glupteba | 81ea76eb362accf3cf44a9320fecd2e8c473c6b3b6ff570bc938ff663012fb4e

Analysis

max time kernel
149s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
19/05/2024, 11:35 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

81ea76eb362accf3cf44a9320fecd2e8c473c6b3b6ff570bc938ff663012fb4e.exe
Size

4.1MB
MD5

cb6a29e08314289f9331972b48abf960
SHA1

44fab7c4febffeed8f0a677fbfed75f0fa941db2
SHA256

81ea76eb362accf3cf44a9320fecd2e8c473c6b3b6ff570bc938ff663012fb4e
SHA512

06ccc47678e0a177ef0a395113327420c8f9638a07682913d9d9835ab1acccd3c4e2d51515d3441e3bf4d75f6f38e2a8f2435026ebb7dd53cc929998fca8a7c2
SSDEEP

98304:Wk/C6baF9NNXYvR+SQPyohxfWe3/GY9pAEj6j:Wn6bazjovoyoHfX3/GYHk

Score

10^/10

glupteba discovery dropper evasion execution loader persistence rootkit upx

Malware Config

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 19 IoCs

resource	yara_rule
behavioral1/memory/3584-2-0x0000000004500000-0x0000000004DEB000-memory.dmp	family_glupteba
behavioral1/memory/3584-3-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/3584-47-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/3584-48-0x0000000004500000-0x0000000004DEB000-memory.dmp	family_glupteba
behavioral1/memory/3584-46-0x0000000000400000-0x0000000002364000-memory.dmp	family_glupteba
behavioral1/memory/3352-131-0x0000000000400000-0x0000000002364000-memory.dmp	family_glupteba
behavioral1/memory/3036-214-0x0000000000400000-0x0000000002364000-memory.dmp	family_glupteba
behavioral1/memory/3036-223-0x0000000000400000-0x0000000002364000-memory.dmp	family_glupteba
behavioral1/memory/3036-225-0x0000000000400000-0x0000000002364000-memory.dmp	family_glupteba
behavioral1/memory/3036-227-0x0000000000400000-0x0000000002364000-memory.dmp	family_glupteba
behavioral1/memory/3036-229-0x0000000000400000-0x0000000002364000-memory.dmp	family_glupteba
behavioral1/memory/3036-231-0x0000000000400000-0x0000000002364000-memory.dmp	family_glupteba
behavioral1/memory/3036-233-0x0000000000400000-0x0000000002364000-memory.dmp	family_glupteba
behavioral1/memory/3036-235-0x0000000000400000-0x0000000002364000-memory.dmp	family_glupteba
behavioral1/memory/3036-237-0x0000000000400000-0x0000000002364000-memory.dmp	family_glupteba
behavioral1/memory/3036-239-0x0000000000400000-0x0000000002364000-memory.dmp	family_glupteba
behavioral1/memory/3036-241-0x0000000000400000-0x0000000002364000-memory.dmp	family_glupteba
behavioral1/memory/3036-243-0x0000000000400000-0x0000000002364000-memory.dmp	family_glupteba
behavioral1/memory/3036-245-0x0000000000400000-0x0000000002364000-memory.dmp	family_glupteba

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
3592	netsh.exe

Executes dropped EXE 4 IoCs

pid	Process
3036	csrss.exe
3920	injector.exe
1360	windefender.exe
404	windefender.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000800000002342b-217.dat	upx
behavioral1/memory/1360-218-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral1/memory/404-222-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral1/memory/1360-221-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral1/memory/404-224-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral1/memory/404-228-0x0000000000400000-0x00000000008DF000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	81ea76eb362accf3cf44a9320fecd2e8c473c6b3b6ff570bc938ff663012fb4e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	csrss.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Manipulates WinMonFS driver. 1 IoCs

Roottkits write to WinMonFS to hide directories/files from being detected.

rootkit evasion

description	ioc	Process
File opened for modification	\??\WinMonFS	csrss.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\VBoxMiniRdrDN	81ea76eb362accf3cf44a9320fecd2e8c473c6b3b6ff570bc938ff663012fb4e.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\rss\csrss.exe	81ea76eb362accf3cf44a9320fecd2e8c473c6b3b6ff570bc938ff663012fb4e.exe
File created	C:\Windows\windefender.exe	csrss.exe
File opened for modification	C:\Windows\windefender.exe	csrss.exe
File opened for modification	C:\Windows\rss	81ea76eb362accf3cf44a9320fecd2e8c473c6b3b6ff570bc938ff663012fb4e.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1880	sc.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3252	powershell.exe
4844	powershell.exe
4300	powershell.exe
400	powershell.exe
2680	powershell.exe
2468	powershell.exe
516	powershell.exe

Program crash 3 IoCs

pid	pid_target	Process	procid_target
3116	516	WerFault.exe	85
1836	3584	WerFault.exe	81
1284	3352	WerFault.exe	93

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4340	schtasks.exe
3536	schtasks.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1412 = "Syria Standard Time"	81ea76eb362accf3cf44a9320fecd2e8c473c6b3b6ff570bc938ff663012fb4e.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-401 = "Arabic Daylight Time"	81ea76eb362accf3cf44a9320fecd2e8c473c6b3b6ff570bc938ff663012fb4e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-491 = "India Daylight Time"	81ea76eb362accf3cf44a9320fecd2e8c473c6b3b6ff570bc938ff663012fb4e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1472 = "Magadan Standard Time"	81ea76eb362accf3cf44a9320fecd2e8c473c6b3b6ff570bc938ff663012fb4e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1891 = "Russia TZ 3 Daylight Time"	81ea76eb362accf3cf44a9320fecd2e8c473c6b3b6ff570bc938ff663012fb4e.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-181 = "Mountain Daylight Time (Mexico)"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2511 = "Lord Howe Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2791 = "Novosibirsk Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-272 = "Greenwich Standard Time"	81ea76eb362accf3cf44a9320fecd2e8c473c6b3b6ff570bc938ff663012fb4e.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1842 = "Russia TZ 4 Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-3142 = "South Sudan Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-671 = "AUS Eastern Daylight Time"	81ea76eb362accf3cf44a9320fecd2e8c473c6b3b6ff570bc938ff663012fb4e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-201 = "US Mountain Daylight Time"	81ea76eb362accf3cf44a9320fecd2e8c473c6b3b6ff570bc938ff663012fb4e.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-531 = "Sri Lanka Daylight Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1872 = "Russia TZ 7 Standard Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-51 = "Greenland Daylight Time"	81ea76eb362accf3cf44a9320fecd2e8c473c6b3b6ff570bc938ff663012fb4e.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-365 = "Middle East Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-831 = "SA Eastern Daylight Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-771 = "Montevideo Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1861 = "Russia TZ 6 Daylight Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-434 = "Georgian Daylight Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-141 = "Canada Central Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2431 = "Cuba Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-362 = "GTB Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2391 = "Aleutian Daylight Time"	81ea76eb362accf3cf44a9320fecd2e8c473c6b3b6ff570bc938ff663012fb4e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2841 = "Saratov Daylight Time"	81ea76eb362accf3cf44a9320fecd2e8c473c6b3b6ff570bc938ff663012fb4e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2591 = "Tocantins Daylight Time"	81ea76eb362accf3cf44a9320fecd2e8c473c6b3b6ff570bc938ff663012fb4e.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-81 = "Atlantic Daylight Time"	81ea76eb362accf3cf44a9320fecd2e8c473c6b3b6ff570bc938ff663012fb4e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-449 = "Azerbaijan Standard Time"	81ea76eb362accf3cf44a9320fecd2e8c473c6b3b6ff570bc938ff663012fb4e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1832 = "Russia TZ 2 Standard Time"	81ea76eb362accf3cf44a9320fecd2e8c473c6b3b6ff570bc938ff663012fb4e.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-172 = "Central Standard Time (Mexico)"	81ea76eb362accf3cf44a9320fecd2e8c473c6b3b6ff570bc938ff663012fb4e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-572 = "China Standard Time"	81ea76eb362accf3cf44a9320fecd2e8c473c6b3b6ff570bc938ff663012fb4e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-571 = "China Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1722 = "Libya Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-691 = "Tasmania Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-71 = "Newfoundland Daylight Time"	81ea76eb362accf3cf44a9320fecd2e8c473c6b3b6ff570bc938ff663012fb4e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-91 = "Pacific SA Daylight Time"	81ea76eb362accf3cf44a9320fecd2e8c473c6b3b6ff570bc938ff663012fb4e.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
516	powershell.exe
516	powershell.exe
3584	81ea76eb362accf3cf44a9320fecd2e8c473c6b3b6ff570bc938ff663012fb4e.exe
3584	81ea76eb362accf3cf44a9320fecd2e8c473c6b3b6ff570bc938ff663012fb4e.exe
3252	powershell.exe
3252	powershell.exe
3352	81ea76eb362accf3cf44a9320fecd2e8c473c6b3b6ff570bc938ff663012fb4e.exe
3352	81ea76eb362accf3cf44a9320fecd2e8c473c6b3b6ff570bc938ff663012fb4e.exe
3352	81ea76eb362accf3cf44a9320fecd2e8c473c6b3b6ff570bc938ff663012fb4e.exe
3352	81ea76eb362accf3cf44a9320fecd2e8c473c6b3b6ff570bc938ff663012fb4e.exe
3352	81ea76eb362accf3cf44a9320fecd2e8c473c6b3b6ff570bc938ff663012fb4e.exe
3352	81ea76eb362accf3cf44a9320fecd2e8c473c6b3b6ff570bc938ff663012fb4e.exe
3352	81ea76eb362accf3cf44a9320fecd2e8c473c6b3b6ff570bc938ff663012fb4e.exe
3352	81ea76eb362accf3cf44a9320fecd2e8c473c6b3b6ff570bc938ff663012fb4e.exe
3352	81ea76eb362accf3cf44a9320fecd2e8c473c6b3b6ff570bc938ff663012fb4e.exe
3352	81ea76eb362accf3cf44a9320fecd2e8c473c6b3b6ff570bc938ff663012fb4e.exe
4844	powershell.exe
4844	powershell.exe
4300	powershell.exe
4300	powershell.exe
400	powershell.exe
400	powershell.exe
2680	powershell.exe
2680	powershell.exe
2468	powershell.exe
2468	powershell.exe
2468	powershell.exe
3920	injector.exe
3920	injector.exe
3920	injector.exe
3920	injector.exe
3920	injector.exe
3920	injector.exe
3036	csrss.exe
3036	csrss.exe
3920	injector.exe
3920	injector.exe
3920	injector.exe
3920	injector.exe
3920	injector.exe
3920	injector.exe
3036	csrss.exe
3036	csrss.exe
3920	injector.exe
3920	injector.exe
3920	injector.exe
3920	injector.exe
3920	injector.exe
3920	injector.exe
3036	csrss.exe
3036	csrss.exe
3920	injector.exe
3920	injector.exe
3920	injector.exe
3920	injector.exe
3920	injector.exe
3920	injector.exe
3920	injector.exe
3920	injector.exe
3920	injector.exe
3920	injector.exe
3920	injector.exe
3920	injector.exe
3920	injector.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeDebugPrivilege	516	powershell.exe
Token: SeDebugPrivilege	3584	81ea76eb362accf3cf44a9320fecd2e8c473c6b3b6ff570bc938ff663012fb4e.exe
Token: SeImpersonatePrivilege	3584	81ea76eb362accf3cf44a9320fecd2e8c473c6b3b6ff570bc938ff663012fb4e.exe
Token: SeDebugPrivilege	3252	powershell.exe
Token: SeDebugPrivilege	4844	powershell.exe
Token: SeDebugPrivilege	4300	powershell.exe
Token: SeDebugPrivilege	400	powershell.exe
Token: SeDebugPrivilege	2680	powershell.exe
Token: SeDebugPrivilege	2468	powershell.exe
Token: SeSystemEnvironmentPrivilege	3036	csrss.exe
Token: SeSecurityPrivilege	1880	sc.exe
Token: SeSecurityPrivilege	1880	sc.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 3584 wrote to memory of 516	3584	81ea76eb362accf3cf44a9320fecd2e8c473c6b3b6ff570bc938ff663012fb4e.exe	85
PID 3584 wrote to memory of 516	3584	81ea76eb362accf3cf44a9320fecd2e8c473c6b3b6ff570bc938ff663012fb4e.exe	85
PID 3584 wrote to memory of 516	3584	81ea76eb362accf3cf44a9320fecd2e8c473c6b3b6ff570bc938ff663012fb4e.exe	85
PID 3352 wrote to memory of 3252	3352	81ea76eb362accf3cf44a9320fecd2e8c473c6b3b6ff570bc938ff663012fb4e.exe	96
PID 3352 wrote to memory of 3252	3352	81ea76eb362accf3cf44a9320fecd2e8c473c6b3b6ff570bc938ff663012fb4e.exe	96
PID 3352 wrote to memory of 3252	3352	81ea76eb362accf3cf44a9320fecd2e8c473c6b3b6ff570bc938ff663012fb4e.exe	96
PID 3352 wrote to memory of 2496	3352	81ea76eb362accf3cf44a9320fecd2e8c473c6b3b6ff570bc938ff663012fb4e.exe	98
PID 3352 wrote to memory of 2496	3352	81ea76eb362accf3cf44a9320fecd2e8c473c6b3b6ff570bc938ff663012fb4e.exe	98
PID 2496 wrote to memory of 3592	2496	cmd.exe	100
PID 2496 wrote to memory of 3592	2496	cmd.exe	100
PID 3352 wrote to memory of 4844	3352	81ea76eb362accf3cf44a9320fecd2e8c473c6b3b6ff570bc938ff663012fb4e.exe	101
PID 3352 wrote to memory of 4844	3352	81ea76eb362accf3cf44a9320fecd2e8c473c6b3b6ff570bc938ff663012fb4e.exe	101
PID 3352 wrote to memory of 4844	3352	81ea76eb362accf3cf44a9320fecd2e8c473c6b3b6ff570bc938ff663012fb4e.exe	101
PID 3352 wrote to memory of 4300	3352	81ea76eb362accf3cf44a9320fecd2e8c473c6b3b6ff570bc938ff663012fb4e.exe	105
PID 3352 wrote to memory of 4300	3352	81ea76eb362accf3cf44a9320fecd2e8c473c6b3b6ff570bc938ff663012fb4e.exe	105
PID 3352 wrote to memory of 4300	3352	81ea76eb362accf3cf44a9320fecd2e8c473c6b3b6ff570bc938ff663012fb4e.exe	105
PID 3352 wrote to memory of 3036	3352	81ea76eb362accf3cf44a9320fecd2e8c473c6b3b6ff570bc938ff663012fb4e.exe	108
PID 3352 wrote to memory of 3036	3352	81ea76eb362accf3cf44a9320fecd2e8c473c6b3b6ff570bc938ff663012fb4e.exe	108
PID 3352 wrote to memory of 3036	3352	81ea76eb362accf3cf44a9320fecd2e8c473c6b3b6ff570bc938ff663012fb4e.exe	108
PID 3036 wrote to memory of 400	3036	csrss.exe	111
PID 3036 wrote to memory of 400	3036	csrss.exe	111
PID 3036 wrote to memory of 400	3036	csrss.exe	111
PID 3036 wrote to memory of 2680	3036	csrss.exe	117
PID 3036 wrote to memory of 2680	3036	csrss.exe	117
PID 3036 wrote to memory of 2680	3036	csrss.exe	117
PID 3036 wrote to memory of 2468	3036	csrss.exe	121
PID 3036 wrote to memory of 2468	3036	csrss.exe	121
PID 3036 wrote to memory of 2468	3036	csrss.exe	121
PID 3036 wrote to memory of 3920	3036	csrss.exe	123
PID 3036 wrote to memory of 3920	3036	csrss.exe	123
PID 1360 wrote to memory of 4728	1360	windefender.exe	129
PID 1360 wrote to memory of 4728	1360	windefender.exe	129
PID 1360 wrote to memory of 4728	1360	windefender.exe	129
PID 4728 wrote to memory of 1880	4728	cmd.exe	130
PID 4728 wrote to memory of 1880	4728	cmd.exe	130
PID 4728 wrote to memory of 1880	4728	cmd.exe	130

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\81ea76eb362accf3cf44a9320fecd2e8c473c6b3b6ff570bc938ff663012fb4e.exe
"C:\Users\Admin\AppData\Local\Temp\81ea76eb362accf3cf44a9320fecd2e8c473c6b3b6ff570bc938ff663012fb4e.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3584
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell -nologo -noprofile
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:516
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 516 -s 2492
    3⤵
    - Program crash
    PID:3116
- C:\Users\Admin\AppData\Local\Temp\81ea76eb362accf3cf44a9320fecd2e8c473c6b3b6ff570bc938ff663012fb4e.exe
  "C:\Users\Admin\AppData\Local\Temp\81ea76eb362accf3cf44a9320fecd2e8c473c6b3b6ff570bc938ff663012fb4e.exe"
  2⤵
  - Adds Run key to start application
  - Checks for VirtualBox DLLs, possible anti-VM trick
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3352
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    - Drops file in System32 directory
    - Command and Scripting Interpreter: PowerShell
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3252
- - C:\Windows\system32\cmd.exe
    C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2496
  - - C:\Windows\system32\netsh.exe
      netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      PID:3592
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    - Drops file in System32 directory
    - Command and Scripting Interpreter: PowerShell
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4844
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    - Drops file in System32 directory
    - Command and Scripting Interpreter: PowerShell
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4300
- - C:\Windows\rss\csrss.exe
    C:\Windows\rss\csrss.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Manipulates WinMonFS driver.
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3036
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Drops file in System32 directory
      Command and Scripting Interpreter: PowerShell
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:400
  - - C:\Windows\SYSTEM32\schtasks.exe
      schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
      4⤵
      Creates scheduled task(s)
      PID:4340
  - - C:\Windows\SYSTEM32\schtasks.exe
      schtasks /delete /tn ScheduledUpdate /f
      4⤵
      PID:4788
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Drops file in System32 directory
      Command and Scripting Interpreter: PowerShell
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2680
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Drops file in System32 directory
      Command and Scripting Interpreter: PowerShell
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2468
  - - C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
      C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:3920
  - - C:\Windows\SYSTEM32\schtasks.exe
      schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
      4⤵
      Creates scheduled task(s)
      PID:3536
  - - C:\Windows\windefender.exe
      "C:\Windows\windefender.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1360
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4728
      - C:\Windows\SysWOW64\sc.exe
        
        sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        6⤵
        Launches sc.exe
        Suspicious use of AdjustPrivilegeToken
        
        PID:1880
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3352 -s 740
    3⤵
    - Program crash
    PID:1284
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3584 -s 632
  2⤵
  - Program crash
  PID:1836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 516 -ip 516
1⤵
PID:4712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 3584 -ip 3584
1⤵
PID:3440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3352 -ip 3352
1⤵
PID:4904

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:404

Network

DNS

97.17.167.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

97.17.167.52.in-addr.arpa

IN PTR

Response
DNS

g.bing.com

Remote address:

8.8.8.8:53

Request

g.bing.com

IN A

Response

g.bing.com

IN CNAME

g-bing-com.dual-a-0034.a-msedge.net

g-bing-com.dual-a-0034.a-msedge.net

IN CNAME

dual-a-0034.a-msedge.net

dual-a-0034.a-msedge.net

IN A

204.79.197.237

dual-a-0034.a-msedge.net

IN A

13.107.21.237
GET

https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8gO4dDztiGiM8aPZizSZ9ZDVUCUyH5PgadmUVv90yHNADrpIQCQvFs707XEQZLaUtIZ0OeLKL-RsgwAd3epnwMmDX0XGHpa4k_diEQJGzBEZCzCPKAPVvzcS-BH7NNe1BaYkPCpFmxyQ_bzj08CzZQfpKBGBakjIeTsJD8Xq6aspi05Th%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D452cfe3d74d11eecd4919816dd637671&TIME=20240426T131914Z&CID=530628298&EID=530628298&tids=15000&adUnitId=11730597&localId=w:416143B6-C385-8B32-96EF-B62827C91949&deviceId=6825828828137038&muid=416143B6C3858B3296EFB62827C91949

Remote address:

204.79.197.237:443

Request

GET /neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8gO4dDztiGiM8aPZizSZ9ZDVUCUyH5PgadmUVv90yHNADrpIQCQvFs707XEQZLaUtIZ0OeLKL-RsgwAd3epnwMmDX0XGHpa4k_diEQJGzBEZCzCPKAPVvzcS-BH7NNe1BaYkPCpFmxyQ_bzj08CzZQfpKBGBakjIeTsJD8Xq6aspi05Th%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D452cfe3d74d11eecd4919816dd637671&TIME=20240426T131914Z&CID=530628298&EID=530628298&tids=15000&adUnitId=11730597&localId=w:416143B6-C385-8B32-96EF-B62827C91949&deviceId=6825828828137038&muid=416143B6C3858B3296EFB62827C91949 HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MUID=3D518310A6ED628515E69794A70D6371; domain=.bing.com; expires=Fri, 13-Jun-2025 11:35:18 GMT; path=/; SameSite=None; Secure; Priority=High;
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: E8C6C11CDBDB4EADB4553FC877E48083 Ref B: LON04EDGE1109 Ref C: 2024-05-19T11:35:18Z
date: Sun, 19 May 2024 11:35:18 GMT
GET

https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8gO4dDztiGiM8aPZizSZ9ZDVUCUyH5PgadmUVv90yHNADrpIQCQvFs707XEQZLaUtIZ0OeLKL-RsgwAd3epnwMmDX0XGHpa4k_diEQJGzBEZCzCPKAPVvzcS-BH7NNe1BaYkPCpFmxyQ_bzj08CzZQfpKBGBakjIeTsJD8Xq6aspi05Th%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D452cfe3d74d11eecd4919816dd637671&TIME=20240426T131914Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:416143B6-C385-8B32-96EF-B62827C91949&deviceId=6825828828137038&muid=416143B6C3858B3296EFB62827C91949

Remote address:

204.79.197.237:443

Request

GET /neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8gO4dDztiGiM8aPZizSZ9ZDVUCUyH5PgadmUVv90yHNADrpIQCQvFs707XEQZLaUtIZ0OeLKL-RsgwAd3epnwMmDX0XGHpa4k_diEQJGzBEZCzCPKAPVvzcS-BH7NNe1BaYkPCpFmxyQ_bzj08CzZQfpKBGBakjIeTsJD8Xq6aspi05Th%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D452cfe3d74d11eecd4919816dd637671&TIME=20240426T131914Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:416143B6-C385-8B32-96EF-B62827C91949&deviceId=6825828828137038&muid=416143B6C3858B3296EFB62827C91949 HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=3D518310A6ED628515E69794A70D6371; _EDGE_S=SID=28890C608B2569EA020E18E48A49683D

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MSPTC=ajYnteCLN6X9WsfRgx6EzKPlyzDz2pqNuqMylpsjb0c; domain=.bing.com; expires=Fri, 13-Jun-2025 11:35:19 GMT; path=/; Partitioned; secure; SameSite=None
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: E14BC06B991A462B859A831EFB569C5C Ref B: LON04EDGE1109 Ref C: 2024-05-19T11:35:19Z
date: Sun, 19 May 2024 11:35:19 GMT
DNS

82.90.14.23.in-addr.arpa

Remote address:

8.8.8.8:53

Request

82.90.14.23.in-addr.arpa

IN PTR

Response

82.90.14.23.in-addr.arpa

IN PTR

a23-14-90-82deploystaticakamaitechnologiescom
DNS

237.197.79.204.in-addr.arpa

Remote address:

8.8.8.8:53

Request

237.197.79.204.in-addr.arpa

IN PTR

Response
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
GET

https://www.bing.com/aes/c.gif?RG=c3c14100360d44aebe46e58efe237d6a&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240426T131914Z&adUnitId=11730597&localId=w:416143B6-C385-8B32-96EF-B62827C91949&deviceId=6825828828137038

Remote address:

23.62.61.129:443

Request

GET /aes/c.gif?RG=c3c14100360d44aebe46e58efe237d6a&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240426T131914Z&adUnitId=11730597&localId=w:416143B6-C385-8B32-96EF-B62827C91949&deviceId=6825828828137038 HTTP/2.0
host: www.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=3D518310A6ED628515E69794A70D6371

Response

HTTP/2.0 200

cache-control: private,no-store
pragma: no-cache
vary: Origin
p3p: CP=BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 4E29FA07A74847099BA33E7C94ADE700 Ref B: BRU30EDGE0618 Ref C: 2024-05-19T11:35:19Z
content-length: 0
date: Sun, 19 May 2024 11:35:19 GMT
set-cookie: _EDGE_S=SID=28890C608B2569EA020E18E48A49683D; path=/; httponly; domain=bing.com
set-cookie: MUIDB=3D518310A6ED628515E69794A70D6371; path=/; httponly; expires=Fri, 13-Jun-2025 11:35:19 GMT
alt-svc: h3=":443"; ma=93600
x-cdn-traceid: 0.7d3d3e17.1716118519.e7bd0c2
DNS

68.159.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

68.159.190.20.in-addr.arpa

IN PTR

Response
DNS

129.61.62.23.in-addr.arpa

Remote address:

8.8.8.8:53

Request

129.61.62.23.in-addr.arpa

IN PTR

Response

129.61.62.23.in-addr.arpa

IN PTR

a23-62-61-129deploystaticakamaitechnologiescom
DNS

241.150.49.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

241.150.49.20.in-addr.arpa

IN PTR

Response
DNS

ef579e38-871d-4356-a028-15948f9253d2.uuid.myfastupdate.org

csrss.exe

Remote address:

8.8.8.8:53

Request

ef579e38-871d-4356-a028-15948f9253d2.uuid.myfastupdate.org

IN TXT

Response
DNS

217.106.137.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

217.106.137.52.in-addr.arpa

IN PTR

Response
DNS

stun1.l.google.com

csrss.exe

Remote address:

8.8.8.8:53

Request

stun1.l.google.com

IN A

Response

stun1.l.google.com

IN A

74.125.250.129
DNS

server7.myfastupdate.org

csrss.exe

Remote address:

8.8.8.8:53

Request

server7.myfastupdate.org

IN A

Response

server7.myfastupdate.org

IN A

185.82.216.111
DNS

cdn.discordapp.com

csrss.exe

Remote address:

8.8.8.8:53

Request

cdn.discordapp.com

IN A

Response

cdn.discordapp.com

IN A

162.159.129.233

cdn.discordapp.com

IN A

162.159.130.233

cdn.discordapp.com

IN A

162.159.133.233

cdn.discordapp.com

IN A

162.159.135.233

cdn.discordapp.com

IN A

162.159.134.233
DNS

129.250.125.74.in-addr.arpa

Remote address:

8.8.8.8:53

Request

129.250.125.74.in-addr.arpa

IN PTR

Response
DNS

carsalessystem.com

csrss.exe

Remote address:

8.8.8.8:53

Request

carsalessystem.com

IN A

Response

carsalessystem.com

IN A

104.21.94.82

carsalessystem.com

IN A

172.67.221.71
DNS

carsalessystem.com

csrss.exe

Remote address:

8.8.8.8:53

Request

carsalessystem.com

IN A
DNS

233.129.159.162.in-addr.arpa

Remote address:

8.8.8.8:53

Request

233.129.159.162.in-addr.arpa

IN PTR

Response
DNS

111.216.82.185.in-addr.arpa

Remote address:

8.8.8.8:53

Request

111.216.82.185.in-addr.arpa

IN PTR

Response

111.216.82.185.in-addr.arpa

IN PTR

dedic-mariadebommarez-1201693hosted-by-itldccom
DNS

82.94.21.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

82.94.21.104.in-addr.arpa

IN PTR

Response
DNS

58.55.71.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

58.55.71.13.in-addr.arpa

IN PTR

Response
DNS

103.169.127.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

103.169.127.40.in-addr.arpa

IN PTR

Response
DNS

198.187.3.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

198.187.3.20.in-addr.arpa

IN PTR

Response
DNS

200.254.1.23.in-addr.arpa

Remote address:

8.8.8.8:53

Request

200.254.1.23.in-addr.arpa

IN PTR

Response

200.254.1.23.in-addr.arpa

IN PTR

a23-1-254-200deploystaticakamaitechnologiescom
DNS

55.36.223.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

55.36.223.20.in-addr.arpa

IN PTR

Response
DNS

14.227.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

14.227.111.52.in-addr.arpa

IN PTR

Response
DNS

tse1.mm.bing.net

Remote address:

8.8.8.8:53

Request

tse1.mm.bing.net

IN A

Response

tse1.mm.bing.net

IN CNAME

mm-mm.bing.net.trafficmanager.net

mm-mm.bing.net.trafficmanager.net

IN CNAME

dual-a-0001.a-msedge.net

dual-a-0001.a-msedge.net

IN A

204.79.197.200

dual-a-0001.a-msedge.net

IN A

13.107.21.200
GET

https://tse1.mm.bing.net/th?id=OADD2.10239340783939_14IT4JGOWRFC6CMW9&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239340783939_14IT4JGOWRFC6CMW9&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 659775
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: F052B7D4DA354CA4B2106ED692259337 Ref B: LON04EDGE1009 Ref C: 2024-05-19T11:37:04Z
date: Sun, 19 May 2024 11:37:03 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239360931612_153L2SVWUYAQUME4E&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239360931612_153L2SVWUYAQUME4E&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 792794
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: C0BE436957944724ADE5665303AE85F4 Ref B: LON04EDGE1009 Ref C: 2024-05-19T11:37:04Z
date: Sun, 19 May 2024 11:37:03 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239360931611_1SOG5TNNJKE1WH1R0&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239360931611_1SOG5TNNJKE1WH1R0&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 621794
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: BE8AAC141666428886649C83360B19BC Ref B: LON04EDGE1009 Ref C: 2024-05-19T11:37:04Z
date: Sun, 19 May 2024 11:37:03 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239340783938_154JBSOQL12JS43YR&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239340783938_154JBSOQL12JS43YR&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 627437
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 746D8ACB08A8420584261B36F2798408 Ref B: LON04EDGE1009 Ref C: 2024-05-19T11:37:04Z
date: Sun, 19 May 2024 11:37:03 GMT
DNS

200.197.79.204.in-addr.arpa

Remote address:

8.8.8.8:53

Request

200.197.79.204.in-addr.arpa

IN PTR

Response

200.197.79.204.in-addr.arpa

IN PTR

a-0001a-msedgenet

204.79.197.237:443

https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8gO4dDztiGiM8aPZizSZ9ZDVUCUyH5PgadmUVv90yHNADrpIQCQvFs707XEQZLaUtIZ0OeLKL-RsgwAd3epnwMmDX0XGHpa4k_diEQJGzBEZCzCPKAPVvzcS-BH7NNe1BaYkPCpFmxyQ_bzj08CzZQfpKBGBakjIeTsJD8Xq6aspi05Th%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D452cfe3d74d11eecd4919816dd637671&TIME=20240426T131914Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:416143B6-C385-8B32-96EF-B62827C91949&deviceId=6825828828137038&muid=416143B6C3858B3296EFB62827C91949

tls, http2

2.6kB
9.4kB
20
16

HTTP Request

GET https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8gO4dDztiGiM8aPZizSZ9ZDVUCUyH5PgadmUVv90yHNADrpIQCQvFs707XEQZLaUtIZ0OeLKL-RsgwAd3epnwMmDX0XGHpa4k_diEQJGzBEZCzCPKAPVvzcS-BH7NNe1BaYkPCpFmxyQ_bzj08CzZQfpKBGBakjIeTsJD8Xq6aspi05Th%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D452cfe3d74d11eecd4919816dd637671&TIME=20240426T131914Z&CID=530628298&EID=530628298&tids=15000&adUnitId=11730597&localId=w:416143B6-C385-8B32-96EF-B62827C91949&deviceId=6825828828137038&muid=416143B6C3858B3296EFB62827C91949

HTTP Response

204

HTTP Request

GET https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8gO4dDztiGiM8aPZizSZ9ZDVUCUyH5PgadmUVv90yHNADrpIQCQvFs707XEQZLaUtIZ0OeLKL-RsgwAd3epnwMmDX0XGHpa4k_diEQJGzBEZCzCPKAPVvzcS-BH7NNe1BaYkPCpFmxyQ_bzj08CzZQfpKBGBakjIeTsJD8Xq6aspi05Th%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D452cfe3d74d11eecd4919816dd637671&TIME=20240426T131914Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:416143B6-C385-8B32-96EF-B62827C91949&deviceId=6825828828137038&muid=416143B6C3858B3296EFB62827C91949

HTTP Response

204
23.62.61.129:443

https://www.bing.com/aes/c.gif?RG=c3c14100360d44aebe46e58efe237d6a&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240426T131914Z&adUnitId=11730597&localId=w:416143B6-C385-8B32-96EF-B62827C91949&deviceId=6825828828137038

tls, http2

2.6kB
5.3kB
20
11

HTTP Request

GET https://www.bing.com/aes/c.gif?RG=c3c14100360d44aebe46e58efe237d6a&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240426T131914Z&adUnitId=11730597&localId=w:416143B6-C385-8B32-96EF-B62827C91949&deviceId=6825828828137038

HTTP Response

200
162.159.129.233:443

cdn.discordapp.com

tls

csrss.exe

1.4kB
6.2kB
18
21
185.82.216.111:443

server7.myfastupdate.org

tls

csrss.exe

1.4kB
5.1kB
13
14
104.21.94.82:443

carsalessystem.com

tls

csrss.exe

87.3kB
2.2MB
1652
1638
185.82.216.111:443

server7.myfastupdate.org

tls

csrss.exe

1.3kB
4.7kB
11
13
185.82.216.111:443

server7.myfastupdate.org

tls

csrss.exe

1.9kB
4.7kB
11
13
204.79.197.200:443

tse1.mm.bing.net

tls, http2

1.2kB
8.1kB
16
14
204.79.197.200:443

tse1.mm.bing.net

tls, http2

1.2kB
8.1kB
16
14
204.79.197.200:443

tse1.mm.bing.net

tls, http2

1.2kB
8.0kB
16
12
204.79.197.200:443

https://tse1.mm.bing.net/th?id=OADD2.10239340783938_154JBSOQL12JS43YR&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

tls, http2

96.3kB
2.8MB
2043
2037

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239340783939_14IT4JGOWRFC6CMW9&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239360931612_153L2SVWUYAQUME4E&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239360931611_1SOG5TNNJKE1WH1R0&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239340783938_154JBSOQL12JS43YR&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

HTTP Response

200

HTTP Response

200

HTTP Response

200

HTTP Response

200
185.82.216.111:443

server7.myfastupdate.org

tls

csrss.exe

1.9kB
4.7kB
11
13
127.0.0.1:31465

csrss.exe

8.8.8.8:53

97.17.167.52.in-addr.arpa

dns

71 B
145 B
1
1

DNS Request

97.17.167.52.in-addr.arpa
8.8.8.8:53

g.bing.com

dns

56 B
151 B
1
1

DNS Request

g.bing.com

DNS Response

204.79.197.237

13.107.21.237
8.8.8.8:53

82.90.14.23.in-addr.arpa

dns

70 B
133 B
1
1

DNS Request

82.90.14.23.in-addr.arpa
8.8.8.8:53

237.197.79.204.in-addr.arpa

dns

73 B
143 B
1
1

DNS Request

237.197.79.204.in-addr.arpa
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

68.159.190.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

68.159.190.20.in-addr.arpa
8.8.8.8:53

129.61.62.23.in-addr.arpa

dns

71 B
135 B
1
1

DNS Request

129.61.62.23.in-addr.arpa
8.8.8.8:53

241.150.49.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

241.150.49.20.in-addr.arpa
8.8.8.8:53

ef579e38-871d-4356-a028-15948f9253d2.uuid.myfastupdate.org

dns

csrss.exe

104 B
165 B
1
1

DNS Request

ef579e38-871d-4356-a028-15948f9253d2.uuid.myfastupdate.org
8.8.8.8:53

217.106.137.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

217.106.137.52.in-addr.arpa
8.8.8.8:53

stun1.l.google.com

dns

csrss.exe

64 B
80 B
1
1

DNS Request

stun1.l.google.com

DNS Response

74.125.250.129
8.8.8.8:53

server7.myfastupdate.org

dns

csrss.exe

70 B
86 B
1
1

DNS Request

server7.myfastupdate.org

DNS Response

185.82.216.111
8.8.8.8:53

cdn.discordapp.com

dns

csrss.exe

64 B
144 B
1
1

DNS Request

cdn.discordapp.com

DNS Response

162.159.129.233

162.159.130.233

162.159.133.233

162.159.135.233

162.159.134.233
74.125.250.129:19302

stun1.l.google.com

csrss.exe

48 B
60 B
1
1
8.8.8.8:53

129.250.125.74.in-addr.arpa

dns

73 B
133 B
1
1

DNS Request

129.250.125.74.in-addr.arpa
8.8.8.8:53

carsalessystem.com

dns

csrss.exe

128 B
96 B
2
1

DNS Request

carsalessystem.com

DNS Request

carsalessystem.com

DNS Response

104.21.94.82

172.67.221.71
8.8.8.8:53

233.129.159.162.in-addr.arpa

dns

74 B
136 B
1
1

DNS Request

233.129.159.162.in-addr.arpa
8.8.8.8:53

111.216.82.185.in-addr.arpa

dns

73 B
136 B
1
1

DNS Request

111.216.82.185.in-addr.arpa
8.8.8.8:53

82.94.21.104.in-addr.arpa

dns

71 B
133 B
1
1

DNS Request

82.94.21.104.in-addr.arpa
8.8.8.8:53

58.55.71.13.in-addr.arpa

dns

70 B
144 B
1
1

DNS Request

58.55.71.13.in-addr.arpa
8.8.8.8:53

103.169.127.40.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

103.169.127.40.in-addr.arpa
8.8.8.8:53

198.187.3.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

198.187.3.20.in-addr.arpa
8.8.8.8:53

200.254.1.23.in-addr.arpa

dns

71 B
135 B
1
1

DNS Request

200.254.1.23.in-addr.arpa
8.8.8.8:53

55.36.223.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

55.36.223.20.in-addr.arpa
8.8.8.8:53

14.227.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

14.227.111.52.in-addr.arpa
8.8.8.8:53

tse1.mm.bing.net

dns

62 B
173 B
1
1

DNS Request

tse1.mm.bing.net

DNS Response

204.79.197.200

13.107.21.200
8.8.8.8:53

200.197.79.204.in-addr.arpa

dns

73 B
106 B
1
1

DNS Request

200.197.79.204.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_sc5h4wc3.me2.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

Filesize
281KB

MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
87e6c62647bfe0381498754e60cb02ea

SHA1
bb7b98fc66bb73f23b2262c4962fc90a798b9257

SHA256
641e0c3b978326b07a56d98f137737f713dddae57bb8b8a433ea553bf6e14053

SHA512
9858af1e21d3e3a7cac2d43404bc9a5fa078c002f44ffa44a8a696e8c68ddaac5e144f475a2ed5a1cf16ba0900c0f93c618269e1a5a88a4de05e42b70c79a5c8

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
e4a892d299f4ef084ebd65eed57ab078

SHA1
124e3575928154dca0339daf1f6eafd699a397ad

SHA256
ce2119396c1a9577f55b2cffd6e4bb1456b1fe819ec59e71d00c435138c7d295

SHA512
518f5e52886dfbbf67eb58009332f633815a73998681f952d257a4624f5201a8343384ae54994ffe9574f26ba4ebd7915f52dca66ea6ba70c9f0781c50e0e41b

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
b3e54ed320793b1dcbdf870cab196480

SHA1
db61794d118f8b5662888488cefd4df90fdb7efe

SHA256
7d767eb32248e1b09be726d630c048a93b993314437aa5684282b6cd670f3c82

SHA512
a37e58405432345e32cfe59ac17e368dec4c21dd47c19787fbbbc3ef5055ad6789f4b5f37a710fd6c9e575568059f7bf34b97134c5d3d312290c31aac768ab7a

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
0f4b6302d707fe2c973955b850e5a6e7

SHA1
bc00c3966b3ab1f31c03129f6b227692e48ead60

SHA256
b56bd5d22732cc2d97d7618cba71f15a9268a473d92bdc2734be7dd3fbc039f0

SHA512
b1385b30d1ac89acaea4e5345461426416520a1390f6bf537afbacbfe139517a343fb98f3b717a06d5387c008954d58d3cb0e10ec467c6c6ebc5dbb64a3e4957

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
d995aa2f469ad85aef68747aeba04449

SHA1
31543613b2247dbe4ae59cc69072d5318b8190cc

SHA256
d7ab761690bae521fed0ab31043177111c237e4a48c3cb723f7b60b8dede5a35

SHA512
b7b90be1e811569acba22218f0e8c31f33fc736ab1eaba43e82a4251f10c4a57f945ca9ee412f50289f7e58abff3a17d5161858d796378cf5b10b7b94027d76d

Download Submit
C:\Windows\rss\csrss.exe

Filesize
4.1MB

MD5
cb6a29e08314289f9331972b48abf960

SHA1
44fab7c4febffeed8f0a677fbfed75f0fa941db2

SHA256
81ea76eb362accf3cf44a9320fecd2e8c473c6b3b6ff570bc938ff663012fb4e

SHA512
06ccc47678e0a177ef0a395113327420c8f9638a07682913d9d9835ab1acccd3c4e2d51515d3441e3bf4d75f6f38e2a8f2435026ebb7dd53cc929998fca8a7c2

Download Submit
C:\Windows\windefender.exe

Filesize
2.0MB

MD5
8e67f58837092385dcf01e8a2b4f5783

SHA1
012c49cfd8c5d06795a6f67ea2baf2a082cf8625

SHA256
166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa

SHA512
40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

Download Submit
memory/400-145-0x0000000070CD0000-0x0000000071024000-memory.dmp

Filesize
3.3MB

Download
memory/400-144-0x0000000070B50000-0x0000000070B9C000-memory.dmp

Filesize
304KB

Download
memory/400-155-0x0000000006F90000-0x0000000007033000-memory.dmp

Filesize
652KB

Download
memory/400-156-0x0000000007310000-0x0000000007321000-memory.dmp

Filesize
68KB

Download
memory/400-157-0x0000000005760000-0x0000000005774000-memory.dmp

Filesize
80KB

Download
memory/400-143-0x0000000005DD0000-0x0000000005E1C000-memory.dmp

Filesize
304KB

Download
memory/400-141-0x0000000005970000-0x0000000005CC4000-memory.dmp

Filesize
3.3MB

Download
memory/404-222-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/404-224-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/404-228-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/516-21-0x0000000006080000-0x00000000063D4000-memory.dmp

Filesize
3.3MB

Download
memory/516-27-0x00000000078C0000-0x00000000078DA000-memory.dmp

Filesize
104KB

Download
memory/516-29-0x0000000070AF0000-0x0000000070B3C000-memory.dmp

Filesize
304KB

Download
memory/516-28-0x0000000007A80000-0x0000000007AB2000-memory.dmp

Filesize
200KB

Download
memory/516-42-0x0000000007AE0000-0x0000000007B83000-memory.dmp

Filesize
652KB

Download
memory/516-43-0x0000000007BD0000-0x0000000007BDA000-memory.dmp

Filesize
40KB

Download
memory/516-44-0x0000000074C50000-0x0000000075400000-memory.dmp

Filesize
7.7MB

Download
memory/516-41-0x0000000007AC0000-0x0000000007ADE000-memory.dmp

Filesize
120KB

Download
memory/516-30-0x0000000070C70000-0x0000000070FC4000-memory.dmp

Filesize
3.3MB

Download
memory/516-4-0x0000000074C5E000-0x0000000074C5F000-memory.dmp

Filesize
4KB

Download
memory/516-31-0x0000000074C50000-0x0000000075400000-memory.dmp

Filesize
7.7MB

Download
memory/516-8-0x0000000074C50000-0x0000000075400000-memory.dmp

Filesize
7.7MB

Download
memory/516-5-0x0000000004F40000-0x0000000004F76000-memory.dmp

Filesize
216KB

Download
memory/516-6-0x00000000055B0000-0x0000000005BD8000-memory.dmp

Filesize
6.2MB

Download
memory/516-26-0x0000000007F20000-0x000000000859A000-memory.dmp

Filesize
6.5MB

Download
memory/516-7-0x0000000074C50000-0x0000000075400000-memory.dmp

Filesize
7.7MB

Download
memory/516-25-0x0000000007820000-0x0000000007896000-memory.dmp

Filesize
472KB

Download
memory/516-24-0x0000000007670000-0x00000000076B4000-memory.dmp

Filesize
272KB

Download
memory/516-23-0x0000000006720000-0x000000000676C000-memory.dmp

Filesize
304KB

Download
memory/516-22-0x0000000006500000-0x000000000651E000-memory.dmp

Filesize
120KB

Download
memory/516-11-0x0000000005F10000-0x0000000005F76000-memory.dmp

Filesize
408KB

Download
memory/516-10-0x0000000005E30000-0x0000000005E96000-memory.dmp

Filesize
408KB

Download
memory/516-9-0x0000000005C60000-0x0000000005C82000-memory.dmp

Filesize
136KB

Download
memory/1360-221-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/1360-218-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/2468-195-0x0000000006410000-0x0000000006764000-memory.dmp

Filesize
3.3MB

Download
memory/2468-197-0x0000000070A70000-0x0000000070ABC000-memory.dmp

Filesize
304KB

Download
memory/2468-198-0x0000000070BF0000-0x0000000070F44000-memory.dmp

Filesize
3.3MB

Download
memory/2680-183-0x0000000007580000-0x0000000007591000-memory.dmp

Filesize
68KB

Download
memory/2680-168-0x0000000005AC0000-0x0000000005E14000-memory.dmp

Filesize
3.3MB

Download
memory/2680-184-0x0000000005E40000-0x0000000005E54000-memory.dmp

Filesize
80KB

Download
memory/2680-182-0x0000000007260000-0x0000000007303000-memory.dmp

Filesize
652KB

Download
memory/2680-171-0x0000000070A70000-0x0000000070ABC000-memory.dmp

Filesize
304KB

Download
memory/2680-172-0x0000000071200000-0x0000000071554000-memory.dmp

Filesize
3.3MB

Download
memory/2680-170-0x0000000006170000-0x00000000061BC000-memory.dmp

Filesize
304KB

Download
memory/3036-239-0x0000000000400000-0x0000000002364000-memory.dmp

Filesize
31.4MB

Download
memory/3036-233-0x0000000000400000-0x0000000002364000-memory.dmp

Filesize
31.4MB

Download
memory/3036-231-0x0000000000400000-0x0000000002364000-memory.dmp

Filesize
31.4MB

Download
memory/3036-229-0x0000000000400000-0x0000000002364000-memory.dmp

Filesize
31.4MB

Download
memory/3036-227-0x0000000000400000-0x0000000002364000-memory.dmp

Filesize
31.4MB

Download
memory/3036-235-0x0000000000400000-0x0000000002364000-memory.dmp

Filesize
31.4MB

Download
memory/3036-237-0x0000000000400000-0x0000000002364000-memory.dmp

Filesize
31.4MB

Download
memory/3036-214-0x0000000000400000-0x0000000002364000-memory.dmp

Filesize
31.4MB

Download
memory/3036-241-0x0000000000400000-0x0000000002364000-memory.dmp

Filesize
31.4MB

Download
memory/3036-243-0x0000000000400000-0x0000000002364000-memory.dmp

Filesize
31.4MB

Download
memory/3036-225-0x0000000000400000-0x0000000002364000-memory.dmp

Filesize
31.4MB

Download
memory/3036-245-0x0000000000400000-0x0000000002364000-memory.dmp

Filesize
31.4MB

Download
memory/3036-223-0x0000000000400000-0x0000000002364000-memory.dmp

Filesize
31.4MB

Download
memory/3252-73-0x0000000007610000-0x0000000007621000-memory.dmp

Filesize
68KB

Download
memory/3252-74-0x0000000007650000-0x000000000765E000-memory.dmp

Filesize
56KB

Download
memory/3252-60-0x0000000070BF0000-0x0000000070C3C000-memory.dmp

Filesize
304KB

Download
memory/3252-59-0x0000000006140000-0x000000000618C000-memory.dmp

Filesize
304KB

Download
memory/3252-71-0x0000000007310000-0x00000000073B3000-memory.dmp

Filesize
652KB

Download
memory/3252-58-0x0000000005AB0000-0x0000000005E04000-memory.dmp

Filesize
3.3MB

Download
memory/3252-61-0x0000000071380000-0x00000000716D4000-memory.dmp

Filesize
3.3MB

Download
memory/3252-77-0x0000000007690000-0x0000000007698000-memory.dmp

Filesize
32KB

Download
memory/3252-72-0x00000000076F0000-0x0000000007786000-memory.dmp

Filesize
600KB

Download
memory/3252-76-0x00000000076A0000-0x00000000076BA000-memory.dmp

Filesize
104KB

Download
memory/3252-75-0x0000000007660000-0x0000000007674000-memory.dmp

Filesize
80KB

Download
memory/3352-131-0x0000000000400000-0x0000000002364000-memory.dmp

Filesize
31.4MB

Download
memory/3584-46-0x0000000000400000-0x0000000002364000-memory.dmp

Filesize
31.4MB

Download
memory/3584-2-0x0000000004500000-0x0000000004DEB000-memory.dmp

Filesize
8.9MB

Download
memory/3584-1-0x0000000004100000-0x00000000044FE000-memory.dmp

Filesize
4.0MB

Download
memory/3584-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/3584-47-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/3584-48-0x0000000004500000-0x0000000004DEB000-memory.dmp

Filesize
8.9MB

Download
memory/4300-115-0x0000000070D80000-0x00000000710D4000-memory.dmp

Filesize
3.3MB

Download
memory/4300-112-0x0000000005640000-0x0000000005994000-memory.dmp

Filesize
3.3MB

Download
memory/4300-114-0x0000000070BF0000-0x0000000070C3C000-memory.dmp

Filesize
304KB

Download
memory/4844-92-0x0000000071380000-0x00000000716D4000-memory.dmp

Filesize
3.3MB

Download
memory/4844-91-0x0000000070BF0000-0x0000000070C3C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Response

HTTP Response

HTTP Response

HTTP Response

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.