense=false&PerpetualLicense=2019&LicenseCategory=6&LicenseSKU=Professional2019Retail&OsVersion=10.0&OsBuild=19045&Channel=CC&InstallType=C2R&SessionId=%7bB901194D-5756-4655-A53A-F6ED06C73861%7d&LabMachine=false | CN: unknown | Type: binary | Size: 398 Kb | Reputation: whitelisted
Method: GET | HTTP Code: 200 | IP: 23.48.23.6:443 | URL: https://omex.cdn.office.net/addinclassifier/officesharedentities | CN: unknown | Type: text | Size: 314 Kb | Reputation: whitelisted
Method: GET | HTTP Code: 200 | IP: 52.111.243.12:443 | URL: https://messaging.lifecycle.office.com/getcustommessage16?app=0&ui=en-US&src=BizBar&messagetype=BizBar&hwid=04111-083-043729&ver=16.0.16026&lc=en-US&platform=10%3A0%3A19045%3A2%3A0%3A0%3A256%3A1%3A&productid=%7B1717C1E0-47D3-4899-A6D3-1022DB7415E0%7D%3A00411-10830-43729-AA720%3AOffice%2019%2C%20Office19Professional2019R_Retail%20edition&clientsessionid=%7BB901194D-5756-4655-A53A-F6ED06C73861%7D&datapropertybag=%7B%22Audience%22%3A%22Production%22%2C%22AudienceGroup%22%3A%22Production%22%2C%22AudienceChannel%22%3A%22CC%22%2C%22Flight%22%3A%22ofsh6c2b1tla1a31%2Cofcrui4yvdulbf31%2Cofhpex3jznepoo31%2Cofpioygfqmufst31%2Cofjhlwlmoc1pz531%22%7D | CN: unknown | Type: text | Size: 542 b | Reputation: whitelisted
Method: GET | HTTP Code: 200 | IP: 23.53.43.83:443 | URL: https://metadata.templates.cdn.office.net/client/templates/gallery?lcid=1033&syslcid=1033&uilcid=1033&app=0&ver=16&tl=2&build=16.0.16026&gtype=0%2C1%2C2%2C5%2C | CN: unknown | Type: xml | Size: 10.7 Kb | Reputation: whitelisted
Method: GET | HTTP Code: 200 | IP: 184.24.77.4:443 | URL: https://binaries.templates.cdn.office.net/support/templates/en-us/tp02851223.cab | CN: unknown | Type: compressed | Size: 32.0 Kb | Reputation: whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
PID: 4712 | Process: MoUsoCoreWorker.exe | IP: 20.73.194.208:443 | Domain: settings-win.data.microsoft.com | ASN: MICROSOFT-CORP-MSN-AS-BLOCK | CN: NL | Reputation: whitelisted
IP: 192.168.100.255:137 | Reputation: whitelisted
PID: 2092 | Process: RUXIMICS.exe | IP: 20.73.194.208:443 | Domain: settings-win.data.microsoft.com | ASN: MICROSOFT-CORP-MSN-AS-BLOCK | CN: NL | Reputation: whitelisted
IP: 92.123.104.19:443 | Domain: www.bing.com | ASN: Akamai International B.V. | CN: DE | Reputation: whitelisted
PID: 5732 | Process: svchost.exe | IP: 20.73.194.208:443 | Domain: settings-win.data.microsoft.com | ASN: MICROSOFT-CORP-MSN-AS-BLOCK | CN: NL | Reputation: whitelisted
IP: 192.168.100.255:138 | Reputation: whitelisted
PID: 5732 | Process: svchost.exe | IP: 23.48.23.156:80 | Domain: crl.microsoft.com | ASN: Akamai International B.V. | CN: DE | Reputation: whitelisted
PID: 2092 | Process: RUXIMICS.exe | IP: 23.48.23.156:80 | Domain: crl.microsoft.com | ASN: Akamai International B.V. | CN: DE | Reputation: whitelisted
PID: 4712 | Process: MoUsoCoreWorker.exe | IP: 23.48.23.156:80 | Domain: crl.microsoft.com | ASN: Akamai International B.V. | CN: DE | Reputation: whitelisted
PID: 2092 | Process: RUXIMICS.exe | IP: 23.35.229.160:80 | Domain: www.microsoft.com | ASN: AKAMAI-AS | CN: DE | Reputation: whitelisted

DNS requests

Domain
IP
Reputation
www.bing.com
  • 92.123.104.19
  • 92.123.104.29
  • 92.123.104.17
  • 92.123.104.21
  • 92.123.104.23
  • 92.123.104.31
  • 92.123.104.20
  • 92.123.104.18
  • 92.123.104.16
  • 92.123.104.45
  • 92.123.104.35
  • 92.123.104.37
  • 92.123.104.43
  • 92.123.104.39
  • 92.123.104.38
  • 92.123.104.46
  • 92.123.104.36
  • 92.123.104.42
whitelisted
google.com
  • 172.217.16.142
whitelisted
crl.microsoft.com
  • 23.48.23.156
  • 23.48.23.143
whitelisted
www.microsoft.com
  • 23.35.229.160
  • 88.221.169.152
whitelisted
settings-win.data.microsoft.com
  • 20.73.194.208
whitelisted
LONkxZSODhNO.LONkxZSODhNO
unknown
crostech.ru
  • 5.8.11.91
malicious
officeclient.microsoft.com
  • 52.109.28.46
whitelisted
omex.cdn.office.net
  • 23.48.23.66
  • 23.48.23.63
  • 23.48.23.65
  • 23.48.23.52
  • 23.48.23.18
  • 23.48.23.42
  • 23.48.23.25
  • 23.48.23.11
  • 23.48.23.6
whitelisted
ecs.office.com
  • 52.113.194.132
whitelisted

Threats

PID
Process
Class
Message
PID: 5536 | Process: RegAsm.exe | Class: Domain Observed Used for C2 Detected | Message: ET MALWARE Observed Malicious SSL Cert (Quasar CnC)

Process
Message
Process: WINWORD.EXE | Message: WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
Process: WINWORD.EXE | Message: WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
Process: WINWORD.EXE | Message: WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.