Malware Analysis Report

2025-01-02 06:34

Sample ID 240515-3pcyyaab5w
Target b588f5cc23596ad4fe106d15181f0b9b68695b74355c11c6a1177e4db01b8a9f
SHA256 b588f5cc23596ad4fe106d15181f0b9b68695b74355c11c6a1177e4db01b8a9f
Tags
glupteba discovery dropper evasion execution loader persistence rootkit upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b588f5cc23596ad4fe106d15181f0b9b68695b74355c11c6a1177e4db01b8a9f

Threat Level: Known bad

The file b588f5cc23596ad4fe106d15181f0b9b68695b74355c11c6a1177e4db01b8a9f was found to be: Known bad.

Malicious Activity Summary

glupteba discovery dropper evasion execution loader persistence rootkit upx

Glupteba

Glupteba payload

Modifies Windows Firewall

Executes dropped EXE

UPX packed file

Checks installed software on the system

Adds Run key to start application

Manipulates WinMonFS driver

Drops file in System32 directory

Checks for VirtualBox DLLs, possible anti-VM trick

Launches sc.exe

Drops file in Windows directory

Command and Scripting Interpreter: PowerShell

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

Modifies data under HKEY_USERS

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-15 23:40

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-15 23:40

Reported

2024-05-15 23:43

Platform

win11-20240426-en

Max time kernel

131s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b588f5cc23596ad4fe106d15181f0b9b68695b74355c11c6a1177e4db01b8a9f.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload


Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\b588f5cc23596ad4fe106d15181f0b9b68695b74355c11c6a1177e4db01b8a9f.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\b588f5cc23596ad4fe106d15181f0b9b68695b74355c11c6a1177e4db01b8a9f.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\b588f5cc23596ad4fe106d15181f0b9b68695b74355c11c6a1177e4db01b8a9f.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\b588f5cc23596ad4fe106d15181f0b9b68695b74355c11c6a1177e4db01b8a9f.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-462 = "Afghanistan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-892 = "Morocco Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-31 = "Mid-Atlantic Daylight Time" C:\Users\Admin\AppData\Local\Temp\b588f5cc23596ad4fe106d15181f0b9b68695b74355c11c6a1177e4db01b8a9f.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1502 = "Turkey Standard Time" C:\Users\Admin\AppData\Local\Temp\b588f5cc23596ad4fe106d15181f0b9b68695b74355c11c6a1177e4db01b8a9f.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-681 = "E. Australia Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-365 = "Middle East Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1971 = "Belarus Daylight Time" C:\Users\Admin\AppData\Local\Temp\b588f5cc23596ad4fe106d15181f0b9b68695b74355c11c6a1177e4db01b8a9f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-492 = "India Standard Time" C:\Users\Admin\AppData\Local\Temp\b588f5cc23596ad4fe106d15181f0b9b68695b74355c11c6a1177e4db01b8a9f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-751 = "Tonga Daylight Time" C:\Users\Admin\AppData\Local\Temp\b588f5cc23596ad4fe106d15181f0b9b68695b74355c11c6a1177e4db01b8a9f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-215 = "Pacific Standard Time (Mexico)" C:\Windows\windefender.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-82 = "Atlantic Standard Time" C:\Users\Admin\AppData\Local\Temp\b588f5cc23596ad4fe106d15181f0b9b68695b74355c11c6a1177e4db01b8a9f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-252 = "Dateline Standard Time" C:\Users\Admin\AppData\Local\Temp\b588f5cc23596ad4fe106d15181f0b9b68695b74355c11c6a1177e4db01b8a9f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2772 = "Omsk Standard Time" C:\Users\Admin\AppData\Local\Temp\b588f5cc23596ad4fe106d15181f0b9b68695b74355c11c6a1177e4db01b8a9f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-282 = "Central Europe Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-291 = "Central European Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-381 = "South Africa Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1861 = "Russia TZ 6 Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-142 = "Canada Central Standard Time" C:\Users\Admin\AppData\Local\Temp\b588f5cc23596ad4fe106d15181f0b9b68695b74355c11c6a1177e4db01b8a9f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-772 = "Montevideo Standard Time" C:\Users\Admin\AppData\Local\Temp\b588f5cc23596ad4fe106d15181f0b9b68695b74355c11c6a1177e4db01b8a9f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-501 = "Nepal Daylight Time" C:\Users\Admin\AppData\Local\Temp\b588f5cc23596ad4fe106d15181f0b9b68695b74355c11c6a1177e4db01b8a9f.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-742 = "New Zealand Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-681 = "E. Australia Daylight Time" C:\Users\Admin\AppData\Local\Temp\b588f5cc23596ad4fe106d15181f0b9b68695b74355c11c6a1177e4db01b8a9f.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2511 = "Lord Howe Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-31 = "Mid-Atlantic Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1911 = "Russia TZ 10 Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-462 = "Afghanistan Standard Time" C:\Users\Admin\AppData\Local\Temp\b588f5cc23596ad4fe106d15181f0b9b68695b74355c11c6a1177e4db01b8a9f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1972 = "Belarus Standard Time" C:\Users\Admin\AppData\Local\Temp\b588f5cc23596ad4fe106d15181f0b9b68695b74355c11c6a1177e4db01b8a9f.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-841 = "Argentina Daylight Time" C:\Users\Admin\AppData\Local\Temp\b588f5cc23596ad4fe106d15181f0b9b68695b74355c11c6a1177e4db01b8a9f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-692 = "Tasmania Standard Time" C:\Users\Admin\AppData\Local\Temp\b588f5cc23596ad4fe106d15181f0b9b68695b74355c11c6a1177e4db01b8a9f.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-432 = "Iran Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2412 = "Marquesas Standard Time" C:\Users\Admin\AppData\Local\Temp\b588f5cc23596ad4fe106d15181f0b9b68695b74355c11c6a1177e4db01b8a9f.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1971 = "Belarus Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-331 = "E. Europe Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-402 = "Arabic Standard Time" C:\Users\Admin\AppData\Local\Temp\b588f5cc23596ad4fe106d15181f0b9b68695b74355c11c6a1177e4db01b8a9f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-601 = "Taipei Daylight Time" C:\Users\Admin\AppData\Local\Temp\b588f5cc23596ad4fe106d15181f0b9b68695b74355c11c6a1177e4db01b8a9f.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-651 = "AUS Central Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-412 = "E. Africa Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1802 = "Line Islands Standard Time" C:\Windows\windefender.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b588f5cc23596ad4fe106d15181f0b9b68695b74355c11c6a1177e4db01b8a9f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b588f5cc23596ad4fe106d15181f0b9b68695b74355c11c6a1177e4db01b8a9f.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b588f5cc23596ad4fe106d15181f0b9b68695b74355c11c6a1177e4db01b8a9f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b588f5cc23596ad4fe106d15181f0b9b68695b74355c11c6a1177e4db01b8a9f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b588f5cc23596ad4fe106d15181f0b9b68695b74355c11c6a1177e4db01b8a9f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b588f5cc23596ad4fe106d15181f0b9b68695b74355c11c6a1177e4db01b8a9f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b588f5cc23596ad4fe106d15181f0b9b68695b74355c11c6a1177e4db01b8a9f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b588f5cc23596ad4fe106d15181f0b9b68695b74355c11c6a1177e4db01b8a9f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b588f5cc23596ad4fe106d15181f0b9b68695b74355c11c6a1177e4db01b8a9f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b588f5cc23596ad4fe106d15181f0b9b68695b74355c11c6a1177e4db01b8a9f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b588f5cc23596ad4fe106d15181f0b9b68695b74355c11c6a1177e4db01b8a9f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b588f5cc23596ad4fe106d15181f0b9b68695b74355c11c6a1177e4db01b8a9f.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\b588f5cc23596ad4fe106d15181f0b9b68695b74355c11c6a1177e4db01b8a9f.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\b588f5cc23596ad4fe106d15181f0b9b68695b74355c11c6a1177e4db01b8a9f.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1304 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\b588f5cc23596ad4fe106d15181f0b9b68695b74355c11c6a1177e4db01b8a9f.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1304 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\b588f5cc23596ad4fe106d15181f0b9b68695b74355c11c6a1177e4db01b8a9f.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1304 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\b588f5cc23596ad4fe106d15181f0b9b68695b74355c11c6a1177e4db01b8a9f.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3472 wrote to memory of 3888 N/A C:\Users\Admin\AppData\Local\Temp\b588f5cc23596ad4fe106d15181f0b9b68695b74355c11c6a1177e4db01b8a9f.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3472 wrote to memory of 3888 N/A C:\Users\Admin\AppData\Local\Temp\b588f5cc23596ad4fe106d15181f0b9b68695b74355c11c6a1177e4db01b8a9f.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3472 wrote to memory of 3888 N/A C:\Users\Admin\AppData\Local\Temp\b588f5cc23596ad4fe106d15181f0b9b68695b74355c11c6a1177e4db01b8a9f.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3472 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\b588f5cc23596ad4fe106d15181f0b9b68695b74355c11c6a1177e4db01b8a9f.exe C:\Windows\system32\cmd.exe
PID 3472 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\b588f5cc23596ad4fe106d15181f0b9b68695b74355c11c6a1177e4db01b8a9f.exe C:\Windows\system32\cmd.exe
PID 1036 wrote to memory of 4536 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1036 wrote to memory of 4536 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3472 wrote to memory of 8 N/A C:\Users\Admin\AppData\Local\Temp\b588f5cc23596ad4fe106d15181f0b9b68695b74355c11c6a1177e4db01b8a9f.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3472 wrote to memory of 8 N/A C:\Users\Admin\AppData\Local\Temp\b588f5cc23596ad4fe106d15181f0b9b68695b74355c11c6a1177e4db01b8a9f.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3472 wrote to memory of 8 N/A C:\Users\Admin\AppData\Local\Temp\b588f5cc23596ad4fe106d15181f0b9b68695b74355c11c6a1177e4db01b8a9f.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3472 wrote to memory of 4892 N/A C:\Users\Admin\AppData\Local\Temp\b588f5cc23596ad4fe106d15181f0b9b68695b74355c11c6a1177e4db01b8a9f.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3472 wrote to memory of 4892 N/A C:\Users\Admin\AppData\Local\Temp\b588f5cc23596ad4fe106d15181f0b9b68695b74355c11c6a1177e4db01b8a9f.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3472 wrote to memory of 4892 N/A C:\Users\Admin\AppData\Local\Temp\b588f5cc23596ad4fe106d15181f0b9b68695b74355c11c6a1177e4db01b8a9f.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3472 wrote to memory of 5088 N/A C:\Users\Admin\AppData\Local\Temp\b588f5cc23596ad4fe106d15181f0b9b68695b74355c11c6a1177e4db01b8a9f.exe C:\Windows\rss\csrss.exe
PID 3472 wrote to memory of 5088 N/A C:\Users\Admin\AppData\Local\Temp\b588f5cc23596ad4fe106d15181f0b9b68695b74355c11c6a1177e4db01b8a9f.exe C:\Windows\rss\csrss.exe
PID 3472 wrote to memory of 5088 N/A C:\Users\Admin\AppData\Local\Temp\b588f5cc23596ad4fe106d15181f0b9b68695b74355c11c6a1177e4db01b8a9f.exe C:\Windows\rss\csrss.exe
PID 5088 wrote to memory of 3192 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5088 wrote to memory of 3192 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5088 wrote to memory of 3192 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5088 wrote to memory of 752 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5088 wrote to memory of 752 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5088 wrote to memory of 752 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5088 wrote to memory of 1556 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5088 wrote to memory of 1556 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5088 wrote to memory of 1556 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5088 wrote to memory of 4656 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 5088 wrote to memory of 4656 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 3552 wrote to memory of 3452 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 3552 wrote to memory of 3452 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 3552 wrote to memory of 3452 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 3452 wrote to memory of 3740 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 3452 wrote to memory of 3740 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 3452 wrote to memory of 3740 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\b588f5cc23596ad4fe106d15181f0b9b68695b74355c11c6a1177e4db01b8a9f.exe

"C:\Users\Admin\AppData\Local\Temp\b588f5cc23596ad4fe106d15181f0b9b68695b74355c11c6a1177e4db01b8a9f.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\b588f5cc23596ad4fe106d15181f0b9b68695b74355c11c6a1177e4db01b8a9f.exe

"C:\Users\Admin\AppData\Local\Temp\b588f5cc23596ad4fe106d15181f0b9b68695b74355c11c6a1177e4db01b8a9f.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 4056dfd0-eddb-4926-ba95-a42929d8d546.uuid.localstats.org udp
US 8.8.8.8:53 stun3.l.google.com udp
US 8.8.8.8:53 server6.localstats.org udp
US 162.159.130.233:443 cdn.discordapp.com tcp
BG 185.82.216.111:443 server6.localstats.org tcp
US 74.125.250.129:19302 stun3.l.google.com udp
US 104.21.94.82:443 carsalessystem.com tcp
US 52.111.229.48:443 tcp
BG 185.82.216.111:443 server6.localstats.org tcp

Files

memory/1304-1-0x0000000004A20000-0x0000000004E1F000-memory.dmp

memory/1304-2-0x0000000004E20000-0x000000000570B000-memory.dmp

memory/1304-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2792-4-0x00000000741FE000-0x00000000741FF000-memory.dmp

memory/2792-5-0x00000000027B0000-0x00000000027E6000-memory.dmp

memory/2792-6-0x0000000005580000-0x0000000005BAA000-memory.dmp

memory/2792-7-0x00000000741F0000-0x00000000749A1000-memory.dmp

memory/2792-8-0x0000000005220000-0x0000000005242000-memory.dmp

memory/2792-9-0x00000000053C0000-0x0000000005426000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fnnmpalb.m4o.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2792-15-0x0000000005430000-0x0000000005496000-memory.dmp

memory/2792-20-0x0000000005BB0000-0x0000000005F07000-memory.dmp

memory/2792-19-0x00000000741F0000-0x00000000749A1000-memory.dmp

memory/2792-21-0x0000000005FC0000-0x0000000005FDE000-memory.dmp

memory/2792-22-0x0000000006000000-0x000000000604C000-memory.dmp

memory/2792-23-0x0000000007140000-0x0000000007186000-memory.dmp

memory/2792-26-0x0000000070630000-0x0000000070987000-memory.dmp

memory/2792-36-0x0000000007430000-0x000000000744E000-memory.dmp

memory/2792-37-0x0000000007450000-0x00000000074F4000-memory.dmp

memory/2792-35-0x00000000741F0000-0x00000000749A1000-memory.dmp

memory/2792-25-0x0000000070460000-0x00000000704AC000-memory.dmp

memory/2792-24-0x00000000073F0000-0x0000000007424000-memory.dmp

memory/2792-38-0x00000000741F0000-0x00000000749A1000-memory.dmp

memory/2792-39-0x0000000007BC0000-0x000000000823A000-memory.dmp

memory/2792-40-0x0000000007580000-0x000000000759A000-memory.dmp

memory/2792-41-0x00000000075C0000-0x00000000075CA000-memory.dmp

memory/2792-42-0x00000000076D0000-0x0000000007766000-memory.dmp

memory/2792-43-0x00000000075E0000-0x00000000075F1000-memory.dmp

memory/2792-44-0x0000000007630000-0x000000000763E000-memory.dmp

memory/2792-45-0x0000000007640000-0x0000000007655000-memory.dmp

memory/2792-46-0x0000000007690000-0x00000000076AA000-memory.dmp

memory/2792-47-0x00000000076B0000-0x00000000076B8000-memory.dmp

memory/2792-50-0x00000000741F0000-0x00000000749A1000-memory.dmp

memory/1304-52-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/1304-53-0x0000000004A20000-0x0000000004E1F000-memory.dmp

memory/1304-54-0x0000000004E20000-0x000000000570B000-memory.dmp

memory/3888-63-0x00000000055E0000-0x0000000005937000-memory.dmp

memory/3888-64-0x0000000070460000-0x00000000704AC000-memory.dmp

memory/3888-65-0x0000000070670000-0x00000000709C7000-memory.dmp

memory/3888-74-0x0000000006D10000-0x0000000006DB4000-memory.dmp

memory/3888-75-0x0000000007040000-0x0000000007051000-memory.dmp

memory/3888-76-0x0000000007090000-0x00000000070A5000-memory.dmp

memory/1304-81-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3472-80-0x0000000000400000-0x0000000002B0B000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 d0c46cad6c0778401e21910bd6b56b70
SHA1 7be418951ea96326aca445b8dfe449b2bfa0dca6
SHA256 9600b3fdf0565ccb49e21656aa4b24d7c18f776bfd04d9ee984b134707550f02
SHA512 057531b468f7fbbb2175a696a8aab274dec0d17d9f71df309edcff35e064f3378050066a3df47ccd03048fac461594ec75e3d4fe64f9dd79949d129f51e02949

memory/8-83-0x0000000005AD0000-0x0000000005E27000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 f5f91ce6963951b81cb20ff4359d7734
SHA1 9b899a786bf61fe4f093d367f1d3ba6cdaa713e3
SHA256 f79900b0e67f98637148057d1ed098f9860d83c00e635473400852400fad6b93
SHA512 9d7147f0eca3a5f5f7276ee6fcf9b658d34cbe7b06f96bcc82841f03af8c2b87742db09b2ff8bc6f96186fb3bee5029bf4aaa976805236132680c4aa615a26b1

memory/8-93-0x0000000070460000-0x00000000704AC000-memory.dmp

memory/8-94-0x00000000706B0000-0x0000000070A07000-memory.dmp

memory/4892-112-0x00000000059B0000-0x0000000005D07000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 499d755dfbd77e712a6bba413f910b8b
SHA1 5c44e9456cebc8c8abf98bceff01873846ba0699
SHA256 e1d4563ce6853e06aa709b9add24d759ffcf2a0bbb9efe46bde67fc82875374c
SHA512 99a70d7f1a0409f625b227f5db930caef5fa5de600ca21209f44acf087d23dc04e8746d2ae2e5692d3d5d6656d2cf41f8b1dabda52b6b1994b1cae74855ec7b8

memory/4892-115-0x0000000070600000-0x0000000070957000-memory.dmp

memory/4892-114-0x0000000070460000-0x00000000704AC000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 582d1f04a6baf535d024aa21df81465c
SHA1 7f135be67ad28d2cdcdaddc5a3a4df85358b0e9a
SHA256 b588f5cc23596ad4fe106d15181f0b9b68695b74355c11c6a1177e4db01b8a9f
SHA512 26019a1cf99229afa879bb4563f35f7c29ec02858e87fdf842dccc473242afe0a97974326fbd5b9aac13ad00e5ea515a39c35ca9aa8d75124a5b5fd75945f7e3

memory/3472-131-0x0000000000400000-0x0000000002B0B000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 2d078881492ff745df5bc76aff772fbd
SHA1 9d92061965f7712bb3c2c0c035ba06bf979c495a
SHA256 3b348aa1e0e3b07fd87602056f9195379fdceb76f6510d7148c31db9e56323ef
SHA512 4bd40708b3f66ff7c4ecc3a20823b2b6670e132291a609384560a1edfd9b18a3d68924e08ecbd26aaa1086609ac51f9adaf31b3a88383614d6589ec9eed9d9d9

memory/3192-141-0x0000000070460000-0x00000000704AC000-memory.dmp

memory/3192-142-0x00000000706B0000-0x0000000070A07000-memory.dmp

memory/5088-152-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/752-158-0x0000000005560000-0x00000000058B7000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 fbc034c88730465f3c0bd855ffa96872
SHA1 12b996168b17daa5f5ff21a7fc98aa0b3b168778
SHA256 cb1834b6a99636290ba1ae8ef2b9333b5ad74715583beb02dcadfa52b8e2c68f
SHA512 5a92d9e08b8ecc5dd651ec0d73c761b765298403448952464d1bbcf119eab05b71a3b9153951f532c4a2f727e4d4536d52e6c16c34ce01c4eaa1e7571a1cade3

memory/752-163-0x0000000005B20000-0x0000000005B6C000-memory.dmp

memory/752-165-0x00000000705D0000-0x0000000070927000-memory.dmp

memory/752-164-0x0000000070380000-0x00000000703CC000-memory.dmp

memory/752-174-0x0000000006D60000-0x0000000006E04000-memory.dmp

memory/752-175-0x0000000007080000-0x0000000007091000-memory.dmp

memory/752-176-0x00000000058E0000-0x00000000058F5000-memory.dmp

memory/1556-186-0x00000000060B0000-0x0000000006407000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 827c990f3968b3fc9488f1e2f3b94022
SHA1 ab09036ff68fed868bbc6bedd4f785d27d38da29
SHA256 a37bc78213a7909ead853b0297fce6c4e9eb95535b90eccb6029a4a3782ea11d
SHA512 d0d4d98ccbfc90d5f1bb20a4b6dc574723354434475cb0014e132bf687390e851659b3cd82e30a73323f530d980926d02f97828e9b06016427f4bf0501b774ab

memory/1556-188-0x0000000070380000-0x00000000703CC000-memory.dmp

memory/1556-189-0x0000000070520000-0x0000000070877000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/5088-206-0x0000000000400000-0x0000000002B0B000-memory.dmp

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/3552-211-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3884-213-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3552-215-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/5088-218-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/3884-221-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/5088-222-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/5088-226-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/3884-227-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/5088-230-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/5088-234-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/5088-238-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/3884-239-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/5088-242-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/5088-246-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/5088-250-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/5088-254-0x0000000000400000-0x0000000002B0B000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-15 23:40

Reported

2024-05-15 23:43

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b588f5cc23596ad4fe106d15181f0b9b68695b74355c11c6a1177e4db01b8a9f.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\b588f5cc23596ad4fe106d15181f0b9b68695b74355c11c6a1177e4db01b8a9f.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\b588f5cc23596ad4fe106d15181f0b9b68695b74355c11c6a1177e4db01b8a9f.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\b588f5cc23596ad4fe106d15181f0b9b68695b74355c11c6a1177e4db01b8a9f.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\b588f5cc23596ad4fe106d15181f0b9b68695b74355c11c6a1177e4db01b8a9f.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2431 = "Cuba Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-891 = "Morocco Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1861 = "Russia TZ 6 Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-151 = "Central America Daylight Time" C:\Users\Admin\AppData\Local\Temp\b588f5cc23596ad4fe106d15181f0b9b68695b74355c11c6a1177e4db01b8a9f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-722 = "Central Pacific Standard Time" C:\Users\Admin\AppData\Local\Temp\b588f5cc23596ad4fe106d15181f0b9b68695b74355c11c6a1177e4db01b8a9f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-111 = "Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\b588f5cc23596ad4fe106d15181f0b9b68695b74355c11c6a1177e4db01b8a9f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-341 = "Egypt Daylight Time" C:\Users\Admin\AppData\Local\Temp\b588f5cc23596ad4fe106d15181f0b9b68695b74355c11c6a1177e4db01b8a9f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2372 = "Easter Island Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-871 = "Pakistan Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-511 = "Central Asia Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-412 = "E. Africa Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-212 = "Pacific Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-211 = "Pacific Daylight Time" C:\Users\Admin\AppData\Local\Temp\b588f5cc23596ad4fe106d15181f0b9b68695b74355c11c6a1177e4db01b8a9f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-3051 = "Qyzylorda Daylight Time" C:\Users\Admin\AppData\Local\Temp\b588f5cc23596ad4fe106d15181f0b9b68695b74355c11c6a1177e4db01b8a9f.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-411 = "E. Africa Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-401 = "Arabic Daylight Time" C:\Users\Admin\AppData\Local\Temp\b588f5cc23596ad4fe106d15181f0b9b68695b74355c11c6a1177e4db01b8a9f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-332 = "E. Europe Standard Time" C:\Users\Admin\AppData\Local\Temp\b588f5cc23596ad4fe106d15181f0b9b68695b74355c11c6a1177e4db01b8a9f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2631 = "Norfolk Daylight Time" C:\Users\Admin\AppData\Local\Temp\b588f5cc23596ad4fe106d15181f0b9b68695b74355c11c6a1177e4db01b8a9f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2892 = "Sudan Standard Time" C:\Users\Admin\AppData\Local\Temp\b588f5cc23596ad4fe106d15181f0b9b68695b74355c11c6a1177e4db01b8a9f.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-292 = "Central European Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2531 = "Chatham Islands Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-682 = "E. Australia Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1831 = "Russia TZ 2 Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-632 = "Tokyo Standard Time" C:\Users\Admin\AppData\Local\Temp\b588f5cc23596ad4fe106d15181f0b9b68695b74355c11c6a1177e4db01b8a9f.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1972 = "Belarus Standard Time" C:\Users\Admin\AppData\Local\Temp\b588f5cc23596ad4fe106d15181f0b9b68695b74355c11c6a1177e4db01b8a9f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2321 = "Sakhalin Daylight Time" C:\Users\Admin\AppData\Local\Temp\b588f5cc23596ad4fe106d15181f0b9b68695b74355c11c6a1177e4db01b8a9f.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2592 = "Tocantins Standard Time" C:\Users\Admin\AppData\Local\Temp\b588f5cc23596ad4fe106d15181f0b9b68695b74355c11c6a1177e4db01b8a9f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2162 = "Altai Standard Time" C:\Users\Admin\AppData\Local\Temp\b588f5cc23596ad4fe106d15181f0b9b68695b74355c11c6a1177e4db01b8a9f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-672 = "AUS Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\b588f5cc23596ad4fe106d15181f0b9b68695b74355c11c6a1177e4db01b8a9f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-342 = "Egypt Standard Time" C:\Users\Admin\AppData\Local\Temp\b588f5cc23596ad4fe106d15181f0b9b68695b74355c11c6a1177e4db01b8a9f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-772 = "Montevideo Standard Time" C:\Users\Admin\AppData\Local\Temp\b588f5cc23596ad4fe106d15181f0b9b68695b74355c11c6a1177e4db01b8a9f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2452 = "Saint Pierre Standard Time" C:\Users\Admin\AppData\Local\Temp\b588f5cc23596ad4fe106d15181f0b9b68695b74355c11c6a1177e4db01b8a9f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2941 = "Sao Tome Daylight Time" C:\Users\Admin\AppData\Local\Temp\b588f5cc23596ad4fe106d15181f0b9b68695b74355c11c6a1177e4db01b8a9f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-842 = "Argentina Standard Time" C:\Users\Admin\AppData\Local\Temp\b588f5cc23596ad4fe106d15181f0b9b68695b74355c11c6a1177e4db01b8a9f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-191 = "Mountain Daylight Time" C:\Users\Admin\AppData\Local\Temp\b588f5cc23596ad4fe106d15181f0b9b68695b74355c11c6a1177e4db01b8a9f.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-72 = "Newfoundland Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2632 = "Norfolk Standard Time" C:\Users\Admin\AppData\Local\Temp\b588f5cc23596ad4fe106d15181f0b9b68695b74355c11c6a1177e4db01b8a9f.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-385 = "Namibia Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-142 = "Canada Central Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-631 = "Tokyo Daylight Time" C:\Windows\windefender.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b588f5cc23596ad4fe106d15181f0b9b68695b74355c11c6a1177e4db01b8a9f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b588f5cc23596ad4fe106d15181f0b9b68695b74355c11c6a1177e4db01b8a9f.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b588f5cc23596ad4fe106d15181f0b9b68695b74355c11c6a1177e4db01b8a9f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b588f5cc23596ad4fe106d15181f0b9b68695b74355c11c6a1177e4db01b8a9f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b588f5cc23596ad4fe106d15181f0b9b68695b74355c11c6a1177e4db01b8a9f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b588f5cc23596ad4fe106d15181f0b9b68695b74355c11c6a1177e4db01b8a9f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b588f5cc23596ad4fe106d15181f0b9b68695b74355c11c6a1177e4db01b8a9f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b588f5cc23596ad4fe106d15181f0b9b68695b74355c11c6a1177e4db01b8a9f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b588f5cc23596ad4fe106d15181f0b9b68695b74355c11c6a1177e4db01b8a9f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b588f5cc23596ad4fe106d15181f0b9b68695b74355c11c6a1177e4db01b8a9f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b588f5cc23596ad4fe106d15181f0b9b68695b74355c11c6a1177e4db01b8a9f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b588f5cc23596ad4fe106d15181f0b9b68695b74355c11c6a1177e4db01b8a9f.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\b588f5cc23596ad4fe106d15181f0b9b68695b74355c11c6a1177e4db01b8a9f.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\b588f5cc23596ad4fe106d15181f0b9b68695b74355c11c6a1177e4db01b8a9f.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4620 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\b588f5cc23596ad4fe106d15181f0b9b68695b74355c11c6a1177e4db01b8a9f.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4564 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\b588f5cc23596ad4fe106d15181f0b9b68695b74355c11c6a1177e4db01b8a9f.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4564 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\b588f5cc23596ad4fe106d15181f0b9b68695b74355c11c6a1177e4db01b8a9f.exe C:\Windows\system32\cmd.exe
PID 2356 wrote to memory of 1096 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4564 wrote to memory of 3180 N/A C:\Users\Admin\AppData\Local\Temp\b588f5cc23596ad4fe106d15181f0b9b68695b74355c11c6a1177e4db01b8a9f.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4564 wrote to memory of 396 N/A C:\Users\Admin\AppData\Local\Temp\b588f5cc23596ad4fe106d15181f0b9b68695b74355c11c6a1177e4db01b8a9f.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4564 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\b588f5cc23596ad4fe106d15181f0b9b68695b74355c11c6a1177e4db01b8a9f.exe C:\Windows\rss\csrss.exe
PID 2988 wrote to memory of 4796 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2988 wrote to memory of 3252 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2988 wrote to memory of 4456 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2988 wrote to memory of 4560 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 2568 wrote to memory of 780 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 780 wrote to memory of 2164 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\b588f5cc23596ad4fe106d15181f0b9b68695b74355c11c6a1177e4db01b8a9f.exe

"C:\Users\Admin\AppData\Local\Temp\b588f5cc23596ad4fe106d15181f0b9b68695b74355c11c6a1177e4db01b8a9f.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\b588f5cc23596ad4fe106d15181f0b9b68695b74355c11c6a1177e4db01b8a9f.exe

"C:\Users\Admin\AppData\Local\Temp\b588f5cc23596ad4fe106d15181f0b9b68695b74355c11c6a1177e4db01b8a9f.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_smpxmf4h.3lv.ps1

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Windows\windefender.exe
