Malware Analysis Report

2024-12-08 02:06

Sample ID: 240516-p3esssdd71
Target: ada284a0f504323fd01ec7e7d8857e8d818d9dfed958c547e6f4f8df2e868f94
SHA256: ada284a0f504323fd01ec7e7d8857e8d818d9dfed958c547e6f4f8df2e868f94
Tags: glupteba discovery dropper evasion execution loader persistence rootkit upx
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: ada284a0f504323fd01ec7e7d8857e8d818d9dfed958c547e6f4f8df2e868f94

Threat Level: Known bad

The file ada284a0f504323fd01ec7e7d8857e8d818d9dfed958c547e6f4f8df2e868f94 was found to be: Known bad.

Malicious Activity Summary

glupteba discovery dropper evasion execution loader persistence rootkit upx

Glupteba

Glupteba payload

Modifies Windows Firewall

Executes dropped EXE

UPX packed file

Manipulates WinMonFS driver.

Adds Run key to start application

Checks installed software on the system

Drops file in System32 directory

Launches sc.exe

Checks for VirtualBox DLLs, possible anti-VM trick

Drops file in Windows directory

Command and Scripting Interpreter: PowerShell

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-05-16 12:50

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-05-16 12:50
Reported: 2024-05-16 12:53
Platform: win10v2004-20240426-en
Max time kernel: 150s
Max time network: 134s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ada284a0f504323fd01ec7e7d8857e8d818d9dfed958c547e6f4f8df2e868f94.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload


Modifies Windows Firewall

evasion
Process: C:\Windows\system32\netsh.exe

Executes dropped EXE

Process: C:\Windows\rss\csrss.exe
Process: C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
Process: C:\Windows\windefender.exe
Process: C:\Windows\windefender.exe

UPX packed file

upx

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\ada284a0f504323fd01ec7e7d8857e8d818d9dfed958c547e6f4f8df2e868f94.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\ada284a0f504323fd01ec7e7d8857e8d818d9dfed958c547e6f4f8df2e868f94.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\ada284a0f504323fd01ec7e7d8857e8d818d9dfed958c547e6f4f8df2e868f94.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\ada284a0f504323fd01ec7e7d8857e8d818d9dfed958c547e6f4f8df2e868f94.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Process: C:\Windows\SysWOW64\sc.exe

Creates scheduled task(s)

persistence
Process: C:\Windows\SYSTEM32\schtasks.exe
Process: C:\Windows\SYSTEM32\schtasks.exe

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-741 = "New Zealand Daylight Time" C:\Users\Admin\AppData\Local\Temp\ada284a0f504323fd01ec7e7d8857e8d818d9dfed958c547e6f4f8df2e868f94.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2062 = "North Korea Standard Time" C:\Users\Admin\AppData\Local\Temp\ada284a0f504323fd01ec7e7d8857e8d818d9dfed958c547e6f4f8df2e868f94.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-192 = "Mountain Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-241 = "Samoa Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time" C:\Users\Admin\AppData\Local\Temp\ada284a0f504323fd01ec7e7d8857e8d818d9dfed958c547e6f4f8df2e868f94.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2571 = "Turks and Caicos Daylight Time" C:\Users\Admin\AppData\Local\Temp\ada284a0f504323fd01ec7e7d8857e8d818d9dfed958c547e6f4f8df2e868f94.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2392 = "Aleutian Standard Time" C:\Users\Admin\AppData\Local\Temp\ada284a0f504323fd01ec7e7d8857e8d818d9dfed958c547e6f4f8df2e868f94.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\ada284a0f504323fd01ec7e7d8857e8d818d9dfed958c547e6f4f8df2e868f94.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-932 = "Coordinated Universal Time" C:\Users\Admin\AppData\Local\Temp\ada284a0f504323fd01ec7e7d8857e8d818d9dfed958c547e6f4f8df2e868f94.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2511 = "Lord Howe Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2042 = "Eastern Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\ada284a0f504323fd01ec7e7d8857e8d818d9dfed958c547e6f4f8df2e868f94.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-462 = "Afghanistan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-301 = "Romance Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-842 = "Argentina Standard Time" C:\Users\Admin\AppData\Local\Temp\ada284a0f504323fd01ec7e7d8857e8d818d9dfed958c547e6f4f8df2e868f94.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-232 = "Hawaiian Standard Time" C:\Users\Admin\AppData\Local\Temp\ada284a0f504323fd01ec7e7d8857e8d818d9dfed958c547e6f4f8df2e868f94.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-41 = "E. South America Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2042 = "Eastern Standard Time (Mexico)" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1412 = "Syria Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-932 = "Coordinated Universal Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2512 = "Lord Howe Standard Time" C:\Users\Admin\AppData\Local\Temp\ada284a0f504323fd01ec7e7d8857e8d818d9dfed958c547e6f4f8df2e868f94.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-92 = "Pacific SA Standard Time" C:\Users\Admin\AppData\Local\Temp\ada284a0f504323fd01ec7e7d8857e8d818d9dfed958c547e6f4f8df2e868f94.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-215 = "Pacific Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\ada284a0f504323fd01ec7e7d8857e8d818d9dfed958c547e6f4f8df2e868f94.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-361 = "GTB Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-191 = "Mountain Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2141 = "Transbaikal Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2491 = "Aus Central W. Daylight Time" C:\Users\Admin\AppData\Local\Temp\ada284a0f504323fd01ec7e7d8857e8d818d9dfed958c547e6f4f8df2e868f94.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-171 = "Central Daylight Time (Mexico)" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2591 = "Tocantins Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-632 = "Tokyo Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-361 = "GTB Daylight Time" C:\Users\Admin\AppData\Local\Temp\ada284a0f504323fd01ec7e7d8857e8d818d9dfed958c547e6f4f8df2e868f94.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-431 = "Iran Daylight Time" C:\Users\Admin\AppData\Local\Temp\ada284a0f504323fd01ec7e7d8857e8d818d9dfed958c547e6f4f8df2e868f94.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1971 = "Belarus Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-32 = "Mid-Atlantic Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-691 = "Tasmania Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time" C:\Users\Admin\AppData\Local\Temp\ada284a0f504323fd01ec7e7d8857e8d818d9dfed958c547e6f4f8df2e868f94.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-542 = "Myanmar Standard Time" C:\Users\Admin\AppData\Local\Temp\ada284a0f504323fd01ec7e7d8857e8d818d9dfed958c547e6f4f8df2e868f94.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-632 = "Tokyo Standard Time" C:\Users\Admin\AppData\Local\Temp\ada284a0f504323fd01ec7e7d8857e8d818d9dfed958c547e6f4f8df2e868f94.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1911 = "Russia TZ 10 Daylight Time" C:\Users\Admin\AppData\Local\Temp\ada284a0f504323fd01ec7e7d8857e8d818d9dfed958c547e6f4f8df2e868f94.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Processes flagged (repeated hits collapsed to distinct processes):
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Process: C:\Users\Admin\AppData\Local\Temp\ada284a0f504323fd01ec7e7d8857e8d818d9dfed958c547e6f4f8df2e868f94.exe
Process: C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
Process: C:\Windows\rss\csrss.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ada284a0f504323fd01ec7e7d8857e8d818d9dfed958c547e6f4f8df2e868f94.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\ada284a0f504323fd01ec7e7d8857e8d818d9dfed958c547e6f4f8df2e868f94.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target (repeated identical rows collapsed)
PID 3784 wrote to memory of 1600 N/A C:\Users\Admin\AppData\Local\Temp\ada284a0f504323fd01ec7e7d8857e8d818d9dfed958c547e6f4f8df2e868f94.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4612 wrote to memory of 1004 N/A C:\Users\Admin\AppData\Local\Temp\ada284a0f504323fd01ec7e7d8857e8d818d9dfed958c547e6f4f8df2e868f94.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4612 wrote to memory of 1880 N/A C:\Users\Admin\AppData\Local\Temp\ada284a0f504323fd01ec7e7d8857e8d818d9dfed958c547e6f4f8df2e868f94.exe C:\Windows\system32\cmd.exe
PID 1880 wrote to memory of 1160 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4612 wrote to memory of 3504 N/A C:\Users\Admin\AppData\Local\Temp\ada284a0f504323fd01ec7e7d8857e8d818d9dfed958c547e6f4f8df2e868f94.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4612 wrote to memory of 1600 N/A C:\Users\Admin\AppData\Local\Temp\ada284a0f504323fd01ec7e7d8857e8d818d9dfed958c547e6f4f8df2e868f94.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4612 wrote to memory of 3312 N/A C:\Users\Admin\AppData\Local\Temp\ada284a0f504323fd01ec7e7d8857e8d818d9dfed958c547e6f4f8df2e868f94.exe C:\Windows\rss\csrss.exe
PID 3312 wrote to memory of 5104 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3312 wrote to memory of 3992 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3312 wrote to memory of 2624 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3312 wrote to memory of 4312 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 2060 wrote to memory of 4480 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 4480 wrote to memory of 4308 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes (image path, followed by its command line)

C:\Users\Admin\AppData\Local\Temp\ada284a0f504323fd01ec7e7d8857e8d818d9dfed958c547e6f4f8df2e868f94.exe
    "C:\Users\Admin\AppData\Local\Temp\ada284a0f504323fd01ec7e7d8857e8d818d9dfed958c547e6f4f8df2e868f94.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\ada284a0f504323fd01ec7e7d8857e8d818d9dfed958c547e6f4f8df2e868f94.exe
    "C:\Users\Admin\AppData\Local\Temp\ada284a0f504323fd01ec7e7d8857e8d818d9dfed958c547e6f4f8df2e868f94.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile

C:\Windows\system32\cmd.exe
    C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile

C:\Windows\rss\csrss.exe
    C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe
    schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe
    schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
    C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe
    schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe
    "C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe
    cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe
    sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe
    C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
BE 88.221.83.241:443 www.bing.com tcp
US 8.8.8.8:53 241.83.221.88.in-addr.arpa udp
BE 88.221.83.241:443 www.bing.com tcp
US 8.8.8.8:53 480e5281-9219-4e5f-97e1-0ad4de73eb24.uuid.thestatsfiles.ru udp
US 8.8.8.8:53 stun.l.google.com udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 server12.thestatsfiles.ru udp
US 74.125.250.129:19302 stun.l.google.com udp
US 162.159.133.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 129.250.125.74.in-addr.arpa udp
BG 185.82.216.96:443 server12.thestatsfiles.ru tcp
US 8.8.8.8:53 carsalessystem.com udp
US 172.67.221.71:443 carsalessystem.com tcp
US 8.8.8.8:53 96.216.82.185.in-addr.arpa udp
US 8.8.8.8:53 233.133.159.162.in-addr.arpa udp
US 8.8.8.8:53 71.221.67.172.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 31.251.17.2.in-addr.arpa udp
BG 185.82.216.96:443 server12.thestatsfiles.ru tcp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
IE 52.111.236.23:443 tcp
BG 185.82.216.96:443 server12.thestatsfiles.ru tcp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
BG 185.82.216.96:443 server12.thestatsfiles.ru tcp

Files

memory/3784-1-0x0000000002980000-0x0000000002D80000-memory.dmp

memory/3784-2-0x0000000002D80000-0x000000000366B000-memory.dmp

memory/3784-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1600-4-0x000000007408E000-0x000000007408F000-memory.dmp

memory/1600-5-0x0000000003360000-0x0000000003396000-memory.dmp

memory/1600-7-0x0000000005CB0000-0x00000000062D8000-memory.dmp

memory/1600-6-0x0000000074080000-0x0000000074830000-memory.dmp

memory/1600-8-0x0000000074080000-0x0000000074830000-memory.dmp

memory/1600-9-0x0000000005BA0000-0x0000000005BC2000-memory.dmp

memory/1600-10-0x00000000062E0000-0x0000000006346000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qhsrosmd.hoh.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1600-11-0x0000000005C40000-0x0000000005CA6000-memory.dmp

memory/1600-21-0x0000000006350000-0x00000000066A4000-memory.dmp

memory/1600-22-0x0000000006930000-0x000000000694E000-memory.dmp

memory/1600-23-0x0000000006960000-0x00000000069AC000-memory.dmp

memory/1600-24-0x0000000006EE0000-0x0000000006F24000-memory.dmp

memory/1600-25-0x0000000007C50000-0x0000000007CC6000-memory.dmp

memory/1600-26-0x0000000008350000-0x00000000089CA000-memory.dmp

memory/1600-27-0x0000000007CF0000-0x0000000007D0A000-memory.dmp

memory/1600-29-0x000000006FF20000-0x000000006FF6C000-memory.dmp

memory/1600-30-0x00000000700D0000-0x0000000070424000-memory.dmp

memory/1600-40-0x0000000007EF0000-0x0000000007F0E000-memory.dmp

memory/1600-41-0x0000000074080000-0x0000000074830000-memory.dmp

memory/1600-28-0x0000000007EB0000-0x0000000007EE2000-memory.dmp

memory/1600-43-0x0000000074080000-0x0000000074830000-memory.dmp

memory/1600-42-0x0000000007F10000-0x0000000007FB3000-memory.dmp

memory/1600-44-0x0000000008000000-0x000000000800A000-memory.dmp

memory/1600-45-0x0000000008110000-0x00000000081A6000-memory.dmp

memory/1600-46-0x0000000008010000-0x0000000008021000-memory.dmp

memory/1600-47-0x0000000008050000-0x000000000805E000-memory.dmp

memory/1600-48-0x0000000008070000-0x0000000008084000-memory.dmp

memory/1600-49-0x00000000080C0000-0x00000000080DA000-memory.dmp

memory/1600-50-0x00000000080B0000-0x00000000080B8000-memory.dmp

memory/1600-53-0x0000000074080000-0x0000000074830000-memory.dmp

memory/3784-54-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3784-55-0x0000000002D80000-0x000000000366B000-memory.dmp

memory/4612-57-0x0000000002950000-0x0000000002D56000-memory.dmp

memory/1004-63-0x0000000005630000-0x0000000005984000-memory.dmp

memory/1004-68-0x0000000005D50000-0x0000000005D9C000-memory.dmp

memory/1004-69-0x0000000070020000-0x000000007006C000-memory.dmp

memory/1004-70-0x00000000707C0000-0x0000000070B14000-memory.dmp

memory/1004-80-0x0000000006E40000-0x0000000006EE3000-memory.dmp

memory/1004-81-0x0000000007170000-0x0000000007181000-memory.dmp

memory/1004-82-0x00000000071C0000-0x00000000071D4000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 ab2b2275e89798c3f1220d66976536b2
SHA1 cac8aef65303757a01735544fccdae4799077005
SHA256 6ac06173008326465d07a2c5d2ca932ff4af8b136e7c066d5dd04f77fff78390
SHA512 eda999fc26db3158a784b0b3dde0d4f56d071dad64d160c2e4312a2ce275ee7d1f38083e63c41ac53cf35adacca21445eee371b0c28efe83d1f6dfd7caa9d600

memory/3504-97-0x00000000707C0000-0x0000000070B14000-memory.dmp

memory/3504-96-0x0000000070020000-0x000000007006C000-memory.dmp

memory/1600-117-0x0000000005B50000-0x0000000005EA4000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 5f85174aeaf14e33f1f80bbe89d563ce
SHA1 e7a6fe7190883a298fa33616b52dd5e78c54e3d5
SHA256 b44d7cc640cfc2cd41cab604764f9040700375b1bade8da3c4ecee868f61eb1b
SHA512 23a6956d78ef7da9fda5f6fb69e799df7e27773e62a545732802b57920c5df052543c5e5b043a029c7715250ac84406613351f39c06b508979d4e52b82a3c571

memory/1600-120-0x00000000701E0000-0x0000000070534000-memory.dmp

memory/1600-119-0x0000000070020000-0x000000007006C000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 a94b03843a73d6bfacbb3179f3e36fcd
SHA1 9911f7545a2e8b9fb4c1f22aa3898448f70aa95d
SHA256 ada284a0f504323fd01ec7e7d8857e8d818d9dfed958c547e6f4f8df2e868f94
SHA512 fcbc33488c5263821e7f950b9100a4c6934a1190e33be52ebe83044b17fc730dc41c190192acbb06dc434349923983f96b117ff073f5358656612a1a7c61dd9f

memory/5104-142-0x00000000061B0000-0x0000000006504000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 0c906781943609f0a05df073e482381c
SHA1 4dda01a155183f8138806914b19adf4b7bdb0a0e
SHA256 6fbbce2dd420f380f46950603a87fe024cc248f47b14f829de9a84195a507be0
SHA512 b5e0eec2bb108651db4e4acb0ecff54bd7a83216850f8615281036782718fd5ee28877397dd9a0f1f680c41bb47959129c463b6c753fa8ffa65aabb8e23f2d5d

memory/5104-147-0x0000000006E10000-0x0000000006E5C000-memory.dmp

memory/5104-148-0x000000006FF80000-0x000000006FFCC000-memory.dmp

memory/5104-159-0x0000000007B30000-0x0000000007BD3000-memory.dmp

memory/5104-149-0x0000000070160000-0x00000000704B4000-memory.dmp

memory/5104-160-0x0000000007DF0000-0x0000000007E01000-memory.dmp

memory/5104-161-0x0000000006640000-0x0000000006654000-memory.dmp

memory/3992-172-0x00000000060D0000-0x0000000006424000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 63eaac66ccf7b5b4cd1f36e96d63b780
SHA1 e4d665faa503b86bd283705dd1b3ebe45d1f5d96
SHA256 765b3fe66e452261392512f3cbd7d7a3c8567b3c1f035412fc9411bf3b8ff7a0
SHA512 ad21fd9cbdaeb7362f12ce9f5ecc1e992dc7e4f6f799fc2f833f1a39ff8933d63e0cbf4c7f0599ea97c69e853ae0c0e0138d0692d56591540610cead40c08386

memory/3992-174-0x00000000067D0000-0x000000000681C000-memory.dmp

memory/3992-175-0x000000006FEA0000-0x000000006FEEC000-memory.dmp

memory/3992-176-0x0000000070640000-0x0000000070994000-memory.dmp

memory/3992-186-0x00000000079C0000-0x0000000007A63000-memory.dmp

memory/3992-187-0x0000000007D10000-0x0000000007D21000-memory.dmp

memory/3992-188-0x00000000065C0000-0x00000000065D4000-memory.dmp

memory/4612-189-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2624-200-0x0000000005F60000-0x00000000062B4000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 9242a17b533bfc3657131c24c12888d6
SHA1 6c7caf8052d14a43e5a93679a8cd619baa9de980
SHA256 0142cad6d7b8dee9e2c3f4e382888f8034d4f68c8a4fb87b919755b3f5e3fc77
SHA512 bcb39bf4eed107e09e6b4f73e4f032af8dd9df5a5cf76bc43ed9119b659d6574ce503bdefc38e724b6273da2f48b7a4e411f211b4a3f108110e2cced7e63efa6

memory/2624-202-0x000000006FEA0000-0x000000006FEEC000-memory.dmp

memory/2624-203-0x0000000070660000-0x00000000709B4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/3312-219-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/4612-224-0x0000000002950000-0x0000000002D56000-memory.dmp

memory/2060-225-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3708-228-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2060-229-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3312-230-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3708-233-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3312-232-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3312-235-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3708-239-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3312-238-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3312-241-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3312-244-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3312-247-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3312-250-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3312-253-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3312-256-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3312-259-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3312-262-0x0000000000400000-0x0000000000D1C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-16 12:50

Reported

2024-05-16 12:53

Platform

win11-20240426-en

Max time kernel

150s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ada284a0f504323fd01ec7e7d8857e8d818d9dfed958c547e6f4f8df2e868f94.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\ada284a0f504323fd01ec7e7d8857e8d818d9dfed958c547e6f4f8df2e868f94.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\ada284a0f504323fd01ec7e7d8857e8d818d9dfed958c547e6f4f8df2e868f94.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\ada284a0f504323fd01ec7e7d8857e8d818d9dfed958c547e6f4f8df2e868f94.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\ada284a0f504323fd01ec7e7d8857e8d818d9dfed958c547e6f4f8df2e868f94.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-261 = "GMT Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2631 = "Norfolk Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-3141 = "South Sudan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-242 = "Samoa Standard Time" C:\Users\Admin\AppData\Local\Temp\ada284a0f504323fd01ec7e7d8857e8d818d9dfed958c547e6f4f8df2e868f94.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-342 = "Egypt Standard Time" C:\Users\Admin\AppData\Local\Temp\ada284a0f504323fd01ec7e7d8857e8d818d9dfed958c547e6f4f8df2e868f94.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-431 = "Iran Daylight Time" C:\Users\Admin\AppData\Local\Temp\ada284a0f504323fd01ec7e7d8857e8d818d9dfed958c547e6f4f8df2e868f94.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-364 = "Middle East Daylight Time" C:\Users\Admin\AppData\Local\Temp\ada284a0f504323fd01ec7e7d8857e8d818d9dfed958c547e6f4f8df2e868f94.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-191 = "Mountain Daylight Time" C:\Users\Admin\AppData\Local\Temp\ada284a0f504323fd01ec7e7d8857e8d818d9dfed958c547e6f4f8df2e868f94.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-105 = "Central Brazilian Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-372 = "Jerusalem Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-142 = "Canada Central Standard Time" C:\Users\Admin\AppData\Local\Temp\ada284a0f504323fd01ec7e7d8857e8d818d9dfed958c547e6f4f8df2e868f94.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-92 = "Pacific SA Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1042 = "Ulaanbaatar Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1042 = "Ulaanbaatar Standard Time" C:\Users\Admin\AppData\Local\Temp\ada284a0f504323fd01ec7e7d8857e8d818d9dfed958c547e6f4f8df2e868f94.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-41 = "E. South America Daylight Time" C:\Users\Admin\AppData\Local\Temp\ada284a0f504323fd01ec7e7d8857e8d818d9dfed958c547e6f4f8df2e868f94.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-341 = "Egypt Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2431 = "Cuba Daylight Time" C:\Users\Admin\AppData\Local\Temp\ada284a0f504323fd01ec7e7d8857e8d818d9dfed958c547e6f4f8df2e868f94.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1661 = "Bahia Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2342 = "Haiti Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-192 = "Mountain Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-211 = "Pacific Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1822 = "Russia TZ 1 Standard Time" C:\Users\Admin\AppData\Local\Temp\ada284a0f504323fd01ec7e7d8857e8d818d9dfed958c547e6f4f8df2e868f94.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-561 = "SE Asia Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1932 = "Russia TZ 11 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-232 = "Hawaiian Standard Time" C:\Users\Admin\AppData\Local\Temp\ada284a0f504323fd01ec7e7d8857e8d818d9dfed958c547e6f4f8df2e868f94.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-132 = "US Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\ada284a0f504323fd01ec7e7d8857e8d818d9dfed958c547e6f4f8df2e868f94.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-111 = "Eastern Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2842 = "Saratov Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1841 = "Russia TZ 4 Daylight Time" C:\Users\Admin\AppData\Local\Temp\ada284a0f504323fd01ec7e7d8857e8d818d9dfed958c547e6f4f8df2e868f94.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1911 = "Russia TZ 10 Daylight Time" C:\Users\Admin\AppData\Local\Temp\ada284a0f504323fd01ec7e7d8857e8d818d9dfed958c547e6f4f8df2e868f94.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-441 = "Arabian Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1021 = "Bangladesh Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-162 = "Central Standard Time" C:\Users\Admin\AppData\Local\Temp\ada284a0f504323fd01ec7e7d8857e8d818d9dfed958c547e6f4f8df2e868f94.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-771 = "Montevideo Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-362 = "GTB Standard Time" C:\Users\Admin\AppData\Local\Temp\ada284a0f504323fd01ec7e7d8857e8d818d9dfed958c547e6f4f8df2e868f94.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-435 = "Georgian Standard Time" C:\Users\Admin\AppData\Local\Temp\ada284a0f504323fd01ec7e7d8857e8d818d9dfed958c547e6f4f8df2e868f94.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2871 = "Magallanes Daylight Time" C:\Users\Admin\AppData\Local\Temp\ada284a0f504323fd01ec7e7d8857e8d818d9dfed958c547e6f4f8df2e868f94.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-592 = "Malay Peninsula Standard Time" C:\Users\Admin\AppData\Local\Temp\ada284a0f504323fd01ec7e7d8857e8d818d9dfed958c547e6f4f8df2e868f94.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1841 = "Russia TZ 4 Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-631 = "Tokyo Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-722 = "Central Pacific Standard Time" C:\Users\Admin\AppData\Local\Temp\ada284a0f504323fd01ec7e7d8857e8d818d9dfed958c547e6f4f8df2e868f94.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-372 = "Jerusalem Standard Time" C:\Users\Admin\AppData\Local\Temp\ada284a0f504323fd01ec7e7d8857e8d818d9dfed958c547e6f4f8df2e868f94.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-591 = "Malay Peninsula Daylight Time" C:\Users\Admin\AppData\Local\Temp\ada284a0f504323fd01ec7e7d8857e8d818d9dfed958c547e6f4f8df2e868f94.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2592 = "Tocantins Standard Time" C:\Users\Admin\AppData\Local\Temp\ada284a0f504323fd01ec7e7d8857e8d818d9dfed958c547e6f4f8df2e868f94.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ada284a0f504323fd01ec7e7d8857e8d818d9dfed958c547e6f4f8df2e868f94.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ada284a0f504323fd01ec7e7d8857e8d818d9dfed958c547e6f4f8df2e868f94.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ada284a0f504323fd01ec7e7d8857e8d818d9dfed958c547e6f4f8df2e868f94.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ada284a0f504323fd01ec7e7d8857e8d818d9dfed958c547e6f4f8df2e868f94.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ada284a0f504323fd01ec7e7d8857e8d818d9dfed958c547e6f4f8df2e868f94.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ada284a0f504323fd01ec7e7d8857e8d818d9dfed958c547e6f4f8df2e868f94.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ada284a0f504323fd01ec7e7d8857e8d818d9dfed958c547e6f4f8df2e868f94.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ada284a0f504323fd01ec7e7d8857e8d818d9dfed958c547e6f4f8df2e868f94.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ada284a0f504323fd01ec7e7d8857e8d818d9dfed958c547e6f4f8df2e868f94.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ada284a0f504323fd01ec7e7d8857e8d818d9dfed958c547e6f4f8df2e868f94.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ada284a0f504323fd01ec7e7d8857e8d818d9dfed958c547e6f4f8df2e868f94.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ada284a0f504323fd01ec7e7d8857e8d818d9dfed958c547e6f4f8df2e868f94.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ada284a0f504323fd01ec7e7d8857e8d818d9dfed958c547e6f4f8df2e868f94.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\ada284a0f504323fd01ec7e7d8857e8d818d9dfed958c547e6f4f8df2e868f94.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1028 wrote to memory of 4928 N/A C:\Users\Admin\AppData\Local\Temp\ada284a0f504323fd01ec7e7d8857e8d818d9dfed958c547e6f4f8df2e868f94.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1028 wrote to memory of 4928 N/A C:\Users\Admin\AppData\Local\Temp\ada284a0f504323fd01ec7e7d8857e8d818d9dfed958c547e6f4f8df2e868f94.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1028 wrote to memory of 4928 N/A C:\Users\Admin\AppData\Local\Temp\ada284a0f504323fd01ec7e7d8857e8d818d9dfed958c547e6f4f8df2e868f94.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4564 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\ada284a0f504323fd01ec7e7d8857e8d818d9dfed958c547e6f4f8df2e868f94.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4564 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\ada284a0f504323fd01ec7e7d8857e8d818d9dfed958c547e6f4f8df2e868f94.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4564 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\ada284a0f504323fd01ec7e7d8857e8d818d9dfed958c547e6f4f8df2e868f94.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4564 wrote to memory of 3172 N/A C:\Users\Admin\AppData\Local\Temp\ada284a0f504323fd01ec7e7d8857e8d818d9dfed958c547e6f4f8df2e868f94.exe C:\Windows\system32\cmd.exe
PID 4564 wrote to memory of 3172 N/A C:\Users\Admin\AppData\Local\Temp\ada284a0f504323fd01ec7e7d8857e8d818d9dfed958c547e6f4f8df2e868f94.exe C:\Windows\system32\cmd.exe
PID 3172 wrote to memory of 4276 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3172 wrote to memory of 4276 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4564 wrote to memory of 1016 N/A C:\Users\Admin\AppData\Local\Temp\ada284a0f504323fd01ec7e7d8857e8d818d9dfed958c547e6f4f8df2e868f94.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4564 wrote to memory of 1016 N/A C:\Users\Admin\AppData\Local\Temp\ada284a0f504323fd01ec7e7d8857e8d818d9dfed958c547e6f4f8df2e868f94.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4564 wrote to memory of 1016 N/A C:\Users\Admin\AppData\Local\Temp\ada284a0f504323fd01ec7e7d8857e8d818d9dfed958c547e6f4f8df2e868f94.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4564 wrote to memory of 3764 N/A C:\Users\Admin\AppData\Local\Temp\ada284a0f504323fd01ec7e7d8857e8d818d9dfed958c547e6f4f8df2e868f94.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4564 wrote to memory of 3764 N/A C:\Users\Admin\AppData\Local\Temp\ada284a0f504323fd01ec7e7d8857e8d818d9dfed958c547e6f4f8df2e868f94.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4564 wrote to memory of 3764 N/A C:\Users\Admin\AppData\Local\Temp\ada284a0f504323fd01ec7e7d8857e8d818d9dfed958c547e6f4f8df2e868f94.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4564 wrote to memory of 2456 N/A C:\Users\Admin\AppData\Local\Temp\ada284a0f504323fd01ec7e7d8857e8d818d9dfed958c547e6f4f8df2e868f94.exe C:\Windows\rss\csrss.exe
PID 4564 wrote to memory of 2456 N/A C:\Users\Admin\AppData\Local\Temp\ada284a0f504323fd01ec7e7d8857e8d818d9dfed958c547e6f4f8df2e868f94.exe C:\Windows\rss\csrss.exe
PID 4564 wrote to memory of 2456 N/A C:\Users\Admin\AppData\Local\Temp\ada284a0f504323fd01ec7e7d8857e8d818d9dfed958c547e6f4f8df2e868f94.exe C:\Windows\rss\csrss.exe
PID 2456 wrote to memory of 1712 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2456 wrote to memory of 1712 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2456 wrote to memory of 1712 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2456 wrote to memory of 3440 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2456 wrote to memory of 3440 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2456 wrote to memory of 3440 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2456 wrote to memory of 3312 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2456 wrote to memory of 3312 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2456 wrote to memory of 3312 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2456 wrote to memory of 3656 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 2456 wrote to memory of 3656 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 3680 wrote to memory of 1040 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 3680 wrote to memory of 1040 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 3680 wrote to memory of 1040 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 1040 wrote to memory of 432 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 1040 wrote to memory of 432 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 1040 wrote to memory of 432 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\ada284a0f504323fd01ec7e7d8857e8d818d9dfed958c547e6f4f8df2e868f94.exe

"C:\Users\Admin\AppData\Local\Temp\ada284a0f504323fd01ec7e7d8857e8d818d9dfed958c547e6f4f8df2e868f94.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\ada284a0f504323fd01ec7e7d8857e8d818d9dfed958c547e6f4f8df2e868f94.exe

"C:\Users\Admin\AppData\Local\Temp\ada284a0f504323fd01ec7e7d8857e8d818d9dfed958c547e6f4f8df2e868f94.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 e955ef73-4be9-46b2-bd47-a3c50b62b5f2.uuid.thestatsfiles.ru udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 server12.thestatsfiles.ru udp
US 74.125.250.129:19302 stun1.l.google.com udp
BG 185.82.216.96:443 server12.thestatsfiles.ru tcp
US 172.67.221.71:443 carsalessystem.com tcp
US 162.159.129.233:443 cdn.discordapp.com tcp
BG 185.82.216.96:443 server12.thestatsfiles.ru tcp
NL 52.111.243.30:443 tcp
BG 185.82.216.96:443 server12.thestatsfiles.ru tcp
BG 185.82.216.96:443 server12.thestatsfiles.ru tcp

Files

memory/1028-1-0x0000000002A30000-0x0000000002E36000-memory.dmp

memory/1028-2-0x0000000002E40000-0x000000000372B000-memory.dmp

memory/1028-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4928-4-0x000000007410E000-0x000000007410F000-memory.dmp

memory/4928-5-0x0000000002A10000-0x0000000002A46000-memory.dmp

memory/4928-7-0x0000000074100000-0x00000000748B1000-memory.dmp

memory/4928-6-0x0000000005330000-0x000000000595A000-memory.dmp

memory/4928-8-0x0000000074100000-0x00000000748B1000-memory.dmp

memory/4928-9-0x0000000005230000-0x0000000005252000-memory.dmp

memory/4928-10-0x0000000005960000-0x00000000059C6000-memory.dmp

memory/4928-11-0x00000000059D0000-0x0000000005A36000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2eqvybqk.io2.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4928-20-0x0000000005A40000-0x0000000005D97000-memory.dmp

memory/4928-21-0x0000000005EF0000-0x0000000005F0E000-memory.dmp

memory/4928-22-0x0000000005F10000-0x0000000005F5C000-memory.dmp

memory/4928-23-0x0000000006460000-0x00000000064A6000-memory.dmp

memory/4928-24-0x00000000072F0000-0x0000000007324000-memory.dmp

memory/4928-25-0x0000000070370000-0x00000000703BC000-memory.dmp

memory/4928-27-0x0000000074100000-0x00000000748B1000-memory.dmp

memory/4928-26-0x0000000070580000-0x00000000708D7000-memory.dmp

memory/4928-36-0x0000000007350000-0x000000000736E000-memory.dmp

memory/4928-37-0x0000000007370000-0x0000000007414000-memory.dmp

memory/4928-38-0x0000000074100000-0x00000000748B1000-memory.dmp

memory/4928-39-0x0000000007AE0000-0x000000000815A000-memory.dmp

memory/4928-40-0x00000000074A0000-0x00000000074BA000-memory.dmp

memory/4928-41-0x00000000074E0000-0x00000000074EA000-memory.dmp

memory/4928-42-0x00000000075F0000-0x0000000007686000-memory.dmp

memory/4928-43-0x0000000007500000-0x0000000007511000-memory.dmp

memory/4928-44-0x0000000007550000-0x000000000755E000-memory.dmp

memory/4928-45-0x0000000007560000-0x0000000007575000-memory.dmp

memory/4928-46-0x00000000075B0000-0x00000000075CA000-memory.dmp

memory/4928-47-0x00000000075A0000-0x00000000075A8000-memory.dmp

memory/4928-50-0x0000000074100000-0x00000000748B1000-memory.dmp

memory/1028-52-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1028-53-0x0000000002E40000-0x000000000372B000-memory.dmp

memory/4564-55-0x0000000002A30000-0x0000000002E34000-memory.dmp

memory/2740-64-0x0000000005C30000-0x0000000005F87000-memory.dmp

memory/2740-65-0x0000000006680000-0x00000000066CC000-memory.dmp

memory/2740-66-0x0000000070480000-0x00000000704CC000-memory.dmp

memory/2740-67-0x0000000070600000-0x0000000070957000-memory.dmp

memory/2740-76-0x0000000007380000-0x0000000007424000-memory.dmp

memory/2740-77-0x00000000076B0000-0x00000000076C1000-memory.dmp

memory/2740-78-0x0000000007700000-0x0000000007715000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 d0c46cad6c0778401e21910bd6b56b70
SHA1 7be418951ea96326aca445b8dfe449b2bfa0dca6
SHA256 9600b3fdf0565ccb49e21656aa4b24d7c18f776bfd04d9ee984b134707550f02
SHA512 057531b468f7fbbb2175a696a8aab274dec0d17d9f71df309edcff35e064f3378050066a3df47ccd03048fac461594ec75e3d4fe64f9dd79949d129f51e02949

memory/1016-82-0x0000000005CB0000-0x0000000006007000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 61cee76a83c80abe5a5f9426e09f990a
SHA1 06d5d6278631cd2b3c3fd5ca023f3d43af33266c
SHA256 a525e3ddf80a511863903ef0e622d5c8bbf788514232a53170c85d2a05832114
SHA512 e82a0f498473bf58bed40b8f1ff9eb087c30c1a034731001235b88d7d4731bd64781aa0646606324554189034fcbb21f2b64f8e992d1043b0d1c34b0a3552379

memory/1016-92-0x0000000070480000-0x00000000704CC000-memory.dmp

memory/1016-93-0x00000000706D0000-0x0000000070A27000-memory.dmp

memory/3764-111-0x0000000006050000-0x00000000063A7000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 cc869202de58334121db5614141bdbe4
SHA1 b33a8aac30986bd06bc09ec9fd5d57666c28c4ca
SHA256 e956f642e98682c856aef7864bfe27f21baf21d84d3c4826eb3a05c58bbb9399
SHA512 c80a4fbf8128665f11ae758dc5f3aae0f5f78c3d8ba76b47be3699e455261dca6ef7e75703d614c54943c0aff75d7126a09333c9ca304467eb0e518be760a899

memory/3764-113-0x0000000070480000-0x00000000704CC000-memory.dmp

memory/3764-114-0x0000000070630000-0x0000000070987000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 a94b03843a73d6bfacbb3179f3e36fcd
SHA1 9911f7545a2e8b9fb4c1f22aa3898448f70aa95d
SHA256 ada284a0f504323fd01ec7e7d8857e8d818d9dfed958c547e6f4f8df2e868f94
SHA512 fcbc33488c5263821e7f950b9100a4c6934a1190e33be52ebe83044b17fc730dc41c190192acbb06dc434349923983f96b117ff073f5358656612a1a7c61dd9f

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 b60adc83d1bc981a8b0358f6ec5fbafc
SHA1 84828688545dbb7d112106184f8729137136b378
SHA256 f2b1ff0877618450238db00259dfefe2e9700acee057ecc5ae09d2ec907fb620
SHA512 fb54b0e61b06c9ba812e4aff6b752da9442e1cccb5e08f06f157547ba91d88cd48d4382eda6363ec1d9754b54f6ee41f43eec95b69b492c8894978e4e8fa9cf0

memory/1712-138-0x00000000060E0000-0x000000000612C000-memory.dmp

memory/4564-139-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1712-141-0x0000000070630000-0x0000000070987000-memory.dmp

memory/1712-140-0x00000000703E0000-0x000000007042C000-memory.dmp

memory/1712-150-0x00000000072D0000-0x0000000007374000-memory.dmp

memory/1712-151-0x0000000007630000-0x0000000007641000-memory.dmp

memory/1712-152-0x0000000005E70000-0x0000000005E85000-memory.dmp

memory/3440-154-0x0000000006050000-0x00000000063A7000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 6840dc9f74403153136303155571b63e
SHA1 f3ee4beca369986499e23708ede6508c2bafa18d
SHA256 3b598b8919b9a984f4a54d424b3cb744d375405bb335c6ed8b4e275d6cf43a3b
SHA512 f30f8c005f6f953ef6663ac06e0c511e6ccd030c4cdc3f01cf987a89fd0efad7fb2fd4424ffe6d6d24348102c266fa71818d2f05a9b5c4f69dbf3e429294078e

memory/3440-164-0x0000000006670000-0x00000000066BC000-memory.dmp

memory/3440-165-0x0000000070300000-0x000000007034C000-memory.dmp

memory/3440-166-0x0000000070550000-0x00000000708A7000-memory.dmp

memory/3440-175-0x0000000007850000-0x00000000078F4000-memory.dmp

memory/3440-176-0x0000000007BA0000-0x0000000007BB1000-memory.dmp

memory/3440-177-0x0000000006400000-0x0000000006415000-memory.dmp

memory/3312-187-0x0000000006210000-0x0000000006567000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 0ecae2f50464a02699b7cf5ef6e3d91b
SHA1 fd4e1c68d645e1134e4497fb65d56b043a28e9eb
SHA256 8e673eaf216f8471531bd1d5ae0901fa6564a53672470b58c354092d67f20c07
SHA512 11a1d28d3f65665a433ea0194caefd00c0789f3fcbc3d56fc930b75ce4babc25c99fa89152f386148e6f1fc3458db06a485fba50fce2e50f18876abccb5c2199

memory/3312-189-0x0000000070300000-0x000000007034C000-memory.dmp

memory/3312-190-0x0000000070510000-0x0000000070867000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/2456-206-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4564-207-0x0000000002A30000-0x0000000002E34000-memory.dmp

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/3680-211-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/1056-214-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3680-216-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2456-218-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2456-220-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1056-221-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2456-223-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2456-226-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1056-227-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2456-230-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2456-232-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2456-235-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1056-236-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2456-238-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2456-242-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2456-245-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2456-247-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2456-250-0x0000000000400000-0x0000000000D1C000-memory.dmp