glupteba | 8409c2b0bb04ac92de1a1dab769d8eb0ba90026ed3036afb9bec59c52527f78f

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
19/05/2024, 11:35 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8409c2b0bb04ac92de1a1dab769d8eb0ba90026ed3036afb9bec59c52527f78f.exe
Size

4.1MB
MD5

8792fffdee93c4e1663c7c6a5bfa9ef6
SHA1

d6ba1c4d9e73da8020b891292cd20bd270ed2ff1
SHA256

8409c2b0bb04ac92de1a1dab769d8eb0ba90026ed3036afb9bec59c52527f78f
SHA512

d0e15f7a4f88c4cb220ac387546beb170d34fffba3dbc7a5a671291d923ab514820721fcaebf8abe853049d6c9188532c4ef77f422cdf3ba7f4ae94ca7f4fefe
SSDEEP

98304:Ok/C6baF9NNXYvR+SQPyohxfWe3/GY9pAEj6Q:On6bazjovoyoHfX3/GYHX

Score

10^/10

glupteba discovery dropper evasion execution loader persistence rootkit upx

Malware Config

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 19 IoCs

resource	yara_rule
behavioral1/memory/3260-2-0x0000000004450000-0x0000000004D3B000-memory.dmp	family_glupteba
behavioral1/memory/3260-3-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/3260-56-0x0000000004450000-0x0000000004D3B000-memory.dmp	family_glupteba
behavioral1/memory/3260-57-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/3260-55-0x0000000000400000-0x0000000002364000-memory.dmp	family_glupteba
behavioral1/memory/3724-136-0x0000000000400000-0x0000000002364000-memory.dmp	family_glupteba
behavioral1/memory/4944-219-0x0000000000400000-0x0000000002364000-memory.dmp	family_glupteba
behavioral1/memory/4944-229-0x0000000000400000-0x0000000002364000-memory.dmp	family_glupteba
behavioral1/memory/4944-231-0x0000000000400000-0x0000000002364000-memory.dmp	family_glupteba
behavioral1/memory/4944-233-0x0000000000400000-0x0000000002364000-memory.dmp	family_glupteba
behavioral1/memory/4944-235-0x0000000000400000-0x0000000002364000-memory.dmp	family_glupteba
behavioral1/memory/4944-237-0x0000000000400000-0x0000000002364000-memory.dmp	family_glupteba
behavioral1/memory/4944-239-0x0000000000400000-0x0000000002364000-memory.dmp	family_glupteba
behavioral1/memory/4944-241-0x0000000000400000-0x0000000002364000-memory.dmp	family_glupteba
behavioral1/memory/4944-243-0x0000000000400000-0x0000000002364000-memory.dmp	family_glupteba
behavioral1/memory/4944-245-0x0000000000400000-0x0000000002364000-memory.dmp	family_glupteba
behavioral1/memory/4944-247-0x0000000000400000-0x0000000002364000-memory.dmp	family_glupteba
behavioral1/memory/4944-249-0x0000000000400000-0x0000000002364000-memory.dmp	family_glupteba
behavioral1/memory/4944-251-0x0000000000400000-0x0000000002364000-memory.dmp	family_glupteba

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
4572	netsh.exe

Executes dropped EXE 4 IoCs

pid	Process
4944	csrss.exe
4292	injector.exe
4252	windefender.exe
636	windefender.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0008000000023415-223.dat	upx
behavioral1/memory/636-227-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral1/memory/4252-228-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral1/memory/4252-224-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral1/memory/636-230-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral1/memory/636-234-0x0000000000400000-0x00000000008DF000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	8409c2b0bb04ac92de1a1dab769d8eb0ba90026ed3036afb9bec59c52527f78f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	csrss.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Manipulates WinMonFS driver. 1 IoCs

Roottkits write to WinMonFS to hide directories/files from being detected.

rootkit evasion

description	ioc	Process
File opened for modification	\??\WinMonFS	csrss.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\VBoxMiniRdrDN	8409c2b0bb04ac92de1a1dab769d8eb0ba90026ed3036afb9bec59c52527f78f.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\windefender.exe	csrss.exe
File opened for modification	C:\Windows\windefender.exe	csrss.exe
File opened for modification	C:\Windows\rss	8409c2b0bb04ac92de1a1dab769d8eb0ba90026ed3036afb9bec59c52527f78f.exe
File created	C:\Windows\rss\csrss.exe	8409c2b0bb04ac92de1a1dab769d8eb0ba90026ed3036afb9bec59c52527f78f.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3752	sc.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
464	powershell.exe
1584	powershell.exe
4864	powershell.exe
1324	powershell.exe
1376	powershell.exe
528	powershell.exe
4840	powershell.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
720	3260	WerFault.exe	81
4548	3724	WerFault.exe	92

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2740	schtasks.exe
1888	schtasks.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time"	8409c2b0bb04ac92de1a1dab769d8eb0ba90026ed3036afb9bec59c52527f78f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2632 = "Norfolk Standard Time"	8409c2b0bb04ac92de1a1dab769d8eb0ba90026ed3036afb9bec59c52527f78f.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2042 = "Eastern Standard Time (Mexico)"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-491 = "India Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1932 = "Russia TZ 11 Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-261 = "GMT Daylight Time"	8409c2b0bb04ac92de1a1dab769d8eb0ba90026ed3036afb9bec59c52527f78f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2752 = "Tomsk Standard Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-441 = "Arabian Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-231 = "Hawaiian Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-131 = "US Eastern Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1891 = "Russia TZ 3 Daylight Time"	8409c2b0bb04ac92de1a1dab769d8eb0ba90026ed3036afb9bec59c52527f78f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-831 = "SA Eastern Daylight Time"	8409c2b0bb04ac92de1a1dab769d8eb0ba90026ed3036afb9bec59c52527f78f.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-681 = "E. Australia Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-372 = "Jerusalem Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-192 = "Mountain Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-541 = "Myanmar Daylight Time"	8409c2b0bb04ac92de1a1dab769d8eb0ba90026ed3036afb9bec59c52527f78f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-292 = "Central European Standard Time"	8409c2b0bb04ac92de1a1dab769d8eb0ba90026ed3036afb9bec59c52527f78f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-111 = "Eastern Daylight Time"	8409c2b0bb04ac92de1a1dab769d8eb0ba90026ed3036afb9bec59c52527f78f.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2161 = "Altai Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-42 = "E. South America Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-72 = "Newfoundland Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2181 = "Astrakhan Daylight Time"	8409c2b0bb04ac92de1a1dab769d8eb0ba90026ed3036afb9bec59c52527f78f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-71 = "Newfoundland Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-332 = "E. Europe Standard Time"	8409c2b0bb04ac92de1a1dab769d8eb0ba90026ed3036afb9bec59c52527f78f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-351 = "FLE Daylight Time"	8409c2b0bb04ac92de1a1dab769d8eb0ba90026ed3036afb9bec59c52527f78f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2942 = "Sao Tome Standard Time"	8409c2b0bb04ac92de1a1dab769d8eb0ba90026ed3036afb9bec59c52527f78f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-751 = "Tonga Daylight Time"	8409c2b0bb04ac92de1a1dab769d8eb0ba90026ed3036afb9bec59c52527f78f.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-172 = "Central Standard Time (Mexico)"	8409c2b0bb04ac92de1a1dab769d8eb0ba90026ed3036afb9bec59c52527f78f.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-742 = "New Zealand Standard Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-122 = "SA Pacific Standard Time"	8409c2b0bb04ac92de1a1dab769d8eb0ba90026ed3036afb9bec59c52527f78f.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-621 = "Korea Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2571 = "Turks and Caicos Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2411 = "Marquesas Daylight Time"	8409c2b0bb04ac92de1a1dab769d8eb0ba90026ed3036afb9bec59c52527f78f.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1412 = "Syria Standard Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-791 = "SA Western Daylight Time"	8409c2b0bb04ac92de1a1dab769d8eb0ba90026ed3036afb9bec59c52527f78f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-652 = "AUS Central Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1842 = "Russia TZ 4 Standard Time"	8409c2b0bb04ac92de1a1dab769d8eb0ba90026ed3036afb9bec59c52527f78f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-142 = "Canada Central Standard Time"	8409c2b0bb04ac92de1a1dab769d8eb0ba90026ed3036afb9bec59c52527f78f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2842 = "Saratov Standard Time"	8409c2b0bb04ac92de1a1dab769d8eb0ba90026ed3036afb9bec59c52527f78f.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-11 = "Azores Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1021 = "Bangladesh Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-352 = "FLE Standard Time"	windefender.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1324	powershell.exe
1324	powershell.exe
3260	8409c2b0bb04ac92de1a1dab769d8eb0ba90026ed3036afb9bec59c52527f78f.exe
3260	8409c2b0bb04ac92de1a1dab769d8eb0ba90026ed3036afb9bec59c52527f78f.exe
1376	powershell.exe
1376	powershell.exe
3724	8409c2b0bb04ac92de1a1dab769d8eb0ba90026ed3036afb9bec59c52527f78f.exe
3724	8409c2b0bb04ac92de1a1dab769d8eb0ba90026ed3036afb9bec59c52527f78f.exe
3724	8409c2b0bb04ac92de1a1dab769d8eb0ba90026ed3036afb9bec59c52527f78f.exe
3724	8409c2b0bb04ac92de1a1dab769d8eb0ba90026ed3036afb9bec59c52527f78f.exe
3724	8409c2b0bb04ac92de1a1dab769d8eb0ba90026ed3036afb9bec59c52527f78f.exe
3724	8409c2b0bb04ac92de1a1dab769d8eb0ba90026ed3036afb9bec59c52527f78f.exe
3724	8409c2b0bb04ac92de1a1dab769d8eb0ba90026ed3036afb9bec59c52527f78f.exe
3724	8409c2b0bb04ac92de1a1dab769d8eb0ba90026ed3036afb9bec59c52527f78f.exe
3724	8409c2b0bb04ac92de1a1dab769d8eb0ba90026ed3036afb9bec59c52527f78f.exe
3724	8409c2b0bb04ac92de1a1dab769d8eb0ba90026ed3036afb9bec59c52527f78f.exe
528	powershell.exe
528	powershell.exe
4840	powershell.exe
4840	powershell.exe
4840	powershell.exe
464	powershell.exe
464	powershell.exe
464	powershell.exe
1584	powershell.exe
1584	powershell.exe
4864	powershell.exe
4864	powershell.exe
4292	injector.exe
4292	injector.exe
4292	injector.exe
4292	injector.exe
4292	injector.exe
4292	injector.exe
4944	csrss.exe
4944	csrss.exe
4292	injector.exe
4292	injector.exe
4292	injector.exe
4292	injector.exe
4292	injector.exe
4292	injector.exe
4944	csrss.exe
4944	csrss.exe
4292	injector.exe
4292	injector.exe
4292	injector.exe
4292	injector.exe
4944	csrss.exe
4944	csrss.exe
4292	injector.exe
4292	injector.exe
4292	injector.exe
4292	injector.exe
4292	injector.exe
4292	injector.exe
4292	injector.exe
4292	injector.exe
4292	injector.exe
4292	injector.exe
4292	injector.exe
4292	injector.exe
4292	injector.exe
4292	injector.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeDebugPrivilege	1324	powershell.exe
Token: SeDebugPrivilege	3260	8409c2b0bb04ac92de1a1dab769d8eb0ba90026ed3036afb9bec59c52527f78f.exe
Token: SeImpersonatePrivilege	3260	8409c2b0bb04ac92de1a1dab769d8eb0ba90026ed3036afb9bec59c52527f78f.exe
Token: SeDebugPrivilege	1376	powershell.exe
Token: SeDebugPrivilege	528	powershell.exe
Token: SeDebugPrivilege	4840	powershell.exe
Token: SeDebugPrivilege	464	powershell.exe
Token: SeDebugPrivilege	1584	powershell.exe
Token: SeDebugPrivilege	4864	powershell.exe
Token: SeSystemEnvironmentPrivilege	4944	csrss.exe
Token: SeSecurityPrivilege	3752	sc.exe
Token: SeSecurityPrivilege	3752	sc.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 3260 wrote to memory of 1324	3260	8409c2b0bb04ac92de1a1dab769d8eb0ba90026ed3036afb9bec59c52527f78f.exe	84
PID 3260 wrote to memory of 1324	3260	8409c2b0bb04ac92de1a1dab769d8eb0ba90026ed3036afb9bec59c52527f78f.exe	84
PID 3260 wrote to memory of 1324	3260	8409c2b0bb04ac92de1a1dab769d8eb0ba90026ed3036afb9bec59c52527f78f.exe	84
PID 3724 wrote to memory of 1376	3724	8409c2b0bb04ac92de1a1dab769d8eb0ba90026ed3036afb9bec59c52527f78f.exe	96
PID 3724 wrote to memory of 1376	3724	8409c2b0bb04ac92de1a1dab769d8eb0ba90026ed3036afb9bec59c52527f78f.exe	96
PID 3724 wrote to memory of 1376	3724	8409c2b0bb04ac92de1a1dab769d8eb0ba90026ed3036afb9bec59c52527f78f.exe	96
PID 3724 wrote to memory of 3288	3724	8409c2b0bb04ac92de1a1dab769d8eb0ba90026ed3036afb9bec59c52527f78f.exe	101
PID 3724 wrote to memory of 3288	3724	8409c2b0bb04ac92de1a1dab769d8eb0ba90026ed3036afb9bec59c52527f78f.exe	101
PID 3288 wrote to memory of 4572	3288	cmd.exe	103
PID 3288 wrote to memory of 4572	3288	cmd.exe	103
PID 3724 wrote to memory of 528	3724	8409c2b0bb04ac92de1a1dab769d8eb0ba90026ed3036afb9bec59c52527f78f.exe	104
PID 3724 wrote to memory of 528	3724	8409c2b0bb04ac92de1a1dab769d8eb0ba90026ed3036afb9bec59c52527f78f.exe	104
PID 3724 wrote to memory of 528	3724	8409c2b0bb04ac92de1a1dab769d8eb0ba90026ed3036afb9bec59c52527f78f.exe	104
PID 3724 wrote to memory of 4840	3724	8409c2b0bb04ac92de1a1dab769d8eb0ba90026ed3036afb9bec59c52527f78f.exe	108
PID 3724 wrote to memory of 4840	3724	8409c2b0bb04ac92de1a1dab769d8eb0ba90026ed3036afb9bec59c52527f78f.exe	108
PID 3724 wrote to memory of 4840	3724	8409c2b0bb04ac92de1a1dab769d8eb0ba90026ed3036afb9bec59c52527f78f.exe	108
PID 3724 wrote to memory of 4944	3724	8409c2b0bb04ac92de1a1dab769d8eb0ba90026ed3036afb9bec59c52527f78f.exe	110
PID 3724 wrote to memory of 4944	3724	8409c2b0bb04ac92de1a1dab769d8eb0ba90026ed3036afb9bec59c52527f78f.exe	110
PID 3724 wrote to memory of 4944	3724	8409c2b0bb04ac92de1a1dab769d8eb0ba90026ed3036afb9bec59c52527f78f.exe	110
PID 4944 wrote to memory of 464	4944	csrss.exe	113
PID 4944 wrote to memory of 464	4944	csrss.exe	113
PID 4944 wrote to memory of 464	4944	csrss.exe	113
PID 4944 wrote to memory of 1584	4944	csrss.exe	118
PID 4944 wrote to memory of 1584	4944	csrss.exe	118
PID 4944 wrote to memory of 1584	4944	csrss.exe	118
PID 4944 wrote to memory of 4864	4944	csrss.exe	121
PID 4944 wrote to memory of 4864	4944	csrss.exe	121
PID 4944 wrote to memory of 4864	4944	csrss.exe	121
PID 4944 wrote to memory of 4292	4944	csrss.exe	123
PID 4944 wrote to memory of 4292	4944	csrss.exe	123
PID 4252 wrote to memory of 2508	4252	windefender.exe	129
PID 4252 wrote to memory of 2508	4252	windefender.exe	129
PID 4252 wrote to memory of 2508	4252	windefender.exe	129
PID 2508 wrote to memory of 3752	2508	cmd.exe	130
PID 2508 wrote to memory of 3752	2508	cmd.exe	130
PID 2508 wrote to memory of 3752	2508	cmd.exe	130

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\8409c2b0bb04ac92de1a1dab769d8eb0ba90026ed3036afb9bec59c52527f78f.exe
"C:\Users\Admin\AppData\Local\Temp\8409c2b0bb04ac92de1a1dab769d8eb0ba90026ed3036afb9bec59c52527f78f.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3260
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell -nologo -noprofile
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1324
- C:\Users\Admin\AppData\Local\Temp\8409c2b0bb04ac92de1a1dab769d8eb0ba90026ed3036afb9bec59c52527f78f.exe
  "C:\Users\Admin\AppData\Local\Temp\8409c2b0bb04ac92de1a1dab769d8eb0ba90026ed3036afb9bec59c52527f78f.exe"
  2⤵
  - Adds Run key to start application
  - Checks for VirtualBox DLLs, possible anti-VM trick
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3724
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    - Drops file in System32 directory
    - Command and Scripting Interpreter: PowerShell
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1376
- - C:\Windows\system32\cmd.exe
    C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3288
  - - C:\Windows\system32\netsh.exe
      netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      PID:4572
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    - Drops file in System32 directory
    - Command and Scripting Interpreter: PowerShell
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:528
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    - Drops file in System32 directory
    - Command and Scripting Interpreter: PowerShell
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4840
- - C:\Windows\rss\csrss.exe
    C:\Windows\rss\csrss.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Manipulates WinMonFS driver.
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4944
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Drops file in System32 directory
      Command and Scripting Interpreter: PowerShell
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:464
  - - C:\Windows\SYSTEM32\schtasks.exe
      schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
      4⤵
      Creates scheduled task(s)
      PID:2740
  - - C:\Windows\SYSTEM32\schtasks.exe
      schtasks /delete /tn ScheduledUpdate /f
      4⤵
      PID:2648
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Drops file in System32 directory
      Command and Scripting Interpreter: PowerShell
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1584
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Drops file in System32 directory
      Command and Scripting Interpreter: PowerShell
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4864
  - - C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
      C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:4292
  - - C:\Windows\SYSTEM32\schtasks.exe
      schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
      4⤵
      Creates scheduled task(s)
      PID:1888
  - - C:\Windows\windefender.exe
      "C:\Windows\windefender.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4252
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2508
      - C:\Windows\SysWOW64\sc.exe
        
        sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        6⤵
        Launches sc.exe
        Suspicious use of AdjustPrivilegeToken
        
        PID:3752
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3724 -s 864
    3⤵
    - Program crash
    PID:4548
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3260 -s 952
  2⤵
  - Program crash
  PID:720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3260 -ip 3260
1⤵
PID:4844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 3724 -ip 3724
1⤵
PID:3140

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:636

Network

DNS

58.55.71.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

58.55.71.13.in-addr.arpa

IN PTR

Response
DNS

172.210.232.199.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.210.232.199.in-addr.arpa

IN PTR

Response
DNS

g.bing.com

Remote address:

8.8.8.8:53

Request

g.bing.com

IN A

Response

g.bing.com

IN CNAME

g-bing-com.dual-a-0034.a-msedge.net

g-bing-com.dual-a-0034.a-msedge.net

IN CNAME

dual-a-0034.a-msedge.net

dual-a-0034.a-msedge.net

IN A

204.79.197.237

dual-a-0034.a-msedge.net

IN A

13.107.21.237
GET

https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8zjwuZz-GKb4O1UdGgG973zVUCUzbtxkLGtjeepRHT2eYr8EXaPUp8Hp4sdlCk8TflZTjdQfzBKbVQJFfnRbdF0VVdeU9ynqU46TzflVE5aMPOLsy7tVim4n2w95lfrXzJPu6tPSP-7RouaNartZjbeCISgIvUZzINssrTmNDBaj7lhFO%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D9972c90b239618a31e3aaf2091708c7c&TIME=20240426T135829Z&CID=530628298&EID=530628298&tids=15000&adUnitId=11730597&localId=w:416143B6-C385-8B32-96EF-B62827C91949&deviceId=6825828828137038&muid=416143B6C3858B3296EFB62827C91949

Remote address:

204.79.197.237:443

Request

GET /neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8zjwuZz-GKb4O1UdGgG973zVUCUzbtxkLGtjeepRHT2eYr8EXaPUp8Hp4sdlCk8TflZTjdQfzBKbVQJFfnRbdF0VVdeU9ynqU46TzflVE5aMPOLsy7tVim4n2w95lfrXzJPu6tPSP-7RouaNartZjbeCISgIvUZzINssrTmNDBaj7lhFO%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D9972c90b239618a31e3aaf2091708c7c&TIME=20240426T135829Z&CID=530628298&EID=530628298&tids=15000&adUnitId=11730597&localId=w:416143B6-C385-8B32-96EF-B62827C91949&deviceId=6825828828137038&muid=416143B6C3858B3296EFB62827C91949 HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MUID=1345946F6F5864BB39AB80EB6EB86568; domain=.bing.com; expires=Fri, 13-Jun-2025 11:36:08 GMT; path=/; SameSite=None; Secure; Priority=High;
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: A9C165A46C6F4ED485B26660F3F23140 Ref B: LON04EDGE1206 Ref C: 2024-05-19T11:36:08Z
date: Sun, 19 May 2024 11:36:08 GMT
GET

https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8zjwuZz-GKb4O1UdGgG973zVUCUzbtxkLGtjeepRHT2eYr8EXaPUp8Hp4sdlCk8TflZTjdQfzBKbVQJFfnRbdF0VVdeU9ynqU46TzflVE5aMPOLsy7tVim4n2w95lfrXzJPu6tPSP-7RouaNartZjbeCISgIvUZzINssrTmNDBaj7lhFO%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D9972c90b239618a31e3aaf2091708c7c&TIME=20240426T135829Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:416143B6-C385-8B32-96EF-B62827C91949&deviceId=6825828828137038&muid=416143B6C3858B3296EFB62827C91949

Remote address:

204.79.197.237:443

Request

GET /neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8zjwuZz-GKb4O1UdGgG973zVUCUzbtxkLGtjeepRHT2eYr8EXaPUp8Hp4sdlCk8TflZTjdQfzBKbVQJFfnRbdF0VVdeU9ynqU46TzflVE5aMPOLsy7tVim4n2w95lfrXzJPu6tPSP-7RouaNartZjbeCISgIvUZzINssrTmNDBaj7lhFO%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D9972c90b239618a31e3aaf2091708c7c&TIME=20240426T135829Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:416143B6-C385-8B32-96EF-B62827C91949&deviceId=6825828828137038&muid=416143B6C3858B3296EFB62827C91949 HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=1345946F6F5864BB39AB80EB6EB86568; _EDGE_S=SID=3EF7D66F419A64A01A0FC2EB405A656F

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MSPTC=eqDWACr1k0mztmi3n-6o7oU0vSNGq-Vk6pIvibmJdPY; domain=.bing.com; expires=Fri, 13-Jun-2025 11:36:09 GMT; path=/; Partitioned; secure; SameSite=None
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 3FBCB5CC9CAD41588E00AA3C715699B4 Ref B: LON04EDGE1206 Ref C: 2024-05-19T11:36:09Z
date: Sun, 19 May 2024 11:36:09 GMT
GET

https://www.bing.com/aes/c.gif?RG=0a018e8082d94d07ad552b0327603ad3&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240426T135829Z&adUnitId=11730597&localId=w:416143B6-C385-8B32-96EF-B62827C91949&deviceId=6825828828137038

Remote address:

23.62.61.129:443

Request

GET /aes/c.gif?RG=0a018e8082d94d07ad552b0327603ad3&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240426T135829Z&adUnitId=11730597&localId=w:416143B6-C385-8B32-96EF-B62827C91949&deviceId=6825828828137038 HTTP/2.0
host: www.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=1345946F6F5864BB39AB80EB6EB86568

Response

HTTP/2.0 200

cache-control: private,no-store
pragma: no-cache
vary: Origin
p3p: CP=BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 0A444E318F894A26BC270037B4377D40 Ref B: DUS30EDGE0314 Ref C: 2024-05-19T11:36:09Z
content-length: 0
date: Sun, 19 May 2024 11:36:09 GMT
set-cookie: _EDGE_S=SID=3EF7D66F419A64A01A0FC2EB405A656F; path=/; httponly; domain=bing.com
set-cookie: MUIDB=1345946F6F5864BB39AB80EB6EB86568; path=/; httponly; expires=Fri, 13-Jun-2025 11:36:09 GMT
alt-svc: h3=":443"; ma=93600
x-cdn-traceid: 0.7d3d3e17.1716118569.e7c92c9
DNS

20.160.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

20.160.190.20.in-addr.arpa

IN PTR

Response
DNS

237.197.79.204.in-addr.arpa

Remote address:

8.8.8.8:53

Request

237.197.79.204.in-addr.arpa

IN PTR

Response
DNS

129.61.62.23.in-addr.arpa

Remote address:

8.8.8.8:53

Request

129.61.62.23.in-addr.arpa

IN PTR

Response

129.61.62.23.in-addr.arpa

IN PTR

a23-62-61-129deploystaticakamaitechnologiescom
GET

https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90

Remote address:

23.62.61.129:443

Request

GET /th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90 HTTP/2.0
host: www.bing.com
accept: */*
cookie: MUID=1345946F6F5864BB39AB80EB6EB86568; _EDGE_S=SID=3EF7D66F419A64A01A0FC2EB405A656F; MSPTC=eqDWACr1k0mztmi3n-6o7oU0vSNGq-Vk6pIvibmJdPY; MUIDB=1345946F6F5864BB39AB80EB6EB86568
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-type: image/png
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QWthbWFp"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
content-length: 1107
date: Sun, 19 May 2024 11:36:11 GMT
alt-svc: h3=":443"; ma=93600
x-cdn-traceid: 0.7d3d3e17.1716118571.e7c9a9f
DNS

26.35.223.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

26.35.223.20.in-addr.arpa

IN PTR

Response
DNS

217.106.137.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

217.106.137.52.in-addr.arpa

IN PTR

Response
DNS

de3edac4-8096-4511-90f6-74cacd4e2eae.uuid.thestatsfiles.ru

csrss.exe

Remote address:

8.8.8.8:53

Request

de3edac4-8096-4511-90f6-74cacd4e2eae.uuid.thestatsfiles.ru

IN TXT

Response
DNS

stun.ipfire.org

csrss.exe

Remote address:

8.8.8.8:53

Request

stun.ipfire.org

IN A

Response

stun.ipfire.org

IN CNAME

xmpp.ipfire.org

xmpp.ipfire.org

IN A

81.3.27.44
DNS

cdn.discordapp.com

csrss.exe

Remote address:

8.8.8.8:53

Request

cdn.discordapp.com

IN A

Response

cdn.discordapp.com

IN A

162.159.133.233

cdn.discordapp.com

IN A

162.159.129.233

cdn.discordapp.com

IN A

162.159.134.233

cdn.discordapp.com

IN A

162.159.135.233

cdn.discordapp.com

IN A

162.159.130.233
DNS

server12.thestatsfiles.ru

csrss.exe

Remote address:

8.8.8.8:53

Request

server12.thestatsfiles.ru

IN A

Response

server12.thestatsfiles.ru

IN A

185.82.216.96
DNS

carsalessystem.com

csrss.exe

Remote address:

8.8.8.8:53

Request

carsalessystem.com

IN A

Response

carsalessystem.com

IN A

172.67.221.71

carsalessystem.com

IN A

104.21.94.82
DNS

233.133.159.162.in-addr.arpa

Remote address:

8.8.8.8:53

Request

233.133.159.162.in-addr.arpa

IN PTR

Response
DNS

44.27.3.81.in-addr.arpa

Remote address:

8.8.8.8:53

Request

44.27.3.81.in-addr.arpa

IN PTR

Response

44.27.3.81.in-addr.arpa

IN PTR

xmppipfireorg
DNS

71.221.67.172.in-addr.arpa

Remote address:

8.8.8.8:53

Request

71.221.67.172.in-addr.arpa

IN PTR

Response
DNS

96.216.82.185.in-addr.arpa

Remote address:

8.8.8.8:53

Request

96.216.82.185.in-addr.arpa

IN PTR

Response

96.216.82.185.in-addr.arpa

IN PTR

dedic-mariadebommarez-1201693hosted-by-itldccom
DNS

183.59.114.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

183.59.114.20.in-addr.arpa

IN PTR

Response
DNS

206.23.85.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

206.23.85.13.in-addr.arpa

IN PTR

Response
DNS

205.47.74.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

205.47.74.20.in-addr.arpa

IN PTR

Response
DNS

14.227.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

14.227.111.52.in-addr.arpa

IN PTR

Response
DNS

tse1.mm.bing.net

Remote address:

8.8.8.8:53

Request

tse1.mm.bing.net

IN A

Response

tse1.mm.bing.net

IN CNAME

mm-mm.bing.net.trafficmanager.net

mm-mm.bing.net.trafficmanager.net

IN CNAME

dual-a-0001.a-msedge.net

dual-a-0001.a-msedge.net

IN A

204.79.197.200

dual-a-0001.a-msedge.net

IN A

13.107.21.200
GET

https://tse1.mm.bing.net/th?id=OADD2.10239371372356_1N2G93XRLJ1Y5GWC9&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239371372356_1N2G93XRLJ1Y5GWC9&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 329579
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 63E7B75B8BFC41F0A8CB50EA5AF5C90F Ref B: LON04EDGE0709 Ref C: 2024-05-19T11:37:48Z
date: Sun, 19 May 2024 11:37:48 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239371372355_1WLRVFTZ079W9XPFC&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239371372355_1WLRVFTZ079W9XPFC&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 381531
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: D45354A857264BF3BC78CF206A9382C8 Ref B: LON04EDGE0709 Ref C: 2024-05-19T11:37:48Z
date: Sun, 19 May 2024 11:37:48 GMT
DNS

200.197.79.204.in-addr.arpa

Remote address:

8.8.8.8:53

Request

200.197.79.204.in-addr.arpa

IN PTR

Response

200.197.79.204.in-addr.arpa

IN PTR

a-0001a-msedgenet

204.79.197.237:443

https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8zjwuZz-GKb4O1UdGgG973zVUCUzbtxkLGtjeepRHT2eYr8EXaPUp8Hp4sdlCk8TflZTjdQfzBKbVQJFfnRbdF0VVdeU9ynqU46TzflVE5aMPOLsy7tVim4n2w95lfrXzJPu6tPSP-7RouaNartZjbeCISgIvUZzINssrTmNDBaj7lhFO%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D9972c90b239618a31e3aaf2091708c7c&TIME=20240426T135829Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:416143B6-C385-8B32-96EF-B62827C91949&deviceId=6825828828137038&muid=416143B6C3858B3296EFB62827C91949

tls, http2

2.5kB
9.0kB
19
17

HTTP Request

GET https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8zjwuZz-GKb4O1UdGgG973zVUCUzbtxkLGtjeepRHT2eYr8EXaPUp8Hp4sdlCk8TflZTjdQfzBKbVQJFfnRbdF0VVdeU9ynqU46TzflVE5aMPOLsy7tVim4n2w95lfrXzJPu6tPSP-7RouaNartZjbeCISgIvUZzINssrTmNDBaj7lhFO%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D9972c90b239618a31e3aaf2091708c7c&TIME=20240426T135829Z&CID=530628298&EID=530628298&tids=15000&adUnitId=11730597&localId=w:416143B6-C385-8B32-96EF-B62827C91949&deviceId=6825828828137038&muid=416143B6C3858B3296EFB62827C91949

HTTP Response

204

HTTP Request

GET https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8zjwuZz-GKb4O1UdGgG973zVUCUzbtxkLGtjeepRHT2eYr8EXaPUp8Hp4sdlCk8TflZTjdQfzBKbVQJFfnRbdF0VVdeU9ynqU46TzflVE5aMPOLsy7tVim4n2w95lfrXzJPu6tPSP-7RouaNartZjbeCISgIvUZzINssrTmNDBaj7lhFO%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D9972c90b239618a31e3aaf2091708c7c&TIME=20240426T135829Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:416143B6-C385-8B32-96EF-B62827C91949&deviceId=6825828828137038&muid=416143B6C3858B3296EFB62827C91949

HTTP Response

204
23.62.61.129:443

https://www.bing.com/aes/c.gif?RG=0a018e8082d94d07ad552b0327603ad3&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240426T135829Z&adUnitId=11730597&localId=w:416143B6-C385-8B32-96EF-B62827C91949&deviceId=6825828828137038

tls, http2

1.4kB
5.3kB
16
11

HTTP Request

GET https://www.bing.com/aes/c.gif?RG=0a018e8082d94d07ad552b0327603ad3&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240426T135829Z&adUnitId=11730597&localId=w:416143B6-C385-8B32-96EF-B62827C91949&deviceId=6825828828137038

HTTP Response

200
23.62.61.129:443

https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90

tls, http2

1.7kB
7.6kB
18
13

HTTP Request

GET https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90

HTTP Response

200
162.159.133.233:443

cdn.discordapp.com

tls

csrss.exe

1.4kB
6.1kB
18
21
185.82.216.96:443

server12.thestatsfiles.ru

tls

csrss.exe

1.4kB
5.1kB
13
15
172.67.221.71:443

carsalessystem.com

tls

csrss.exe

77.2kB
1.7MB
1305
1283
185.82.216.96:443

server12.thestatsfiles.ru

tls

csrss.exe

1.3kB
4.8kB
11
14
185.82.216.96:443

server12.thestatsfiles.ru

tls

csrss.exe

1.9kB
4.7kB
11
13
204.79.197.200:443

tse1.mm.bing.net

tls, http2

1.2kB
8.1kB
16
13
204.79.197.200:443

https://tse1.mm.bing.net/th?id=OADD2.10239371372355_1WLRVFTZ079W9XPFC&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

tls, http2

27.4kB
743.8kB
551
548

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239371372356_1N2G93XRLJ1Y5GWC9&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239371372355_1WLRVFTZ079W9XPFC&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

HTTP Response

200

HTTP Response

200
185.82.216.96:443

server12.thestatsfiles.ru

tls

csrss.exe

2.0kB
4.7kB
12
13
127.0.0.1:31465

csrss.exe

8.8.8.8:53

58.55.71.13.in-addr.arpa

dns

70 B
144 B
1
1

DNS Request

58.55.71.13.in-addr.arpa
8.8.8.8:53

172.210.232.199.in-addr.arpa

dns

74 B
128 B
1
1

DNS Request

172.210.232.199.in-addr.arpa
8.8.8.8:53

g.bing.com

dns

56 B
151 B
1
1

DNS Request

g.bing.com

DNS Response

204.79.197.237

13.107.21.237
8.8.8.8:53

20.160.190.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

20.160.190.20.in-addr.arpa
8.8.8.8:53

237.197.79.204.in-addr.arpa

dns

73 B
143 B
1
1

DNS Request

237.197.79.204.in-addr.arpa
8.8.8.8:53

129.61.62.23.in-addr.arpa

dns

71 B
135 B
1
1

DNS Request

129.61.62.23.in-addr.arpa
8.8.8.8:53

26.35.223.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

26.35.223.20.in-addr.arpa
8.8.8.8:53

217.106.137.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

217.106.137.52.in-addr.arpa
8.8.8.8:53

de3edac4-8096-4511-90f6-74cacd4e2eae.uuid.thestatsfiles.ru

dns

csrss.exe

104 B
177 B
1
1

DNS Request

de3edac4-8096-4511-90f6-74cacd4e2eae.uuid.thestatsfiles.ru
8.8.8.8:53

stun.ipfire.org

dns

csrss.exe

61 B
96 B
1
1

DNS Request

stun.ipfire.org

DNS Response

81.3.27.44
8.8.8.8:53

cdn.discordapp.com

dns

csrss.exe

64 B
144 B
1
1

DNS Request

cdn.discordapp.com

DNS Response

162.159.133.233

162.159.129.233

162.159.134.233

162.159.135.233

162.159.130.233
8.8.8.8:53

server12.thestatsfiles.ru

dns

csrss.exe

71 B
87 B
1
1

DNS Request

server12.thestatsfiles.ru

DNS Response

185.82.216.96
81.3.27.44:3478

stun.ipfire.org

csrss.exe

48 B
80 B
1
1
8.8.8.8:53

carsalessystem.com

dns

csrss.exe

64 B
96 B
1
1

DNS Request

carsalessystem.com

DNS Response

172.67.221.71

104.21.94.82
8.8.8.8:53

233.133.159.162.in-addr.arpa

dns

74 B
136 B
1
1

DNS Request

233.133.159.162.in-addr.arpa
8.8.8.8:53

44.27.3.81.in-addr.arpa

dns

69 B
98 B
1
1

DNS Request

44.27.3.81.in-addr.arpa
8.8.8.8:53

71.221.67.172.in-addr.arpa

dns

72 B
134 B
1
1

DNS Request

71.221.67.172.in-addr.arpa
8.8.8.8:53

96.216.82.185.in-addr.arpa

dns

72 B
135 B
1
1

DNS Request

96.216.82.185.in-addr.arpa
8.8.8.8:53

183.59.114.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

183.59.114.20.in-addr.arpa
8.8.8.8:53

206.23.85.13.in-addr.arpa

dns

71 B
145 B
1
1

DNS Request

206.23.85.13.in-addr.arpa
8.8.8.8:53

205.47.74.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

205.47.74.20.in-addr.arpa
8.8.8.8:53

14.227.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

14.227.111.52.in-addr.arpa
8.8.8.8:53

tse1.mm.bing.net

dns

62 B
173 B
1
1

DNS Request

tse1.mm.bing.net

DNS Response

204.79.197.200

13.107.21.200
8.8.8.8:53

200.197.79.204.in-addr.arpa

dns

73 B
106 B
1
1

DNS Request

200.197.79.204.in-addr.arpa
8.8.8.8:53

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_osrqtuj5.peu.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

Filesize
281KB

MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
b28e77566441fd2624b54b9fd1a59e4b

SHA1
e49b0c59dfdba991dbb4b137d046cac5da1806d8

SHA256
e92a336873b3279ca278d2b62894a157c6e45dec079897ecf600babb18306098

SHA512
01c2c0a1f3e1c018416f6ef667a3a74b5fffdeb722c859266c72fdccc0ce9d9cb75bfd935e0081e2b41d5219cec8a9323a4d9ae8793c73a6af9dae340d4b5018

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
abf3a2d51e1d1932a06f7090ca02f324

SHA1
a1ef3ab7f12b433f9631fec8f7989f83b1d5e7d6

SHA256
0f8fb9e9e3f4759a4b53d0d369ff520b9abd18c1e8ce25ea0307f06cc167c86a

SHA512
f94ae7ee9bf49943e058970b738c6c50a4ebbc7a02cc9ed1251abdac2fdfeaf92c811db4e455f5a3b39b9d9660fa3a9926d47068675f040b90557784472d17fd

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
43a9dcfbaeae2ddfc8289be9d10d3dd3

SHA1
7828b20a973294310e11e46b56ce78e471e0785d

SHA256
383fa356f6d607de0a2bbb7d5855651125252e9e9da2b6673787794bbb61c6b9

SHA512
c113ccee4ba527240ae766fefb594a36a36372c797801b821e60644c4ac2b0b3abb5845c649a4a01e706335f3d0be2a6bfb1f003c804cc8952347487dbf7c37b

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
53889e8e7a66c097671a392765843473

SHA1
32652d7a3accc1d43a8028817f8acb88bebdcd1f

SHA256
3e1e2ed8a1811cadef2aa7af68a1717390d52e0f5d96780fa7ba9d947dc0f9a8

SHA512
ac4591a84c9085f67249e5693190807ea4216ac4450bacdc0ead78fd862ee3b6e7f15aec01ae2ae255364cbf25ad0945b893ef81af254c6f91d98121b81ae469

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
6bb99a179e48454a87ed283adb248634

SHA1
a4cc1a9f092daf97ca7aabf51fa38f07660b3960

SHA256
df62be3ecd3627ecfac0f46f0be4a091fcf80c4658e49aa24cd4cf52b1d85629

SHA512
3ccd9262a8f0f5146e7516bc80cd3bc795123644897188f330a3def8da47a435f3aa6a166060474e62a024a9ea4739631885512650c4c118ffeb37c733f00489

Download Submit
C:\Windows\rss\csrss.exe

Filesize
4.1MB

MD5
8792fffdee93c4e1663c7c6a5bfa9ef6

SHA1
d6ba1c4d9e73da8020b891292cd20bd270ed2ff1

SHA256
8409c2b0bb04ac92de1a1dab769d8eb0ba90026ed3036afb9bec59c52527f78f

SHA512
d0e15f7a4f88c4cb220ac387546beb170d34fffba3dbc7a5a671291d923ab514820721fcaebf8abe853049d6c9188532c4ef77f422cdf3ba7f4ae94ca7f4fefe

Download Submit
C:\Windows\windefender.exe

Filesize
2.0MB

MD5
8e67f58837092385dcf01e8a2b4f5783

SHA1
012c49cfd8c5d06795a6f67ea2baf2a082cf8625

SHA256
166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa

SHA512
40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

Download Submit
memory/464-149-0x0000000070800000-0x000000007084C000-memory.dmp

Filesize
304KB

Download
memory/464-161-0x0000000007830000-0x0000000007841000-memory.dmp

Filesize
68KB

Download
memory/464-148-0x00000000068A0000-0x00000000068EC000-memory.dmp

Filesize
304KB

Download
memory/464-162-0x00000000061D0000-0x00000000061E4000-memory.dmp

Filesize
80KB

Download
memory/464-146-0x0000000005D40000-0x0000000006094000-memory.dmp

Filesize
3.3MB

Download
memory/464-160-0x0000000007690000-0x0000000007733000-memory.dmp

Filesize
652KB

Download
memory/464-150-0x0000000070C40000-0x0000000070F94000-memory.dmp

Filesize
3.3MB

Download
memory/528-97-0x00000000708A0000-0x00000000708EC000-memory.dmp

Filesize
304KB

Download
memory/528-98-0x0000000070CD0000-0x0000000071024000-memory.dmp

Filesize
3.3MB

Download
memory/528-95-0x0000000005C60000-0x0000000005FB4000-memory.dmp

Filesize
3.3MB

Download
memory/636-230-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/636-234-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/636-227-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/1324-43-0x0000000008080000-0x000000000808A000-memory.dmp

Filesize
40KB

Download
memory/1324-5-0x00000000033D0000-0x0000000003406000-memory.dmp

Filesize
216KB

Download
memory/1324-28-0x0000000007F30000-0x0000000007F62000-memory.dmp

Filesize
200KB

Download
memory/1324-44-0x0000000074900000-0x00000000750B0000-memory.dmp

Filesize
7.7MB

Download
memory/1324-45-0x0000000008190000-0x0000000008226000-memory.dmp

Filesize
600KB

Download
memory/1324-46-0x0000000008090000-0x00000000080A1000-memory.dmp

Filesize
68KB

Download
memory/1324-47-0x00000000080D0000-0x00000000080DE000-memory.dmp

Filesize
56KB

Download
memory/1324-48-0x00000000080F0000-0x0000000008104000-memory.dmp

Filesize
80KB

Download
memory/1324-50-0x0000000008130000-0x0000000008138000-memory.dmp

Filesize
32KB

Download
memory/1324-49-0x0000000008140000-0x000000000815A000-memory.dmp

Filesize
104KB

Download
memory/1324-53-0x0000000074900000-0x00000000750B0000-memory.dmp

Filesize
7.7MB

Download
memory/1324-4-0x000000007490E000-0x000000007490F000-memory.dmp

Filesize
4KB

Download
memory/1324-30-0x0000000074900000-0x00000000750B0000-memory.dmp

Filesize
7.7MB

Download
memory/1324-7-0x0000000074900000-0x00000000750B0000-memory.dmp

Filesize
7.7MB

Download
memory/1324-6-0x0000000005B20000-0x0000000006148000-memory.dmp

Filesize
6.2MB

Download
memory/1324-8-0x0000000074900000-0x00000000750B0000-memory.dmp

Filesize
7.7MB

Download
memory/1324-9-0x0000000005AE0000-0x0000000005B02000-memory.dmp

Filesize
136KB

Download
memory/1324-10-0x00000000062C0000-0x0000000006326000-memory.dmp

Filesize
408KB

Download
memory/1324-13-0x00000000063A0000-0x0000000006406000-memory.dmp

Filesize
408KB

Download
memory/1324-21-0x0000000006510000-0x0000000006864000-memory.dmp

Filesize
3.3MB

Download
memory/1324-22-0x00000000069B0000-0x00000000069CE000-memory.dmp

Filesize
120KB

Download
memory/1324-23-0x00000000069E0000-0x0000000006A2C000-memory.dmp

Filesize
304KB

Download
memory/1324-42-0x0000000007F90000-0x0000000008033000-memory.dmp

Filesize
652KB

Download
memory/1324-31-0x0000000070920000-0x0000000070C74000-memory.dmp

Filesize
3.3MB

Download
memory/1324-41-0x0000000007F70000-0x0000000007F8E000-memory.dmp

Filesize
120KB

Download
memory/1324-29-0x00000000707A0000-0x00000000707EC000-memory.dmp

Filesize
304KB

Download
memory/1324-27-0x0000000007D70000-0x0000000007D8A000-memory.dmp

Filesize
104KB

Download
memory/1324-24-0x0000000006F40000-0x0000000006F84000-memory.dmp

Filesize
272KB

Download
memory/1324-25-0x0000000007CD0000-0x0000000007D46000-memory.dmp

Filesize
472KB

Download
memory/1324-26-0x00000000083D0000-0x0000000008A4A000-memory.dmp

Filesize
6.5MB

Download
memory/1376-67-0x0000000006270000-0x00000000065C4000-memory.dmp

Filesize
3.3MB

Download
memory/1376-70-0x0000000070A20000-0x0000000070D74000-memory.dmp

Filesize
3.3MB

Download
memory/1376-68-0x00000000067A0000-0x00000000067EC000-memory.dmp

Filesize
304KB

Download
memory/1376-69-0x00000000708A0000-0x00000000708EC000-memory.dmp

Filesize
304KB

Download
memory/1376-82-0x0000000007D30000-0x0000000007D44000-memory.dmp

Filesize
80KB

Download
memory/1376-81-0x0000000007CE0000-0x0000000007CF1000-memory.dmp

Filesize
68KB

Download
memory/1376-80-0x00000000079C0000-0x0000000007A63000-memory.dmp

Filesize
652KB

Download
memory/1584-176-0x0000000070720000-0x000000007076C000-memory.dmp

Filesize
304KB

Download
memory/1584-189-0x00000000065F0000-0x0000000006604000-memory.dmp

Filesize
80KB

Download
memory/1584-164-0x0000000006150000-0x00000000064A4000-memory.dmp

Filesize
3.3MB

Download
memory/1584-187-0x0000000007A20000-0x0000000007AC3000-memory.dmp

Filesize
652KB

Download
memory/1584-175-0x0000000006970000-0x00000000069BC000-memory.dmp

Filesize
304KB

Download
memory/1584-188-0x0000000007D60000-0x0000000007D71000-memory.dmp

Filesize
68KB

Download
memory/1584-177-0x0000000070EC0000-0x0000000071214000-memory.dmp

Filesize
3.3MB

Download
memory/3260-55-0x0000000000400000-0x0000000002364000-memory.dmp

Filesize
31.4MB

Download
memory/3260-1-0x0000000003F40000-0x0000000004345000-memory.dmp

Filesize
4.0MB

Download
memory/3260-2-0x0000000004450000-0x0000000004D3B000-memory.dmp

Filesize
8.9MB

Download
memory/3260-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/3260-57-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/3260-56-0x0000000004450000-0x0000000004D3B000-memory.dmp

Filesize
8.9MB

Download
memory/3724-136-0x0000000000400000-0x0000000002364000-memory.dmp

Filesize
31.4MB

Download
memory/4252-228-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/4252-224-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/4840-120-0x0000000070A20000-0x0000000070D74000-memory.dmp

Filesize
3.3MB

Download
memory/4840-119-0x00000000708A0000-0x00000000708EC000-memory.dmp

Filesize
304KB

Download
memory/4864-202-0x0000000070720000-0x000000007076C000-memory.dmp

Filesize
304KB

Download
memory/4864-203-0x0000000070D10000-0x0000000071064000-memory.dmp

Filesize
3.3MB

Download
memory/4864-200-0x0000000005980000-0x0000000005CD4000-memory.dmp

Filesize
3.3MB

Download
memory/4944-235-0x0000000000400000-0x0000000002364000-memory.dmp

Filesize
31.4MB

Download
memory/4944-231-0x0000000000400000-0x0000000002364000-memory.dmp

Filesize
31.4MB

Download
memory/4944-233-0x0000000000400000-0x0000000002364000-memory.dmp

Filesize
31.4MB

Download
memory/4944-229-0x0000000000400000-0x0000000002364000-memory.dmp

Filesize
31.4MB

Download
memory/4944-219-0x0000000000400000-0x0000000002364000-memory.dmp

Filesize
31.4MB

Download
memory/4944-237-0x0000000000400000-0x0000000002364000-memory.dmp

Filesize
31.4MB

Download
memory/4944-239-0x0000000000400000-0x0000000002364000-memory.dmp

Filesize
31.4MB

Download
memory/4944-241-0x0000000000400000-0x0000000002364000-memory.dmp

Filesize
31.4MB

Download
memory/4944-243-0x0000000000400000-0x0000000002364000-memory.dmp

Filesize
31.4MB

Download
memory/4944-245-0x0000000000400000-0x0000000002364000-memory.dmp

Filesize
31.4MB

Download
memory/4944-247-0x0000000000400000-0x0000000002364000-memory.dmp

Filesize
31.4MB

Download
memory/4944-249-0x0000000000400000-0x0000000002364000-memory.dmp

Filesize
31.4MB

Download
memory/4944-251-0x0000000000400000-0x0000000002364000-memory.dmp

Filesize
31.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Request

HTTP Response

HTTP Response

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.