Malware Analysis Report

2025-01-02 06:28

Sample ID 240516-mfd7msga41
Target d869c43edeffa5f506d4d2473c7286430c7600dc99c6c08f6ea224215e79b3c9
SHA256 d869c43edeffa5f506d4d2473c7286430c7600dc99c6c08f6ea224215e79b3c9
Tags
glupteba discovery dropper evasion execution loader persistence rootkit upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

d869c43edeffa5f506d4d2473c7286430c7600dc99c6c08f6ea224215e79b3c9

Threat Level: Known bad

The file d869c43edeffa5f506d4d2473c7286430c7600dc99c6c08f6ea224215e79b3c9 was found to be: Known bad.

Malicious Activity Summary

glupteba discovery dropper evasion execution loader persistence rootkit upx

Glupteba

Glupteba payload

Modifies Windows Firewall

Executes dropped EXE

UPX packed file

Manipulates WinMonFS driver.

Checks installed software on the system

Adds Run key to start application

Drops file in System32 directory

Checks for VirtualBox DLLs, possible anti-VM trick

Drops file in Windows directory

Launches sc.exe

Command and Scripting Interpreter: PowerShell

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Modifies data under HKEY_USERS

Creates scheduled task(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-16 10:24

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-16 10:24

Reported

2024-05-16 10:26

Platform

win11-20240508-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d869c43edeffa5f506d4d2473c7286430c7600dc99c6c08f6ea224215e79b3c9.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\d869c43edeffa5f506d4d2473c7286430c7600dc99c6c08f6ea224215e79b3c9.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\d869c43edeffa5f506d4d2473c7286430c7600dc99c6c08f6ea224215e79b3c9.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\d869c43edeffa5f506d4d2473c7286430c7600dc99c6c08f6ea224215e79b3c9.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\d869c43edeffa5f506d4d2473c7286430c7600dc99c6c08f6ea224215e79b3c9.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-332 = "E. Europe Standard Time" C:\Users\Admin\AppData\Local\Temp\d869c43edeffa5f506d4d2473c7286430c7600dc99c6c08f6ea224215e79b3c9.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-201 = "US Mountain Daylight Time" C:\Users\Admin\AppData\Local\Temp\d869c43edeffa5f506d4d2473c7286430c7600dc99c6c08f6ea224215e79b3c9.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-412 = "E. Africa Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-842 = "Argentina Standard Time" C:\Users\Admin\AppData\Local\Temp\d869c43edeffa5f506d4d2473c7286430c7600dc99c6c08f6ea224215e79b3c9.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-671 = "AUS Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\d869c43edeffa5f506d4d2473c7286430c7600dc99c6c08f6ea224215e79b3c9.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1911 = "Russia TZ 10 Daylight Time" C:\Users\Admin\AppData\Local\Temp\d869c43edeffa5f506d4d2473c7286430c7600dc99c6c08f6ea224215e79b3c9.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2892 = "Sudan Standard Time" C:\Users\Admin\AppData\Local\Temp\d869c43edeffa5f506d4d2473c7286430c7600dc99c6c08f6ea224215e79b3c9.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-142 = "Canada Central Standard Time" C:\Users\Admin\AppData\Local\Temp\d869c43edeffa5f506d4d2473c7286430c7600dc99c6c08f6ea224215e79b3c9.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-51 = "Greenland Daylight Time" C:\Users\Admin\AppData\Local\Temp\d869c43edeffa5f506d4d2473c7286430c7600dc99c6c08f6ea224215e79b3c9.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-232 = "Hawaiian Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1862 = "Russia TZ 6 Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-661 = "Cen. Australia Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2891 = "Sudan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-202 = "US Mountain Standard Time" C:\Users\Admin\AppData\Local\Temp\d869c43edeffa5f506d4d2473c7286430c7600dc99c6c08f6ea224215e79b3c9.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-72 = "Newfoundland Standard Time" C:\Users\Admin\AppData\Local\Temp\d869c43edeffa5f506d4d2473c7286430c7600dc99c6c08f6ea224215e79b3c9.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-3052 = "Qyzylorda Standard Time" C:\Users\Admin\AppData\Local\Temp\d869c43edeffa5f506d4d2473c7286430c7600dc99c6c08f6ea224215e79b3c9.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-262 = "GMT Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2612 = "Bougainville Standard Time" C:\Users\Admin\AppData\Local\Temp\d869c43edeffa5f506d4d2473c7286430c7600dc99c6c08f6ea224215e79b3c9.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1801 = "Line Islands Daylight Time" C:\Users\Admin\AppData\Local\Temp\d869c43edeffa5f506d4d2473c7286430c7600dc99c6c08f6ea224215e79b3c9.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2841 = "Saratov Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-3141 = "South Sudan Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-491 = "India Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-431 = "Iran Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-434 = "Georgian Daylight Time" C:\Users\Admin\AppData\Local\Temp\d869c43edeffa5f506d4d2473c7286430c7600dc99c6c08f6ea224215e79b3c9.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2941 = "Sao Tome Daylight Time" C:\Users\Admin\AppData\Local\Temp\d869c43edeffa5f506d4d2473c7286430c7600dc99c6c08f6ea224215e79b3c9.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-112 = "Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\d869c43edeffa5f506d4d2473c7286430c7600dc99c6c08f6ea224215e79b3c9.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-982 = "Kamchatka Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-462 = "Afghanistan Standard Time" C:\Users\Admin\AppData\Local\Temp\d869c43edeffa5f506d4d2473c7286430c7600dc99c6c08f6ea224215e79b3c9.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-281 = "Central Europe Daylight Time" C:\Users\Admin\AppData\Local\Temp\d869c43edeffa5f506d4d2473c7286430c7600dc99c6c08f6ea224215e79b3c9.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1931 = "Russia TZ 11 Daylight Time" C:\Users\Admin\AppData\Local\Temp\d869c43edeffa5f506d4d2473c7286430c7600dc99c6c08f6ea224215e79b3c9.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-131 = "US Eastern Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-791 = "SA Western Daylight Time" C:\Users\Admin\AppData\Local\Temp\d869c43edeffa5f506d4d2473c7286430c7600dc99c6c08f6ea224215e79b3c9.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-3141 = "South Sudan Daylight Time" C:\Users\Admin\AppData\Local\Temp\d869c43edeffa5f506d4d2473c7286430c7600dc99c6c08f6ea224215e79b3c9.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1472 = "Magadan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-502 = "Nepal Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-121 = "SA Pacific Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-492 = "India Standard Time" C:\Users\Admin\AppData\Local\Temp\d869c43edeffa5f506d4d2473c7286430c7600dc99c6c08f6ea224215e79b3c9.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1862 = "Russia TZ 6 Standard Time" C:\Users\Admin\AppData\Local\Temp\d869c43edeffa5f506d4d2473c7286430c7600dc99c6c08f6ea224215e79b3c9.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2572 = "Turks and Caicos Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-448 = "Azerbaijan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-334 = "Jordan Daylight Time" C:\Windows\windefender.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2452 = "Saint Pierre Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-215 = "Pacific Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\d869c43edeffa5f506d4d2473c7286430c7600dc99c6c08f6ea224215e79b3c9.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-71 = "Newfoundland Daylight Time" C:\Windows\windefender.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d869c43edeffa5f506d4d2473c7286430c7600dc99c6c08f6ea224215e79b3c9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d869c43edeffa5f506d4d2473c7286430c7600dc99c6c08f6ea224215e79b3c9.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d869c43edeffa5f506d4d2473c7286430c7600dc99c6c08f6ea224215e79b3c9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d869c43edeffa5f506d4d2473c7286430c7600dc99c6c08f6ea224215e79b3c9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d869c43edeffa5f506d4d2473c7286430c7600dc99c6c08f6ea224215e79b3c9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d869c43edeffa5f506d4d2473c7286430c7600dc99c6c08f6ea224215e79b3c9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d869c43edeffa5f506d4d2473c7286430c7600dc99c6c08f6ea224215e79b3c9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d869c43edeffa5f506d4d2473c7286430c7600dc99c6c08f6ea224215e79b3c9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d869c43edeffa5f506d4d2473c7286430c7600dc99c6c08f6ea224215e79b3c9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d869c43edeffa5f506d4d2473c7286430c7600dc99c6c08f6ea224215e79b3c9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d869c43edeffa5f506d4d2473c7286430c7600dc99c6c08f6ea224215e79b3c9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d869c43edeffa5f506d4d2473c7286430c7600dc99c6c08f6ea224215e79b3c9.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\d869c43edeffa5f506d4d2473c7286430c7600dc99c6c08f6ea224215e79b3c9.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\d869c43edeffa5f506d4d2473c7286430c7600dc99c6c08f6ea224215e79b3c9.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4364 wrote to memory of 4664 N/A C:\Users\Admin\AppData\Local\Temp\d869c43edeffa5f506d4d2473c7286430c7600dc99c6c08f6ea224215e79b3c9.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4364 wrote to memory of 4664 N/A C:\Users\Admin\AppData\Local\Temp\d869c43edeffa5f506d4d2473c7286430c7600dc99c6c08f6ea224215e79b3c9.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4364 wrote to memory of 4664 N/A C:\Users\Admin\AppData\Local\Temp\d869c43edeffa5f506d4d2473c7286430c7600dc99c6c08f6ea224215e79b3c9.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5052 wrote to memory of 3540 N/A C:\Users\Admin\AppData\Local\Temp\d869c43edeffa5f506d4d2473c7286430c7600dc99c6c08f6ea224215e79b3c9.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5052 wrote to memory of 3540 N/A C:\Users\Admin\AppData\Local\Temp\d869c43edeffa5f506d4d2473c7286430c7600dc99c6c08f6ea224215e79b3c9.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5052 wrote to memory of 3540 N/A C:\Users\Admin\AppData\Local\Temp\d869c43edeffa5f506d4d2473c7286430c7600dc99c6c08f6ea224215e79b3c9.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5052 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\d869c43edeffa5f506d4d2473c7286430c7600dc99c6c08f6ea224215e79b3c9.exe C:\Windows\system32\cmd.exe
PID 5052 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\d869c43edeffa5f506d4d2473c7286430c7600dc99c6c08f6ea224215e79b3c9.exe C:\Windows\system32\cmd.exe
PID 2532 wrote to memory of 4840 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2532 wrote to memory of 4840 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 5052 wrote to memory of 1368 N/A C:\Users\Admin\AppData\Local\Temp\d869c43edeffa5f506d4d2473c7286430c7600dc99c6c08f6ea224215e79b3c9.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5052 wrote to memory of 1368 N/A C:\Users\Admin\AppData\Local\Temp\d869c43edeffa5f506d4d2473c7286430c7600dc99c6c08f6ea224215e79b3c9.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5052 wrote to memory of 1368 N/A C:\Users\Admin\AppData\Local\Temp\d869c43edeffa5f506d4d2473c7286430c7600dc99c6c08f6ea224215e79b3c9.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5052 wrote to memory of 4800 N/A C:\Users\Admin\AppData\Local\Temp\d869c43edeffa5f506d4d2473c7286430c7600dc99c6c08f6ea224215e79b3c9.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5052 wrote to memory of 4800 N/A C:\Users\Admin\AppData\Local\Temp\d869c43edeffa5f506d4d2473c7286430c7600dc99c6c08f6ea224215e79b3c9.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5052 wrote to memory of 4800 N/A C:\Users\Admin\AppData\Local\Temp\d869c43edeffa5f506d4d2473c7286430c7600dc99c6c08f6ea224215e79b3c9.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5052 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\d869c43edeffa5f506d4d2473c7286430c7600dc99c6c08f6ea224215e79b3c9.exe C:\Windows\rss\csrss.exe
PID 5052 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\d869c43edeffa5f506d4d2473c7286430c7600dc99c6c08f6ea224215e79b3c9.exe C:\Windows\rss\csrss.exe
PID 5052 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\d869c43edeffa5f506d4d2473c7286430c7600dc99c6c08f6ea224215e79b3c9.exe C:\Windows\rss\csrss.exe
PID 2232 wrote to memory of 4616 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2232 wrote to memory of 4616 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2232 wrote to memory of 4616 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2232 wrote to memory of 4896 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2232 wrote to memory of 4896 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2232 wrote to memory of 4896 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2232 wrote to memory of 4168 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2232 wrote to memory of 4168 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2232 wrote to memory of 4168 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2232 wrote to memory of 656 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 2232 wrote to memory of 656 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 1476 wrote to memory of 3996 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 1476 wrote to memory of 3996 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 1476 wrote to memory of 3996 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 3996 wrote to memory of 3676 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 3996 wrote to memory of 3676 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 3996 wrote to memory of 3676 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\d869c43edeffa5f506d4d2473c7286430c7600dc99c6c08f6ea224215e79b3c9.exe

"C:\Users\Admin\AppData\Local\Temp\d869c43edeffa5f506d4d2473c7286430c7600dc99c6c08f6ea224215e79b3c9.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\d869c43edeffa5f506d4d2473c7286430c7600dc99c6c08f6ea224215e79b3c9.exe

"C:\Users\Admin\AppData\Local\Temp\d869c43edeffa5f506d4d2473c7286430c7600dc99c6c08f6ea224215e79b3c9.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 6f172b2d-8d01-4a3d-8b86-a722a9b97696.uuid.thestatsfiles.ru udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 server1.thestatsfiles.ru udp
US 74.125.250.129:19302 stun1.l.google.com udp
US 162.159.134.233:443 cdn.discordapp.com tcp
BG 185.82.216.96:443 server1.thestatsfiles.ru tcp
US 104.21.94.82:443 carsalessystem.com tcp
BG 185.82.216.96:443 server1.thestatsfiles.ru tcp
BG 185.82.216.96:443 server1.thestatsfiles.ru tcp
BG 185.82.216.96:443 server1.thestatsfiles.ru tcp

Files

memory/4364-1-0x0000000002A20000-0x0000000002E26000-memory.dmp

memory/4364-2-0x0000000002E30000-0x000000000371B000-memory.dmp

memory/4364-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4664-4-0x0000000074ADE000-0x0000000074ADF000-memory.dmp

memory/4664-5-0x0000000003420000-0x0000000003456000-memory.dmp

memory/4664-6-0x0000000074AD0000-0x0000000075281000-memory.dmp

memory/4664-7-0x0000000005CC0000-0x00000000062EA000-memory.dmp

memory/4664-8-0x0000000005A90000-0x0000000005AB2000-memory.dmp

memory/4664-9-0x00000000062F0000-0x0000000006356000-memory.dmp

memory/4664-10-0x0000000006360000-0x00000000063C6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_q5kwekuh.rvv.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4664-19-0x00000000063D0000-0x0000000006727000-memory.dmp

memory/4664-20-0x00000000068E0000-0x00000000068FE000-memory.dmp

memory/4664-21-0x0000000006970000-0x00000000069BC000-memory.dmp

memory/4664-22-0x0000000006E50000-0x0000000006E96000-memory.dmp

memory/4664-24-0x0000000070D40000-0x0000000070D8C000-memory.dmp

memory/4664-25-0x0000000074AD0000-0x0000000075281000-memory.dmp

memory/4664-23-0x0000000007CE0000-0x0000000007D14000-memory.dmp

memory/4664-26-0x0000000070ED0000-0x0000000071227000-memory.dmp

memory/4664-35-0x0000000007D40000-0x0000000007D5E000-memory.dmp

memory/4664-36-0x0000000007D60000-0x0000000007E04000-memory.dmp

memory/4664-37-0x0000000074AD0000-0x0000000075281000-memory.dmp

memory/4664-39-0x0000000007E90000-0x0000000007EAA000-memory.dmp

memory/4664-38-0x00000000084D0000-0x0000000008B4A000-memory.dmp

memory/4664-40-0x0000000007ED0000-0x0000000007EDA000-memory.dmp

memory/4664-41-0x0000000007FE0000-0x0000000008076000-memory.dmp

memory/4664-42-0x0000000007EF0000-0x0000000007F01000-memory.dmp

memory/4664-43-0x0000000007F40000-0x0000000007F4E000-memory.dmp

memory/4664-44-0x0000000007F50000-0x0000000007F65000-memory.dmp

memory/4664-45-0x0000000007FA0000-0x0000000007FBA000-memory.dmp

memory/4664-46-0x0000000007FC0000-0x0000000007FC8000-memory.dmp

memory/4664-49-0x0000000074AD0000-0x0000000075281000-memory.dmp

memory/5052-51-0x0000000002A40000-0x0000000002E46000-memory.dmp

memory/3540-60-0x0000000005BA0000-0x0000000005EF7000-memory.dmp

memory/3540-61-0x0000000070D40000-0x0000000070D8C000-memory.dmp

memory/3540-62-0x0000000070F90000-0x00000000712E7000-memory.dmp

memory/3540-71-0x00000000072A0000-0x0000000007344000-memory.dmp

memory/3540-72-0x00000000075D0000-0x00000000075E1000-memory.dmp

memory/4364-74-0x0000000002A20000-0x0000000002E26000-memory.dmp

memory/4364-73-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4364-75-0x0000000002E30000-0x000000000371B000-memory.dmp

memory/3540-76-0x0000000007620000-0x0000000007635000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 d0c46cad6c0778401e21910bd6b56b70
SHA1 7be418951ea96326aca445b8dfe449b2bfa0dca6
SHA256 9600b3fdf0565ccb49e21656aa4b24d7c18f776bfd04d9ee984b134707550f02
SHA512 057531b468f7fbbb2175a696a8aab274dec0d17d9f71df309edcff35e064f3378050066a3df47ccd03048fac461594ec75e3d4fe64f9dd79949d129f51e02949

memory/1368-88-0x0000000005640000-0x0000000005997000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 58dde185d873e8008048759f98f6b878
SHA1 0bc8d0f1085e8f62dfd29b516eacc90a41c550ad
SHA256 98d4fe3ea33bd5d46791984ae9abbb72649a5ad1e66e9acabf1e01e30c38322c
SHA512 6e2d1e22df56d11f75a268d0d9a63c3a4da11d36b5f8e27404f095ec5a9da3a86229aea1ad36be460048bde95de13e36029385f5d13543c4cb0d6b317593f39a

memory/1368-91-0x0000000070EC0000-0x0000000071217000-memory.dmp

memory/1368-90-0x0000000070D40000-0x0000000070D8C000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 10db742160627ff20667294ff476c4d3
SHA1 c75411dd8de08606d264ed34db2ea3e32cee9e35
SHA256 41669a7312c0ea18b68da61b6fd6c8c91f44694659056311a4afd3b61e10bcb8
SHA512 6d71971dab9bee2e9475c461b2e4b08fff44bc09dbe8c775200c3d0b39065fe3d06fedbe382347b2289dacf4871a0f49c81f62cef290d75207c87f9ec1068bdf

memory/4800-111-0x0000000070F90000-0x00000000712E7000-memory.dmp

memory/4800-110-0x0000000070D40000-0x0000000070D8C000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 d32b9d6134c9c22d54de56687bcd7a0b
SHA1 76787efd4bf960188b435f6287de1f29988557c9
SHA256 d869c43edeffa5f506d4d2473c7286430c7600dc99c6c08f6ea224215e79b3c9
SHA512 ca8a9f5f1cd97496aeaccd0aa9a96859e7377ecc202ae9d8da167d68c09f89f6643fa6dfa5ff7814931133b582a8cc3414fa4c81a3c4f50dc48ecae3ecce4096

memory/5052-126-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 8d4cbecc4b1e34ec63eefb54210f3ba9
SHA1 de8215a5449dff320249db411d605d5ed1e5dc6a
SHA256 2e5d8e3ff152d1284d33bc58e2d7158ba0e0c56e6165c8c2ee67e59640fa3c95
SHA512 34633872f7a8699a527f8ffcd04574b5562bd7b3b5ea7861da0df4575fe6268f68f03c2d2651393accdd3bacce8017d4c6e679eb11fdee8e607fbace2cb4ff63

memory/4616-136-0x0000000070D40000-0x0000000070D8C000-memory.dmp

memory/4616-137-0x0000000070F90000-0x00000000712E7000-memory.dmp

memory/4896-156-0x00000000058A0000-0x0000000005BF7000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 7568d5c0227a352cec93fccaf17c0399
SHA1 e9b2359665f73412c952f76717295c95dc4b91b3
SHA256 a30c4567b16ea327e08e5738439218cc251a27f284e249b91ad294ddcecb79b2
SHA512 48c7e47fdc15528b57af188e7e6df0876945bb687f49e1555faa80cb5e3521544f1888a2a6c4d1be3169465ce01a71ca6b1838217f42838a83989a62459a09e0

memory/4896-158-0x0000000005EE0000-0x0000000005F2C000-memory.dmp

memory/4896-159-0x0000000070C60000-0x0000000070CAC000-memory.dmp

memory/4896-160-0x0000000070EB0000-0x0000000071207000-memory.dmp

memory/4896-169-0x0000000007070000-0x0000000007114000-memory.dmp

memory/4896-170-0x00000000073C0000-0x00000000073D1000-memory.dmp

memory/4896-171-0x00000000057F0000-0x0000000005805000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 6f16f8b3ef0a46fc43c031859e551c46
SHA1 414a804aa9088fb7fc2d49d943abe4a05268f0fa
SHA256 3fa80a76b9f8ee6a72b2804f34462d17f3adf2649f0310299f39918b9fe1eb0a
SHA512 8523e3239f78cae59706034c55e601487ae4802cd5768a77f8ca64e1e89bc1774ff4b30992ad4bf8b84548189f05eab90ff0aaf032878858ea3bc6563e86a3ff

memory/4168-182-0x0000000070C60000-0x0000000070CAC000-memory.dmp

memory/4168-183-0x0000000070EB0000-0x0000000071207000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/2232-200-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/5052-201-0x0000000002A40000-0x0000000002E46000-memory.dmp

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/1476-205-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3540-209-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/1476-211-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2232-213-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2232-215-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3540-216-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2232-219-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3540-223-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2232-225-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2232-229-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2232-231-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2232-235-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2232-241-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2232-245-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2232-247-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2232-251-0x0000000000400000-0x0000000000D1C000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-16 10:24

Reported

2024-05-16 10:26

Platform

win10v2004-20240508-en

Max time kernel

38s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d869c43edeffa5f506d4d2473c7286430c7600dc99c6c08f6ea224215e79b3c9.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\d869c43edeffa5f506d4d2473c7286430c7600dc99c6c08f6ea224215e79b3c9.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\d869c43edeffa5f506d4d2473c7286430c7600dc99c6c08f6ea224215e79b3c9.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\d869c43edeffa5f506d4d2473c7286430c7600dc99c6c08f6ea224215e79b3c9.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\d869c43edeffa5f506d4d2473c7286430c7600dc99c6c08f6ea224215e79b3c9.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-3142 = "South Sudan Standard Time" C:\Users\Admin\AppData\Local\Temp\d869c43edeffa5f506d4d2473c7286430c7600dc99c6c08f6ea224215e79b3c9.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1022 = "Bangladesh Standard Time" C:\Users\Admin\AppData\Local\Temp\d869c43edeffa5f506d4d2473c7286430c7600dc99c6c08f6ea224215e79b3c9.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-161 = "Central Daylight Time" C:\Users\Admin\AppData\Local\Temp\d869c43edeffa5f506d4d2473c7286430c7600dc99c6c08f6ea224215e79b3c9.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-681 = "E. Australia Daylight Time" C:\Users\Admin\AppData\Local\Temp\d869c43edeffa5f506d4d2473c7286430c7600dc99c6c08f6ea224215e79b3c9.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2061 = "North Korea Daylight Time" C:\Users\Admin\AppData\Local\Temp\d869c43edeffa5f506d4d2473c7286430c7600dc99c6c08f6ea224215e79b3c9.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-661 = "Cen. Australia Daylight Time" C:\Users\Admin\AppData\Local\Temp\d869c43edeffa5f506d4d2473c7286430c7600dc99c6c08f6ea224215e79b3c9.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2771 = "Omsk Daylight Time" C:\Users\Admin\AppData\Local\Temp\d869c43edeffa5f506d4d2473c7286430c7600dc99c6c08f6ea224215e79b3c9.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-931 = "Coordinated Universal Time" C:\Users\Admin\AppData\Local\Temp\d869c43edeffa5f506d4d2473c7286430c7600dc99c6c08f6ea224215e79b3c9.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-435 = "Georgian Standard Time" C:\Users\Admin\AppData\Local\Temp\d869c43edeffa5f506d4d2473c7286430c7600dc99c6c08f6ea224215e79b3c9.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-334 = "Jordan Daylight Time" C:\Users\Admin\AppData\Local\Temp\d869c43edeffa5f506d4d2473c7286430c7600dc99c6c08f6ea224215e79b3c9.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-384 = "Namibia Daylight Time" C:\Users\Admin\AppData\Local\Temp\d869c43edeffa5f506d4d2473c7286430c7600dc99c6c08f6ea224215e79b3c9.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1872 = "Russia TZ 7 Standard Time" C:\Users\Admin\AppData\Local\Temp\d869c43edeffa5f506d4d2473c7286430c7600dc99c6c08f6ea224215e79b3c9.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2002 = "Cabo Verde Standard Time" C:\Users\Admin\AppData\Local\Temp\d869c43edeffa5f506d4d2473c7286430c7600dc99c6c08f6ea224215e79b3c9.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2532 = "Chatham Islands Standard Time" C:\Users\Admin\AppData\Local\Temp\d869c43edeffa5f506d4d2473c7286430c7600dc99c6c08f6ea224215e79b3c9.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-571 = "China Daylight Time" C:\Users\Admin\AppData\Local\Temp\d869c43edeffa5f506d4d2473c7286430c7600dc99c6c08f6ea224215e79b3c9.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-542 = "Myanmar Standard Time" C:\Users\Admin\AppData\Local\Temp\d869c43edeffa5f506d4d2473c7286430c7600dc99c6c08f6ea224215e79b3c9.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1911 = "Russia TZ 10 Daylight Time" C:\Users\Admin\AppData\Local\Temp\d869c43edeffa5f506d4d2473c7286430c7600dc99c6c08f6ea224215e79b3c9.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2431 = "Cuba Daylight Time" C:\Users\Admin\AppData\Local\Temp\d869c43edeffa5f506d4d2473c7286430c7600dc99c6c08f6ea224215e79b3c9.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-231 = "Hawaiian Daylight Time" C:\Users\Admin\AppData\Local\Temp\d869c43edeffa5f506d4d2473c7286430c7600dc99c6c08f6ea224215e79b3c9.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1932 = "Russia TZ 11 Standard Time" C:\Users\Admin\AppData\Local\Temp\d869c43edeffa5f506d4d2473c7286430c7600dc99c6c08f6ea224215e79b3c9.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1041 = "Ulaanbaatar Daylight Time" C:\Users\Admin\AppData\Local\Temp\d869c43edeffa5f506d4d2473c7286430c7600dc99c6c08f6ea224215e79b3c9.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-449 = "Azerbaijan Standard Time" C:\Users\Admin\AppData\Local\Temp\d869c43edeffa5f506d4d2473c7286430c7600dc99c6c08f6ea224215e79b3c9.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-11 = "Azores Daylight Time" C:\Users\Admin\AppData\Local\Temp\d869c43edeffa5f506d4d2473c7286430c7600dc99c6c08f6ea224215e79b3c9.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-432 = "Iran Standard Time" C:\Users\Admin\AppData\Local\Temp\d869c43edeffa5f506d4d2473c7286430c7600dc99c6c08f6ea224215e79b3c9.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-142 = "Canada Central Standard Time" C:\Users\Admin\AppData\Local\Temp\d869c43edeffa5f506d4d2473c7286430c7600dc99c6c08f6ea224215e79b3c9.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2371 = "Easter Island Daylight Time" C:\Users\Admin\AppData\Local\Temp\d869c43edeffa5f506d4d2473c7286430c7600dc99c6c08f6ea224215e79b3c9.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-602 = "Taipei Standard Time" C:\Users\Admin\AppData\Local\Temp\d869c43edeffa5f506d4d2473c7286430c7600dc99c6c08f6ea224215e79b3c9.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-434 = "Georgian Daylight Time" C:\Users\Admin\AppData\Local\Temp\d869c43edeffa5f506d4d2473c7286430c7600dc99c6c08f6ea224215e79b3c9.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2512 = "Lord Howe Standard Time" C:\Users\Admin\AppData\Local\Temp\d869c43edeffa5f506d4d2473c7286430c7600dc99c6c08f6ea224215e79b3c9.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-791 = "SA Western Daylight Time" C:\Users\Admin\AppData\Local\Temp\d869c43edeffa5f506d4d2473c7286430c7600dc99c6c08f6ea224215e79b3c9.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-732 = "Fiji Standard Time" C:\Users\Admin\AppData\Local\Temp\d869c43edeffa5f506d4d2473c7286430c7600dc99c6c08f6ea224215e79b3c9.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2001 = "Cabo Verde Daylight Time" C:\Users\Admin\AppData\Local\Temp\d869c43edeffa5f506d4d2473c7286430c7600dc99c6c08f6ea224215e79b3c9.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-411 = "E. Africa Daylight Time" C:\Users\Admin\AppData\Local\Temp\d869c43edeffa5f506d4d2473c7286430c7600dc99c6c08f6ea224215e79b3c9.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-112 = "Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\d869c43edeffa5f506d4d2473c7286430c7600dc99c6c08f6ea224215e79b3c9.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-561 = "SE Asia Daylight Time" C:\Users\Admin\AppData\Local\Temp\d869c43edeffa5f506d4d2473c7286430c7600dc99c6c08f6ea224215e79b3c9.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1042 = "Ulaanbaatar Standard Time" C:\Users\Admin\AppData\Local\Temp\d869c43edeffa5f506d4d2473c7286430c7600dc99c6c08f6ea224215e79b3c9.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d869c43edeffa5f506d4d2473c7286430c7600dc99c6c08f6ea224215e79b3c9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d869c43edeffa5f506d4d2473c7286430c7600dc99c6c08f6ea224215e79b3c9.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d869c43edeffa5f506d4d2473c7286430c7600dc99c6c08f6ea224215e79b3c9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d869c43edeffa5f506d4d2473c7286430c7600dc99c6c08f6ea224215e79b3c9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d869c43edeffa5f506d4d2473c7286430c7600dc99c6c08f6ea224215e79b3c9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d869c43edeffa5f506d4d2473c7286430c7600dc99c6c08f6ea224215e79b3c9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d869c43edeffa5f506d4d2473c7286430c7600dc99c6c08f6ea224215e79b3c9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d869c43edeffa5f506d4d2473c7286430c7600dc99c6c08f6ea224215e79b3c9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d869c43edeffa5f506d4d2473c7286430c7600dc99c6c08f6ea224215e79b3c9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d869c43edeffa5f506d4d2473c7286430c7600dc99c6c08f6ea224215e79b3c9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d869c43edeffa5f506d4d2473c7286430c7600dc99c6c08f6ea224215e79b3c9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d869c43edeffa5f506d4d2473c7286430c7600dc99c6c08f6ea224215e79b3c9.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4036 wrote to memory of 4492 N/A C:\Users\Admin\AppData\Local\Temp\d869c43edeffa5f506d4d2473c7286430c7600dc99c6c08f6ea224215e79b3c9.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4036 wrote to memory of 4492 N/A C:\Users\Admin\AppData\Local\Temp\d869c43edeffa5f506d4d2473c7286430c7600dc99c6c08f6ea224215e79b3c9.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4036 wrote to memory of 4492 N/A C:\Users\Admin\AppData\Local\Temp\d869c43edeffa5f506d4d2473c7286430c7600dc99c6c08f6ea224215e79b3c9.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4352 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\d869c43edeffa5f506d4d2473c7286430c7600dc99c6c08f6ea224215e79b3c9.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4352 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\d869c43edeffa5f506d4d2473c7286430c7600dc99c6c08f6ea224215e79b3c9.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4352 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\d869c43edeffa5f506d4d2473c7286430c7600dc99c6c08f6ea224215e79b3c9.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4352 wrote to memory of 4412 N/A C:\Users\Admin\AppData\Local\Temp\d869c43edeffa5f506d4d2473c7286430c7600dc99c6c08f6ea224215e79b3c9.exe C:\Windows\system32\cmd.exe
PID 4352 wrote to memory of 4412 N/A C:\Users\Admin\AppData\Local\Temp\d869c43edeffa5f506d4d2473c7286430c7600dc99c6c08f6ea224215e79b3c9.exe C:\Windows\system32\cmd.exe
PID 4412 wrote to memory of 1908 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4412 wrote to memory of 1908 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4352 wrote to memory of 5096 N/A C:\Users\Admin\AppData\Local\Temp\d869c43edeffa5f506d4d2473c7286430c7600dc99c6c08f6ea224215e79b3c9.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4352 wrote to memory of 5096 N/A C:\Users\Admin\AppData\Local\Temp\d869c43edeffa5f506d4d2473c7286430c7600dc99c6c08f6ea224215e79b3c9.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4352 wrote to memory of 5096 N/A C:\Users\Admin\AppData\Local\Temp\d869c43edeffa5f506d4d2473c7286430c7600dc99c6c08f6ea224215e79b3c9.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4352 wrote to memory of 4500 N/A C:\Users\Admin\AppData\Local\Temp\d869c43edeffa5f506d4d2473c7286430c7600dc99c6c08f6ea224215e79b3c9.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4352 wrote to memory of 4500 N/A C:\Users\Admin\AppData\Local\Temp\d869c43edeffa5f506d4d2473c7286430c7600dc99c6c08f6ea224215e79b3c9.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4352 wrote to memory of 4500 N/A C:\Users\Admin\AppData\Local\Temp\d869c43edeffa5f506d4d2473c7286430c7600dc99c6c08f6ea224215e79b3c9.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4352 wrote to memory of 4992 N/A C:\Users\Admin\AppData\Local\Temp\d869c43edeffa5f506d4d2473c7286430c7600dc99c6c08f6ea224215e79b3c9.exe C:\Windows\rss\csrss.exe
PID 4352 wrote to memory of 4992 N/A C:\Users\Admin\AppData\Local\Temp\d869c43edeffa5f506d4d2473c7286430c7600dc99c6c08f6ea224215e79b3c9.exe C:\Windows\rss\csrss.exe
PID 4352 wrote to memory of 4992 N/A C:\Users\Admin\AppData\Local\Temp\d869c43edeffa5f506d4d2473c7286430c7600dc99c6c08f6ea224215e79b3c9.exe C:\Windows\rss\csrss.exe
PID 4992 wrote to memory of 3548 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4992 wrote to memory of 3548 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4992 wrote to memory of 3548 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4992 wrote to memory of 4972 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4992 wrote to memory of 4972 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4992 wrote to memory of 4972 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4992 wrote to memory of 4360 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4992 wrote to memory of 4360 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4992 wrote to memory of 4360 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4992 wrote to memory of 3400 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 4992 wrote to memory of 3400 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\d869c43edeffa5f506d4d2473c7286430c7600dc99c6c08f6ea224215e79b3c9.exe

"C:\Users\Admin\AppData\Local\Temp\d869c43edeffa5f506d4d2473c7286430c7600dc99c6c08f6ea224215e79b3c9.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\d869c43edeffa5f506d4d2473c7286430c7600dc99c6c08f6ea224215e79b3c9.exe

"C:\Users\Admin\AppData\Local\Temp\d869c43edeffa5f506d4d2473c7286430c7600dc99c6c08f6ea224215e79b3c9.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
BE 88.221.83.178:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 178.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
BE 88.221.83.178:443 www.bing.com tcp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 76d72277-9668-4b2c-8d4c-d562da56f842.uuid.thestatsfiles.ru udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 stun2.l.google.com udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 server16.thestatsfiles.ru udp
US 162.159.133.233:443 cdn.discordapp.com tcp
US 74.125.250.129:19302 stun2.l.google.com udp
BG 185.82.216.96:443 server16.thestatsfiles.ru tcp
US 8.8.8.8:53 129.250.125.74.in-addr.arpa udp
US 8.8.8.8:53 carsalessystem.com udp
US 104.21.94.82:443 carsalessystem.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_sz2pphxy.z2z.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 3d086a433708053f9bf9523e1d87a4e8
SHA1 b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA256 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 155e6042ed15a185372894c78038c811
SHA1 a8c21b81f5cf5b50f4d99f5fce05b958cf1bbdef
SHA256 00f83caf33ded893e31d01e3b4b131d19d6c1018ed7560681987d69a48ab90a8
SHA512 2f63e5c4100805c0e4ff418429d9bded6195a0bf9f0eacdbc8cc069acdcc11798482856e217a0bd5dc38a79a71dc97876c9ea5d268968ecaf474bf2e35d125da

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 4b10f616055d1ed91af8bdcffbe3b886
SHA1 adc790d6fae43a338f56f35a99616ebd4321c18d
SHA256 cc3ab3ed2d3318329f747533d15915d8ed16aededb71a3f8ea4ddf7a8b2faa60
SHA512 4c446e5c658e3f5ad6d37788276d7bcb2ff25d5811550015106dbcfcd1def539d47194febe9370f8052bbfa1433c4b8e3a4b065ea85dfceb2def1c692211d4ae

C:\Windows\rss\csrss.exe

MD5 d32b9d6134c9c22d54de56687bcd7a0b
SHA1 76787efd4bf960188b435f6287de1f29988557c9
SHA256 d869c43edeffa5f506d4d2473c7286430c7600dc99c6c08f6ea224215e79b3c9
SHA512 ca8a9f5f1cd97496aeaccd0aa9a96859e7377ecc202ae9d8da167d68c09f89f6643fa6dfa5ff7814931133b582a8cc3414fa4c81a3c4f50dc48ecae3ecce4096

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 a56514c3aaf2d087f0e6391821a4a84e
SHA1 ae8cd76eb7aac4e2ed4a746674d869d2678c5ea2
SHA256 f03ec17fdf77917046f01df672adca5e4df56fa7150977c614c0205442a02fcc
SHA512 3bbac0a9699fc985c515de8d679793dd1c773ad62b28d1b0bd066ef4b330580bc3c420c575d15e5c26130857a82e76ed78bc43dd5571d9ecc234c422eafbe547

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 661b0dc024adffed4f626f9f6e5bd1f0
SHA1 fc17d80af88c1ed38210ba0f60b1ecee700ad953
SHA256 10947c4cc5877b49141a7fd1d1c1988b1732217d3ee90d30153354186a73c583
SHA512 738086762fea0809dc2d051660b9b5307e16d588fad3b4e757872d15a149d3af532082fa3d10e234f912c7932d7a6fcb9780e27e5d95721229321bff214531ac

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 d279f2e67f76e243c912be1c580c5cba
SHA1 a306d350b0a1ee8395866cbb878537185d574e94
SHA256 40390f312c0b8d55a4c2e837d915228430201f9c79010e19f5eaa2bf260bcefe
SHA512 b95fa66b1161181aa6d2ed2d038fb997d79e9aadcfc32bae952172df35ce98eb3b66f72245a0f0f265571ad21feadedf4f34e1f4bdc924aa5e64482077528709

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5