Malware Analysis Report

2024-12-08 02:19

Sample ID 240516-wkk1esgf8s
Target b09edfcb1208b6fdf4cbc44de48fa1c4e768c2dbea014a3ebf121e040eb6e0bd
SHA256 b09edfcb1208b6fdf4cbc44de48fa1c4e768c2dbea014a3ebf121e040eb6e0bd
Tags
glupteba discovery dropper evasion execution loader persistence rootkit upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b09edfcb1208b6fdf4cbc44de48fa1c4e768c2dbea014a3ebf121e040eb6e0bd

Threat Level: Known bad

The file b09edfcb1208b6fdf4cbc44de48fa1c4e768c2dbea014a3ebf121e040eb6e0bd was found to be: Known bad.

Malicious Activity Summary

glupteba discovery dropper evasion execution loader persistence rootkit upx

Glupteba

Glupteba payload

Modifies Windows Firewall

Executes dropped EXE

UPX packed file

Adds Run key to start application

Manipulates WinMonFS driver.

Checks installed software on the system

Drops file in System32 directory

Launches sc.exe

Drops file in Windows directory

Checks for VirtualBox DLLs, possible anti-VM trick

Command and Scripting Interpreter: PowerShell

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Creates scheduled task(s)

Uses Task Scheduler COM API

Modifies data under HKEY_USERS

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-16 17:58

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-16 17:58

Reported

2024-05-16 18:01

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b09edfcb1208b6fdf4cbc44de48fa1c4e768c2dbea014a3ebf121e040eb6e0bd.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\b09edfcb1208b6fdf4cbc44de48fa1c4e768c2dbea014a3ebf121e040eb6e0bd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\b09edfcb1208b6fdf4cbc44de48fa1c4e768c2dbea014a3ebf121e040eb6e0bd.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\b09edfcb1208b6fdf4cbc44de48fa1c4e768c2dbea014a3ebf121e040eb6e0bd.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\b09edfcb1208b6fdf4cbc44de48fa1c4e768c2dbea014a3ebf121e040eb6e0bd.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-252 = "Dateline Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1871 = "Russia TZ 7 Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-331 = "E. Europe Daylight Time" C:\Users\Admin\AppData\Local\Temp\b09edfcb1208b6fdf4cbc44de48fa1c4e768c2dbea014a3ebf121e040eb6e0bd.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1891 = "Russia TZ 3 Daylight Time" C:\Users\Admin\AppData\Local\Temp\b09edfcb1208b6fdf4cbc44de48fa1c4e768c2dbea014a3ebf121e040eb6e0bd.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2772 = "Omsk Standard Time" C:\Users\Admin\AppData\Local\Temp\b09edfcb1208b6fdf4cbc44de48fa1c4e768c2dbea014a3ebf121e040eb6e0bd.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-215 = "Pacific Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\b09edfcb1208b6fdf4cbc44de48fa1c4e768c2dbea014a3ebf121e040eb6e0bd.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-621 = "Korea Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1022 = "Bangladesh Standard Time" C:\Users\Admin\AppData\Local\Temp\b09edfcb1208b6fdf4cbc44de48fa1c4e768c2dbea014a3ebf121e040eb6e0bd.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-192 = "Mountain Standard Time" C:\Users\Admin\AppData\Local\Temp\b09edfcb1208b6fdf4cbc44de48fa1c4e768c2dbea014a3ebf121e040eb6e0bd.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1872 = "Russia TZ 7 Standard Time" C:\Users\Admin\AppData\Local\Temp\b09edfcb1208b6fdf4cbc44de48fa1c4e768c2dbea014a3ebf121e040eb6e0bd.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2941 = "Sao Tome Daylight Time" C:\Users\Admin\AppData\Local\Temp\b09edfcb1208b6fdf4cbc44de48fa1c4e768c2dbea014a3ebf121e040eb6e0bd.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1412 = "Syria Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-111 = "Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\b09edfcb1208b6fdf4cbc44de48fa1c4e768c2dbea014a3ebf121e040eb6e0bd.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2341 = "Haiti Daylight Time" C:\Users\Admin\AppData\Local\Temp\b09edfcb1208b6fdf4cbc44de48fa1c4e768c2dbea014a3ebf121e040eb6e0bd.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-334 = "Jordan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-561 = "SE Asia Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2371 = "Easter Island Daylight Time" C:\Users\Admin\AppData\Local\Temp\b09edfcb1208b6fdf4cbc44de48fa1c4e768c2dbea014a3ebf121e040eb6e0bd.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2041 = "Eastern Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\b09edfcb1208b6fdf4cbc44de48fa1c4e768c2dbea014a3ebf121e040eb6e0bd.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-214 = "Pacific Daylight Time (Mexico)" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2872 = "Magallanes Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2772 = "Omsk Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-751 = "Tonga Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2612 = "Bougainville Standard Time" C:\Users\Admin\AppData\Local\Temp\b09edfcb1208b6fdf4cbc44de48fa1c4e768c2dbea014a3ebf121e040eb6e0bd.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-912 = "Mauritius Standard Time" C:\Users\Admin\AppData\Local\Temp\b09edfcb1208b6fdf4cbc44de48fa1c4e768c2dbea014a3ebf121e040eb6e0bd.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-462 = "Afghanistan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-81 = "Atlantic Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-341 = "Egypt Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-891 = "Morocco Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1972 = "Belarus Standard Time" C:\Users\Admin\AppData\Local\Temp\b09edfcb1208b6fdf4cbc44de48fa1c4e768c2dbea014a3ebf121e040eb6e0bd.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2431 = "Cuba Daylight Time" C:\Users\Admin\AppData\Local\Temp\b09edfcb1208b6fdf4cbc44de48fa1c4e768c2dbea014a3ebf121e040eb6e0bd.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-342 = "Egypt Standard Time" C:\Users\Admin\AppData\Local\Temp\b09edfcb1208b6fdf4cbc44de48fa1c4e768c2dbea014a3ebf121e040eb6e0bd.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-772 = "Montevideo Standard Time" C:\Users\Admin\AppData\Local\Temp\b09edfcb1208b6fdf4cbc44de48fa1c4e768c2dbea014a3ebf121e040eb6e0bd.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-571 = "China Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2182 = "Astrakhan Standard Time" C:\Users\Admin\AppData\Local\Temp\b09edfcb1208b6fdf4cbc44de48fa1c4e768c2dbea014a3ebf121e040eb6e0bd.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-501 = "Nepal Daylight Time" C:\Users\Admin\AppData\Local\Temp\b09edfcb1208b6fdf4cbc44de48fa1c4e768c2dbea014a3ebf121e040eb6e0bd.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-104 = "Central Brazilian Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2611 = "Bougainville Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1471 = "Magadan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1862 = "Russia TZ 6 Standard Time" C:\Users\Admin\AppData\Local\Temp\b09edfcb1208b6fdf4cbc44de48fa1c4e768c2dbea014a3ebf121e040eb6e0bd.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b09edfcb1208b6fdf4cbc44de48fa1c4e768c2dbea014a3ebf121e040eb6e0bd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b09edfcb1208b6fdf4cbc44de48fa1c4e768c2dbea014a3ebf121e040eb6e0bd.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b09edfcb1208b6fdf4cbc44de48fa1c4e768c2dbea014a3ebf121e040eb6e0bd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b09edfcb1208b6fdf4cbc44de48fa1c4e768c2dbea014a3ebf121e040eb6e0bd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b09edfcb1208b6fdf4cbc44de48fa1c4e768c2dbea014a3ebf121e040eb6e0bd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b09edfcb1208b6fdf4cbc44de48fa1c4e768c2dbea014a3ebf121e040eb6e0bd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b09edfcb1208b6fdf4cbc44de48fa1c4e768c2dbea014a3ebf121e040eb6e0bd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b09edfcb1208b6fdf4cbc44de48fa1c4e768c2dbea014a3ebf121e040eb6e0bd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b09edfcb1208b6fdf4cbc44de48fa1c4e768c2dbea014a3ebf121e040eb6e0bd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b09edfcb1208b6fdf4cbc44de48fa1c4e768c2dbea014a3ebf121e040eb6e0bd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b09edfcb1208b6fdf4cbc44de48fa1c4e768c2dbea014a3ebf121e040eb6e0bd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b09edfcb1208b6fdf4cbc44de48fa1c4e768c2dbea014a3ebf121e040eb6e0bd.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\b09edfcb1208b6fdf4cbc44de48fa1c4e768c2dbea014a3ebf121e040eb6e0bd.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\b09edfcb1208b6fdf4cbc44de48fa1c4e768c2dbea014a3ebf121e040eb6e0bd.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1540 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\b09edfcb1208b6fdf4cbc44de48fa1c4e768c2dbea014a3ebf121e040eb6e0bd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1400 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\b09edfcb1208b6fdf4cbc44de48fa1c4e768c2dbea014a3ebf121e040eb6e0bd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1400 wrote to memory of 3496 N/A C:\Users\Admin\AppData\Local\Temp\b09edfcb1208b6fdf4cbc44de48fa1c4e768c2dbea014a3ebf121e040eb6e0bd.exe C:\Windows\system32\cmd.exe
PID 3496 wrote to memory of 2052 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1400 wrote to memory of 1536 N/A C:\Users\Admin\AppData\Local\Temp\b09edfcb1208b6fdf4cbc44de48fa1c4e768c2dbea014a3ebf121e040eb6e0bd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1400 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Local\Temp\b09edfcb1208b6fdf4cbc44de48fa1c4e768c2dbea014a3ebf121e040eb6e0bd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1400 wrote to memory of 1500 N/A C:\Users\Admin\AppData\Local\Temp\b09edfcb1208b6fdf4cbc44de48fa1c4e768c2dbea014a3ebf121e040eb6e0bd.exe C:\Windows\rss\csrss.exe
PID 1500 wrote to memory of 4052 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1500 wrote to memory of 3408 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1500 wrote to memory of 5116 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1500 wrote to memory of 4780 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 4380 wrote to memory of 2688 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 2688 wrote to memory of 2620 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\b09edfcb1208b6fdf4cbc44de48fa1c4e768c2dbea014a3ebf121e040eb6e0bd.exe

"C:\Users\Admin\AppData\Local\Temp\b09edfcb1208b6fdf4cbc44de48fa1c4e768c2dbea014a3ebf121e040eb6e0bd.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\b09edfcb1208b6fdf4cbc44de48fa1c4e768c2dbea014a3ebf121e040eb6e0bd.exe

"C:\Users\Admin\AppData\Local\Temp\b09edfcb1208b6fdf4cbc44de48fa1c4e768c2dbea014a3ebf121e040eb6e0bd.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe
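
The `sc sdset WinDefender ...` command above is the tamper-protection step: the dropped C:\Windows\windefender.exe (4380) spawns cmd.exe, which rewrites the security descriptor of the service it registered under a name that mimics Windows Defender. Read as SDDL, the DACL grants SYSTEM start/stop/pause, grants Administrators almost everything, then adds an explicit deny of WP (SERVICE_STOP) and DT (SERVICE_PAUSE_CONTINUE) for Administrators, so `sc stop` and `net stop` fail from an elevated console even though the service is visible and configurable. Because Administrators keep WD (WRITE_DAC) and DC (SERVICE_CHANGE_CONFIG), the descriptor can be rewritten with another `sc sdset` before the service is stopped. The following Python decoder is an added triage example, not sandbox output; the only report data it uses is the command line copied from the process list, and the right and SID abbreviations come from Microsoft's SDDL documentation.

```python
"""Decode the service DACL applied by `sc sdset WinDefender ...` and flag the
administrator lock-out it creates. Added example; not part of the sandbox report."""
import re

# Access-right codes for service objects (Microsoft SDDL documentation).
SERVICE_RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS", "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START", "WP": "SERVICE_STOP", "DT": "SERVICE_PAUSE_CONTINUE",
    "LO": "SERVICE_INTERROGATE", "CR": "SERVICE_USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
    "GA": "GENERIC_ALL", "GR": "GENERIC_READ", "GW": "GENERIC_WRITE", "GX": "GENERIC_EXECUTE",
}
# Well-known SID abbreviations that occur in the report's string.
TRUSTEES = {"SY": "NT AUTHORITY\\SYSTEM", "BA": "BUILTIN\\Administrators",
            "IU": "NT AUTHORITY\\INTERACTIVE", "SU": "NT AUTHORITY\\SERVICE", "WD": "Everyone"}

# Command line copied verbatim from the behavioral1 process list.
REPORT_CMDLINE = (
    "cmd.exe /C sc sdset WinDefender "
    "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)"
    "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
    "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
)


def sdset_from_cmdline(cmdline):
    """Return (service, sddl) from an `sc sdset <service> <sddl>` command line, else None."""
    m = re.search(r"\bsc(?:\.exe)?\s+sdset\s+(\S+)\s+(\S+)", cmdline, re.IGNORECASE)
    if not m or not re.match(r"^(?:O:|G:|D:|S:)", m.group(2)):
        return None
    return m.group(1), m.group(2)


def parse_sddl(sddl):
    """Yield (section, ace_type, rights, trustee) per ACE; section is D (DACL) or S (SACL).
    Rights are split into two-letter codes; a hex access mask is kept as one token."""
    for section, body in re.findall(r"([DS]):[A-Z]*((?:\([^)]*\))+)", sddl):
        for ace in re.findall(r"\(([^)]*)\)", body):
            fields = ace.split(";")
            ace_type, rights_str, trustee = fields[0], fields[2], fields[5]
            if rights_str.lower().startswith("0x"):
                rights = [rights_str]
            else:
                rights = [rights_str[i:i + 2] for i in range(0, len(rights_str), 2)]
            yield section, ace_type, rights, trustee


def dacl_rights(sddl, trustee):
    """(effective allowed, explicitly denied) right codes for one trustee. A deny beats an
    allow for the same right, which is how Windows evaluates the canonical (denies-first) order."""
    allowed, denied = set(), set()
    for section, ace_type, rights, who in parse_sddl(sddl):
        if section != "D" or who != trustee:
            continue
        if ace_type == "A":
            allowed.update(rights)
        elif ace_type == "D":
            denied.update(rights)
    return allowed - denied, denied


def admin_stop_denied(sddl):
    """True when BUILTIN\\Administrators is explicitly denied SERVICE_STOP or SERVICE_PAUSE_CONTINUE,
    a descriptor legitimate installers essentially never write."""
    _, denied = dacl_rights(sddl, "BA")
    return bool(denied & {"WP", "DT"})


def describe(sddl):
    """Human-readable DACL summary: {trustee name: {"allow": [...], "deny": [...]}}."""
    out = {}
    for section, ace_type, rights, who in parse_sddl(sddl):
        if section != "D":
            continue
        bucket = out.setdefault(TRUSTEES.get(who, who), {"allow": [], "deny": []})
        bucket["allow" if ace_type == "A" else "deny"].extend(SERVICE_RIGHTS.get(r, r) for r in rights)
    return out


if __name__ == "__main__":
    service, sddl = sdset_from_cmdline(REPORT_CMDLINE)
    print(f"service {service}: administrators denied stop/pause = {admin_stop_denied(sddl)}")
    for who, acl in describe(sddl).items():
        print(f"  {who}\n    allow: {', '.join(acl['allow']) or '-'}\n    deny : {', '.join(acl['deny']) or '-'}")
```

`sdset_from_cmdline` plus `admin_stop_denied` is the shape of a process-creation detection: any `sc sdset` whose DACL carries a deny ACE for BA on WP or DT is worth an alert regardless of the service name. The parser handles the `D:`/`S:` sections and optional control flags that `sc sdshow` prints, but not owner/group prefixes or conditional ACEs, so treat it as a triage aid rather than a full SDDL implementation.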

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 177622c9-baad-4190-9805-7f0ce994decc.uuid.statstraffic.org udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 stun.sipgate.net udp
US 8.8.8.8:53 server12.statstraffic.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 15.197.250.192:3478 stun.sipgate.net udp
BG 185.82.216.104:443 server12.statstraffic.org tcp
US 8.8.8.8:53 carsalessystem.com udp
US 172.67.221.71:443 carsalessystem.com tcp
US 8.8.8.8:53 192.250.197.15.in-addr.arpa udp
US 8.8.8.8:53 233.135.159.162.in-addr.arpa udp
US 8.8.8.8:53 104.216.82.185.in-addr.arpa udp
US 8.8.8.8:53 71.221.67.172.in-addr.arpa udp
BG 185.82.216.104:443 server12.statstraffic.org tcp
BG 185.82.216.104:443 server12.statstraffic.org tcp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
BG 185.82.216.104:443 server12.statstraffic.org tcp
US 8.8.8.8:53 91.16.208.104.in-addr.arpa udp
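
The table records every DNS query and connection the sandbox saw but does not say which process made each one. The `*.in-addr.arpa` rows are reverse lookups the sandbox issues for each peer IP and carry no signal about the sample, and the bing.com/bing.net traffic is treated here as background activity of the Windows image (an assumption; the report does not attribute it). What remains is a small set of external hosts, one of which (`177622c9-...uuid.statstraffic.org`) carries a UUID as its leftmost label, which reads as a per-host identifier sent through DNS (an inference from the label, not something the report states). The following Python is an added triage example, not report output: it parses rows in the table's own format, drops the noise classes, groups the rest by apex domain and flags UUID-labelled hostnames; the embedded rows are a subset copied from the table, and the benign-suffix list is an assumption to tune per environment.

```python
"""Triage a sandbox network table: drop reverse-DNS noise, group by apex domain and
flag UUID-labelled hostnames. Added example; the rows are a subset copied from the report."""
import re
from collections import defaultdict

# Subset of rows copied from the Network table above (country destination domain proto).
NETWORK_TABLE = """\
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 177622c9-baad-4190-9805-7f0ce994decc.uuid.statstraffic.org udp
US 8.8.8.8:53 stun.sipgate.net udp
US 8.8.8.8:53 server12.statstraffic.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 15.197.250.192:3478 stun.sipgate.net udp
BG 185.82.216.104:443 server12.statstraffic.org tcp
US 8.8.8.8:53 carsalessystem.com udp
US 172.67.221.71:443 carsalessystem.com tcp
BG 185.82.216.104:443 server12.statstraffic.org tcp
"""

UUID_LABEL = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.IGNORECASE)
# Assumed background traffic of the sandbox image; adjust for your own environment.
BENIGN_SUFFIXES = (".bing.com", ".bing.net")
RESOLVER = ("8.8.8.8", 53)


def parse_rows(text):
    """Parse 'country ip:port domain proto' lines into dicts; malformed lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or ":" not in parts[1]:
            continue
        country, dst, domain, proto = parts
        ip, port = dst.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain.lower(), "proto": proto.lower()})
    return rows


def apex(domain):
    """Naive registrable domain (last two labels); use a public-suffix list in production."""
    return ".".join(domain.split(".")[-2:])


def triage(text):
    """Group non-noise rows by apex domain, collecting hostnames, non-DNS endpoints
    and any hostname whose leftmost label is a UUID."""
    groups = defaultdict(lambda: {"hosts": set(), "endpoints": set(), "uuid_hosts": set()})
    for r in parse_rows(text):
        d = r["domain"]
        if d.endswith((".in-addr.arpa", ".ip6.arpa")):
            continue  # sandbox reverse lookups of peer IPs, not sample behaviour
        if d.endswith(BENIGN_SUFFIXES):
            continue
        g = groups[apex(d)]
        g["hosts"].add(d)
        if (r["ip"], r["port"]) != RESOLVER:
            g["endpoints"].add((r["ip"], r["port"], r["proto"]))
        if UUID_LABEL.match(d.split(".")[0]):
            g["uuid_hosts"].add(d)
    return dict(groups)


if __name__ == "__main__":
    for domain, g in sorted(triage(NETWORK_TABLE).items()):
        flag = " [uuid-labelled host]" if g["uuid_hosts"] else ""
        print(f"{domain}{flag}: hosts={sorted(g['hosts'])} endpoints={sorted(g['endpoints'])}")
```

Run against the full table the grouping yields the same apex domains; the UUID check is the piece worth carrying into a DNS-log detection, since a hostname whose first label is a fresh UUID under an otherwise quiet domain is rare in legitimate traffic.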

Files

memory/1540-1-0x0000000002940000-0x0000000002D3E000-memory.dmp

memory/1540-2-0x0000000002D40000-0x000000000362B000-memory.dmp

memory/1540-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2372-4-0x0000000074D8E000-0x0000000074D8F000-memory.dmp

memory/2372-5-0x0000000002AF0000-0x0000000002B26000-memory.dmp

memory/2372-6-0x0000000005650000-0x0000000005C78000-memory.dmp

memory/2372-7-0x0000000074D80000-0x0000000075530000-memory.dmp

memory/2372-8-0x0000000074D80000-0x0000000075530000-memory.dmp

memory/2372-9-0x0000000005470000-0x0000000005492000-memory.dmp

memory/2372-10-0x0000000005510000-0x0000000005576000-memory.dmp

memory/2372-11-0x0000000005580000-0x00000000055E6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_w4cqrzby.ex2.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2372-21-0x0000000005D00000-0x0000000006054000-memory.dmp

memory/2372-23-0x0000000006480000-0x00000000064CC000-memory.dmp

memory/2372-22-0x0000000006450000-0x000000000646E000-memory.dmp

memory/2372-24-0x00000000069A0000-0x00000000069E4000-memory.dmp

memory/2372-25-0x0000000007560000-0x00000000075D6000-memory.dmp

memory/2372-26-0x0000000007E60000-0x00000000084DA000-memory.dmp

memory/2372-27-0x0000000007800000-0x000000000781A000-memory.dmp

memory/2372-28-0x00000000079C0000-0x00000000079F2000-memory.dmp

memory/2372-41-0x0000000007A00000-0x0000000007A1E000-memory.dmp

memory/2372-30-0x0000000074D80000-0x0000000075530000-memory.dmp

memory/2372-31-0x0000000071950000-0x0000000071CA4000-memory.dmp

memory/2372-29-0x0000000070C20000-0x0000000070C6C000-memory.dmp

memory/2372-43-0x0000000074D80000-0x0000000075530000-memory.dmp

memory/2372-42-0x0000000007A20000-0x0000000007AC3000-memory.dmp

memory/2372-44-0x0000000007B10000-0x0000000007B1A000-memory.dmp

memory/2372-45-0x0000000007C20000-0x0000000007CB6000-memory.dmp

memory/2372-46-0x0000000007B80000-0x0000000007B91000-memory.dmp

memory/2372-47-0x0000000007B60000-0x0000000007B6E000-memory.dmp

memory/2372-48-0x0000000007BA0000-0x0000000007BB4000-memory.dmp

memory/2372-49-0x0000000007BE0000-0x0000000007BFA000-memory.dmp

memory/2372-50-0x0000000007BD0000-0x0000000007BD8000-memory.dmp

memory/2372-53-0x0000000074D80000-0x0000000075530000-memory.dmp

memory/1400-55-0x0000000002930000-0x0000000002D35000-memory.dmp

memory/2920-56-0x0000000006190000-0x00000000064E4000-memory.dmp

memory/2920-66-0x0000000070C20000-0x0000000070C6C000-memory.dmp

memory/2920-67-0x00000000713A0000-0x00000000716F4000-memory.dmp

memory/2920-77-0x00000000079B0000-0x0000000007A53000-memory.dmp

memory/2920-78-0x0000000007CE0000-0x0000000007CF1000-memory.dmp

memory/2920-79-0x0000000007D30000-0x0000000007D44000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

memory/1536-92-0x0000000006420000-0x0000000006774000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 3576c861f21155f67c69f4b9a7cf00ff
SHA1 062de6353cb3102a95159e585fd382bb10f2f8e9
SHA256 09a34b9b9c495451d7133141e08ba8598752885ac1c0bd340d51c94f2aa5a9ad
SHA512 ca400019c6cfc744123ac5f3fffa57b02768b9647c604f77f4a6b163b97834ff166e0c6a7b94c5fbafa76801111aee66b2d896674320bac2890bfc86c42de7ec

memory/1536-94-0x0000000070C20000-0x0000000070C6C000-memory.dmp

memory/1536-95-0x0000000070DA0000-0x00000000710F4000-memory.dmp

memory/1540-106-0x0000000002940000-0x0000000002D3E000-memory.dmp

memory/1540-105-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 3f52a516a3c81fc3150b5d6f83b9d56d
SHA1 11bd573ad3a387f370139510e12b9f0fe9ad7602
SHA256 57edcbdfaeaf57e6c22a803625ebd9237f0fdbc418b8cd0fc9e48b9506fbcdb8
SHA512 561105a86ea1d32cbee78ee01ea52d14dd0e286374dc542c8d738fb57a1a06b56ec9a92c697d7feb0d897909d6452513e18727ef0a9bb7cc4a5c63f4859dd55c

memory/2252-118-0x0000000070C20000-0x0000000070C6C000-memory.dmp

memory/2252-119-0x00000000713A0000-0x00000000716F4000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 21e3a01ed8d20365c4f3db069e636cc2
SHA1 67bae0d7500592fbeeb5a5049bbf2b45c1d7b020
SHA256 b09edfcb1208b6fdf4cbc44de48fa1c4e768c2dbea014a3ebf121e040eb6e0bd
SHA512 0377c9455b1801af40bde90c51a7affe89a1c2e384988635ba75e22eadd63d5e074317728ceace4b8a2fd6cbbd99155e692b0793e68ae7a670fcb469c8e98d32

memory/1400-133-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1400-135-0x0000000002D40000-0x000000000362B000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 6df92b58225b726a40818a00f247f033
SHA1 0f2878f37badd492d6ccbec6c6b46274b0b98572
SHA256 2ce7002ba2bc03fb59838acb945706a6d57c1e3d609f26dea9ce49d58121f0b0
SHA512 302fe4802e29901ec751bcf2681ee02fd947366af8dba71d0979e3b66eef6fb8ddcb2731329938a3803fff1caacf90030ff13b6f2e77bd494cf49c9f24d553b2

memory/4052-147-0x0000000070C20000-0x0000000070C6C000-memory.dmp

memory/4052-148-0x0000000070DA0000-0x00000000710F4000-memory.dmp

memory/3408-168-0x00000000057C0000-0x0000000005B14000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 d773e5af8a99171461f380e35cb7d672
SHA1 379e12c9299ba04f4a27c0a68e9a09d0cb908dfc
SHA256 9343587ff76f4cd35926a22df8081fcfc9b7e153f7e4db5e8ae122574ff61e97
SHA512 c07ad9e0b62c0ab61b4b619830a0f60c26db11d5243bca92d151d6c0865bd322d3685f5e418415f6c4fb726d1e4091a53b29ec4d586f853b129df60949105f9b

memory/3408-170-0x0000000006310000-0x000000000635C000-memory.dmp

memory/3408-171-0x0000000070B40000-0x0000000070B8C000-memory.dmp

memory/3408-172-0x00000000712D0000-0x0000000071624000-memory.dmp

memory/3408-182-0x0000000007030000-0x00000000070D3000-memory.dmp

memory/3408-183-0x00000000056E0000-0x00000000056F1000-memory.dmp

memory/3408-184-0x0000000005C20000-0x0000000005C34000-memory.dmp

memory/5116-195-0x0000000005540000-0x0000000005894000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 2586c9983b88b8336d7eede31edf9439
SHA1 f2b11f6a7600510800ac117b23fd846e81223e95
SHA256 5d6c097e39dc2fa6c8e1b13bfec35a43d5a6ad3146a76353530f404714501edb
SHA512 3700c4fefe971e3c694e394ba69124645f05699d85e2f70ddf6d382d829f87173222560f26c0bc99aefae0adbd6ce602fe3e964e6668bf5ab133a1680f7580c9

memory/5116-198-0x0000000070B40000-0x0000000070B8C000-memory.dmp

memory/5116-199-0x00000000712F0000-0x0000000071644000-memory.dmp

memory/1500-210-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/4380-220-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/1676-223-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4380-225-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/1500-226-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1500-228-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1676-229-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/1500-231-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1676-235-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/1500-234-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1500-238-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1500-241-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1500-243-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1500-246-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1500-250-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1500-253-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1500-255-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1500-258-0x0000000000400000-0x0000000000D1C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-16 17:58

Reported

2024-05-16 17:59

Platform

win11-20240426-en

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A