Malware Analysis Report

2024-12-08 02:05

Sample ID 240516-mdsx1sfh5x
Target add7fae0e7fe64f0c31959e317bdecc7b640bf0a99065e2d277ac1827c1b3f99
SHA256 add7fae0e7fe64f0c31959e317bdecc7b640bf0a99065e2d277ac1827c1b3f99
Tags
glupteba discovery dropper evasion execution loader persistence rootkit upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

add7fae0e7fe64f0c31959e317bdecc7b640bf0a99065e2d277ac1827c1b3f99

Threat Level: Known bad

The file add7fae0e7fe64f0c31959e317bdecc7b640bf0a99065e2d277ac1827c1b3f99 was found to be: Known bad.

Malicious Activity Summary

glupteba discovery dropper evasion execution loader persistence rootkit upx

Glupteba payload

Glupteba

Modifies Windows Firewall

Executes dropped EXE

UPX packed file

Manipulates WinMonFS driver.

Checks installed software on the system

Adds Run key to start application

Drops file in System32 directory

Drops file in Windows directory

Launches sc.exe

Checks for VirtualBox DLLs, possible anti-VM trick

Command and Scripting Interpreter: PowerShell

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Modifies data under HKEY_USERS

Suspicious use of AdjustPrivilegeToken

Creates scheduled task(s)

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-16 10:21

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-16 10:21

Reported

2024-05-16 10:24

Platform

win10v2004-20240426-en

Max time kernel

150s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\add7fae0e7fe64f0c31959e317bdecc7b640bf0a99065e2d277ac1827c1b3f99.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
(13 matches; indicator, process and target all recorded as N/A)

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Description Indicator Process Target
(7 matches; indicator, process and target all recorded as N/A)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\add7fae0e7fe64f0c31959e317bdecc7b640bf0a99065e2d277ac1827c1b3f99.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A (5 identical events)

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\add7fae0e7fe64f0c31959e317bdecc7b640bf0a99065e2d277ac1827c1b3f99.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\add7fae0e7fe64f0c31959e317bdecc7b640bf0a99065e2d277ac1827c1b3f99.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\add7fae0e7fe64f0c31959e317bdecc7b640bf0a99065e2d277ac1827c1b3f99.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-671 = "AUS Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\add7fae0e7fe64f0c31959e317bdecc7b640bf0a99065e2d277ac1827c1b3f99.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-212 = "Pacific Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2892 = "Sudan Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-448 = "Azerbaijan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2162 = "Altai Standard Time" C:\Users\Admin\AppData\Local\Temp\add7fae0e7fe64f0c31959e317bdecc7b640bf0a99065e2d277ac1827c1b3f99.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2002 = "Cabo Verde Standard Time" C:\Users\Admin\AppData\Local\Temp\add7fae0e7fe64f0c31959e317bdecc7b640bf0a99065e2d277ac1827c1b3f99.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2891 = "Sudan Daylight Time" C:\Users\Admin\AppData\Local\Temp\add7fae0e7fe64f0c31959e317bdecc7b640bf0a99065e2d277ac1827c1b3f99.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1412 = "Syria Standard Time" C:\Users\Admin\AppData\Local\Temp\add7fae0e7fe64f0c31959e317bdecc7b640bf0a99065e2d277ac1827c1b3f99.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2872 = "Magallanes Standard Time" C:\Users\Admin\AppData\Local\Temp\add7fae0e7fe64f0c31959e317bdecc7b640bf0a99065e2d277ac1827c1b3f99.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1932 = "Russia TZ 11 Standard Time" C:\Users\Admin\AppData\Local\Temp\add7fae0e7fe64f0c31959e317bdecc7b640bf0a99065e2d277ac1827c1b3f99.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-451 = "Caucasus Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-492 = "India Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-982 = "Kamchatka Standard Time" C:\Users\Admin\AppData\Local\Temp\add7fae0e7fe64f0c31959e317bdecc7b640bf0a99065e2d277ac1827c1b3f99.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-242 = "Samoa Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1021 = "Bangladesh Daylight Time" C:\Users\Admin\AppData\Local\Temp\add7fae0e7fe64f0c31959e317bdecc7b640bf0a99065e2d277ac1827c1b3f99.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-384 = "Namibia Daylight Time" C:\Users\Admin\AppData\Local\Temp\add7fae0e7fe64f0c31959e317bdecc7b640bf0a99065e2d277ac1827c1b3f99.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-91 = "Pacific SA Daylight Time" C:\Users\Admin\AppData\Local\Temp\add7fae0e7fe64f0c31959e317bdecc7b640bf0a99065e2d277ac1827c1b3f99.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2892 = "Sudan Standard Time" C:\Users\Admin\AppData\Local\Temp\add7fae0e7fe64f0c31959e317bdecc7b640bf0a99065e2d277ac1827c1b3f99.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-842 = "Argentina Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1721 = "Libya Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-232 = "Hawaiian Standard Time" C:\Users\Admin\AppData\Local\Temp\add7fae0e7fe64f0c31959e317bdecc7b640bf0a99065e2d277ac1827c1b3f99.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-334 = "Jordan Daylight Time" C:\Users\Admin\AppData\Local\Temp\add7fae0e7fe64f0c31959e317bdecc7b640bf0a99065e2d277ac1827c1b3f99.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1912 = "Russia TZ 10 Standard Time" C:\Users\Admin\AppData\Local\Temp\add7fae0e7fe64f0c31959e317bdecc7b640bf0a99065e2d277ac1827c1b3f99.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-791 = "SA Western Daylight Time" C:\Users\Admin\AppData\Local\Temp\add7fae0e7fe64f0c31959e317bdecc7b640bf0a99065e2d277ac1827c1b3f99.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-81 = "Atlantic Daylight Time" C:\Users\Admin\AppData\Local\Temp\add7fae0e7fe64f0c31959e317bdecc7b640bf0a99065e2d277ac1827c1b3f99.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2841 = "Saratov Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1872 = "Russia TZ 7 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2941 = "Sao Tome Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2141 = "Transbaikal Daylight Time" C:\Users\Admin\AppData\Local\Temp\add7fae0e7fe64f0c31959e317bdecc7b640bf0a99065e2d277ac1827c1b3f99.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1841 = "Russia TZ 4 Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2342 = "Haiti Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-32 = "Mid-Atlantic Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2061 = "North Korea Daylight Time" C:\Users\Admin\AppData\Local\Temp\add7fae0e7fe64f0c31959e317bdecc7b640bf0a99065e2d277ac1827c1b3f99.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2772 = "Omsk Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-105 = "Central Brazilian Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-31 = "Mid-Atlantic Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-12 = "Azores Standard Time" C:\Users\Admin\AppData\Local\Temp\add7fae0e7fe64f0c31959e317bdecc7b640bf0a99065e2d277ac1827c1b3f99.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-371 = "Jerusalem Daylight Time" C:\Users\Admin\AppData\Local\Temp\add7fae0e7fe64f0c31959e317bdecc7b640bf0a99065e2d277ac1827c1b3f99.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-3051 = "Qyzylorda Daylight Time" C:\Users\Admin\AppData\Local\Temp\add7fae0e7fe64f0c31959e317bdecc7b640bf0a99065e2d277ac1827c1b3f99.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target Events
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A 16
N/A N/A C:\Users\Admin\AppData\Local\Temp\add7fae0e7fe64f0c31959e317bdecc7b640bf0a99065e2d277ac1827c1b3f99.exe N/A 12
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A 30
N/A N/A C:\Windows\rss\csrss.exe N/A 6
(64 rows, identical apart from the process column, collapsed to one row per process with an event count)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\add7fae0e7fe64f0c31959e317bdecc7b640bf0a99065e2d277ac1827c1b3f99.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\add7fae0e7fe64f0c31959e317bdecc7b640bf0a99065e2d277ac1827c1b3f99.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target Events
PID 1424 wrote to memory of 2224 N/A C:\Users\Admin\AppData\Local\Temp\add7fae0e7fe64f0c31959e317bdecc7b640bf0a99065e2d277ac1827c1b3f99.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 3
PID 2872 wrote to memory of 1264 N/A C:\Users\Admin\AppData\Local\Temp\add7fae0e7fe64f0c31959e317bdecc7b640bf0a99065e2d277ac1827c1b3f99.exe C:\Windows\System32\Conhost.exe 3
PID 2872 wrote to memory of 4376 N/A C:\Users\Admin\AppData\Local\Temp\add7fae0e7fe64f0c31959e317bdecc7b640bf0a99065e2d277ac1827c1b3f99.exe C:\Windows\system32\cmd.exe 2
PID 4376 wrote to memory of 3940 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe 2
PID 2872 wrote to memory of 3268 N/A C:\Users\Admin\AppData\Local\Temp\add7fae0e7fe64f0c31959e317bdecc7b640bf0a99065e2d277ac1827c1b3f99.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 3
PID 2872 wrote to memory of 4800 N/A C:\Users\Admin\AppData\Local\Temp\add7fae0e7fe64f0c31959e317bdecc7b640bf0a99065e2d277ac1827c1b3f99.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 3
PID 2872 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\add7fae0e7fe64f0c31959e317bdecc7b640bf0a99065e2d277ac1827c1b3f99.exe C:\Windows\rss\csrss.exe 3
PID 2332 wrote to memory of 860 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 3
PID 2332 wrote to memory of 2804 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 3
PID 2332 wrote to memory of 3084 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 3
PID 2332 wrote to memory of 4584 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe 2
PID 2492 wrote to memory of 1496 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe 3
PID 1496 wrote to memory of 4196 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe 3
(36 rows collapsed to one row per parent/child pair with an event count)
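Added example, not part of the sandbox output: a parser for rows in the format of the table above. The sandbox logs one row per WriteProcessMemory call, so a parent/child pair recurs; the script collapses the rows to unique edges with a call count and prints the process tree, which makes the chain readable: the sample instance with PID 2872 spawns cmd.exe/netsh.exe for the firewall rule, three PowerShell instances and csrss.exe (2332); csrss.exe spawns PowerShell and injector.exe; windefender.exe (2492) spawns cmd.exe/sc.exe for the service security descriptor change. PID 1424 is a second sample instance that only spawned PowerShell, and the table does not record how 2872 was started, so both appear as roots. The embedded rows are copied from the table with the hash-named sample path shortened to add7fae0[...].exe; because the table columns are space-separated, the parser takes the last two whitespace-separated fields as image paths, so paths containing spaces would need the original column layout.

```python
"""Rebuild the process tree from 'PID <parent> wrote to memory of <child>' rows.

The sandbox emits one row per WriteProcessMemory call, so the same parent/child
pair recurs; rows are collapsed to unique edges carrying a call count."""
from __future__ import annotations
import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed input: rows copied from the WriteProcessMemory table, duplicates
# included.  The hash-named sample file is shortened to add7fae0[...].exe.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\add7fae0[...].exe"
PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
CSRSS = r"C:\Windows\rss\csrss.exe"
ROWS = rf"""
PID 1424 wrote to memory of 2224 N/A {SAMPLE} {PS}
PID 1424 wrote to memory of 2224 N/A {SAMPLE} {PS}
PID 1424 wrote to memory of 2224 N/A {SAMPLE} {PS}
PID 2872 wrote to memory of 1264 N/A {SAMPLE} C:\Windows\System32\Conhost.exe
PID 2872 wrote to memory of 4376 N/A {SAMPLE} C:\Windows\system32\cmd.exe
PID 4376 wrote to memory of 3940 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2872 wrote to memory of 3268 N/A {SAMPLE} {PS}
PID 2872 wrote to memory of 4800 N/A {SAMPLE} {PS}
PID 2872 wrote to memory of 2332 N/A {SAMPLE} {CSRSS}
PID 2872 wrote to memory of 2332 N/A {SAMPLE} {CSRSS}
PID 2332 wrote to memory of 860 N/A {CSRSS} {PS}
PID 2332 wrote to memory of 2804 N/A {CSRSS} {PS}
PID 2332 wrote to memory of 3084 N/A {CSRSS} {PS}
PID 2332 wrote to memory of 4584 N/A {CSRSS} C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 2492 wrote to memory of 1496 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 1496 wrote to memory of 4196 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
"""

# Columns are space separated in the report, so the two image paths are taken
# as the last two whitespace-free fields (paths with spaces are out of scope).
ROW_RE = re.compile(
    r"^PID (?P<parent>\d+) wrote to memory of (?P<child>\d+) N/A (?P<pimg>\S+) (?P<cimg>\S+)$"
)


@dataclass
class Node:
    pid: int
    image: str
    children: list[Node] = field(default_factory=list)


def parse_rows(text: str):
    """Collapse rows to Counter{(parent_pid, child_pid): calls} and a pid -> image map."""
    edges: Counter = Counter()
    images: dict[int, str] = {}
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:  # header, blank or unrelated line
            continue
        parent, child = int(m["parent"]), int(m["child"])
        edges[(parent, child)] += 1
        images.setdefault(parent, m["pimg"])
        images.setdefault(child, m["cimg"])
    return edges, images


def build_tree(edges, images):
    """Link nodes along the unique edges; roots are pids never seen as a child."""
    nodes = {pid: Node(pid, img) for pid, img in images.items()}
    parent_of: dict[int, int] = {}
    for parent, child in edges:  # Counter keeps first-appearance order
        nodes[parent].children.append(nodes[child])
        parent_of[child] = parent
    roots = [n for pid, n in nodes.items() if pid not in parent_of]
    return roots, nodes, parent_of


def ancestry(pid, parent_of):
    """Parent chain walking upward, e.g. sc.exe -> cmd.exe -> windefender.exe."""
    chain = []
    while pid in parent_of:
        pid = parent_of[pid]
        chain.append(pid)
    return chain


def render(node, edges, parent=None, depth=0):
    """Indented tree lines; each child shows how many WriteProcessMemory calls set it up."""
    name = node.image.rsplit("\\", 1)[-1]
    calls = f"  [{edges[(parent, node.pid)]} WriteProcessMemory calls]" if parent is not None else ""
    lines = [f"{'  ' * depth}{node.pid} {name}{calls}"]
    for child in node.children:
        lines += render(child, edges, node.pid, depth + 1)
    return lines


if __name__ == "__main__":
    edges, images = parse_rows(ROWS)
    roots, _nodes, _parent_of = build_tree(edges, images)
    for root in roots:
        print("\n".join(render(root, edges)))
```

The same parser works on the full table as exported from the report; the sandbox's own process tree view should agree with the roots and the per-edge counts it prints.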

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\add7fae0e7fe64f0c31959e317bdecc7b640bf0a99065e2d277ac1827c1b3f99.exe

"C:\Users\Admin\AppData\Local\Temp\add7fae0e7fe64f0c31959e317bdecc7b640bf0a99065e2d277ac1827c1b3f99.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\add7fae0e7fe64f0c31959e317bdecc7b640bf0a99065e2d277ac1827c1b3f99.exe

"C:\Users\Admin\AppData\Local\Temp\add7fae0e7fe64f0c31959e317bdecc7b640bf0a99065e2d277ac1827c1b3f99.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
BE 88.221.83.242:443 www.bing.com tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 242.83.221.88.in-addr.arpa udp
BE 88.221.83.242:443 www.bing.com tcp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 1519c465-0d02-41ea-9992-869f09ea379d.uuid.databaseupgrade.ru udp
US 8.8.8.8:53 stun.ipfire.org udp
US 8.8.8.8:53 server16.databaseupgrade.ru udp
US 8.8.8.8:53 cdn.discordapp.com udp
DE 81.3.27.44:3478 stun.ipfire.org udp
US 162.159.129.233:443 cdn.discordapp.com tcp
BG 185.82.216.108:443 server16.databaseupgrade.ru tcp
US 8.8.8.8:53 carsalessystem.com udp
US 172.67.221.71:443 carsalessystem.com tcp
US 52.165.165.26:443 tcp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 52.165.165.26:443 tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
N/A 13.95.31.18:443 tcp
US 8.8.8.8:53 udp
US 52.165.165.26:443 tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
BG 185.82.216.108:443 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
BG 185.82.216.108:443 server16.databaseupgrade.ru tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
N/A 127.0.0.1:31465 tcp

Files

memory/1424-1-0x0000000002930000-0x0000000002D32000-memory.dmp

memory/1424-2-0x0000000002D40000-0x000000000362B000-memory.dmp

memory/1424-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2224-4-0x000000007466E000-0x000000007466F000-memory.dmp

memory/2224-5-0x00000000025A0000-0x00000000025D6000-memory.dmp

memory/2224-7-0x0000000004E00000-0x0000000005428000-memory.dmp

memory/2224-6-0x0000000074660000-0x0000000074E10000-memory.dmp

memory/2224-9-0x0000000004CC0000-0x0000000004CE2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5yvtnrmw.knd.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2224-10-0x00000000054A0000-0x0000000005506000-memory.dmp

memory/2224-21-0x0000000005580000-0x00000000058D4000-memory.dmp

memory/2224-11-0x0000000005510000-0x0000000005576000-memory.dmp

memory/2224-8-0x0000000074660000-0x0000000074E10000-memory.dmp

memory/2224-22-0x0000000005B70000-0x0000000005B8E000-memory.dmp

memory/2224-23-0x0000000005BC0000-0x0000000005C0C000-memory.dmp

memory/2224-24-0x0000000006110000-0x0000000006154000-memory.dmp

memory/2224-25-0x0000000006EA0000-0x0000000006F16000-memory.dmp

memory/2224-27-0x0000000006F40000-0x0000000006F5A000-memory.dmp

memory/2224-26-0x00000000075A0000-0x0000000007C1A000-memory.dmp

memory/2224-28-0x00000000070F0000-0x0000000007122000-memory.dmp

memory/2224-42-0x0000000007150000-0x00000000071F3000-memory.dmp

memory/2224-43-0x0000000007240000-0x000000000724A000-memory.dmp

memory/2224-44-0x0000000074660000-0x0000000074E10000-memory.dmp

memory/2224-41-0x0000000074660000-0x0000000074E10000-memory.dmp

memory/2224-45-0x0000000007300000-0x0000000007396000-memory.dmp

memory/2224-46-0x0000000007260000-0x0000000007271000-memory.dmp

memory/2224-40-0x0000000007130000-0x000000000714E000-memory.dmp

memory/2224-30-0x0000000070680000-0x00000000709D4000-memory.dmp

memory/2224-29-0x0000000070500000-0x000000007054C000-memory.dmp

memory/2224-48-0x00000000072B0000-0x00000000072C4000-memory.dmp

memory/2224-47-0x00000000072A0000-0x00000000072AE000-memory.dmp

memory/2224-49-0x00000000073A0000-0x00000000073BA000-memory.dmp

memory/2224-50-0x00000000072F0000-0x00000000072F8000-memory.dmp

memory/2224-53-0x0000000074660000-0x0000000074E10000-memory.dmp

memory/2872-55-0x0000000002930000-0x0000000002D29000-memory.dmp

memory/2872-56-0x0000000002D30000-0x000000000361B000-memory.dmp

memory/1264-57-0x0000000005580000-0x00000000058D4000-memory.dmp

memory/1264-78-0x0000000006E50000-0x0000000006EF3000-memory.dmp

memory/1264-68-0x0000000070C80000-0x0000000070FD4000-memory.dmp

memory/1264-67-0x0000000070500000-0x000000007054C000-memory.dmp

memory/1264-79-0x0000000007150000-0x0000000007161000-memory.dmp

memory/1264-80-0x00000000071A0000-0x00000000071B4000-memory.dmp

memory/1424-83-0x0000000002930000-0x0000000002D32000-memory.dmp

memory/1424-84-0x0000000002D40000-0x000000000362B000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

memory/3268-95-0x00000000057D0000-0x0000000005B24000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 42f62ca91f3cf73a4e85eabd9218de1b
SHA1 3ded8e7ee928974a7ee0f70e01a453686793d75a
SHA256 71f9fe5f5673d05ac3a143ad051ea8deec187ffcc90db1282329862ad9964eed
SHA512 3ec40f595ceccd8756f5f26912ce98b02e3ce45d35c6a05846a88c52dfc46723e5753241d0d7996e94fb0ea45e7be0c03316a426c185d6c6b6eeef62e7adf1d7

memory/3268-97-0x0000000070500000-0x000000007054C000-memory.dmp

memory/3268-98-0x00000000706A0000-0x00000000709F4000-memory.dmp

memory/4800-118-0x00000000054F0000-0x0000000005844000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 895e77dcff7b7f107a90ce85f163c3eb
SHA1 abd9419f07023c295602df1f5dfc1ab0568c644f
SHA256 9f05d137dae367c7e4c2b35e55d5e8b40750b1ff15815bae63d49ff5d2130893
SHA512 5b85152442cbbf735f4fef05b5e20743c9e9461ba43b9d89bdf28a2a9bedc98ae78e7126229f421b0674186fcc43c1e2987c522e8a1238c0e340ce86d6c83fae

memory/4800-121-0x0000000070CB0000-0x0000000071004000-memory.dmp

memory/4800-120-0x0000000070500000-0x000000007054C000-memory.dmp

memory/1424-131-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 8a6c3c694c9790eaa3d189f69deff029
SHA1 dbe2367e9aae0205f09a469cda78e31092d95e51
SHA256 1edb40fcf5428108537a638017aaaaf694c6697f9e384037aa6a698cb8af59f7
SHA512 355bf35bf0171c2cc3eb26364f475b798db882fb7fa0aa1b5e3c2b8fcd8877e8878c9a3c0b7c02abf3f07a1169aaa981ea5a0bdbbf673ee76ef0daecf4afa53d

memory/2872-136-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 aa887cfcfdce6d4fc8c1e660e79c9d20
SHA1 250af7a7bacb40895084c5bc5ae29ca2bf116d73
SHA256 add7fae0e7fe64f0c31959e317bdecc7b640bf0a99065e2d277ac1827c1b3f99
SHA512 b51c288309137e33b41707890ba6d8a2788ea2220f43de27df45244633b02c70cbf0d1e3f39e1a7185600a5e90e27817d5c4872e3868769c0f7d173277aaa42b

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 1f992334db0cbb46a68334cdbb3bf90a
SHA1 c76b66a3da8e2d383b659a3a9b79b2a1f2e63be6
SHA256 c46d2b6925b88e69b11b87cdb3fde8eed6ce3398c147028f32b7da910809b03b
SHA512 1ca8a447612d3273b027bb288c0110da3a356df740a5521f85a01bf40a27d7b615c07b68003ca55e2b4cc7084a0123a32e95fdd932597ce9e1f6bf0865686047

memory/860-149-0x0000000070500000-0x000000007054C000-memory.dmp

memory/860-150-0x0000000070680000-0x00000000709D4000-memory.dmp

memory/2804-169-0x0000000006050000-0x00000000063A4000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 a189602d73acd19be1aae51caea3d740
SHA1 9a14239441323efa1e0196561f3758ef68d06bea
SHA256 45ac2f2023a21fa6cdcfb5e090aebd1b1b265e485a1a713233076d05d4408c92
SHA512 20b74f4181b202914f3bcfdedd29cb50e810858a6d55c7fa6babfb6be9e84d837ff49c10fd458bbda079705e984676a920b69a6a81abfeaa185d05a21c49c558

memory/2804-172-0x0000000006C70000-0x0000000006CBC000-memory.dmp

memory/2804-173-0x0000000070420000-0x000000007046C000-memory.dmp

memory/2804-184-0x0000000007950000-0x00000000079F3000-memory.dmp

memory/2804-174-0x0000000070BB0000-0x0000000070F04000-memory.dmp

memory/2804-185-0x0000000007C70000-0x0000000007C81000-memory.dmp

memory/2804-186-0x0000000006500000-0x0000000006514000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 82e3c9fc284aa89c1c6f76d3691bd565
SHA1 27ed372a473d713ae1d73c8e7193f21c438283ba
SHA256 21e7cf148f4e76222ed66b5ae7587c79351c764a910c1ed66eae5c1ad4cddeb8
SHA512 0043e5c40ecf49e49f734c3577eeabe97619851a667ac22aaa610ef8d70b2e207e4dc8aa37b8d20721e6efd8fc5822a93be83c28803f26a6f01c3507651ed4c5

memory/3084-199-0x0000000070BB0000-0x0000000070F04000-memory.dmp

memory/3084-198-0x0000000070420000-0x000000007046C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/2332-216-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2492-221-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2492-223-0x0000000000400000-0x00000000008DF000-memory.dmp

C:\Windows\windefender.exe

MD5 eac3c94e166a4ac3e7d3dbf26d505ebb
SHA1 c231e723ad6077f9b6bd12c5e7bd3fd208f7fa45
SHA256 662eb9030b85d481e53772eb13a1b747a62bc68a862e0e4ba90f4e6acb3fe124
SHA512 b5b0f2d3205ebf43593ae73318cc078b5eafed92be6c8d113cf0e7dbef9f84da759301393b9528ac7f11b2f82dd8a190ad5c2b9066c84afbc1c9fb775fcff1a0

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/2332-225-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3676-226-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2332-228-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2332-231-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3676-232-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2332-234-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2332-237-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2332-240-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3676-241-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2332-243-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2332-246-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2332-249-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2332-252-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2332-255-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2332-258-0x0000000000400000-0x0000000000D1C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-16 10:21

Reported

2024-05-16 10:23

Platform

win11-20240508-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\add7fae0e7fe64f0c31959e317bdecc7b640bf0a99065e2d277ac1827c1b3f99.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\add7fae0e7fe64f0c31959e317bdecc7b640bf0a99065e2d277ac1827c1b3f99.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\add7fae0e7fe64f0c31959e317bdecc7b640bf0a99065e2d277ac1827c1b3f99.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\add7fae0e7fe64f0c31959e317bdecc7b640bf0a99065e2d277ac1827c1b3f99.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\add7fae0e7fe64f0c31959e317bdecc7b640bf0a99065e2d277ac1827c1b3f99.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-435 = "Georgian Standard Time" C:\Users\Admin\AppData\Local\Temp\add7fae0e7fe64f0c31959e317bdecc7b640bf0a99065e2d277ac1827c1b3f99.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-251 = "Dateline Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-122 = "SA Pacific Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2771 = "Omsk Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-449 = "Azerbaijan Standard Time" C:\Users\Admin\AppData\Local\Temp\add7fae0e7fe64f0c31959e317bdecc7b640bf0a99065e2d277ac1827c1b3f99.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-562 = "SE Asia Standard Time" C:\Users\Admin\AppData\Local\Temp\add7fae0e7fe64f0c31959e317bdecc7b640bf0a99065e2d277ac1827c1b3f99.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-221 = "Alaskan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-171 = "Central Daylight Time (Mexico)" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-232 = "Hawaiian Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2062 = "North Korea Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-831 = "SA Eastern Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2511 = "Lord Howe Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-451 = "Caucasus Daylight Time" C:\Users\Admin\AppData\Local\Temp\add7fae0e7fe64f0c31959e317bdecc7b640bf0a99065e2d277ac1827c1b3f99.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-282 = "Central Europe Standard Time" C:\Users\Admin\AppData\Local\Temp\add7fae0e7fe64f0c31959e317bdecc7b640bf0a99065e2d277ac1827c1b3f99.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-434 = "Georgian Daylight Time" C:\Users\Admin\AppData\Local\Temp\add7fae0e7fe64f0c31959e317bdecc7b640bf0a99065e2d277ac1827c1b3f99.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-151 = "Central America Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1861 = "Russia TZ 6 Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-441 = "Arabian Daylight Time" C:\Users\Admin\AppData\Local\Temp\add7fae0e7fe64f0c31959e317bdecc7b640bf0a99065e2d277ac1827c1b3f99.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-141 = "Canada Central Daylight Time" C:\Users\Admin\AppData\Local\Temp\add7fae0e7fe64f0c31959e317bdecc7b640bf0a99065e2d277ac1827c1b3f99.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2752 = "Tomsk Standard Time" C:\Users\Admin\AppData\Local\Temp\add7fae0e7fe64f0c31959e317bdecc7b640bf0a99065e2d277ac1827c1b3f99.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-361 = "GTB Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-751 = "Tonga Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-105 = "Central Brazilian Standard Time" C:\Users\Admin\AppData\Local\Temp\add7fae0e7fe64f0c31959e317bdecc7b640bf0a99065e2d277ac1827c1b3f99.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-271 = "Greenwich Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\add7fae0e7fe64f0c31959e317bdecc7b640bf0a99065e2d277ac1827c1b3f99.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2061 = "North Korea Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-721 = "Central Pacific Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1972 = "Belarus Standard Time" C:\Users\Admin\AppData\Local\Temp\add7fae0e7fe64f0c31959e317bdecc7b640bf0a99065e2d277ac1827c1b3f99.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2531 = "Chatham Islands Daylight Time" C:\Users\Admin\AppData\Local\Temp\add7fae0e7fe64f0c31959e317bdecc7b640bf0a99065e2d277ac1827c1b3f99.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-331 = "E. Europe Daylight Time" C:\Users\Admin\AppData\Local\Temp\add7fae0e7fe64f0c31959e317bdecc7b640bf0a99065e2d277ac1827c1b3f99.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-335 = "Jordan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-31 = "Mid-Atlantic Daylight Time" C:\Users\Admin\AppData\Local\Temp\add7fae0e7fe64f0c31959e317bdecc7b640bf0a99065e2d277ac1827c1b3f99.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-222 = "Alaskan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-832 = "SA Eastern Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-692 = "Tasmania Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-402 = "Arabic Standard Time" C:\Users\Admin\AppData\Local\Temp\add7fae0e7fe64f0c31959e317bdecc7b640bf0a99065e2d277ac1827c1b3f99.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1802 = "Line Islands Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2492 = "Aus Central W. Standard Time" C:\Users\Admin\AppData\Local\Temp\add7fae0e7fe64f0c31959e317bdecc7b640bf0a99065e2d277ac1827c1b3f99.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-121 = "SA Pacific Daylight Time" C:\Users\Admin\AppData\Local\Temp\add7fae0e7fe64f0c31959e317bdecc7b640bf0a99065e2d277ac1827c1b3f99.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-841 = "Argentina Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-512 = "Central Asia Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2591 = "Tocantins Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-411 = "E. Africa Daylight Time" C:\Users\Admin\AppData\Local\Temp\add7fae0e7fe64f0c31959e317bdecc7b640bf0a99065e2d277ac1827c1b3f99.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-492 = "India Standard Time" C:\Users\Admin\AppData\Local\Temp\add7fae0e7fe64f0c31959e317bdecc7b640bf0a99065e2d277ac1827c1b3f99.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2002 = "Cabo Verde Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-111 = "Eastern Daylight Time" C:\Windows\windefender.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\add7fae0e7fe64f0c31959e317bdecc7b640bf0a99065e2d277ac1827c1b3f99.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\add7fae0e7fe64f0c31959e317bdecc7b640bf0a99065e2d277ac1827c1b3f99.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\add7fae0e7fe64f0c31959e317bdecc7b640bf0a99065e2d277ac1827c1b3f99.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\add7fae0e7fe64f0c31959e317bdecc7b640bf0a99065e2d277ac1827c1b3f99.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\add7fae0e7fe64f0c31959e317bdecc7b640bf0a99065e2d277ac1827c1b3f99.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\add7fae0e7fe64f0c31959e317bdecc7b640bf0a99065e2d277ac1827c1b3f99.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\add7fae0e7fe64f0c31959e317bdecc7b640bf0a99065e2d277ac1827c1b3f99.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\add7fae0e7fe64f0c31959e317bdecc7b640bf0a99065e2d277ac1827c1b3f99.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\add7fae0e7fe64f0c31959e317bdecc7b640bf0a99065e2d277ac1827c1b3f99.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\add7fae0e7fe64f0c31959e317bdecc7b640bf0a99065e2d277ac1827c1b3f99.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\add7fae0e7fe64f0c31959e317bdecc7b640bf0a99065e2d277ac1827c1b3f99.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\add7fae0e7fe64f0c31959e317bdecc7b640bf0a99065e2d277ac1827c1b3f99.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\add7fae0e7fe64f0c31959e317bdecc7b640bf0a99065e2d277ac1827c1b3f99.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\add7fae0e7fe64f0c31959e317bdecc7b640bf0a99065e2d277ac1827c1b3f99.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2528 wrote to memory of 3308 N/A C:\Users\Admin\AppData\Local\Temp\add7fae0e7fe64f0c31959e317bdecc7b640bf0a99065e2d277ac1827c1b3f99.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2528 wrote to memory of 3308 N/A C:\Users\Admin\AppData\Local\Temp\add7fae0e7fe64f0c31959e317bdecc7b640bf0a99065e2d277ac1827c1b3f99.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2528 wrote to memory of 3308 N/A C:\Users\Admin\AppData\Local\Temp\add7fae0e7fe64f0c31959e317bdecc7b640bf0a99065e2d277ac1827c1b3f99.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2644 wrote to memory of 4308 N/A C:\Users\Admin\AppData\Local\Temp\add7fae0e7fe64f0c31959e317bdecc7b640bf0a99065e2d277ac1827c1b3f99.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2644 wrote to memory of 4308 N/A C:\Users\Admin\AppData\Local\Temp\add7fae0e7fe64f0c31959e317bdecc7b640bf0a99065e2d277ac1827c1b3f99.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2644 wrote to memory of 4308 N/A C:\Users\Admin\AppData\Local\Temp\add7fae0e7fe64f0c31959e317bdecc7b640bf0a99065e2d277ac1827c1b3f99.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2644 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\add7fae0e7fe64f0c31959e317bdecc7b640bf0a99065e2d277ac1827c1b3f99.exe C:\Windows\system32\cmd.exe
PID 2644 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\add7fae0e7fe64f0c31959e317bdecc7b640bf0a99065e2d277ac1827c1b3f99.exe C:\Windows\system32\cmd.exe
PID 2736 wrote to memory of 1552 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2736 wrote to memory of 1552 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2644 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\add7fae0e7fe64f0c31959e317bdecc7b640bf0a99065e2d277ac1827c1b3f99.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2644 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\add7fae0e7fe64f0c31959e317bdecc7b640bf0a99065e2d277ac1827c1b3f99.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2644 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\add7fae0e7fe64f0c31959e317bdecc7b640bf0a99065e2d277ac1827c1b3f99.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2644 wrote to memory of 4996 N/A C:\Users\Admin\AppData\Local\Temp\add7fae0e7fe64f0c31959e317bdecc7b640bf0a99065e2d277ac1827c1b3f99.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2644 wrote to memory of 4996 N/A C:\Users\Admin\AppData\Local\Temp\add7fae0e7fe64f0c31959e317bdecc7b640bf0a99065e2d277ac1827c1b3f99.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2644 wrote to memory of 4996 N/A C:\Users\Admin\AppData\Local\Temp\add7fae0e7fe64f0c31959e317bdecc7b640bf0a99065e2d277ac1827c1b3f99.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2644 wrote to memory of 3484 N/A C:\Users\Admin\AppData\Local\Temp\add7fae0e7fe64f0c31959e317bdecc7b640bf0a99065e2d277ac1827c1b3f99.exe C:\Windows\rss\csrss.exe
PID 2644 wrote to memory of 3484 N/A C:\Users\Admin\AppData\Local\Temp\add7fae0e7fe64f0c31959e317bdecc7b640bf0a99065e2d277ac1827c1b3f99.exe C:\Windows\rss\csrss.exe
PID 2644 wrote to memory of 3484 N/A C:\Users\Admin\AppData\Local\Temp\add7fae0e7fe64f0c31959e317bdecc7b640bf0a99065e2d277ac1827c1b3f99.exe C:\Windows\rss\csrss.exe
PID 3484 wrote to memory of 4052 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3484 wrote to memory of 4052 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3484 wrote to memory of 4052 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3484 wrote to memory of 4688 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3484 wrote to memory of 4688 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3484 wrote to memory of 4688 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3484 wrote to memory of 3572 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3484 wrote to memory of 3572 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3484 wrote to memory of 3572 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3484 wrote to memory of 2528 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 3484 wrote to memory of 2528 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 1188 wrote to memory of 3180 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 1188 wrote to memory of 3180 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 1188 wrote to memory of 3180 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 3180 wrote to memory of 3264 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 3180 wrote to memory of 3264 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 3180 wrote to memory of 3264 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
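
Each row above records a parent writing into a process it has just started, so the table doubles as the process tree of the run. Two things trip up a naive reading of it: the sandbox logs one row per write, so every parent/child pair repeats, and PIDs are reused within the run (2528 is the first instance of the sample early on and injector.exe later, after csrss.exe has started it). The following Python is an added example, not part of the sandbox report: it rebuilds the tree from the rows, keys nodes by (pid, image) rather than pid alone, and then flags the two patterns worth an alert, a core Windows process name running from a non-system directory (C:\Windows\rss\csrss.exe) and chains that end in a built-in admin tool (cmd.exe, netsh.exe, sc.exe, powershell.exe). The row subset, the list of system process names and the admin-tool list are choices made for the example.

```python
import ntpath
import re
from collections import defaultdict

# Constructed input: rows copied from the WriteProcessMemory table above. The
# sandbox logs one row per write, so the same parent->child pair repeats.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\add7fae0e7fe64f0c31959e317bdecc7b640bf0a99065e2d277ac1827c1b3f99.exe"
PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
ROWS = [
    rf"PID 2528 wrote to memory of 3308 N/A {SAMPLE} {PS}",
    rf"PID 2528 wrote to memory of 3308 N/A {SAMPLE} {PS}",
    rf"PID 2644 wrote to memory of 4308 N/A {SAMPLE} {PS}",
    rf"PID 2644 wrote to memory of 2736 N/A {SAMPLE} C:\Windows\system32\cmd.exe",
    rf"PID 2736 wrote to memory of 1552 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe",
    rf"PID 2644 wrote to memory of 2888 N/A {SAMPLE} {PS}",
    rf"PID 2644 wrote to memory of 3484 N/A {SAMPLE} C:\Windows\rss\csrss.exe",
    rf"PID 3484 wrote to memory of 4052 N/A C:\Windows\rss\csrss.exe {PS}",
    rf"PID 3484 wrote to memory of 2528 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe",
    rf"PID 1188 wrote to memory of 3180 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe",
    rf"PID 3180 wrote to memory of 3264 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe",
]
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")

# Names that only legitimately run from a system directory (example list).
SYSTEM_NAMES = {"csrss.exe", "smss.exe", "lsass.exe", "services.exe",
                "svchost.exe", "wininit.exe", "winlogon.exe"}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# Built-in tools whose parent chain tells you who drove the change.
ADMIN_TOOLS = {"powershell.exe", "cmd.exe", "netsh.exe", "sc.exe", "schtasks.exe"}


def parse_edges(rows):
    """Parent->child edges with duplicates collapsed. Nodes are (pid, image):
    sandbox PIDs get reused, and 2528 is the sample early in the run but
    injector.exe later on, so pid alone would merge two different processes."""
    edges = set()
    for row in rows:
        m = ROW_RE.match(row)
        if m:
            ppid, cpid, pimg, cimg = m.groups()
            edges.add(((int(ppid), pimg), (int(cpid), cimg)))
    return edges


def build_tree(edges):
    """Children map plus the roots (nodes that nobody wrote into)."""
    children = defaultdict(list)
    for parent, child in edges:
        children[parent].append(child)
    targets = {child for _, child in edges}
    roots = sorted(p for p in children if p not in targets)
    return children, roots


def chains(children, node, prefix=()):
    """Every root-to-leaf chain as a tuple of lower-cased image basenames."""
    path = prefix + (ntpath.basename(node[1]).lower(),)
    kids = sorted(children.get(node, []))
    if not kids:
        yield path
    for kid in kids:
        yield from chains(children, kid, path)


def tool_chains(children, roots):
    """Chains that end in an admin tool: who launched cmd/netsh/sc, via what."""
    return sorted({c for r in roots for c in chains(children, r)
                   if c[-1] in ADMIN_TOOLS})


def masquerading(edges):
    # Nodes whose file name is a core Windows process but whose directory is
    # not a system directory; in this run that is C:\Windows\rss\csrss.exe.
    nodes = {n for edge in edges for n in edge}
    return sorted(n for n in nodes
                  if ntpath.basename(n[1]).lower() in SYSTEM_NAMES
                  and ntpath.dirname(n[1]).lower() not in SYSTEM_DIRS)


def render(children, node, depth=0):
    """Indented rendering of one root, for reading rather than matching."""
    lines = ["  " * depth + f"{node[0]} {node[1]}"]
    for kid in sorted(children.get(node, [])):
        lines.extend(render(children, kid, depth + 1))
    return lines


if __name__ == "__main__":
    edges = parse_edges(ROWS)
    children, roots = build_tree(edges)
    for root in roots:
        print("\n".join(render(children, root)))
    print("masquerading:", masquerading(edges))
    for chain in tool_chains(children, roots):
        print(" -> ".join(chain))
```

The same two rules carry over to EDR telemetry unchanged: a process image whose basename is csrss.exe but whose directory is not System32 needs no further context to be an alert, and the chain windefender.exe -> cmd.exe -> sc.exe is the shape to hunt for when a non-Microsoft binary reconfigures a service.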

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\add7fae0e7fe64f0c31959e317bdecc7b640bf0a99065e2d277ac1827c1b3f99.exe

"C:\Users\Admin\AppData\Local\Temp\add7fae0e7fe64f0c31959e317bdecc7b640bf0a99065e2d277ac1827c1b3f99.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\add7fae0e7fe64f0c31959e317bdecc7b640bf0a99065e2d277ac1827c1b3f99.exe

"C:\Users\Admin\AppData\Local\Temp\add7fae0e7fe64f0c31959e317bdecc7b640bf0a99065e2d277ac1827c1b3f99.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe
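
The `sc sdset WinDefender ...` command above is the evasion step in this chain and it is easy to misread as noise. The descriptor grants BUILTIN\Administrators almost every right on the service, including change-config, delete, write-DAC and write-owner, but the allow ACE lacks WP (SERVICE_STOP) and DT (SERVICE_PAUSE_CONTINUE), and a separate `(D;;WPDT;;;BA)` ACE denies exactly those two. The effect is that `sc stop`, `net stop`, Stop-Service and the Services console all fail with access denied for an elevated administrator while LOCAL SYSTEM keeps stop rights. Note also the name: the real Windows Defender service is WinDefend, so a service called WinDefender backed by C:\Windows\windefender.exe is a tell on its own. The following Python is an added example, not from the sandbox report: a small SDDL decoder for service objects that expands each ACE, computes the effective rights per trustee with denies applied, and reports which rights Administrators have lost against a baseline. The baseline string is the commonly cited default descriptor for a service created with `sc create`; it is included from memory and should be treated as an assumption.

```python
import re

# Descriptor from the "sc sdset WinDefender ..." command line in the report.
WINDEFENDER_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)"
                    "(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
                    "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
# Baseline for comparison: the default descriptor of a service created with
# "sc create" (assumption: quoted from memory, verify with "sc sdshow" locally).
DEFAULT_SERVICE_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
                        "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
                        "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")

# Two-letter SDDL right codes as the Service Control Manager reads them on a
# service object (the object-specific slots CC..CR map to service rights).
SERVICE_RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS", "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START", "WP": "SERVICE_STOP", "DT": "SERVICE_PAUSE_CONTINUE",
    "LO": "SERVICE_INTERROGATE", "CR": "SERVICE_USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
    "GA": "GENERIC_ALL", "GR": "GENERIC_READ", "GW": "GENERIC_WRITE", "GX": "GENERIC_EXECUTE",
}
TRUSTEES = {"SY": "LOCAL SYSTEM", "BA": "BUILTIN\\Administrators",
            "IU": "INTERACTIVE", "SU": "SERVICE", "WD": "Everyone"}
ACE_TYPES = {"A": "allow", "D": "deny", "AU": "audit"}
SECTION_RE = re.compile(r"([DS]):((?:\([^)]*\))*)")
ACE_RE = re.compile(r"\(([^)]*)\)")


def parse_sddl(sddl):
    """Flatten the D: (DACL) and S: (SACL) sections into a list of ACE dicts."""
    aces = []
    for section, body in SECTION_RE.findall(sddl):
        for ace in ACE_RE.findall(body):
            ace_type, flags, rights, _obj, _inherit, sid = ace.split(";")
            aces.append({
                "section": "DACL" if section == "D" else "SACL",
                "type": ACE_TYPES.get(ace_type, ace_type),
                "flags": flags,
                "rights": {SERVICE_RIGHTS.get(rights[i:i + 2], rights[i:i + 2])
                           for i in range(0, len(rights), 2)},
                "trustee": TRUSTEES.get(sid, sid),
            })
    return aces


def effective_rights(aces, trustee):
    """(allowed - denied, denied) for one trustee; a deny ACE wins on access checks."""
    allowed, denied = set(), set()
    for ace in aces:
        if ace["section"] == "DACL" and ace["trustee"] == trustee:
            (allowed if ace["type"] == "allow" else denied).update(ace["rights"])
    return allowed - denied, denied


def admins_can_stop(sddl):
    """True only if BUILTIN\\Administrators keep SERVICE_STOP after denies apply."""
    allowed, _ = effective_rights(parse_sddl(sddl), TRUSTEES["BA"])
    return "SERVICE_STOP" in allowed


def deny_findings(sddl):
    """Explicit deny ACEs aimed at Administrators or SYSTEM. A service DACL
    that denies anything to these trustees is worth an alert by itself."""
    return [(a["trustee"], sorted(a["rights"])) for a in parse_sddl(sddl)
            if a["section"] == "DACL" and a["type"] == "deny"
            and a["trustee"] in (TRUSTEES["BA"], TRUSTEES["SY"])]


def rights_removed(baseline, sddl, trustee):
    """Rights the trustee holds under the baseline but not under sddl."""
    base, _ = effective_rights(parse_sddl(baseline), trustee)
    now, _ = effective_rights(parse_sddl(sddl), trustee)
    return sorted(base - now)


if __name__ == "__main__":
    for ace in parse_sddl(WINDEFENDER_SDDL):
        print(ace["section"], ace["type"], ace["trustee"], sorted(ace["rights"]))
    print("admins can stop:", admins_can_stop(WINDEFENDER_SDDL))
    print("removed from admins:",
          rights_removed(DEFAULT_SERVICE_SDDL, WINDEFENDER_SDDL, TRUSTEES["BA"]))
```

On a suspect host, `sc sdshow WinDefender` prints the live descriptor in this same SDDL form and can be fed straight to `parse_sddl`. For remediation the important detail is that the allow ACE still grants Administrators WRITE_DAC and DELETE, so the order of operations is to rewrite the descriptor with `sc sdset` (or delete the service) first and only then stop it; stopping first will keep failing.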

Network

Country Destination Domain Proto
US 8.8.8.8:53 2b754c86-91e1-40d5-b610-f762491f313a.uuid.databaseupgrade.ru udp
US 8.8.8.8:53 server9.databaseupgrade.ru udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 74.125.250.129:19302 stun3.l.google.com udp
BG 185.82.216.108:443 server9.databaseupgrade.ru tcp
US 172.67.221.71:443 carsalessystem.com tcp
BG 185.82.216.108:443 server9.databaseupgrade.ru tcp
BG 185.82.216.108:443 server9.databaseupgrade.ru tcp
BG 185.82.216.108:443 server9.databaseupgrade.ru tcp
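
Three things in the network table matter when turning it into indicators. The 8.8.8.8:53 rows are lookups at the public resolver, not connections, and the only server the sample actually holds sessions with is 185.82.216.108 (server9.databaseupgrade.ru) over TLS, repeated four times. The first lookup carries a UUID as its leftmost label, so an exact-match blocklist on that host name will never fire again; the parent domain is the indicator. And the remaining destinations are shared services (Discord's CDN, Google's STUN server on 19302, a Cloudflare-fronted site whose IP is in the 172.67.0.0/16 range), which you block by policy rather than carry as sample-specific IOCs. The following Python is an added example, not part of the sandbox report: it parses the rows, separates lookups from sessions, extracts the indicators, and suffix-matches a constructed resolver log so a fresh UUID label still hits. The shared-infrastructure list, the two-label parent-domain rule and the log format are choices made for the example.

```python
import re

# Constructed input: the rows of the Network table above, one string per row.
NETWORK_ROWS = """\
US 8.8.8.8:53 2b754c86-91e1-40d5-b610-f762491f313a.uuid.databaseupgrade.ru udp
US 8.8.8.8:53 server9.databaseupgrade.ru udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 74.125.250.129:19302 stun3.l.google.com udp
BG 185.82.216.108:443 server9.databaseupgrade.ru tcp
US 172.67.221.71:443 carsalessystem.com tcp
BG 185.82.216.108:443 server9.databaseupgrade.ru tcp
BG 185.82.216.108:443 server9.databaseupgrade.ru tcp
""".splitlines()

# Shared services the sample touches that do not belong on a sample-specific
# blocklist: the public resolver, Google's STUN server and Discord's CDN.
SHARED_INFRA = {"8.8.8.8", "stun3.l.google.com", "cdn.discordapp.com"}
UUID_LABEL = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\.", re.I)


def parse_rows(rows):
    """One dict per row: country, ip, port, domain, proto."""
    out = []
    for row in rows:
        country, dest, domain, proto = row.split()
        ip, port = dest.rsplit(":", 1)
        out.append({"country": country, "ip": ip, "port": int(port),
                    "domain": domain, "proto": proto})
    return out


def classify(rows):
    """Separate DNS lookups (traffic to the resolver) from real sessions and
    collapse the repeated server9 sessions. Returns (lookups, connections)."""
    lookups, conns = set(), set()
    for r in parse_rows(rows):
        if r["port"] == 53 and r["proto"] == "udp":
            lookups.add(r["domain"])
        else:
            conns.add((r["domain"], r["ip"], r["port"], r["proto"]))
    return sorted(lookups), sorted(conns)


def parent_domain(host, labels=2):
    """Last two labels of a host name; enough for the names in this report,
    a public-suffix list would be needed for names like example.co.uk."""
    return ".".join(host.lower().split(".")[-labels:])


def uuid_beacons(lookups):
    """Lookups whose first label is a UUID. A unique label per host defeats
    exact-match blocking and reads like a per-victim identifier sent via DNS."""
    return [d for d in lookups if UUID_LABEL.match(d)]


def iocs(rows):
    """Indicators worth carrying: parent domains, plus IPs of direct sessions."""
    lookups, conns = classify(rows)
    domains = {parent_domain(d) for d in lookups if d not in SHARED_INFRA}
    domains |= {parent_domain(d) for d, *_ in conns if d not in SHARED_INFRA}
    ips = {ip for d, ip, *_ in conns if d not in SHARED_INFRA}
    return sorted(domains), sorted(ips)


def scan_dns_log(lines, watch_domains):
    """Suffix-match resolver log lines of the form "<time> <client> <qname>"
    against the watch domains, so a never-seen UUID label still matches."""
    return [line.split()[-1] for line in lines
            if parent_domain(line.split()[-1]) in watch_domains]


# Constructed resolver log; the UUID deliberately differs from the report's.
DNS_LOG = [
    "2024-05-16T10:22:01 10.0.0.5 7f3e1a2b-0c4d-4e5f-8a9b-1c2d3e4f5a6b.uuid.databaseupgrade.ru",
    "2024-05-16T10:22:02 10.0.0.5 www.example.com",
    "2024-05-16T10:22:03 10.0.0.6 server9.databaseupgrade.ru",
]

if __name__ == "__main__":
    lookups, conns = classify(NETWORK_ROWS)
    print("lookups:", lookups)
    print("sessions:", conns)
    print("uuid beacons:", uuid_beacons(lookups))
    domains, ips = iocs(NETWORK_ROWS)
    print("iocs:", domains, ips)
    print("log hits:", scan_dns_log(DNS_LOG, set(domains)))
```

The IP of carsalessystem.com is kept only because it is a direct session; since it sits in a CDN range it will rotate and the domain is the usable indicator. Whether to alert on the STUN query depends on the environment: it is how a host learns its public address, which is ordinary for VoIP clients and unusual for a service binary in C:\Windows.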

Files

memory/2528-1-0x0000000002A40000-0x0000000002E3E000-memory.dmp

memory/2528-2-0x0000000002E40000-0x000000000372B000-memory.dmp

memory/2528-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3308-4-0x000000007451E000-0x000000007451F000-memory.dmp

memory/3308-5-0x0000000005310000-0x0000000005346000-memory.dmp

memory/3308-6-0x0000000005A60000-0x000000000608A000-memory.dmp

memory/3308-7-0x0000000074510000-0x0000000074CC1000-memory.dmp

memory/3308-8-0x00000000058F0000-0x0000000005912000-memory.dmp

memory/3308-10-0x0000000006270000-0x00000000062D6000-memory.dmp

memory/3308-9-0x0000000006200000-0x0000000006266000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_avile5b0.210.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3308-19-0x00000000062E0000-0x0000000006637000-memory.dmp

memory/3308-20-0x0000000074510000-0x0000000074CC1000-memory.dmp

memory/3308-21-0x0000000006790000-0x00000000067AE000-memory.dmp

memory/3308-22-0x00000000067C0000-0x000000000680C000-memory.dmp

memory/3308-23-0x0000000006D00000-0x0000000006D46000-memory.dmp

memory/3308-24-0x0000000007BB0000-0x0000000007BE4000-memory.dmp

memory/3308-25-0x0000000070780000-0x00000000707CC000-memory.dmp

memory/3308-27-0x0000000074510000-0x0000000074CC1000-memory.dmp

memory/3308-37-0x0000000007C10000-0x0000000007CB4000-memory.dmp

memory/3308-36-0x0000000007BF0000-0x0000000007C0E000-memory.dmp

memory/3308-26-0x0000000070990000-0x0000000070CE7000-memory.dmp

memory/3308-38-0x0000000074510000-0x0000000074CC1000-memory.dmp

memory/3308-39-0x0000000008380000-0x00000000089FA000-memory.dmp

memory/3308-40-0x0000000005600000-0x000000000561A000-memory.dmp

memory/3308-41-0x0000000007DA0000-0x0000000007DAA000-memory.dmp

memory/3308-42-0x0000000007EB0000-0x0000000007F46000-memory.dmp

memory/3308-43-0x0000000007DC0000-0x0000000007DD1000-memory.dmp

memory/3308-44-0x0000000007E10000-0x0000000007E1E000-memory.dmp

memory/3308-45-0x0000000007E20000-0x0000000007E35000-memory.dmp

memory/3308-46-0x0000000007E70000-0x0000000007E8A000-memory.dmp

memory/3308-47-0x0000000007E90000-0x0000000007E98000-memory.dmp

memory/3308-50-0x0000000074510000-0x0000000074CC1000-memory.dmp

memory/2528-51-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2528-52-0x0000000002E40000-0x000000000372B000-memory.dmp

memory/2644-54-0x0000000002A20000-0x0000000002E1C000-memory.dmp

memory/4308-60-0x0000000005BB0000-0x0000000005F07000-memory.dmp

memory/4308-64-0x0000000006140000-0x000000000618C000-memory.dmp

memory/4308-65-0x0000000070890000-0x00000000708DC000-memory.dmp

memory/4308-66-0x0000000070AA0000-0x0000000070DF7000-memory.dmp

memory/4308-75-0x00000000072F0000-0x0000000007394000-memory.dmp

memory/4308-76-0x0000000007640000-0x0000000007651000-memory.dmp

memory/4308-77-0x0000000007690000-0x00000000076A5000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 d0c46cad6c0778401e21910bd6b56b70
SHA1 7be418951ea96326aca445b8dfe449b2bfa0dca6
SHA256 9600b3fdf0565ccb49e21656aa4b24d7c18f776bfd04d9ee984b134707550f02
SHA512 057531b468f7fbbb2175a696a8aab274dec0d17d9f71df309edcff35e064f3378050066a3df47ccd03048fac461594ec75e3d4fe64f9dd79949d129f51e02949

memory/2888-89-0x0000000005590000-0x00000000058E7000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 962a70ae430b2d9274b28646598a9955
SHA1 52e585c0a424778d4fe8f00fdb346c9a18d4d944
SHA256 8a9f9de75bc2c6dc2989671586e577e03b8d7b443b45aa8f49e51178bc01f996
SHA512 edaa13c6c3509cd5fd603df10c5a2b089431120114b64bfadc2d15f85ca0c35060ff29ceab404efa8b304e7201b5cc2cdfc5436e2ba361917d995da160f55d5f

memory/2888-91-0x0000000070890000-0x00000000708DC000-memory.dmp

memory/2888-92-0x0000000070AE0000-0x0000000070E37000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 507ac14439da68443aeb53c1b8e30ae8
SHA1 9a1b32f06387890fbe8c7578305612fdd44a2567
SHA256 e1e31fd823592012454a8b6da363e4e91d000171dd88347b55bcad6d9030a01c
SHA512 77ff09c32f063e6c8f243ae20cee215764383b55116e2c2998aa296742e0af82e968e29c7612dc9de95ffd3d3ad82af22c32cd61f0dd386fcb9d47ff540cfe20

memory/2644-111-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4996-113-0x0000000070AE0000-0x0000000070E37000-memory.dmp

memory/4996-112-0x0000000070890000-0x00000000708DC000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 aa887cfcfdce6d4fc8c1e660e79c9d20
SHA1 250af7a7bacb40895084c5bc5ae29ca2bf116d73
SHA256 add7fae0e7fe64f0c31959e317bdecc7b640bf0a99065e2d277ac1827c1b3f99
SHA512 b51c288309137e33b41707890ba6d8a2788ea2220f43de27df45244633b02c70cbf0d1e3f39e1a7185600a5e90e27817d5c4872e3868769c0f7d173277aaa42b

memory/2644-126-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 fd6283757f1bb62b68b926904e6b24b0
SHA1 4610fb743afdb1766eec9fe4defbe27a4c4a461b
SHA256 a79c8aeb999ead7565299e0b9957e4e91d36d265a658bfaca648837f04cbfe74
SHA512 da58da4ec188504dc4b1e19c282e73a0446825288987896222e4b1fc5ff7974d0b5edbf2b01c58489a9c8a1a024b3d8d78a320ad4d26c3a315c2dfc8b2dfe399

memory/4052-138-0x0000000006990000-0x00000000069DC000-memory.dmp

memory/4052-139-0x00000000707F0000-0x000000007083C000-memory.dmp

memory/4052-140-0x0000000070990000-0x0000000070CE7000-memory.dmp

memory/4052-149-0x0000000007BC0000-0x0000000007C64000-memory.dmp

memory/4052-150-0x0000000007F30000-0x0000000007F41000-memory.dmp

memory/4052-151-0x00000000063B0000-0x00000000063C5000-memory.dmp

memory/4688-162-0x0000000006440000-0x0000000006797000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 0205cce6540be77b80236ccc7fa22b7d
SHA1 9b7ae3aa7efb1f78c7564d18f3c3c2ad4ef6c8f3
SHA256 2b8b2889cde00039c0db3f33a4d96628b39ab590f9214d20d984fe9bbddb34fe
SHA512 0975e5748b00c11fb1cb3e090bbb8701c392ff910f10c93c103374293adce2e44bf50cc96acbb1f1e958d0eb34998d853fe69e45b98e3349b328829549e22bfc

memory/4688-163-0x0000000006E90000-0x0000000006EDC000-memory.dmp

memory/4688-165-0x0000000070890000-0x0000000070BE7000-memory.dmp

memory/4688-164-0x0000000070710000-0x000000007075C000-memory.dmp

memory/4688-174-0x0000000007BA0000-0x0000000007C44000-memory.dmp

memory/4688-175-0x0000000007F30000-0x0000000007F41000-memory.dmp

memory/4688-176-0x00000000062A0000-0x00000000062B5000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 b02368121e82d8d474a5644b1723b5d8
SHA1 c1faf102bf50322123bc93016f53d09d009641e0
SHA256 56e8dff835406a3142aed714edad713796d451e12024767dd52e5803993daac6
SHA512 e0dc97ef0989bc2248d56bb37e71ac24dbea64ecb4f47969d2765f87d309aac498b17a71cec7be949045c48a6bd407c0d032c7bf403abd2ff2a72487c4dc4c6c

memory/3572-187-0x0000000070710000-0x000000007075C000-memory.dmp

memory/3572-188-0x0000000070890000-0x0000000070BE7000-memory.dmp

memory/3484-197-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/3484-207-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1188-208-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4208-211-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/1188-213-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3484-214-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4208-215-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3484-216-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4208-219-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3484-218-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3484-220-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3484-222-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3484-224-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3484-226-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3484-228-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3484-230-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3484-232-0x0000000000400000-0x0000000000D1C000-memory.dmp
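
Two observations fall out of the Files section once it is parsed rather than skimmed. C:\Windows\rss\csrss.exe has the same SHA256 as the submitted sample, so the dropper persists by copying itself and the copy adds no new hash IOC; injector.exe and windefender.exe are the distinct artefacts worth hashing. And the memory dumps for PIDs 2528, 2644 and 3484 all cover 0x400000 to 0xD1C000, while 1188 covers 0x400000 to 0x8DF000: 0x400000 is the default image base of a 32-bit PE, so the three processes sharing the first region are the same executable image (the sample and its csrss.exe copy) and 1188 is windefender.exe. The sample's image is about 9.1 MiB in memory, which is consistent with the UPX tag, since a UPX-packed file unpacks into its full image size when mapped. The following Python is an added example, not part of the sandbox report: a parser for the flattened layout of this section (a path line followed by hash lines, or a memory dump line), a self-copy check, and a grouping of PIDs by dumped region. The excerpt is constructed from the entries above with the SHA512 lines left out; the parser accepts them.

```python
import re

SAMPLE_SHA256 = "add7fae0e7fe64f0c31959e317bdecc7b640bf0a99065e2d277ac1827c1b3f99"

# Constructed input: an excerpt of the Files section above in its flattened
# layout. SHA512 lines are omitted here but parse the same way.
FILES_TEXT = r"""
memory/2528-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3308-7-0x0000000074510000-0x0000000074CC1000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 aa887cfcfdce6d4fc8c1e660e79c9d20
SHA1 250af7a7bacb40895084c5bc5ae29ca2bf116d73
SHA256 add7fae0e7fe64f0c31959e317bdecc7b640bf0a99065e2d277ac1827c1b3f99

memory/2644-111-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa

memory/1188-208-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3484-207-0x0000000000400000-0x0000000000D1C000-memory.dmp
"""

DUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9a-f]+)$")


def parse_files(text):
    """Return (dropped, dumps). dropped maps path -> {algo: digest}; dumps is a
    list of (pid, seq, start, end) with the addresses as integers."""
    dropped, dumps, current = {}, [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        d = DUMP_RE.match(line)
        h = HASH_RE.match(line)
        if d:
            pid, seq, start, end = d.groups()
            dumps.append((int(pid), int(seq), int(start, 16), int(end, 16)))
            current = None
        elif h and current:
            dropped[current][h.group(1)] = h.group(2)
        else:
            current = line  # any other line is a path opening a new record
            dropped.setdefault(current, {})
    return dropped, dumps


def self_copies(dropped, sha256):
    """Dropped files that are byte-for-byte the submitted sample."""
    return sorted(p for p, h in dropped.items() if h.get("SHA256") == sha256)


def new_artefacts(dropped, sha256):
    """Dropped files whose hash is not the sample's: the IOCs this run adds."""
    return {p: h["SHA256"] for p, h in dropped.items()
            if "SHA256" in h and h["SHA256"] != sha256}


def pids_by_image_region(dumps):
    """Group PIDs by dumped (start, end). Identical regions based at 0x400000,
    the default 32-bit PE image base, mean the same executable image."""
    groups = {}
    for pid, _, start, end in dumps:
        groups.setdefault((start, end), set()).add(pid)
    return {k: sorted(v) for k, v in groups.items()}


def hash_lookup(dropped):
    """Inverse index so a digest seen elsewhere can be mapped back to a path."""
    return {digest: path for path, hashes in dropped.items()
            for digest in hashes.values()}


if __name__ == "__main__":
    dropped, dumps = parse_files(FILES_TEXT)
    print("self copies:", self_copies(dropped, SAMPLE_SHA256))
    print("new artefacts:", new_artefacts(dropped, SAMPLE_SHA256))
    for (start, end), pids in pids_by_image_region(dumps).items():
        print(f"{start:#x}-{end:#x} ({end - start:#x} bytes): pids {pids}")
```

When carrying the hashes forward, the value of the csrss.exe entry is the path, not the digest: a detection on the sample's hash already covers it, while a file named csrss.exe under C:\Windows\rss is a standalone indicator regardless of content.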