Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

cryptolaemus

windows10-2004-x64

10

cryptolaemus

windows11-21h2-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    162s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240508-en
  • resource tags

    arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    19/05/2024, 01:46 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c229ceb8141a9c4882c0fb113eb18e4e8518d5a327c904b463d60b6aaf3a345b.exe

  • Size

    4.1MB

  • MD5

    5596ce92b5b7512c4e67adc4b283cbe1

  • SHA1

    93013cc30e72a9c0052b0e69dcad323d1ce3706a

  • SHA256

    c229ceb8141a9c4882c0fb113eb18e4e8518d5a327c904b463d60b6aaf3a345b

  • SHA512

    d5a966ec48baee74ce6eaa827e36981883b3f2de14793027d2f723967a45b95a98c2558d2d33082d8d3f7e0c9cd60c040b91f446e7875f339fc9ca085515e53a

  • SSDEEP

    98304:CQGLdTw13YmTlGi/xMFRAVNS6wnhY59m5e0z8345y:CLpT0YNaxn5wu5s59Yr

Score
10/10
gluptebadiscoverydropperevasionexecutionloaderpersistencerootkitupx

Malware Config

Signatures

  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

    loaderdropperglupteba
  • Glupteba payload 19 IoCs
  • Modifies Windows Firewall 2 TTPs 1 IoCs
    evasion
  • Executes dropped EXE 4 IoCs
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Manipulates WinMonFS driver. 1 IoCs

    Roottkits write to WinMonFS to hide directories/files from being detected.

    rootkitevasion
  • Drops file in System32 directory 7 IoCs
  • Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

    Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

  • Drops file in Windows directory 4 IoCs
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

    Using powershell.exe command.

    execution
  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies data under HKEY_USERS 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\c229ceb8141a9c4882c0fb113eb18e4e8518d5a327c904b463d60b6aaf3a345b.exe
    "C:\Users\Admin\AppData\Local\Temp\c229ceb8141a9c4882c0fb113eb18e4e8518d5a327c904b463d60b6aaf3a345b.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3020
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:540
    • C:\Users\Admin\AppData\Local\Temp\c229ceb8141a9c4882c0fb113eb18e4e8518d5a327c904b463d60b6aaf3a345b.exe
      "C:\Users\Admin\AppData\Local\Temp\c229ceb8141a9c4882c0fb113eb18e4e8518d5a327c904b463d60b6aaf3a345b.exe"
      2⤵
      • Adds Run key to start application
      • Checks for VirtualBox DLLs, possible anti-VM trick
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2092
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Command and Scripting Interpreter: PowerShell
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4604
      • C:\Windows\system32\cmd.exe
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1760
        • C:\Windows\system32\netsh.exe
          netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
          4⤵
          • Modifies Windows Firewall
          PID:3596
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Command and Scripting Interpreter: PowerShell
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3728
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Command and Scripting Interpreter: PowerShell
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3524
      • C:\Windows\rss\csrss.exe
        C:\Windows\rss\csrss.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Manipulates WinMonFS driver.
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2468
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell -nologo -noprofile
          4⤵
          • Drops file in System32 directory
          • Command and Scripting Interpreter: PowerShell
          • Modifies data under HKEY_USERS
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3404
        • C:\Windows\SYSTEM32\schtasks.exe
          schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
          4⤵
          • Creates scheduled task(s)
          PID:1172
        • C:\Windows\SYSTEM32\schtasks.exe
          schtasks /delete /tn ScheduledUpdate /f
          4⤵
            PID:2200
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -nologo -noprofile
            4⤵
            • Drops file in System32 directory
            • Command and Scripting Interpreter: PowerShell
            • Modifies data under HKEY_USERS
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1892
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -nologo -noprofile
            4⤵
            • Drops file in System32 directory
            • Command and Scripting Interpreter: PowerShell
            • Modifies data under HKEY_USERS
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4948
          • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
            C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
            4⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            PID:2688
          • C:\Windows\SYSTEM32\schtasks.exe
            schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
            4⤵
            • Creates scheduled task(s)
            PID:4740
          • C:\Windows\windefender.exe
            "C:\Windows\windefender.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:3728
            • C:\Windows\SysWOW64\cmd.exe
              cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:3908
              • C:\Windows\SysWOW64\sc.exe
                sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
                6⤵
                • Launches sc.exe
                • Suspicious use of AdjustPrivilegeToken
                PID:2956
    • C:\Windows\windefender.exe
      C:\Windows\windefender.exe
      1⤵
      • Executes dropped EXE
      • Modifies data under HKEY_USERS
      PID:2164

    Network

    • flag-us
      DNS
      134.32.126.40.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      134.32.126.40.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      200.197.79.204.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      200.197.79.204.in-addr.arpa
      IN PTR
      Response
      200.197.79.204.in-addr.arpa
      IN PTR
      a-0001a-msedgenet
    • flag-us
      DNS
      server7.alldatadump.org
      Remote address:
      8.8.8.8:53
      Request
      server7.alldatadump.org
      IN A
      Response
      server7.alldatadump.org
      IN A
      185.82.216.108
    • flag-us
      DNS
      233.130.159.162.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      233.130.159.162.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      129.250.125.74.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      129.250.125.74.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      ctldl.windowsupdate.com
      Remote address:
      8.8.8.8:53
      Request
      ctldl.windowsupdate.com
      IN A
      Response
      ctldl.windowsupdate.com
      IN CNAME
      ctldl.windowsupdate.com.delivery.microsoft.com
      ctldl.windowsupdate.com.delivery.microsoft.com
      IN CNAME
      wu-b-net.trafficmanager.net
      wu-b-net.trafficmanager.net
      IN CNAME
      download.windowsupdate.com.edgesuite.net
      download.windowsupdate.com.edgesuite.net
      IN CNAME
      a767.dspw65.akamai.net
      a767.dspw65.akamai.net
      IN A
      23.1.254.216
      a767.dspw65.akamai.net
      IN A
      23.1.254.200
    • flag-us
      DNS
      205.47.74.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      205.47.74.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      arc.msn.com
      Remote address:
      8.8.8.8:53
      Request
      arc.msn.com
      IN A
      Response
      arc.msn.com
      IN CNAME
      arc.trafficmanager.net
      arc.trafficmanager.net
      IN CNAME
      iris-de-prod-azsc-v2-weu-b.westeurope.cloudapp.azure.com
      iris-de-prod-azsc-v2-weu-b.westeurope.cloudapp.azure.com
      IN A
      20.31.169.57
    • flag-us
      DNS
      57.169.31.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      57.169.31.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      90.16.208.104.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      90.16.208.104.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      79.190.18.2.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      79.190.18.2.in-addr.arpa
      IN PTR
      Response
      79.190.18.2.in-addr.arpa
      IN PTR
      a2-18-190-79deploystaticakamaitechnologiescom
    • flag-us
      DNS
      arc.msn.com
      Remote address:
      8.8.8.8:53
      Request
      arc.msn.com
      IN A
      Response
      arc.msn.com
      IN CNAME
      arc.trafficmanager.net
      arc.trafficmanager.net
      IN CNAME
      iris-de-prod-azsc-v2-neu.northeurope.cloudapp.azure.com
      iris-de-prod-azsc-v2-neu.northeurope.cloudapp.azure.com
      IN A
      20.223.35.26
    • flag-us
      DNS
      arc.msn.com
      Remote address:
      8.8.8.8:53
      Request
      arc.msn.com
      IN A
    • flag-us
      DNS
      95.221.229.192.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      95.221.229.192.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      tse1.mm.bing.net
      Remote address:
      8.8.8.8:53
      Request
      tse1.mm.bing.net
      IN A
      Response
      tse1.mm.bing.net
      IN CNAME
      mm-mm.bing.net.trafficmanager.net
      mm-mm.bing.net.trafficmanager.net
      IN CNAME
      dual-a-0001.a-msedge.net
      dual-a-0001.a-msedge.net
      IN A
      204.79.197.200
      dual-a-0001.a-msedge.net
      IN A
      13.107.21.200
    • flag-us
      DNS
      stun1.l.google.com
      Remote address:
      8.8.8.8:53
      Request
      stun1.l.google.com
      IN A
      Response
      stun1.l.google.com
      IN A
      74.125.250.129
    • flag-us
      DNS
      stun1.l.google.com
      Remote address:
      8.8.8.8:53
      Request
      stun1.l.google.com
      IN A
    • flag-us
      GET
      https://tse1.mm.bing.net/th?id=OADD2.10239340783932_1JCHO8JLBZ4TPAX49&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
      Remote address:
      204.79.197.200:443
      Request
      GET /th?id=OADD2.10239340783932_1JCHO8JLBZ4TPAX49&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
      host: tse1.mm.bing.net
      accept: */*
      accept-encoding: gzip, deflate, br
      user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.22000
      Response
      HTTP/2.0 200
      cache-control: public, max-age=2592000
      content-length: 555746
      content-type: image/jpeg
      x-cache: TCP_HIT
      access-control-allow-origin: *
      access-control-allow-headers: *
      access-control-allow-methods: GET, POST, OPTIONS
      timing-allow-origin: *
      report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
      nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: 759BF79A5A224F4BBF49FAAA3F4C917D Ref B: LON04EDGE1207 Ref C: 2024-05-19T01:46:27Z
      date: Sun, 19 May 2024 01:46:26 GMT
    • flag-us
      GET
      https://tse1.mm.bing.net/th?id=OADD2.10239340783933_1QOIM48UV8MGOV4SU&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
      Remote address:
      204.79.197.200:443
      Request
      GET /th?id=OADD2.10239340783933_1QOIM48UV8MGOV4SU&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
      host: tse1.mm.bing.net
      accept: */*
      accept-encoding: gzip, deflate, br
      user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.22000
      Response
      HTTP/2.0 200
      cache-control: public, max-age=2592000
      content-length: 638730
      content-type: image/jpeg
      x-cache: TCP_HIT
      access-control-allow-origin: *
      access-control-allow-headers: *
      access-control-allow-methods: GET, POST, OPTIONS
      timing-allow-origin: *
      report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
      nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: 565E78D63C4B4B30A7555AB8E88B97CE Ref B: LON04EDGE1207 Ref C: 2024-05-19T01:46:27Z
      date: Sun, 19 May 2024 01:46:26 GMT
    • flag-us
      GET
      https://tse1.mm.bing.net/th?id=OADD2.10239360931612_153L2SVWUYAQUME4E&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
      Remote address:
      204.79.197.200:443
      Request
      GET /th?id=OADD2.10239360931612_153L2SVWUYAQUME4E&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
      host: tse1.mm.bing.net
      accept: */*
      accept-encoding: gzip, deflate, br
      user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.22000
      Response
      HTTP/2.0 200
      cache-control: public, max-age=2592000
      content-length: 659775
      content-type: image/jpeg
      x-cache: TCP_HIT
      access-control-allow-origin: *
      access-control-allow-headers: *
      access-control-allow-methods: GET, POST, OPTIONS
      timing-allow-origin: *
      report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
      nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: A5BE275CE7F14AFBBFDD0CAECBB37A98 Ref B: LON04EDGE1207 Ref C: 2024-05-19T01:46:27Z
      date: Sun, 19 May 2024 01:46:26 GMT
    • flag-us
      GET
      https://tse1.mm.bing.net/th?id=OADD2.10239360931611_1SOG5TNNJKE1WH1R0&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
      Remote address:
      204.79.197.200:443
      Request
      GET /th?id=OADD2.10239360931611_1SOG5TNNJKE1WH1R0&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
      host: tse1.mm.bing.net
      accept: */*
      accept-encoding: gzip, deflate, br
      user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.22000
      Response
      HTTP/2.0 200
      cache-control: public, max-age=2592000
      content-length: 621794
      content-type: image/jpeg
      x-cache: TCP_HIT
      access-control-allow-origin: *
      access-control-allow-headers: *
      access-control-allow-methods: GET, POST, OPTIONS
      timing-allow-origin: *
      report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
      nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: 979F37023D9E4E21991D30BED58689EB Ref B: LON04EDGE1207 Ref C: 2024-05-19T01:46:28Z
      date: Sun, 19 May 2024 01:46:27 GMT
    • flag-us
      DNS
      82.94.21.104.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      82.94.21.104.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      arc.msn.com
      Remote address:
      8.8.8.8:53
      Request
      arc.msn.com
      IN A
      Response
      arc.msn.com
      IN CNAME
      arc.trafficmanager.net
      arc.trafficmanager.net
      IN CNAME
      iris-de-prod-azsc-v2-neu-b.northeurope.cloudapp.azure.com
      iris-de-prod-azsc-v2-neu-b.northeurope.cloudapp.azure.com
      IN A
      20.223.36.55
    • flag-us
      DNS
      216.254.1.23.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      216.254.1.23.in-addr.arpa
      IN PTR
      Response
      216.254.1.23.in-addr.arpa
      IN PTR
      a23-1-254-216deploystaticakamaitechnologiescom
    • flag-us
      DNS
      nexusrules.officeapps.live.com
      Remote address:
      8.8.8.8:53
      Request
      nexusrules.officeapps.live.com
      IN A
      Response
      nexusrules.officeapps.live.com
      IN CNAME
      prod.nexusrules.live.com.akadns.net
      prod.nexusrules.live.com.akadns.net
      IN A
      52.111.236.21
    • flag-us
      DNS
      ris.api.iris.microsoft.com
      Remote address:
      8.8.8.8:53
      Request
      ris.api.iris.microsoft.com
      IN A
      Response
      ris.api.iris.microsoft.com
      IN CNAME
      ris-prod.trafficmanager.net
      ris-prod.trafficmanager.net
      IN CNAME
      asf-ris-prod-neu-azsc.northeurope.cloudapp.azure.com
      asf-ris-prod-neu-azsc.northeurope.cloudapp.azure.com
      IN A
      20.234.120.54
    • flag-us
      DNS
      self.events.data.microsoft.com
      Remote address:
      8.8.8.8:53
      Request
      self.events.data.microsoft.com
      IN A
      Response
      self.events.data.microsoft.com
      IN CNAME
      self-events-data.trafficmanager.net
      self-events-data.trafficmanager.net
      IN CNAME
      onedscolprdcus14.centralus.cloudapp.azure.com
      onedscolprdcus14.centralus.cloudapp.azure.com
      IN A
      104.208.16.90
    • 204.79.197.200:443
      https://tse1.mm.bing.net/th?id=OADD2.10239360931611_1SOG5TNNJKE1WH1R0&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
      tls, http2
      88.9kB
       2.6MB
       1872
      1865

      HTTP Request

      GET https://tse1.mm.bing.net/th?id=OADD2.10239340783932_1JCHO8JLBZ4TPAX49&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

      HTTP Request

      GET https://tse1.mm.bing.net/th?id=OADD2.10239340783933_1QOIM48UV8MGOV4SU&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

      HTTP Response

      200

      HTTP Response

      200

      HTTP Request

      GET https://tse1.mm.bing.net/th?id=OADD2.10239360931612_153L2SVWUYAQUME4E&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

      HTTP Response

      200

      HTTP Request

      GET https://tse1.mm.bing.net/th?id=OADD2.10239360931611_1SOG5TNNJKE1WH1R0&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

      HTTP Response

      200
    • 204.79.197.200:443
      tse1.mm.bing.net
      tls, http2
      1.2kB
       589 B
       11
      8
    • 204.79.197.200:443
      tse1.mm.bing.net
      tls, http2
      1.4kB
       8.1kB
       18
      14
    • 204.79.197.200:443
      tse1.mm.bing.net
      tls, http2
      1.6kB
       8.1kB
       17
      13
    • 162.159.130.233:443
      cdn.discordapp.com
      tls
      csrss.exe
      1.2kB
       5.2kB
       13
      15
    • 185.82.216.108:443
      server7.alldatadump.org
      tls
      csrss.exe
      1.9kB
       5.9kB
       15
      16
    • 104.21.94.82:443
      carsalessystem.com
      tls
      csrss.exe
      80.8kB
       2.2MB
       1552
      1653
    • 185.82.216.108:443
      server7.alldatadump.org
      tls
      csrss.exe
      1.9kB
       4.7kB
       11
      13
    • 185.82.216.108:443
      server7.alldatadump.org
      tls
      csrss.exe
      1.8kB
       4.5kB
       9
      9
    • 8.8.8.8:53
      134.32.126.40.in-addr.arpa
      dns
      701 B
       1.5kB
       10
      10

      DNS Request

      134.32.126.40.in-addr.arpa

      DNS Request

      200.197.79.204.in-addr.arpa

      DNS Request

      server7.alldatadump.org

      DNS Response

      185.82.216.108

      DNS Request

      233.130.159.162.in-addr.arpa

      DNS Request

      129.250.125.74.in-addr.arpa

      DNS Request

      ctldl.windowsupdate.com

      DNS Response

      23.1.254.216
      23.1.254.200

      DNS Request

      205.47.74.20.in-addr.arpa

      DNS Request

      arc.msn.com

      DNS Response

      20.31.169.57

      DNS Request

      57.169.31.20.in-addr.arpa

      DNS Request

      90.16.208.104.in-addr.arpa

    • 8.8.8.8:53
      79.190.18.2.in-addr.arpa
      dns
      184 B
       308 B
       3
      2

      DNS Request

      79.190.18.2.in-addr.arpa

      DNS Request

      arc.msn.com

      DNS Request

      arc.msn.com

      DNS Response

      20.223.35.26

    • 8.8.8.8:53
      95.221.229.192.in-addr.arpa
      dns
      263 B
       397 B
       4
      3

      DNS Request

      95.221.229.192.in-addr.arpa

      DNS Request

      tse1.mm.bing.net

      DNS Response

      204.79.197.200
      13.107.21.200

      DNS Request

      stun1.l.google.com

      DNS Request

      stun1.l.google.com

      DNS Response

      74.125.250.129

    • 8.8.8.8:53
      82.94.21.104.in-addr.arpa
      dns
      423 B
       975 B
       6
      6

      DNS Request

      82.94.21.104.in-addr.arpa

      DNS Request

      arc.msn.com

      DNS Response

      20.223.36.55

      DNS Request

      216.254.1.23.in-addr.arpa

      DNS Request

      nexusrules.officeapps.live.com

      DNS Response

      52.111.236.21

      DNS Request

      ris.api.iris.microsoft.com

      DNS Response

      20.234.120.54

      DNS Request

      self.events.data.microsoft.com

      DNS Response

      104.208.16.90

    • 74.125.250.129:19302
      stun1.l.google.com
      csrss.exe
      48 B
       60 B
       1
      1

    MITRE ATT&CK Enterprise v15

    Reconnaissance

    Resource Development

    Initial Access

    Execution

    Command and Scripting Interpreter

    1
    T1059

    PowerShell

    1
    T1059.001

    Scheduled Task/Job

    1
    T1053

    Persistence

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Create or Modify System Process

    1
    T1543

    Windows Service

    1
    T1543.003

    Scheduled Task/Job

    1
    T1053

    Privilege Escalation

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Create or Modify System Process

    1
    T1543

    Windows Service

    1
    T1543.003

    Scheduled Task/Job

    1
    T1053

    Defense Evasion

    Impair Defenses

    1
    T1562

    Disable or Modify System Firewall

    1
    T1562.004

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    Query Registry

    2
    T1012

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Command and Control

    Exfiltration

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zafxnoti.fvk.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
      Filesize

      281KB

      MD5

      d98e33b66343e7c96158444127a117f6

      SHA1

      bb716c5509a2bf345c6c1152f6e3e1452d39d50d

      SHA256

      5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

      SHA512

      705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

      Download Submit

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
      Filesize

      2KB

      MD5

      d0c46cad6c0778401e21910bd6b56b70

      SHA1

      7be418951ea96326aca445b8dfe449b2bfa0dca6

      SHA256

      9600b3fdf0565ccb49e21656aa4b24d7c18f776bfd04d9ee984b134707550f02

      SHA512

      057531b468f7fbbb2175a696a8aab274dec0d17d9f71df309edcff35e064f3378050066a3df47ccd03048fac461594ec75e3d4fe64f9dd79949d129f51e02949

      Download Submit

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
      Filesize

      19KB

      MD5

      bb4664952480c2e0bbc8d9b9f055629e

      SHA1

      9ed2002ac05ade639d0b8b3b314c9df266c8ac23

      SHA256

      6c0b6cabdaf92982fa12036ea4f145a81a4772bb1ce06de4601597d698eafa20

      SHA512

      2012da5f9c1162b07ca596a4afcde66ca0cccb86995c09942374c4176c7ce11a2cfa3bb434d8a29349a309cfa20cefb4a42a08092748250e48c18effb4972783

      Download Submit

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
      Filesize

      19KB

      MD5

      6370203556d77656e3bf4682b530c261

      SHA1

      4036d347fffd6d8b57ac56b11374dbe154fe54af

      SHA256

      927c3cec987e5bb4d3998326af431a5b3e091aecfb57781e8b738d7f8a84fec3

      SHA512

      95a69bb0b16590b7ca5eb656f6f5e1241b80b622e9823cd726db73409d4aae7a125e684e893a7955406137e99d0c43df0d34e80e5c03a147c7886f2d723509b3

      Download Submit

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
      Filesize

      19KB

      MD5

      350210f488d65d9326049a43d3ce1787

      SHA1

      b2ff695eaa270ee3c148501ab0cd3590b3afe073

      SHA256

      191f3dd4cf5bd5482ab29a7fb617916c54f67094805739805e068a33d5cbce8f

      SHA512

      f702a41b6a8a924317e8ed3339747fce17b77aa63a09ce6f0259fa49126bae3cbe78f8afeab96baa03e892ced34d387a32adac075ab82bf219a3c8331a257a62

      Download Submit

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
      Filesize

      19KB

      MD5

      92712fbb4b5fdacca257a76245a772e1

      SHA1

      bcaf095ee5e8e1a90c0f7a3e6508c0a00a94604f

      SHA256

      36844742502c87b37459833398acc4c48be13ee6e02252f755e670c99277bca7

      SHA512

      d2e2027cd9226d1f1b422b210cffac0ead12a83e8ea944c0ac569cb0939f3a123b62d0f306c192816f6edb4461de4eae9648d1c28a82586096ee3cc79f9cff20

      Download Submit

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
      Filesize

      19KB

      MD5

      ff9e0881983024fa2a69b88020ff19bb

      SHA1

      74cdf4a71597b0f3cc6ee40fe8b6ceae68720e5c

      SHA256

      e898694cc17b5e0f23f776956a8536f111082ebd64d3ff0e60a2940ab3152218

      SHA512

      761a6df3527f87ec4f952614c5d5e3048c46e222567ca6f75c2dca0f13ae8e783c33b1957f21be7d1c5fefac7094945e39a5833a5239643d2e797b820d2c768e

      Download Submit

    • C:\Windows\rss\csrss.exe
      Filesize

      4.1MB

      MD5

      5596ce92b5b7512c4e67adc4b283cbe1

      SHA1

      93013cc30e72a9c0052b0e69dcad323d1ce3706a

      SHA256

      c229ceb8141a9c4882c0fb113eb18e4e8518d5a327c904b463d60b6aaf3a345b

      SHA512

      d5a966ec48baee74ce6eaa827e36981883b3f2de14793027d2f723967a45b95a98c2558d2d33082d8d3f7e0c9cd60c040b91f446e7875f339fc9ca085515e53a

      Download Submit

    • C:\Windows\windefender.exe
      Filesize

      2.0MB

      MD5

      8e67f58837092385dcf01e8a2b4f5783

      SHA1

      012c49cfd8c5d06795a6f67ea2baf2a082cf8625

      SHA256

      166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa

      SHA512

      40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

      Download Submit

    • memory/540-24-0x0000000007930000-0x0000000007964000-memory.dmp

      Filesize

      208KB

      Download

    • memory/540-7-0x0000000005870000-0x0000000005E9A000-memory.dmp

      Filesize

      6.2MB

      Download

    • memory/540-22-0x0000000006540000-0x000000000658C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/540-23-0x0000000006A80000-0x0000000006AC6000-memory.dmp

      Filesize

      280KB

      Download

    • memory/540-25-0x0000000070230000-0x000000007027C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/540-20-0x0000000006020000-0x0000000006377000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/540-26-0x0000000070440000-0x0000000070797000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/540-37-0x0000000073FC0000-0x0000000074771000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/540-36-0x0000000007990000-0x0000000007A34000-memory.dmp

      Filesize

      656KB

      Download

    • memory/540-35-0x0000000007970000-0x000000000798E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/540-38-0x0000000073FC0000-0x0000000074771000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/540-40-0x0000000007AC0000-0x0000000007ADA000-memory.dmp

      Filesize

      104KB

      Download

    • memory/540-39-0x0000000008100000-0x000000000877A000-memory.dmp

      Filesize

      6.5MB

      Download

    • memory/540-41-0x0000000007B00000-0x0000000007B0A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/540-42-0x0000000007BC0000-0x0000000007C56000-memory.dmp

      Filesize

      600KB

      Download

    • memory/540-43-0x0000000007B30000-0x0000000007B41000-memory.dmp

      Filesize

      68KB

      Download

    • memory/540-44-0x0000000007B70000-0x0000000007B7E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/540-45-0x0000000007B80000-0x0000000007B95000-memory.dmp

      Filesize

      84KB

      Download

    • memory/540-46-0x0000000007C80000-0x0000000007C9A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/540-47-0x0000000007C60000-0x0000000007C68000-memory.dmp

      Filesize

      32KB

      Download

    • memory/540-50-0x0000000073FC0000-0x0000000074771000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/540-4-0x0000000073FCE000-0x0000000073FCF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/540-5-0x00000000050A0000-0x00000000050D6000-memory.dmp

      Filesize

      216KB

      Download

    • memory/540-6-0x0000000073FC0000-0x0000000074771000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/540-21-0x0000000006520000-0x000000000653E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/540-8-0x0000000073FC0000-0x0000000074771000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/540-9-0x0000000005650000-0x0000000005672000-memory.dmp

      Filesize

      136KB

      Download

    • memory/540-10-0x00000000056F0000-0x0000000005756000-memory.dmp

      Filesize

      408KB

      Download

    • memory/540-11-0x0000000005760000-0x00000000057C6000-memory.dmp

      Filesize

      408KB

      Download

    • memory/1892-171-0x0000000006090000-0x00000000060A5000-memory.dmp

      Filesize

      84KB

      Download

    • memory/1892-170-0x0000000007810000-0x0000000007821000-memory.dmp

      Filesize

      68KB

      Download

    • memory/1892-169-0x00000000074D0000-0x0000000007574000-memory.dmp

      Filesize

      656KB

      Download

    • memory/1892-160-0x0000000070360000-0x00000000706B7000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/1892-159-0x0000000070150000-0x000000007019C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/1892-158-0x0000000006810000-0x000000000685C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/1892-156-0x0000000005CD0000-0x0000000006027000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/2092-124-0x0000000000400000-0x0000000002732000-memory.dmp

      Filesize

      35.2MB

      Download

    • memory/2164-214-0x0000000000400000-0x00000000008DF000-memory.dmp

      Filesize

      4.9MB

      Download

    • memory/2164-208-0x0000000000400000-0x00000000008DF000-memory.dmp

      Filesize

      4.9MB

      Download

    • memory/2164-220-0x0000000000400000-0x00000000008DF000-memory.dmp

      Filesize

      4.9MB

      Download

    • memory/2468-240-0x0000000000400000-0x0000000002732000-memory.dmp

      Filesize

      35.2MB

      Download

    • memory/2468-235-0x0000000000400000-0x0000000002732000-memory.dmp

      Filesize

      35.2MB

      Download

    • memory/2468-237-0x0000000000400000-0x0000000002732000-memory.dmp

      Filesize

      35.2MB

      Download

    • memory/2468-200-0x0000000000400000-0x0000000002732000-memory.dmp

      Filesize

      35.2MB

      Download

    • memory/2468-211-0x0000000000400000-0x0000000002732000-memory.dmp

      Filesize

      35.2MB

      Download

    • memory/2468-228-0x0000000000400000-0x0000000002732000-memory.dmp

      Filesize

      35.2MB

      Download

    • memory/2468-243-0x0000000000400000-0x0000000002732000-memory.dmp

      Filesize

      35.2MB

      Download

    • memory/2468-223-0x0000000000400000-0x0000000002732000-memory.dmp

      Filesize

      35.2MB

      Download

    • memory/2468-225-0x0000000000400000-0x0000000002732000-memory.dmp

      Filesize

      35.2MB

      Download

    • memory/2468-213-0x0000000000400000-0x0000000002732000-memory.dmp

      Filesize

      35.2MB

      Download

    • memory/2468-216-0x0000000000400000-0x0000000002732000-memory.dmp

      Filesize

      35.2MB

      Download

    • memory/2468-231-0x0000000000400000-0x0000000002732000-memory.dmp

      Filesize

      35.2MB

      Download

    • memory/2468-219-0x0000000000400000-0x0000000002732000-memory.dmp

      Filesize

      35.2MB

      Download

    • memory/3020-96-0x0000000000400000-0x0000000002732000-memory.dmp

      Filesize

      35.2MB

      Download

    • memory/3020-98-0x0000000004A30000-0x000000000531B000-memory.dmp

      Filesize

      8.9MB

      Download

    • memory/3020-1-0x0000000004620000-0x0000000004A26000-memory.dmp

      Filesize

      4.0MB

      Download

    • memory/3020-2-0x0000000004A30000-0x000000000531B000-memory.dmp

      Filesize

      8.9MB

      Download

    • memory/3020-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

      Filesize

      9.1MB

      Download

    • memory/3020-146-0x0000000000400000-0x0000000000D1C000-memory.dmp

      Filesize

      9.1MB

      Download

    • memory/3020-97-0x0000000004620000-0x0000000004A26000-memory.dmp

      Filesize

      4.0MB

      Download

    • memory/3404-136-0x0000000070230000-0x000000007027C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/3404-137-0x0000000070440000-0x0000000070797000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/3524-100-0x0000000005D10000-0x0000000006067000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/3524-111-0x00000000704A0000-0x00000000707F7000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/3524-110-0x0000000070230000-0x000000007027C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/3728-86-0x0000000070230000-0x000000007027C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/3728-210-0x0000000000400000-0x00000000008DF000-memory.dmp

      Filesize

      4.9MB

      Download

    • memory/3728-87-0x0000000070440000-0x0000000070797000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/3728-205-0x0000000000400000-0x00000000008DF000-memory.dmp

      Filesize

      4.9MB

      Download

    • memory/4604-72-0x0000000007C80000-0x0000000007C91000-memory.dmp

      Filesize

      68KB

      Download

    • memory/4604-71-0x0000000007930000-0x00000000079D4000-memory.dmp

      Filesize

      656KB

      Download

    • memory/4604-62-0x0000000070480000-0x00000000707D7000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/4604-61-0x0000000070230000-0x000000007027C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/4604-52-0x0000000006210000-0x0000000006567000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/4604-73-0x0000000007CD0000-0x0000000007CE5000-memory.dmp

      Filesize

      84KB

      Download

    • memory/4948-174-0x0000000006300000-0x0000000006657000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/4948-185-0x00000000703A0000-0x00000000706F7000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/4948-184-0x0000000070150000-0x000000007019C000-memory.dmp

      Filesize

      304KB

      Download

    We care about your privacy.

    This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.