Malware Analysis Report

2025-06-16 01:58

Sample ID 240509-vewz3afe55
Target 959d1fa8c77f5248c79471dc047f6e21fe1bbf762105beb76d045d6b4138a81b
SHA256 959d1fa8c77f5248c79471dc047f6e21fe1bbf762105beb76d045d6b4138a81b
Tags
glupteba discovery dropper evasion execution loader persistence rootkit upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

959d1fa8c77f5248c79471dc047f6e21fe1bbf762105beb76d045d6b4138a81b

Threat Level: Known bad

The file 959d1fa8c77f5248c79471dc047f6e21fe1bbf762105beb76d045d6b4138a81b was found to be: Known bad.

Malicious Activity Summary

glupteba discovery dropper evasion execution loader persistence rootkit upx

Glupteba payload

Glupteba

Modifies Windows Firewall

UPX packed file

Executes dropped EXE

Manipulates WinMonFS driver

Adds Run key to start application

Checks installed software on the system

Drops file in System32 directory

Checks for VirtualBox DLLs, possible anti-VM trick

Drops file in Windows directory

Launches sc.exe

Command and Scripting Interpreter: PowerShell

Modifies data under HKEY_USERS

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-09 16:54

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-09 16:54

Reported

2024-05-09 16:57

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\959d1fa8c77f5248c79471dc047f6e21fe1bbf762105beb76d045d6b4138a81b.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
(19 hits; the sandbox reports no description, indicator, process or target for any of them)

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Description Indicator Process Target
(6 hits; no description, indicator, process or target reported)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\959d1fa8c77f5248c79471dc047f6e21fe1bbf762105beb76d045d6b4138a81b.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A
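The Run value above starts a binary named csrss.exe from C:\Windows\rss rather than from System32, and the same path recurs in the scheduled task and the inbound firewall rule listed under Processes, next to a second implant dropped as C:\Windows\windefender.exe. The Python below is an added example, not part of the sandbox report: it runs a handful of detection checks over process-creation and Run-key events constructed from this report's process list. The list of System32-only binary names and the allow-list of executables that legitimately sit in the Windows root are assumptions to tune for a real environment.

```python
import re

# File names whose legitimate copy lives only under System32 / SysWOW64; the
# same name anywhere else is a masquerade (ATT&CK T1036). Assumed starting list.
SYSTEM32_ONLY = {"csrss.exe", "smss.exe", "lsass.exe", "services.exe",
                 "svchost.exe", "winlogon.exe", "wininit.exe"}
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Executables that legitimately sit directly in C:\Windows\ (assumed allow-list,
# tune per build). Anything else there, e.g. windefender.exe here, is worth a look.
WINDOWS_ROOT_ALLOW = {"explorer.exe", "notepad.exe", "regedit.exe", "write.exe",
                      "hh.exe", "splwow64.exe", "bfsvc.exe", "winhlp32.exe",
                      "helppane.exe"}


def norm(path):
    return path.strip().strip('"').lower()


def suspicious_path(path):
    """Reason string if `path` is a masqueraded or oddly placed binary, else None."""
    p = norm(path)
    name = p.rsplit("\\", 1)[-1]
    if name in SYSTEM32_ONLY and not p.startswith(TRUSTED_DIRS):
        return f"system binary name outside System32: {p}"
    if re.fullmatch(r"c:\\windows\\[^\\]+\.exe", p) and name not in WINDOWS_ROOT_ALLOW:
        return f"unexpected executable in Windows root: {p}"
    return None


def _arg_after(prefix, cmdline):
    """Value following `prefix` (e.g. '/TR' or 'program='), quoted or bare."""
    m = (re.search(prefix + r'\s*"([^"]+)"', cmdline, re.I)
         or re.search(prefix + r"\s*(\S+)", cmdline, re.I))
    return m.group(1) if m else None


def inspect_process(image, cmdline):
    """Apply the process-creation rules; returns a list of (rule, detail)."""
    findings = []
    reason = suspicious_path(image)
    if reason:
        findings.append(("masquerade", reason))
    low = cmdline.lower()
    # Logon task whose action is a masqueraded binary (here also /RL HIGHEST).
    if "schtasks" in low and "/create" in low:
        target = _arg_after(r"/TR", cmdline)
        if target and suspicious_path(target):
            findings.append(("schtasks_persistence", f"logon task runs {norm(target)}"
                             + (" with /RL HIGHEST" if "/rl highest" in low else "")))
    # Inbound firewall allow rule for a masqueraded binary.
    if "advfirewall" in low and "add rule" in low and "action=allow" in low:
        prog = _arg_after(r"program=", cmdline)
        if prog and suspicious_path(prog):
            findings.append(("firewall_allow_rule", f"inbound allow for {norm(prog)}"))
    # Service DACL rewritten with an explicit deny ACE (rare in legitimate admin work).
    if re.search(r"\bsc(?:\.exe)?\s+sdset\b", low) and "(d;;" in low:
        findings.append(("service_dacl_deny", "sc sdset with an explicit deny ACE"))
    return findings


def inspect_run_value(name, data):
    """Run-key value whose program path is masqueraded or oddly placed."""
    reason = suspicious_path(data)
    return [("run_key_persistence", f"Run\\{name}: {reason}")] if reason else []


# Events constructed from this report's process list and Run-key signature.
EVENTS = [
    ("process", r"C:\Windows\rss\csrss.exe", r"C:\Windows\rss\csrss.exe"),
    ("process", r"C:\Windows\system32\netsh.exe",
     'netsh advfirewall firewall add rule name="csrss" dir=in action=allow '
     r'program="C:\Windows\rss\csrss.exe" enable=yes'),
    ("process", r"C:\Windows\SYSTEM32\schtasks.exe",
     r'schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F'),
    ("process", r"C:\Windows\SYSTEM32\schtasks.exe", "schtasks /delete /tn ScheduledUpdate /f"),
    ("process", r"C:\Windows\windefender.exe", r'"C:\Windows\windefender.exe"'),
    ("process", r"C:\Windows\SysWOW64\sc.exe",
     "sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)"
     "(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
     "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"),
    ("process", r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "powershell -nologo -noprofile"),
    ("registry", "csrss", r'"C:\Windows\rss\csrss.exe"'),
]


def run(events):
    findings = []
    for kind, a, b in events:
        findings.extend(inspect_process(a, b) if kind == "process" else inspect_run_value(a, b))
    return findings


if __name__ == "__main__":
    for rule, detail in run(EVENTS):
        print(f"{rule:22} {detail}")
```

Run against the constructed events, the checks fire six times: two masquerades (csrss.exe outside System32, windefender.exe in the Windows root), the logon task, the firewall allow rule, the sc sdset deny ACE and the Run value; the powershell.exe launches and the schtasks /delete pass clean. The path check deliberately ignores process ancestry, so it also catches the persisted copies when they start on their own at the next logon.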

Checks installed software on the system

discovery

Manipulates WinMonFS driver

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification (5 times) C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\959d1fa8c77f5248c79471dc047f6e21fe1bbf762105beb76d045d6b4138a81b.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\959d1fa8c77f5248c79471dc047f6e21fe1bbf762105beb76d045d6b4138a81b.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\959d1fa8c77f5248c79471dc047f6e21fe1bbf762105beb76d045d6b4138a81b.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-112 = "Eastern Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-631 = "Tokyo Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2161 = "Altai Daylight Time" C:\Users\Admin\AppData\Local\Temp\959d1fa8c77f5248c79471dc047f6e21fe1bbf762105beb76d045d6b4138a81b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-842 = "Argentina Standard Time" C:\Users\Admin\AppData\Local\Temp\959d1fa8c77f5248c79471dc047f6e21fe1bbf762105beb76d045d6b4138a81b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2391 = "Aleutian Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2612 = "Bougainville Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2531 = "Chatham Islands Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-232 = "Hawaiian Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-962 = "Paraguay Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-221 = "Alaskan Daylight Time" C:\Users\Admin\AppData\Local\Temp\959d1fa8c77f5248c79471dc047f6e21fe1bbf762105beb76d045d6b4138a81b.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2492 = "Aus Central W. Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1721 = "Libya Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-491 = "India Daylight Time" C:\Users\Admin\AppData\Local\Temp\959d1fa8c77f5248c79471dc047f6e21fe1bbf762105beb76d045d6b4138a81b.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-361 = "GTB Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2341 = "Haiti Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-292 = "Central European Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2371 = "Easter Island Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2891 = "Sudan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-751 = "Tonga Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-721 = "Central Pacific Daylight Time" C:\Users\Admin\AppData\Local\Temp\959d1fa8c77f5248c79471dc047f6e21fe1bbf762105beb76d045d6b4138a81b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-91 = "Pacific SA Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-601 = "Taipei Daylight Time" C:\Users\Admin\AppData\Local\Temp\959d1fa8c77f5248c79471dc047f6e21fe1bbf762105beb76d045d6b4138a81b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2432 = "Cuba Standard Time" C:\Users\Admin\AppData\Local\Temp\959d1fa8c77f5248c79471dc047f6e21fe1bbf762105beb76d045d6b4138a81b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2751 = "Tomsk Daylight Time" C:\Users\Admin\AppData\Local\Temp\959d1fa8c77f5248c79471dc047f6e21fe1bbf762105beb76d045d6b4138a81b.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1041 = "Ulaanbaatar Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-131 = "US Eastern Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-302 = "Romance Standard Time" C:\Users\Admin\AppData\Local\Temp\959d1fa8c77f5248c79471dc047f6e21fe1bbf762105beb76d045d6b4138a81b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2001 = "Cabo Verde Daylight Time" C:\Users\Admin\AppData\Local\Temp\959d1fa8c77f5248c79471dc047f6e21fe1bbf762105beb76d045d6b4138a81b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time" C:\Users\Admin\AppData\Local\Temp\959d1fa8c77f5248c79471dc047f6e21fe1bbf762105beb76d045d6b4138a81b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-561 = "SE Asia Daylight Time" C:\Users\Admin\AppData\Local\Temp\959d1fa8c77f5248c79471dc047f6e21fe1bbf762105beb76d045d6b4138a81b.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2612 = "Bougainville Standard Time" C:\Users\Admin\AppData\Local\Temp\959d1fa8c77f5248c79471dc047f6e21fe1bbf762105beb76d045d6b4138a81b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-891 = "Morocco Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1662 = "Bahia Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-252 = "Dateline Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-364 = "Middle East Daylight Time" C:\Users\Admin\AppData\Local\Temp\959d1fa8c77f5248c79471dc047f6e21fe1bbf762105beb76d045d6b4138a81b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-831 = "SA Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\959d1fa8c77f5248c79471dc047f6e21fe1bbf762105beb76d045d6b4138a81b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-531 = "Sri Lanka Daylight Time" C:\Users\Admin\AppData\Local\Temp\959d1fa8c77f5248c79471dc047f6e21fe1bbf762105beb76d045d6b4138a81b.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-181 = "Mountain Daylight Time (Mexico)" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1832 = "Russia TZ 2 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1831 = "Russia TZ 2 Daylight Time" C:\Users\Admin\AppData\Local\Temp\959d1fa8c77f5248c79471dc047f6e21fe1bbf762105beb76d045d6b4138a81b.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe (32 hits) N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (14 hits) N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\959d1fa8c77f5248c79471dc047f6e21fe1bbf762105beb76d045d6b4138a81b.exe (12 hits) N/A
N/A N/A C:\Windows\rss\csrss.exe (6 hits) N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\959d1fa8c77f5248c79471dc047f6e21fe1bbf762105beb76d045d6b4138a81b.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\959d1fa8c77f5248c79471dc047f6e21fe1bbf762105beb76d045d6b4138a81b.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3824 wrote to memory of 1168 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\959d1fa8c77f5248c79471dc047f6e21fe1bbf762105beb76d045d6b4138a81b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4564 wrote to memory of 3452 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\959d1fa8c77f5248c79471dc047f6e21fe1bbf762105beb76d045d6b4138a81b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4564 wrote to memory of 448 (2 writes) N/A C:\Users\Admin\AppData\Local\Temp\959d1fa8c77f5248c79471dc047f6e21fe1bbf762105beb76d045d6b4138a81b.exe C:\Windows\system32\cmd.exe
PID 448 wrote to memory of 3484 (2 writes) N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4564 wrote to memory of 468 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\959d1fa8c77f5248c79471dc047f6e21fe1bbf762105beb76d045d6b4138a81b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4564 wrote to memory of 4596 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\959d1fa8c77f5248c79471dc047f6e21fe1bbf762105beb76d045d6b4138a81b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4564 wrote to memory of 3808 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\959d1fa8c77f5248c79471dc047f6e21fe1bbf762105beb76d045d6b4138a81b.exe C:\Windows\rss\csrss.exe
PID 3808 wrote to memory of 3364 (3 writes) N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3808 wrote to memory of 2768 (3 writes) N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3808 wrote to memory of 4684 (3 writes) N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3808 wrote to memory of 232 (2 writes) N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 4256 wrote to memory of 4664 (3 writes) N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 4664 wrote to memory of 4340 (3 writes) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\959d1fa8c77f5248c79471dc047f6e21fe1bbf762105beb76d045d6b4138a81b.exe

"C:\Users\Admin\AppData\Local\Temp\959d1fa8c77f5248c79471dc047f6e21fe1bbf762105beb76d045d6b4138a81b.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\959d1fa8c77f5248c79471dc047f6e21fe1bbf762105beb76d045d6b4138a81b.exe

"C:\Users\Admin\AppData\Local\Temp\959d1fa8c77f5248c79471dc047f6e21fe1bbf762105beb76d045d6b4138a81b.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
BE 88.221.83.225:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 225.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 31.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 49c9edc2-81f1-457a-b33f-cbd67dc83a74.uuid.statscreate.org udp
US 8.8.8.8:53 stun.sipgate.net udp
US 8.8.8.8:53 server2.statscreate.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 15.197.250.192:3478 stun.sipgate.net udp
US 162.159.129.233:443 cdn.discordapp.com tcp
BG 185.82.216.96:443 server2.statscreate.org tcp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 192.250.197.15.in-addr.arpa udp
US 8.8.8.8:53 carsalessystem.com udp
US 104.21.94.82:443 carsalessystem.com tcp
US 8.8.8.8:53 233.129.159.162.in-addr.arpa udp
US 8.8.8.8:53 96.216.82.185.in-addr.arpa udp
US 8.8.8.8:53 82.94.21.104.in-addr.arpa udp
BG 185.82.216.96:443 server2.statscreate.org tcp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
BG 185.82.216.96:443 server2.statscreate.org tcp

Files

memory/3824-1-0x0000000003240000-0x0000000003646000-memory.dmp

memory/3824-2-0x0000000004F00000-0x00000000057EB000-memory.dmp

memory/3824-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1168-4-0x0000000074DEE000-0x0000000074DEF000-memory.dmp

memory/1168-5-0x0000000005240000-0x0000000005276000-memory.dmp

memory/1168-6-0x0000000005930000-0x0000000005F58000-memory.dmp

memory/1168-7-0x0000000074DE0000-0x0000000075590000-memory.dmp

memory/1168-8-0x0000000074DE0000-0x0000000075590000-memory.dmp

memory/1168-9-0x0000000005820000-0x0000000005842000-memory.dmp

memory/1168-10-0x0000000006110000-0x0000000006176000-memory.dmp

memory/1168-11-0x0000000006180000-0x00000000061E6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1fyyzo2y.eql.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1168-21-0x00000000061F0000-0x0000000006544000-memory.dmp

memory/1168-22-0x0000000006800000-0x000000000681E000-memory.dmp

memory/1168-23-0x0000000006830000-0x000000000687C000-memory.dmp

memory/1168-24-0x0000000006D60000-0x0000000006DA4000-memory.dmp

memory/1168-25-0x0000000007910000-0x0000000007986000-memory.dmp

memory/1168-26-0x0000000008010000-0x000000000868A000-memory.dmp

memory/1168-27-0x00000000079B0000-0x00000000079CA000-memory.dmp

memory/1168-30-0x0000000070C80000-0x0000000070CCC000-memory.dmp

memory/1168-29-0x0000000007D70000-0x0000000007DA2000-memory.dmp

memory/1168-31-0x0000000071400000-0x0000000071754000-memory.dmp

memory/1168-41-0x0000000007DB0000-0x0000000007DCE000-memory.dmp

memory/1168-42-0x0000000007DD0000-0x0000000007E73000-memory.dmp

memory/3824-28-0x0000000000400000-0x0000000002ED6000-memory.dmp

memory/1168-43-0x0000000074DE0000-0x0000000075590000-memory.dmp

memory/1168-44-0x0000000007EC0000-0x0000000007ECA000-memory.dmp

memory/1168-45-0x0000000074DE0000-0x0000000075590000-memory.dmp

memory/1168-46-0x0000000008690000-0x0000000008726000-memory.dmp

memory/1168-47-0x0000000007F00000-0x0000000007F11000-memory.dmp

memory/1168-48-0x0000000007F40000-0x0000000007F4E000-memory.dmp

memory/1168-49-0x0000000007F50000-0x0000000007F64000-memory.dmp

memory/1168-50-0x0000000007FA0000-0x0000000007FBA000-memory.dmp

memory/1168-51-0x0000000007F90000-0x0000000007F98000-memory.dmp

memory/1168-54-0x0000000074DE0000-0x0000000075590000-memory.dmp

memory/3824-56-0x0000000003240000-0x0000000003646000-memory.dmp

memory/3824-57-0x0000000000400000-0x0000000002ED6000-memory.dmp

memory/3824-58-0x0000000004F00000-0x00000000057EB000-memory.dmp

memory/3452-68-0x00000000061B0000-0x0000000006504000-memory.dmp

memory/3452-69-0x0000000070C80000-0x0000000070CCC000-memory.dmp

memory/3452-70-0x0000000070E00000-0x0000000071154000-memory.dmp

memory/3452-81-0x0000000007910000-0x00000000079B3000-memory.dmp

memory/3824-82-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4564-80-0x0000000000400000-0x0000000002ED6000-memory.dmp

memory/3452-83-0x0000000007C20000-0x0000000007C31000-memory.dmp

memory/3452-84-0x0000000007C70000-0x0000000007C84000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 fc94799ef27c6c98b852ff53763cac86
SHA1 4ce70450a8a13d272f2532eb8f5a64f5ba92ca96
SHA256 568288b156dd4fd40481d973c169491a961d6a96e9d5fcc46bedc4f236a7e6c5
SHA512 ed0319136faf6fd0d21cdf03618ca6e3f7c01075b2ba7d61afa4372db114ef3120d1f3d339bd9f0e019ec6fe5212ec8bfbc04498a65fdb22e6ba495a807d7d9a

memory/468-100-0x0000000070E00000-0x0000000071154000-memory.dmp

memory/468-99-0x0000000070C80000-0x0000000070CCC000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 731daf87f10d3ed23f05ac76f1e733fb
SHA1 ea3cf7710dbcd26e635a3a17fd025126351f1881
SHA256 ae9de7f378978f98e07fc4a6afb299ef285203d20981e7dd97b7f007389d19f0
SHA512 264e63a395957f611c8cd2b4b3964df2bc99e7c7d4eb2f07979bc7cdf12b46ce402a3bc0b19a5a5b6b27be9ffdeead2e810e08292870a137943ce21b253c0913

memory/4596-122-0x0000000071400000-0x0000000071754000-memory.dmp

memory/4596-121-0x0000000070C80000-0x0000000070CCC000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 5697ae3edaa60fe9831e4d7fcf3b6c7d
SHA1 abbf6ffb25b29785833153beb54111ce79af70a4
SHA256 959d1fa8c77f5248c79471dc047f6e21fe1bbf762105beb76d045d6b4138a81b
SHA512 cca347bf178dd1ad6615dfeaf097426f6c7c35cec577eea668a790732704e066436b72dc036d11cf1d9c02b0d4289f4d09e1cfb1467b72c3edc7ad003c56ffbf

memory/4564-136-0x0000000000400000-0x0000000002ED6000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 7c493e949c6c1aaa585d22d7f60c80a2
SHA1 7f09d0d098a5c8d1e20616efa8d0c0a3155670b2
SHA256 90a227247f314a947ea7cb197ce27de387f90c544d4523e19b67c8085a6c69f4
SHA512 d00fc5885a4a456d8de86188e779350a82c2b270864db018f12c3b381361962e58024d991f79f6273d0f4ab2a5920f3a725624eca3996bebb002bd627b1aee4a

memory/3364-150-0x0000000070C80000-0x0000000070CCC000-memory.dmp

memory/3364-151-0x0000000071400000-0x0000000071754000-memory.dmp

memory/3808-161-0x0000000000400000-0x0000000002ED6000-memory.dmp

memory/2768-172-0x0000000005BC0000-0x0000000005F14000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 a1e4d09422cde6c38fe3c3e161d63038
SHA1 0e05c96a2c7df9eea21db004fe14a8071dfde50a
SHA256 2e9e4c7af56c1100e3b7525e0ee86ac69a0b7e9e80f9d2c5625a12a5d5d3920b
SHA512 e616e5acfb10a9dfa4882266f9c7fd1398f3486bb3630eef4b006fb0095625df17d3c299c017fc33519fab3f18afe12c8b8195bc53c5cffeebb01d4f7fabdedf

memory/2768-174-0x00000000062A0000-0x00000000062EC000-memory.dmp

memory/2768-175-0x0000000070BA0000-0x0000000070BEC000-memory.dmp

memory/2768-176-0x0000000070D30000-0x0000000071084000-memory.dmp

memory/2768-186-0x00000000074A0000-0x0000000007543000-memory.dmp

memory/2768-187-0x00000000077B0000-0x00000000077C1000-memory.dmp

memory/2768-188-0x0000000005AC0000-0x0000000005AD4000-memory.dmp

memory/4684-199-0x00000000059E0000-0x0000000005D34000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 040af75574603a51a73765f93422f0a6
SHA1 e64b341653ff0af71e9e9e6ecdf4f44f0473a1ca
SHA256 1b1144b4a320af50157acb8884f4f41c7fbc3cefa7b8e3ff78a0c673b74cd95a
SHA512 c7e10ad81e74b4fb2e1b2132aca42469e6a33bd20c14b2b808a29dbddf66ebf578863a7f68c66095bb3f2ece55ea84b1db0759cba48a30b43377c452c39dc457

memory/4684-202-0x0000000070BA0000-0x0000000070BEC000-memory.dmp

memory/4684-203-0x0000000070D20000-0x0000000071074000-memory.dmp

memory/3808-214-0x0000000000400000-0x0000000002ED6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/4256-224-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/520-227-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4256-229-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3808-230-0x0000000000400000-0x0000000002ED6000-memory.dmp

memory/520-233-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3808-232-0x0000000000400000-0x0000000002ED6000-memory.dmp

memory/3808-235-0x0000000000400000-0x0000000002ED6000-memory.dmp

memory/520-239-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3808-238-0x0000000000400000-0x0000000002ED6000-memory.dmp

memory/3808-242-0x0000000000400000-0x0000000002ED6000-memory.dmp

memory/3808-244-0x0000000000400000-0x0000000002ED6000-memory.dmp

memory/3808-247-0x0000000000400000-0x0000000002ED6000-memory.dmp

memory/3808-250-0x0000000000400000-0x0000000002ED6000-memory.dmp

memory/3808-254-0x0000000000400000-0x0000000002ED6000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-09 16:54

Reported

2024-05-09 16:57

Platform

win11-20240426-en

Max time kernel

149s

Max time network

141s

Command Line

"C:\Users\Admin\AppData\Local\Temp\959d1fa8c77f5248c79471dc047f6e21fe1bbf762105beb76d045d6b4138a81b.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
(19 hits; the sandbox recorded no description, indicator, process or target for any of them)

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Description Indicator Process Target
(7 hits; the sandbox recorded no description, indicator, process or target for any of them)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\959d1fa8c77f5248c79471dc047f6e21fe1bbf762105beb76d045d6b4138a81b.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\959d1fa8c77f5248c79471dc047f6e21fe1bbf762105beb76d045d6b4138a81b.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\959d1fa8c77f5248c79471dc047f6e21fe1bbf762105beb76d045d6b4138a81b.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\959d1fa8c77f5248c79471dc047f6e21fe1bbf762105beb76d045d6b4138a81b.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-151 = "Central America Daylight Time" C:\Users\Admin\AppData\Local\Temp\959d1fa8c77f5248c79471dc047f6e21fe1bbf762105beb76d045d6b4138a81b.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2531 = "Chatham Islands Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2411 = "Marquesas Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2752 = "Tomsk Standard Time" C:\Users\Admin\AppData\Local\Temp\959d1fa8c77f5248c79471dc047f6e21fe1bbf762105beb76d045d6b4138a81b.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2391 = "Aleutian Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-722 = "Central Pacific Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-171 = "Central Daylight Time (Mexico)" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2942 = "Sao Tome Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-462 = "Afghanistan Standard Time" C:\Users\Admin\AppData\Local\Temp\959d1fa8c77f5248c79471dc047f6e21fe1bbf762105beb76d045d6b4138a81b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-81 = "Atlantic Daylight Time" C:\Users\Admin\AppData\Local\Temp\959d1fa8c77f5248c79471dc047f6e21fe1bbf762105beb76d045d6b4138a81b.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-891 = "Morocco Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-671 = "AUS Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\959d1fa8c77f5248c79471dc047f6e21fe1bbf762105beb76d045d6b4138a81b.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-365 = "Middle East Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-242 = "Samoa Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-352 = "FLE Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-431 = "Iran Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-572 = "China Standard Time" C:\Users\Admin\AppData\Local\Temp\959d1fa8c77f5248c79471dc047f6e21fe1bbf762105beb76d045d6b4138a81b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-982 = "Kamchatka Standard Time" C:\Users\Admin\AppData\Local\Temp\959d1fa8c77f5248c79471dc047f6e21fe1bbf762105beb76d045d6b4138a81b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1471 = "Magadan Daylight Time" C:\Users\Admin\AppData\Local\Temp\959d1fa8c77f5248c79471dc047f6e21fe1bbf762105beb76d045d6b4138a81b.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-841 = "Argentina Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1722 = "Libya Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-752 = "Tonga Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1912 = "Russia TZ 10 Standard Time" C:\Users\Admin\AppData\Local\Temp\959d1fa8c77f5248c79471dc047f6e21fe1bbf762105beb76d045d6b4138a81b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2572 = "Turks and Caicos Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-222 = "Alaskan Standard Time" C:\Users\Admin\AppData\Local\Temp\959d1fa8c77f5248c79471dc047f6e21fe1bbf762105beb76d045d6b4138a81b.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2491 = "Aus Central W. Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-364 = "Middle East Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-412 = "E. Africa Standard Time" C:\Users\Admin\AppData\Local\Temp\959d1fa8c77f5248c79471dc047f6e21fe1bbf762105beb76d045d6b4138a81b.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-672 = "AUS Eastern Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-105 = "Central Brazilian Standard Time" C:\Users\Admin\AppData\Local\Temp\959d1fa8c77f5248c79471dc047f6e21fe1bbf762105beb76d045d6b4138a81b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-622 = "Korea Standard Time" C:\Users\Admin\AppData\Local\Temp\959d1fa8c77f5248c79471dc047f6e21fe1bbf762105beb76d045d6b4138a81b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-181 = "Mountain Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\959d1fa8c77f5248c79471dc047f6e21fe1bbf762105beb76d045d6b4138a81b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2061 = "North Korea Daylight Time" C:\Users\Admin\AppData\Local\Temp\959d1fa8c77f5248c79471dc047f6e21fe1bbf762105beb76d045d6b4138a81b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-241 = "Samoa Daylight Time" C:\Users\Admin\AppData\Local\Temp\959d1fa8c77f5248c79471dc047f6e21fe1bbf762105beb76d045d6b4138a81b.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2431 = "Cuba Daylight Time" C:\Users\Admin\AppData\Local\Temp\959d1fa8c77f5248c79471dc047f6e21fe1bbf762105beb76d045d6b4138a81b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-252 = "Dateline Standard Time" C:\Users\Admin\AppData\Local\Temp\959d1fa8c77f5248c79471dc047f6e21fe1bbf762105beb76d045d6b4138a81b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2871 = "Magallanes Daylight Time" C:\Users\Admin\AppData\Local\Temp\959d1fa8c77f5248c79471dc047f6e21fe1bbf762105beb76d045d6b4138a81b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-3142 = "South Sudan Standard Time" C:\Users\Admin\AppData\Local\Temp\959d1fa8c77f5248c79471dc047f6e21fe1bbf762105beb76d045d6b4138a81b.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2792 = "Novosibirsk Standard Time" C:\Windows\windefender.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-105 = "Central Brazilian Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-172 = "Central Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\959d1fa8c77f5248c79471dc047f6e21fe1bbf762105beb76d045d6b4138a81b.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\959d1fa8c77f5248c79471dc047f6e21fe1bbf762105beb76d045d6b4138a81b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\959d1fa8c77f5248c79471dc047f6e21fe1bbf762105beb76d045d6b4138a81b.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\959d1fa8c77f5248c79471dc047f6e21fe1bbf762105beb76d045d6b4138a81b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\959d1fa8c77f5248c79471dc047f6e21fe1bbf762105beb76d045d6b4138a81b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\959d1fa8c77f5248c79471dc047f6e21fe1bbf762105beb76d045d6b4138a81b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\959d1fa8c77f5248c79471dc047f6e21fe1bbf762105beb76d045d6b4138a81b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\959d1fa8c77f5248c79471dc047f6e21fe1bbf762105beb76d045d6b4138a81b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\959d1fa8c77f5248c79471dc047f6e21fe1bbf762105beb76d045d6b4138a81b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\959d1fa8c77f5248c79471dc047f6e21fe1bbf762105beb76d045d6b4138a81b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\959d1fa8c77f5248c79471dc047f6e21fe1bbf762105beb76d045d6b4138a81b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\959d1fa8c77f5248c79471dc047f6e21fe1bbf762105beb76d045d6b4138a81b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\959d1fa8c77f5248c79471dc047f6e21fe1bbf762105beb76d045d6b4138a81b.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\959d1fa8c77f5248c79471dc047f6e21fe1bbf762105beb76d045d6b4138a81b.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\959d1fa8c77f5248c79471dc047f6e21fe1bbf762105beb76d045d6b4138a81b.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1776 wrote to memory of 4688 N/A C:\Users\Admin\AppData\Local\Temp\959d1fa8c77f5248c79471dc047f6e21fe1bbf762105beb76d045d6b4138a81b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1776 wrote to memory of 4688 N/A C:\Users\Admin\AppData\Local\Temp\959d1fa8c77f5248c79471dc047f6e21fe1bbf762105beb76d045d6b4138a81b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1776 wrote to memory of 4688 N/A C:\Users\Admin\AppData\Local\Temp\959d1fa8c77f5248c79471dc047f6e21fe1bbf762105beb76d045d6b4138a81b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4952 wrote to memory of 248 N/A C:\Users\Admin\AppData\Local\Temp\959d1fa8c77f5248c79471dc047f6e21fe1bbf762105beb76d045d6b4138a81b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4952 wrote to memory of 248 N/A C:\Users\Admin\AppData\Local\Temp\959d1fa8c77f5248c79471dc047f6e21fe1bbf762105beb76d045d6b4138a81b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4952 wrote to memory of 248 N/A C:\Users\Admin\AppData\Local\Temp\959d1fa8c77f5248c79471dc047f6e21fe1bbf762105beb76d045d6b4138a81b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4952 wrote to memory of 4144 N/A C:\Users\Admin\AppData\Local\Temp\959d1fa8c77f5248c79471dc047f6e21fe1bbf762105beb76d045d6b4138a81b.exe C:\Windows\system32\cmd.exe
PID 4952 wrote to memory of 4144 N/A C:\Users\Admin\AppData\Local\Temp\959d1fa8c77f5248c79471dc047f6e21fe1bbf762105beb76d045d6b4138a81b.exe C:\Windows\system32\cmd.exe
PID 4144 wrote to memory of 2452 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4144 wrote to memory of 2452 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4952 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\959d1fa8c77f5248c79471dc047f6e21fe1bbf762105beb76d045d6b4138a81b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4952 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\959d1fa8c77f5248c79471dc047f6e21fe1bbf762105beb76d045d6b4138a81b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4952 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\959d1fa8c77f5248c79471dc047f6e21fe1bbf762105beb76d045d6b4138a81b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4952 wrote to memory of 2092 N/A C:\Users\Admin\AppData\Local\Temp\959d1fa8c77f5248c79471dc047f6e21fe1bbf762105beb76d045d6b4138a81b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4952 wrote to memory of 2092 N/A C:\Users\Admin\AppData\Local\Temp\959d1fa8c77f5248c79471dc047f6e21fe1bbf762105beb76d045d6b4138a81b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4952 wrote to memory of 2092 N/A C:\Users\Admin\AppData\Local\Temp\959d1fa8c77f5248c79471dc047f6e21fe1bbf762105beb76d045d6b4138a81b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4952 wrote to memory of 3528 N/A C:\Users\Admin\AppData\Local\Temp\959d1fa8c77f5248c79471dc047f6e21fe1bbf762105beb76d045d6b4138a81b.exe C:\Windows\rss\csrss.exe
PID 4952 wrote to memory of 3528 N/A C:\Users\Admin\AppData\Local\Temp\959d1fa8c77f5248c79471dc047f6e21fe1bbf762105beb76d045d6b4138a81b.exe C:\Windows\rss\csrss.exe
PID 4952 wrote to memory of 3528 N/A C:\Users\Admin\AppData\Local\Temp\959d1fa8c77f5248c79471dc047f6e21fe1bbf762105beb76d045d6b4138a81b.exe C:\Windows\rss\csrss.exe
PID 3528 wrote to memory of 2132 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3528 wrote to memory of 2132 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3528 wrote to memory of 2132 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3528 wrote to memory of 2432 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3528 wrote to memory of 2432 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3528 wrote to memory of 2432 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3528 wrote to memory of 4480 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3528 wrote to memory of 4480 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3528 wrote to memory of 4480 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3528 wrote to memory of 4772 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 3528 wrote to memory of 4772 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 2152 wrote to memory of 4260 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 2152 wrote to memory of 4260 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 2152 wrote to memory of 4260 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 4260 wrote to memory of 4116 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 4260 wrote to memory of 4116 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 4260 wrote to memory of 4116 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\959d1fa8c77f5248c79471dc047f6e21fe1bbf762105beb76d045d6b4138a81b.exe

"C:\Users\Admin\AppData\Local\Temp\959d1fa8c77f5248c79471dc047f6e21fe1bbf762105beb76d045d6b4138a81b.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\959d1fa8c77f5248c79471dc047f6e21fe1bbf762105beb76d045d6b4138a81b.exe

"C:\Users\Admin\AppData\Local\Temp\959d1fa8c77f5248c79471dc047f6e21fe1bbf762105beb76d045d6b4138a81b.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe
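
Read together, the command lines above are the whole persistence chain. The sample copies itself to C:\Windows\rss\csrss.exe (the dropped file's SHA256 under Files is the submitted sample's hash), a name that mimics the real Client/Server Runtime in System32; registers that copy as a scheduled task with /RL HIGHEST on an ONLOGON trigger; opens an inbound firewall allow rule for it; has injector.exe load NtQuerySystemInformationHook.dll into taskmgr.exe, which by its name hooks the API Task Manager uses to enumerate processes; and rewrites the security descriptor of the WinDefender service so that the ACE (D;;WPDT;;;BA) denies Builtin Administrators SERVICE_STOP (WP) and SERVICE_PAUSE_CONTINUE (DT), leaving `sc stop` and services.msc unable to stop it. That deny ACE does not cover WRITE_DAC, which the preceding allow ACE still grants to BA, so an administrator can reset the descriptor with `sc sdset` and then stop the service.

The Python below is an added example, not code from the report or the sandbox. It runs a few detection rules over those exact command lines (embedded as a constructed sample) and decodes the `sc sdset` SDDL to name the rights denied to Administrators. The two-letter SDDL right codes are the ones Microsoft documents for service DACLs; the rule names, the trusted-directory list, the core-process name list and the DLL-injection heuristic are this example's own choices.

```python
"""Triage rules for the process command lines listed above (added example)."""
import re

# Constructed sample: the command lines from the Processes section, verbatim.
SAMPLE_CMDLINES = [
    r'powershell -nologo -noprofile',
    r'C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"',
    r'netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes',
    r'C:\Windows\rss\csrss.exe',
    r'schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F',
    r'schtasks /delete /tn ScheduledUpdate /f',
    r'C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll',
    r'"C:\Windows\windefender.exe"',
    r'sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)',
]
# Service access rights as abbreviated in SDDL strings for `sc sdset`.
SERVICE_RIGHTS = {"CC": "QUERY_CONFIG", "DC": "CHANGE_CONFIG", "LC": "QUERY_STATUS",
                  "SW": "ENUMERATE_DEPENDENTS", "RP": "START", "WP": "STOP", "DT": "PAUSE_CONTINUE",
                  "LO": "INTERROGATE", "CR": "USER_DEFINED_CONTROL", "SD": "DELETE",
                  "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER"}
# Assumed lists: core process names whose genuine image lives only under System32/SysWOW64.
SYSTEM_PROCESS_NAMES = {"csrss.exe", "smss.exe", "wininit.exe", "winlogon.exe", "services.exe", "lsass.exe", "svchost.exe"}
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Windows paths without embedded spaces (enough for this sample; no "Program Files" handling).
WIN_PATH = re.compile(r'[a-z]:\\(?:[^\\\s"]+\\)*[^\\\s"]+\.(?:exe|dll)', re.I)


def parse_sddl_dacl(sddl):
    """Return the DACL ACEs of an SDDL string as (type, [rights], trustee)."""
    m = re.search(r"D:((?:\([^)]*\))+)", sddl)
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m.group(1) if m else ""):
        ace_type, _flags, rights, _obj, _inh, trustee = body.split(";")[:6]
        # Rights are two-letter codes run together ("WPDT" -> WP, DT) or a single hex mask.
        codes = [rights] if rights.startswith("0x") else [rights[i:i + 2] for i in range(0, len(rights), 2)]
        aces.append((ace_type, codes, trustee))
    return aces


def rule_service_dacl(cmd):
    """sc sdset whose DACL denies Administrators stop, pause, reconfigure or delete."""
    m = re.match(r"\s*sc(?:\.exe)?\s+sdset\s+(\S+)\s+(\S+)", cmd, re.I)
    if not m:
        return None
    svc, sddl = m.groups()
    for ace_type, codes, trustee in parse_sddl_dacl(sddl):
        denied = [SERVICE_RIGHTS[c] for c in codes if c in ("WP", "DT", "DC", "SD")]
        if ace_type == "D" and trustee == "BA" and denied:
            return f"service {svc}: Administrators denied {'/'.join(denied)}"
    return None


def rule_masquerade(cmd):
    """A core Windows process name referenced from outside System32/SysWOW64."""
    for path in WIN_PATH.findall(cmd):
        name = path.lower().rsplit("\\", 1)[-1]
        if name in SYSTEM_PROCESS_NAMES and not path.lower().startswith(TRUSTED_DIRS):
            return f"{name} masquerade at {path}"
    return None


def rule_schtasks_persistence(cmd):
    """schtasks /CREATE with the highest run level on a logon or boot trigger."""
    low = cmd.lower()
    if not re.match(r"\s*schtasks(?:\.exe)?\s", low) or "/create" not in low:
        return None
    trigger = re.search(r"/sc\s+(\S+)", low)
    target = re.search(r'/tr\s+"?([^"]+?)"?(?:\s+/|$)', cmd, re.I)
    if trigger and trigger.group(1) in ("onlogon", "onstart") and "/rl highest" in low:
        return f"elevated {trigger.group(1)} task runs {target.group(1) if target else '?'}"
    return None


def rule_firewall_allow(cmd):
    """netsh advfirewall inbound allow rule for a program outside the trusted dirs."""
    low = cmd.lower()
    prog = re.search(r'program="?([^"\s]+)', cmd, re.I)
    if ("advfirewall firewall add rule" in low and "action=allow" in low and prog
            and not prog.group(1).lower().startswith(TRUSTED_DIRS)):
        return f"inbound allow for {prog.group(1)}"
    return None


def rule_dll_injection(cmd):
    """Heuristic: a command that names another process image and a DLL path."""
    tokens = cmd.split()
    dlls = [t for t in tokens if t.lower().endswith(".dll")]
    targets = [t for t in tokens[1:] if re.fullmatch(r"[\w-]+\.exe", t, re.I)]
    if dlls and targets:
        dll = dlls[0].rsplit("\\", 1)[-1]
        return f"{dll} loaded into {targets[0]}"
    return None


RULES = (rule_masquerade, rule_schtasks_persistence, rule_firewall_allow,
         rule_service_dacl, rule_dll_injection)


def triage(cmdlines):
    """Run every rule over every command line; return (rule name, finding) pairs."""
    return [(rule.__name__, hit) for cmd in cmdlines for rule in RULES if (hit := rule(cmd))]


if __name__ == "__main__":
    for rule_name, finding in triage(SAMPLE_CMDLINES):
        print(f"{rule_name:26} {finding}")
```

Run as a script it prints nine findings for the sample: the csrss.exe masquerade is reported once per command line that references the path, the firewall rule twice (once for the cmd.exe wrapper, once for netsh itself), and the service rule names STOP and PAUSE_CONTINUE as the rights withheld from Administrators. The SDDL rule is the one worth keeping: it works on any `sc sdset` command line, while the path-based rules assume space-free paths and the short process-name list above.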

Network

Country Destination Domain Proto
US 8.8.8.8:53 d823c244-0e13-4138-8c3d-b50e4b010191.uuid.statscreate.org udp
US 8.8.8.8:53 server15.statscreate.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 74.125.250.129:19302 stun2.l.google.com udp
BG 185.82.216.96:443 server15.statscreate.org tcp
US 172.67.221.71:443 carsalessystem.com tcp
US 8.8.8.8:53 71.221.67.172.in-addr.arpa udp
BG 185.82.216.96:443 server15.statscreate.org tcp
BG 185.82.216.96:443 server15.statscreate.org tcp
BG 185.82.216.96:443 server15.statscreate.org tcp

Files

memory/1776-1-0x0000000003320000-0x000000000371A000-memory.dmp

memory/1776-2-0x00000000050C0000-0x00000000059AB000-memory.dmp

memory/1776-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4688-4-0x0000000074A0E000-0x0000000074A0F000-memory.dmp

memory/4688-5-0x0000000002FB0000-0x0000000002FE6000-memory.dmp

memory/4688-6-0x0000000074A00000-0x00000000751B1000-memory.dmp

memory/4688-7-0x0000000005CF0000-0x000000000631A000-memory.dmp

memory/4688-8-0x0000000005920000-0x0000000005942000-memory.dmp

memory/4688-9-0x0000000005BC0000-0x0000000005C26000-memory.dmp

memory/4688-10-0x0000000005C30000-0x0000000005C96000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wzwiojbx.mxp.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4688-19-0x0000000006320000-0x0000000006677000-memory.dmp

memory/4688-20-0x00000000067F0000-0x000000000680E000-memory.dmp

memory/4688-21-0x0000000006870000-0x00000000068BC000-memory.dmp

memory/4688-22-0x0000000006D60000-0x0000000006DA6000-memory.dmp

memory/4688-23-0x0000000007BE0000-0x0000000007C14000-memory.dmp

memory/4688-24-0x0000000070C70000-0x0000000070CBC000-memory.dmp

memory/4688-25-0x0000000070EC0000-0x0000000071217000-memory.dmp

memory/4688-34-0x0000000007C40000-0x0000000007C5E000-memory.dmp

memory/4688-35-0x0000000007C60000-0x0000000007D04000-memory.dmp

memory/4688-36-0x00000000083D0000-0x0000000008A4A000-memory.dmp

memory/4688-37-0x0000000007D90000-0x0000000007DAA000-memory.dmp

memory/4688-38-0x0000000007DD0000-0x0000000007DDA000-memory.dmp

memory/4688-39-0x0000000007EE0000-0x0000000007F76000-memory.dmp

memory/4688-40-0x0000000007DF0000-0x0000000007E01000-memory.dmp

memory/4688-41-0x0000000007E40000-0x0000000007E4E000-memory.dmp

memory/4688-42-0x0000000007E50000-0x0000000007E65000-memory.dmp

memory/4688-43-0x0000000007EA0000-0x0000000007EBA000-memory.dmp

memory/4688-44-0x0000000007EC0000-0x0000000007EC8000-memory.dmp

memory/4688-47-0x0000000074A00000-0x00000000751B1000-memory.dmp

memory/1776-49-0x0000000000400000-0x0000000002ED6000-memory.dmp

memory/248-58-0x0000000005710000-0x0000000005A67000-memory.dmp

memory/248-59-0x0000000070C70000-0x0000000070CBC000-memory.dmp

memory/248-60-0x0000000070DF0000-0x0000000071147000-memory.dmp

memory/248-69-0x0000000006D50000-0x0000000006DF4000-memory.dmp

memory/248-70-0x0000000007070000-0x0000000007081000-memory.dmp

memory/1776-71-0x0000000003320000-0x000000000371A000-memory.dmp

memory/1776-72-0x00000000050C0000-0x00000000059AB000-memory.dmp

memory/248-73-0x00000000070C0000-0x00000000070D5000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 d0c46cad6c0778401e21910bd6b56b70
SHA1 7be418951ea96326aca445b8dfe449b2bfa0dca6
SHA256 9600b3fdf0565ccb49e21656aa4b24d7c18f776bfd04d9ee984b134707550f02
SHA512 057531b468f7fbbb2175a696a8aab274dec0d17d9f71df309edcff35e064f3378050066a3df47ccd03048fac461594ec75e3d4fe64f9dd79949d129f51e02949

memory/2980-85-0x0000000005770000-0x0000000005AC7000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 9c09c48a2ef2cc39bc624e47e3bb1d78
SHA1 ca8e2ea9dec425085d938afb31d74a05281f2cf3
SHA256 ddda50a290849ff2595a4ce9820dfb65820b8f8d14acd89ea27bc1cf7daf555e
SHA512 e03697f11abe7d958cf5a7fc8ebb8701e6c5a92ef07ad139d5e6dfc88e62357660cfd6cfddd1f16ab42048825493b16a1f8eda5696cb9e062342abb3827bfe5e

memory/4952-88-0x0000000000400000-0x0000000002ED6000-memory.dmp

memory/2980-89-0x0000000070C70000-0x0000000070CBC000-memory.dmp

memory/2980-90-0x0000000070E10000-0x0000000071167000-memory.dmp

memory/2092-108-0x0000000006340000-0x0000000006697000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 ebaab6b779afecdfe3ae448900c9b143
SHA1 985a811b6a4d2129479f9828a94604a7e0696f18
SHA256 cbbb0aacdc728bbd68b670392ec6ceba1ae7091f9873f79e6a583cc481fe2334
SHA512 06328aa202d12c18b93cde35b39ac0ff87229a0c9d8dd3c64c60d5ff880125c4f7a6574253f5d96540cfefa66907527d35fbb0351b89c873ebc2e278c6fa5af6

memory/2092-111-0x00000000715B0000-0x0000000071907000-memory.dmp

memory/2092-110-0x0000000070C70000-0x0000000070CBC000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 5697ae3edaa60fe9831e4d7fcf3b6c7d
SHA1 abbf6ffb25b29785833153beb54111ce79af70a4
SHA256 959d1fa8c77f5248c79471dc047f6e21fe1bbf762105beb76d045d6b4138a81b
SHA512 cca347bf178dd1ad6615dfeaf097426f6c7c35cec577eea668a790732704e066436b72dc036d11cf1d9c02b0d4289f4d09e1cfb1467b72c3edc7ad003c56ffbf

memory/1776-125-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4952-126-0x0000000000400000-0x0000000002ED6000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 ad3e6b9961ab7c3afef3cc171e418951
SHA1 af3c0b14916f4515fc950caee0359c15446f5bf6
SHA256 d4da3e68d40093e88f364d80063c81fc20ca3be1bd21406393574cddd11f75f8
SHA512 11439bee1e29778f4f0e5c6c85262622eedc7aa96e488e5c12f3cdcecf649312137f6b9ca43936997754f10abade0e550ea0e435788834ff6b40416bf0b87bbe

memory/2132-139-0x0000000070EC0000-0x0000000071217000-memory.dmp

memory/2132-138-0x0000000070C70000-0x0000000070CBC000-memory.dmp

memory/3528-148-0x0000000000400000-0x0000000002ED6000-memory.dmp

memory/2432-150-0x00000000061B0000-0x0000000006507000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 88a20797cab40d80bef03f535c4ef91f
SHA1 4ba2f031702bf8d6957ae4172453212fcbe472c9
SHA256 329869809a7c03fb5bef73582ceb9dc21f27000ec86097f4f7382bb44332c73b
SHA512 fc71448dff69c153390377e335f7a1da570c0644cbb0f0793dea47cbba1b97e2724e9d3555544c5bcf79c54b6141754ffa6999aa73d8e45f1f51a88b403571ce

memory/2432-160-0x0000000006760000-0x00000000067AC000-memory.dmp

memory/2432-162-0x0000000070DE0000-0x0000000071137000-memory.dmp

memory/2432-161-0x0000000070B90000-0x0000000070BDC000-memory.dmp

memory/2432-171-0x0000000007990000-0x0000000007A34000-memory.dmp

memory/2432-172-0x0000000007D30000-0x0000000007D41000-memory.dmp

memory/2432-173-0x0000000006540000-0x0000000006555000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 6df844f47b527b3945a0db01db4a2ccb
SHA1 43574584c5bd3e725f3bbf550fdf0c4ac6361d4b
SHA256 a53d9329168f53d872f9b72750f541836bf8e7671cd2126288240a63b48385db
SHA512 628622eb8b22b082e8a6d8239f05b183034c98ce11bec5fa5a8df2d9d9959299b4757b8284a30df964b2aab01d639e45560a47132590d22cff76e1cd12f9fa68

memory/4480-184-0x0000000070B90000-0x0000000070BDC000-memory.dmp

memory/4480-185-0x0000000070DE0000-0x0000000071137000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/3528-201-0x0000000000400000-0x0000000002ED6000-memory.dmp

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/2152-205-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3576-208-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2152-210-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3528-212-0x0000000000400000-0x0000000002ED6000-memory.dmp

memory/3576-214-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3528-215-0x0000000000400000-0x0000000002ED6000-memory.dmp

memory/3528-218-0x0000000000400000-0x0000000002ED6000-memory.dmp

memory/3576-220-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3528-221-0x0000000000400000-0x0000000002ED6000-memory.dmp

memory/3528-224-0x0000000000400000-0x0000000002ED6000-memory.dmp

memory/3528-227-0x0000000000400000-0x0000000002ED6000-memory.dmp

memory/3576-229-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3528-230-0x0000000000400000-0x0000000002ED6000-memory.dmp

memory/3528-233-0x0000000000400000-0x0000000002ED6000-memory.dmp

memory/3528-236-0x0000000000400000-0x0000000002ED6000-memory.dmp

memory/3528-239-0x0000000000400000-0x0000000002ED6000-memory.dmp