Malware Analysis Report

2025-01-02 06:35

Sample ID 240515-3pgl5aab5z
Target adc770fc8445d9325a743ffdb40119906c9114e924d75bc08405ba0f0667e9b7
SHA256 adc770fc8445d9325a743ffdb40119906c9114e924d75bc08405ba0f0667e9b7
Tags
glupteba discovery dropper evasion execution loader persistence rootkit upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

adc770fc8445d9325a743ffdb40119906c9114e924d75bc08405ba0f0667e9b7

Threat Level: Known bad

The file adc770fc8445d9325a743ffdb40119906c9114e924d75bc08405ba0f0667e9b7 was found to be: Known bad.

Malicious Activity Summary

glupteba discovery dropper evasion execution loader persistence rootkit upx

Glupteba payload

Glupteba

Modifies Windows Firewall

Executes dropped EXE

UPX packed file

Checks installed software on the system

Adds Run key to start application

Manipulates WinMonFS driver.

Drops file in System32 directory

Launches sc.exe

Checks for VirtualBox DLLs, possible anti-VM trick

Drops file in Windows directory

Command and Scripting Interpreter: PowerShell

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

Modifies data under HKEY_USERS

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-15 23:41

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-15 23:41

Reported

2024-05-15 23:43

Platform

win10v2004-20240426-en

Max time kernel

89s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\adc770fc8445d9325a743ffdb40119906c9114e924d75bc08405ba0f0667e9b7.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\adc770fc8445d9325a743ffdb40119906c9114e924d75bc08405ba0f0667e9b7.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\adc770fc8445d9325a743ffdb40119906c9114e924d75bc08405ba0f0667e9b7.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\adc770fc8445d9325a743ffdb40119906c9114e924d75bc08405ba0f0667e9b7.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\adc770fc8445d9325a743ffdb40119906c9114e924d75bc08405ba0f0667e9b7.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1971 = "Belarus Daylight Time" C:\Users\Admin\AppData\Local\Temp\adc770fc8445d9325a743ffdb40119906c9114e924d75bc08405ba0f0667e9b7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-3052 = "Qyzylorda Standard Time" C:\Users\Admin\AppData\Local\Temp\adc770fc8445d9325a743ffdb40119906c9114e924d75bc08405ba0f0667e9b7.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-622 = "Korea Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2431 = "Cuba Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1832 = "Russia TZ 2 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-671 = "AUS Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\adc770fc8445d9325a743ffdb40119906c9114e924d75bc08405ba0f0667e9b7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2531 = "Chatham Islands Daylight Time" C:\Users\Admin\AppData\Local\Temp\adc770fc8445d9325a743ffdb40119906c9114e924d75bc08405ba0f0667e9b7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2432 = "Cuba Standard Time" C:\Users\Admin\AppData\Local\Temp\adc770fc8445d9325a743ffdb40119906c9114e924d75bc08405ba0f0667e9b7.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-81 = "Atlantic Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-191 = "Mountain Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1932 = "Russia TZ 11 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2751 = "Tomsk Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1662 = "Bahia Standard Time" C:\Users\Admin\AppData\Local\Temp\adc770fc8445d9325a743ffdb40119906c9114e924d75bc08405ba0f0667e9b7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-732 = "Fiji Standard Time" C:\Users\Admin\AppData\Local\Temp\adc770fc8445d9325a743ffdb40119906c9114e924d75bc08405ba0f0667e9b7.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1971 = "Belarus Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2371 = "Easter Island Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-632 = "Tokyo Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2492 = "Aus Central W. Standard Time" C:\Users\Admin\AppData\Local\Temp\adc770fc8445d9325a743ffdb40119906c9114e924d75bc08405ba0f0667e9b7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-384 = "Namibia Daylight Time" C:\Users\Admin\AppData\Local\Temp\adc770fc8445d9325a743ffdb40119906c9114e924d75bc08405ba0f0667e9b7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-532 = "Sri Lanka Standard Time" C:\Users\Admin\AppData\Local\Temp\adc770fc8445d9325a743ffdb40119906c9114e924d75bc08405ba0f0667e9b7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-181 = "Mountain Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\adc770fc8445d9325a743ffdb40119906c9114e924d75bc08405ba0f0667e9b7.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-172 = "Central Standard Time (Mexico)" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2181 = "Astrakhan Daylight Time" C:\Users\Admin\AppData\Local\Temp\adc770fc8445d9325a743ffdb40119906c9114e924d75bc08405ba0f0667e9b7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-412 = "E. Africa Standard Time" C:\Users\Admin\AppData\Local\Temp\adc770fc8445d9325a743ffdb40119906c9114e924d75bc08405ba0f0667e9b7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2871 = "Magallanes Daylight Time" C:\Users\Admin\AppData\Local\Temp\adc770fc8445d9325a743ffdb40119906c9114e924d75bc08405ba0f0667e9b7.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2392 = "Aleutian Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2771 = "Omsk Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time" C:\Users\Admin\AppData\Local\Temp\adc770fc8445d9325a743ffdb40119906c9114e924d75bc08405ba0f0667e9b7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1471 = "Magadan Daylight Time" C:\Users\Admin\AppData\Local\Temp\adc770fc8445d9325a743ffdb40119906c9114e924d75bc08405ba0f0667e9b7.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2612 = "Bougainville Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-261 = "GMT Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1912 = "Russia TZ 10 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-121 = "SA Pacific Daylight Time" C:\Users\Admin\AppData\Local\Temp\adc770fc8445d9325a743ffdb40119906c9114e924d75bc08405ba0f0667e9b7.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-261 = "GMT Daylight Time" C:\Users\Admin\AppData\Local\Temp\adc770fc8445d9325a743ffdb40119906c9114e924d75bc08405ba0f0667e9b7.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2391 = "Aleutian Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1022 = "Bangladesh Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-661 = "Cen. Australia Daylight Time" C:\Users\Admin\AppData\Local\Temp\adc770fc8445d9325a743ffdb40119906c9114e924d75bc08405ba0f0667e9b7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2632 = "Norfolk Standard Time" C:\Users\Admin\AppData\Local\Temp\adc770fc8445d9325a743ffdb40119906c9114e924d75bc08405ba0f0667e9b7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1411 = "Syria Daylight Time" C:\Users\Admin\AppData\Local\Temp\adc770fc8445d9325a743ffdb40119906c9114e924d75bc08405ba0f0667e9b7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-231 = "Hawaiian Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1042 = "Ulaanbaatar Standard Time" C:\Users\Admin\AppData\Local\Temp\adc770fc8445d9325a743ffdb40119906c9114e924d75bc08405ba0f0667e9b7.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1931 = "Russia TZ 11 Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1891 = "Russia TZ 3 Daylight Time" C:\Users\Admin\AppData\Local\Temp\adc770fc8445d9325a743ffdb40119906c9114e924d75bc08405ba0f0667e9b7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2941 = "Sao Tome Daylight Time" C:\Users\Admin\AppData\Local\Temp\adc770fc8445d9325a743ffdb40119906c9114e924d75bc08405ba0f0667e9b7.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\adc770fc8445d9325a743ffdb40119906c9114e924d75bc08405ba0f0667e9b7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\adc770fc8445d9325a743ffdb40119906c9114e924d75bc08405ba0f0667e9b7.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\adc770fc8445d9325a743ffdb40119906c9114e924d75bc08405ba0f0667e9b7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\adc770fc8445d9325a743ffdb40119906c9114e924d75bc08405ba0f0667e9b7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\adc770fc8445d9325a743ffdb40119906c9114e924d75bc08405ba0f0667e9b7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\adc770fc8445d9325a743ffdb40119906c9114e924d75bc08405ba0f0667e9b7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\adc770fc8445d9325a743ffdb40119906c9114e924d75bc08405ba0f0667e9b7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\adc770fc8445d9325a743ffdb40119906c9114e924d75bc08405ba0f0667e9b7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\adc770fc8445d9325a743ffdb40119906c9114e924d75bc08405ba0f0667e9b7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\adc770fc8445d9325a743ffdb40119906c9114e924d75bc08405ba0f0667e9b7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\adc770fc8445d9325a743ffdb40119906c9114e924d75bc08405ba0f0667e9b7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\adc770fc8445d9325a743ffdb40119906c9114e924d75bc08405ba0f0667e9b7.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\adc770fc8445d9325a743ffdb40119906c9114e924d75bc08405ba0f0667e9b7.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\adc770fc8445d9325a743ffdb40119906c9114e924d75bc08405ba0f0667e9b7.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3640 wrote to memory of 3532 N/A C:\Users\Admin\AppData\Local\Temp\adc770fc8445d9325a743ffdb40119906c9114e924d75bc08405ba0f0667e9b7.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3640 wrote to memory of 3532 N/A C:\Users\Admin\AppData\Local\Temp\adc770fc8445d9325a743ffdb40119906c9114e924d75bc08405ba0f0667e9b7.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3640 wrote to memory of 3532 N/A C:\Users\Admin\AppData\Local\Temp\adc770fc8445d9325a743ffdb40119906c9114e924d75bc08405ba0f0667e9b7.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1484 wrote to memory of 1848 N/A C:\Users\Admin\AppData\Local\Temp\adc770fc8445d9325a743ffdb40119906c9114e924d75bc08405ba0f0667e9b7.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1484 wrote to memory of 1848 N/A C:\Users\Admin\AppData\Local\Temp\adc770fc8445d9325a743ffdb40119906c9114e924d75bc08405ba0f0667e9b7.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1484 wrote to memory of 1848 N/A C:\Users\Admin\AppData\Local\Temp\adc770fc8445d9325a743ffdb40119906c9114e924d75bc08405ba0f0667e9b7.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1484 wrote to memory of 4536 N/A C:\Users\Admin\AppData\Local\Temp\adc770fc8445d9325a743ffdb40119906c9114e924d75bc08405ba0f0667e9b7.exe C:\Windows\system32\cmd.exe
PID 1484 wrote to memory of 4536 N/A C:\Users\Admin\AppData\Local\Temp\adc770fc8445d9325a743ffdb40119906c9114e924d75bc08405ba0f0667e9b7.exe C:\Windows\system32\cmd.exe
PID 4536 wrote to memory of 4656 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4536 wrote to memory of 4656 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1484 wrote to memory of 3348 N/A C:\Users\Admin\AppData\Local\Temp\adc770fc8445d9325a743ffdb40119906c9114e924d75bc08405ba0f0667e9b7.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1484 wrote to memory of 3348 N/A C:\Users\Admin\AppData\Local\Temp\adc770fc8445d9325a743ffdb40119906c9114e924d75bc08405ba0f0667e9b7.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1484 wrote to memory of 3348 N/A C:\Users\Admin\AppData\Local\Temp\adc770fc8445d9325a743ffdb40119906c9114e924d75bc08405ba0f0667e9b7.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1484 wrote to memory of 5528 N/A C:\Users\Admin\AppData\Local\Temp\adc770fc8445d9325a743ffdb40119906c9114e924d75bc08405ba0f0667e9b7.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1484 wrote to memory of 5528 N/A C:\Users\Admin\AppData\Local\Temp\adc770fc8445d9325a743ffdb40119906c9114e924d75bc08405ba0f0667e9b7.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1484 wrote to memory of 5528 N/A C:\Users\Admin\AppData\Local\Temp\adc770fc8445d9325a743ffdb40119906c9114e924d75bc08405ba0f0667e9b7.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1484 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\adc770fc8445d9325a743ffdb40119906c9114e924d75bc08405ba0f0667e9b7.exe C:\Windows\rss\csrss.exe
PID 1484 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\adc770fc8445d9325a743ffdb40119906c9114e924d75bc08405ba0f0667e9b7.exe C:\Windows\rss\csrss.exe
PID 1484 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\adc770fc8445d9325a743ffdb40119906c9114e924d75bc08405ba0f0667e9b7.exe C:\Windows\rss\csrss.exe
PID 2976 wrote to memory of 5692 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2976 wrote to memory of 5692 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2976 wrote to memory of 5692 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2976 wrote to memory of 1056 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2976 wrote to memory of 1056 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2976 wrote to memory of 1056 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2976 wrote to memory of 3620 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2976 wrote to memory of 3620 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2976 wrote to memory of 3620 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2976 wrote to memory of 3180 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 2976 wrote to memory of 3180 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 4352 wrote to memory of 3064 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 4352 wrote to memory of 3064 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 4352 wrote to memory of 3064 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 3064 wrote to memory of 3316 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 3064 wrote to memory of 3316 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 3064 wrote to memory of 3316 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\adc770fc8445d9325a743ffdb40119906c9114e924d75bc08405ba0f0667e9b7.exe

"C:\Users\Admin\AppData\Local\Temp\adc770fc8445d9325a743ffdb40119906c9114e924d75bc08405ba0f0667e9b7.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\adc770fc8445d9325a743ffdb40119906c9114e924d75bc08405ba0f0667e9b7.exe

"C:\Users\Admin\AppData\Local\Temp\adc770fc8445d9325a743ffdb40119906c9114e924d75bc08405ba0f0667e9b7.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 388c1987-dfcd-4617-87cc-5bb83f7f01d9.uuid.localstats.org udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 45.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 stun3.l.google.com udp
US 8.8.8.8:53 server1.localstats.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 74.125.250.129:19302 stun3.l.google.com udp
BG 185.82.216.111:443 server1.localstats.org tcp
US 8.8.8.8:53 carsalessystem.com udp
US 172.67.221.71:443 carsalessystem.com tcp
US 8.8.8.8:53 129.250.125.74.in-addr.arpa udp
US 8.8.8.8:53 233.130.159.162.in-addr.arpa udp
US 8.8.8.8:53 111.216.82.185.in-addr.arpa udp
US 8.8.8.8:53 71.221.67.172.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
BG 185.82.216.111:443 server1.localstats.org tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
BE 88.221.83.242:443 www.bing.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 242.83.221.88.in-addr.arpa udp

Files

memory/3640-1-0x00000000049E0000-0x0000000004DE4000-memory.dmp

memory/3640-2-0x0000000004DF0000-0x00000000056DB000-memory.dmp

memory/3640-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3532-4-0x00000000749DE000-0x00000000749DF000-memory.dmp

memory/3532-5-0x0000000002890000-0x00000000028C6000-memory.dmp

memory/3532-7-0x00000000749D0000-0x0000000075180000-memory.dmp

memory/3532-6-0x0000000004F50000-0x0000000005578000-memory.dmp

memory/3532-8-0x00000000749D0000-0x0000000075180000-memory.dmp

memory/3532-9-0x0000000004EB0000-0x0000000004ED2000-memory.dmp

memory/3532-10-0x00000000057B0000-0x0000000005816000-memory.dmp

memory/3532-11-0x0000000005820000-0x0000000005886000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2ucyqoeb.g1q.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3532-21-0x0000000005890000-0x0000000005BE4000-memory.dmp

memory/3532-22-0x0000000005E90000-0x0000000005EAE000-memory.dmp

memory/3532-23-0x0000000006360000-0x00000000063AC000-memory.dmp

memory/3532-24-0x0000000006400000-0x0000000006444000-memory.dmp

memory/3532-25-0x00000000071E0000-0x0000000007256000-memory.dmp

memory/3532-27-0x00000000071C0000-0x00000000071DA000-memory.dmp

memory/3532-26-0x00000000078E0000-0x0000000007F5A000-memory.dmp

memory/3532-28-0x0000000007400000-0x0000000007432000-memory.dmp

memory/3532-30-0x00000000749D0000-0x0000000075180000-memory.dmp

memory/3532-41-0x0000000007440000-0x000000000745E000-memory.dmp

memory/3532-31-0x0000000070FF0000-0x0000000071344000-memory.dmp

memory/3532-29-0x0000000070870000-0x00000000708BC000-memory.dmp

memory/3532-42-0x0000000007460000-0x0000000007503000-memory.dmp

memory/3532-43-0x00000000749D0000-0x0000000075180000-memory.dmp

memory/3532-44-0x0000000007550000-0x000000000755A000-memory.dmp

memory/3532-45-0x0000000007610000-0x00000000076A6000-memory.dmp

memory/3532-46-0x0000000007570000-0x0000000007581000-memory.dmp

memory/3532-47-0x00000000075B0000-0x00000000075BE000-memory.dmp

memory/3532-48-0x00000000075C0000-0x00000000075D4000-memory.dmp

memory/3532-49-0x00000000076B0000-0x00000000076CA000-memory.dmp

memory/3532-50-0x00000000075F0000-0x00000000075F8000-memory.dmp

memory/3532-53-0x00000000749D0000-0x0000000075180000-memory.dmp

memory/3640-55-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/3640-56-0x00000000049E0000-0x0000000004DE4000-memory.dmp

memory/3640-57-0x0000000004DF0000-0x00000000056DB000-memory.dmp

memory/1848-67-0x0000000005830000-0x0000000005B84000-memory.dmp

memory/1848-69-0x0000000070A30000-0x0000000070D84000-memory.dmp

memory/1848-68-0x0000000070870000-0x00000000708BC000-memory.dmp

memory/1848-79-0x0000000007080000-0x0000000007123000-memory.dmp

memory/1848-80-0x00000000073A0000-0x00000000073B1000-memory.dmp

memory/1848-81-0x00000000073F0000-0x0000000007404000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

memory/3348-94-0x0000000005A80000-0x0000000005DD4000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 72ed3c7c72665b8618d42f6041f6ec2a
SHA1 d4a8692eafe214aac49b3ad8aef721d34058cdbc
SHA256 65134aee54e932cffc2f244aa73530ec40b843c49e99fb63d97ab9baf6755ec3
SHA512 dde59e628b1687a54696644755285060088ef68e6d63a4e1df9aa6dcb31ecc65d8a2539151452fb7c2438958fffbcf7fa1bce00932e695fd65652433b8a351a1

memory/3348-97-0x0000000071020000-0x0000000071374000-memory.dmp

memory/3348-96-0x0000000070870000-0x00000000708BC000-memory.dmp

memory/5528-117-0x0000000005E00000-0x0000000006154000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 b2d96cc0a2006ff8be31ce9c7809d16b
SHA1 5c3ac446672b4d11386c773bfb592ce9f9c3cb1b
SHA256 d37f5951d0deca9efc60a1c8546cdcf632a704cb9257f28054e149959351b340
SHA512 8cd36adb92e95cc93f3c4eeb3f36ea3a48b47182f71e652ad490b688cecfb24c5627ad0ac6f75cfc4a9996f83d40b534cbc5d7f1f36cd83141b28de61934a3fe

memory/5528-120-0x00000000709F0000-0x0000000070D44000-memory.dmp

memory/5528-119-0x0000000070870000-0x00000000708BC000-memory.dmp

memory/3640-132-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1484-131-0x0000000000400000-0x0000000002B0B000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 7320dd78167da7789fdf9f98d8795cf3
SHA1 fc745bafce6a6585a7c88c7e51f9c77bc4a4f7a9
SHA256 adc770fc8445d9325a743ffdb40119906c9114e924d75bc08405ba0f0667e9b7
SHA512 c5617ebb98b3f729fc5d24475814e6773da80f527e50cfd789a7dad86b7bdaf2c90173df5ced583d32128eeb7b5b7d36370345bc9a7bf6b174adf4ddd9d429ca

memory/5692-148-0x0000000006070000-0x00000000063C4000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 5ab29c7ab4d6e265fbeabb78ffc1a1ec
SHA1 1c6e9bd30271d11aa49d63cc1b0eaeb1ea6cd714
SHA256 b9b768726c6cf0acaf2c408ba383e130df92b3c8dd14747c6d38d9743b5c2805
SHA512 0c4e29ceb19fd3910b489af4b66f97aac5ee5b7f9fddc0c9d5c26423c49e957d07aa97959c87dc78368070e266450432f18da6800c7e5d1dca6f49a0eaf6ac4e

memory/5692-150-0x0000000070870000-0x00000000708BC000-memory.dmp

memory/5692-151-0x0000000070E40000-0x0000000071194000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 b58db09e3bac7fb5b5ef19a4363b82a1
SHA1 9effee2d137ab3ccdd87bdc534be2610ff1a7988
SHA256 fa67f822e4ee882703067a49dd80f8b21e67abccd9e34f24b6d0f070ce0c0355
SHA512 685d654058e819e988e2adc78ca838f8de1eb1647b5a6bb799e879687108a5de04327d39396b54bafd049c885db71807583de2e1364ea5e2b02b0f7dcd727767

memory/1056-171-0x00000000062A0000-0x00000000065F4000-memory.dmp

memory/1056-173-0x0000000006AE0000-0x0000000006B2C000-memory.dmp

memory/1056-174-0x0000000070790000-0x00000000707DC000-memory.dmp

memory/1056-175-0x0000000070910000-0x0000000070C64000-memory.dmp

memory/1056-185-0x00000000079F0000-0x0000000007A93000-memory.dmp

memory/1056-186-0x0000000007D20000-0x0000000007D31000-memory.dmp

memory/1056-187-0x0000000006250000-0x0000000006264000-memory.dmp

memory/3620-198-0x00000000057F0000-0x0000000005B44000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 4fd2a655ade281dea1ecf112572046a3
SHA1 19487513f538b9190bce256dc4e8dc314394c9bf
SHA256 1af4929b3a9c4ed42755a83187520dd1b03e3d4167d6ef8432e76d29dd00ef87
SHA512 f8716968635e49c4c05576cf4b8de1f6fe44e4030e8ebf7f3fce6e77614b9fb8586a8c8ad9e6ce84ec4533810a94fe181d34c4448b47ce2bf2e3d23cc79ab1f3

memory/3620-200-0x0000000070790000-0x00000000707DC000-memory.dmp

memory/3620-201-0x0000000070F40000-0x0000000071294000-memory.dmp

memory/1484-213-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/2976-214-0x0000000000400000-0x0000000002B0B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/4352-225-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3612-228-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4352-229-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2976-230-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/3612-234-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2976-233-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/2976-237-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/3612-242-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2976-241-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/2976-245-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/2976-250-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/3612-254-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2976-253-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/2976-257-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/2976-261-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/2976-265-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/2976-270-0x0000000000400000-0x0000000002B0B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-15 23:41

Reported

2024-05-15 23:43

Platform

win11-20240419-en

Max time kernel

149s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\adc770fc8445d9325a743ffdb40119906c9114e924d75bc08405ba0f0667e9b7.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\adc770fc8445d9325a743ffdb40119906c9114e924d75bc08405ba0f0667e9b7.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\adc770fc8445d9325a743ffdb40119906c9114e924d75bc08405ba0f0667e9b7.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\adc770fc8445d9325a743ffdb40119906c9114e924d75bc08405ba0f0667e9b7.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\adc770fc8445d9325a743ffdb40119906c9114e924d75bc08405ba0f0667e9b7.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-12 = "Azores Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-261 = "GMT Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-32 = "Mid-Atlantic Standard Time" C:\Users\Admin\AppData\Local\Temp\adc770fc8445d9325a743ffdb40119906c9114e924d75bc08405ba0f0667e9b7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2632 = "Norfolk Standard Time" C:\Users\Admin\AppData\Local\Temp\adc770fc8445d9325a743ffdb40119906c9114e924d75bc08405ba0f0667e9b7.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-448 = "Azerbaijan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1821 = "Russia TZ 1 Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-982 = "Kamchatka Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2181 = "Astrakhan Daylight Time" C:\Users\Admin\AppData\Local\Temp\adc770fc8445d9325a743ffdb40119906c9114e924d75bc08405ba0f0667e9b7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1022 = "Bangladesh Standard Time" C:\Users\Admin\AppData\Local\Temp\adc770fc8445d9325a743ffdb40119906c9114e924d75bc08405ba0f0667e9b7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1021 = "Bangladesh Daylight Time" C:\Users\Admin\AppData\Local\Temp\adc770fc8445d9325a743ffdb40119906c9114e924d75bc08405ba0f0667e9b7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1972 = "Belarus Standard Time" C:\Users\Admin\AppData\Local\Temp\adc770fc8445d9325a743ffdb40119906c9114e924d75bc08405ba0f0667e9b7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1722 = "Libya Standard Time" C:\Users\Admin\AppData\Local\Temp\adc770fc8445d9325a743ffdb40119906c9114e924d75bc08405ba0f0667e9b7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1822 = "Russia TZ 1 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-911 = "Mauritius Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1861 = "Russia TZ 6 Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2752 = "Tomsk Standard Time" C:\Users\Admin\AppData\Local\Temp\adc770fc8445d9325a743ffdb40119906c9114e924d75bc08405ba0f0667e9b7.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-531 = "Sri Lanka Daylight Time" C:\Users\Admin\AppData\Local\Temp\adc770fc8445d9325a743ffdb40119906c9114e924d75bc08405ba0f0667e9b7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1411 = "Syria Daylight Time" C:\Users\Admin\AppData\Local\Temp\adc770fc8445d9325a743ffdb40119906c9114e924d75bc08405ba0f0667e9b7.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2411 = "Marquesas Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1471 = "Magadan Daylight Time" C:\Users\Admin\AppData\Local\Temp\adc770fc8445d9325a743ffdb40119906c9114e924d75bc08405ba0f0667e9b7.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1832 = "Russia TZ 2 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-271 = "Greenwich Daylight Time" C:\Users\Admin\AppData\Local\Temp\adc770fc8445d9325a743ffdb40119906c9114e924d75bc08405ba0f0667e9b7.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-104 = "Central Brazilian Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-222 = "Alaskan Standard Time" C:\Users\Admin\AppData\Local\Temp\adc770fc8445d9325a743ffdb40119906c9114e924d75bc08405ba0f0667e9b7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-622 = "Korea Standard Time" C:\Users\Admin\AppData\Local\Temp\adc770fc8445d9325a743ffdb40119906c9114e924d75bc08405ba0f0667e9b7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2591 = "Tocantins Daylight Time" C:\Users\Admin\AppData\Local\Temp\adc770fc8445d9325a743ffdb40119906c9114e924d75bc08405ba0f0667e9b7.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-141 = "Canada Central Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-622 = "Korea Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-3051 = "Qyzylorda Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1892 = "Russia TZ 3 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-691 = "Tasmania Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2341 = "Haiti Daylight Time" C:\Users\Admin\AppData\Local\Temp\adc770fc8445d9325a743ffdb40119906c9114e924d75bc08405ba0f0667e9b7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-352 = "FLE Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-91 = "Pacific SA Daylight Time" C:\Users\Admin\AppData\Local\Temp\adc770fc8445d9325a743ffdb40119906c9114e924d75bc08405ba0f0667e9b7.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-362 = "GTB Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-231 = "Hawaiian Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-301 = "Romance Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1911 = "Russia TZ 10 Daylight Time" C:\Users\Admin\AppData\Local\Temp\adc770fc8445d9325a743ffdb40119906c9114e924d75bc08405ba0f0667e9b7.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\adc770fc8445d9325a743ffdb40119906c9114e924d75bc08405ba0f0667e9b7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\adc770fc8445d9325a743ffdb40119906c9114e924d75bc08405ba0f0667e9b7.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\adc770fc8445d9325a743ffdb40119906c9114e924d75bc08405ba0f0667e9b7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\adc770fc8445d9325a743ffdb40119906c9114e924d75bc08405ba0f0667e9b7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\adc770fc8445d9325a743ffdb40119906c9114e924d75bc08405ba0f0667e9b7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\adc770fc8445d9325a743ffdb40119906c9114e924d75bc08405ba0f0667e9b7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\adc770fc8445d9325a743ffdb40119906c9114e924d75bc08405ba0f0667e9b7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\adc770fc8445d9325a743ffdb40119906c9114e924d75bc08405ba0f0667e9b7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\adc770fc8445d9325a743ffdb40119906c9114e924d75bc08405ba0f0667e9b7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\adc770fc8445d9325a743ffdb40119906c9114e924d75bc08405ba0f0667e9b7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\adc770fc8445d9325a743ffdb40119906c9114e924d75bc08405ba0f0667e9b7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\adc770fc8445d9325a743ffdb40119906c9114e924d75bc08405ba0f0667e9b7.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\adc770fc8445d9325a743ffdb40119906c9114e924d75bc08405ba0f0667e9b7.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\adc770fc8445d9325a743ffdb40119906c9114e924d75bc08405ba0f0667e9b7.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2700 wrote to memory of 340 N/A C:\Users\Admin\AppData\Local\Temp\adc770fc8445d9325a743ffdb40119906c9114e924d75bc08405ba0f0667e9b7.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2700 wrote to memory of 340 N/A C:\Users\Admin\AppData\Local\Temp\adc770fc8445d9325a743ffdb40119906c9114e924d75bc08405ba0f0667e9b7.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2700 wrote to memory of 340 N/A C:\Users\Admin\AppData\Local\Temp\adc770fc8445d9325a743ffdb40119906c9114e924d75bc08405ba0f0667e9b7.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3340 wrote to memory of 4420 N/A C:\Users\Admin\AppData\Local\Temp\adc770fc8445d9325a743ffdb40119906c9114e924d75bc08405ba0f0667e9b7.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3340 wrote to memory of 4420 N/A C:\Users\Admin\AppData\Local\Temp\adc770fc8445d9325a743ffdb40119906c9114e924d75bc08405ba0f0667e9b7.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3340 wrote to memory of 4420 N/A C:\Users\Admin\AppData\Local\Temp\adc770fc8445d9325a743ffdb40119906c9114e924d75bc08405ba0f0667e9b7.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3340 wrote to memory of 1068 N/A C:\Users\Admin\AppData\Local\Temp\adc770fc8445d9325a743ffdb40119906c9114e924d75bc08405ba0f0667e9b7.exe C:\Windows\system32\cmd.exe
PID 3340 wrote to memory of 1068 N/A C:\Users\Admin\AppData\Local\Temp\adc770fc8445d9325a743ffdb40119906c9114e924d75bc08405ba0f0667e9b7.exe C:\Windows\system32\cmd.exe
PID 1068 wrote to memory of 4320 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1068 wrote to memory of 4320 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3340 wrote to memory of 4040 N/A C:\Users\Admin\AppData\Local\Temp\adc770fc8445d9325a743ffdb40119906c9114e924d75bc08405ba0f0667e9b7.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3340 wrote to memory of 4040 N/A C:\Users\Admin\AppData\Local\Temp\adc770fc8445d9325a743ffdb40119906c9114e924d75bc08405ba0f0667e9b7.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3340 wrote to memory of 4040 N/A C:\Users\Admin\AppData\Local\Temp\adc770fc8445d9325a743ffdb40119906c9114e924d75bc08405ba0f0667e9b7.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3340 wrote to memory of 1972 N/A C:\Users\Admin\AppData\Local\Temp\adc770fc8445d9325a743ffdb40119906c9114e924d75bc08405ba0f0667e9b7.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3340 wrote to memory of 1972 N/A C:\Users\Admin\AppData\Local\Temp\adc770fc8445d9325a743ffdb40119906c9114e924d75bc08405ba0f0667e9b7.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3340 wrote to memory of 1972 N/A C:\Users\Admin\AppData\Local\Temp\adc770fc8445d9325a743ffdb40119906c9114e924d75bc08405ba0f0667e9b7.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3340 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\adc770fc8445d9325a743ffdb40119906c9114e924d75bc08405ba0f0667e9b7.exe C:\Windows\rss\csrss.exe
PID 3340 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\adc770fc8445d9325a743ffdb40119906c9114e924d75bc08405ba0f0667e9b7.exe C:\Windows\rss\csrss.exe
PID 3340 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\adc770fc8445d9325a743ffdb40119906c9114e924d75bc08405ba0f0667e9b7.exe C:\Windows\rss\csrss.exe
PID 2344 wrote to memory of 4112 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2344 wrote to memory of 4112 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2344 wrote to memory of 4112 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2344 wrote to memory of 2528 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2344 wrote to memory of 2528 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2344 wrote to memory of 2528 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2344 wrote to memory of 2820 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2344 wrote to memory of 2820 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2344 wrote to memory of 2820 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2344 wrote to memory of 4368 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 2344 wrote to memory of 4368 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 1740 wrote to memory of 1696 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 1740 wrote to memory of 1696 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 1740 wrote to memory of 1696 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 1696 wrote to memory of 4816 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 1696 wrote to memory of 4816 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 1696 wrote to memory of 4816 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\adc770fc8445d9325a743ffdb40119906c9114e924d75bc08405ba0f0667e9b7.exe

"C:\Users\Admin\AppData\Local\Temp\adc770fc8445d9325a743ffdb40119906c9114e924d75bc08405ba0f0667e9b7.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\adc770fc8445d9325a743ffdb40119906c9114e924d75bc08405ba0f0667e9b7.exe

"C:\Users\Admin\AppData\Local\Temp\adc770fc8445d9325a743ffdb40119906c9114e924d75bc08405ba0f0667e9b7.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 065dc229-ce48-4d23-b687-c6d054f47241.uuid.localstats.org udp
US 8.8.8.8:53 server2.localstats.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 3.33.249.248:3478 stun.sipgate.net udp
US 162.159.129.233:443 cdn.discordapp.com tcp
BG 185.82.216.111:443 server2.localstats.org tcp
US 172.67.221.71:443 carsalessystem.com tcp
BG 185.82.216.111:443 server2.localstats.org tcp

Files

memory/2700-1-0x0000000004A40000-0x0000000004E40000-memory.dmp

memory/2700-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2700-2-0x0000000004E40000-0x000000000572B000-memory.dmp

memory/340-4-0x0000000074BEE000-0x0000000074BEF000-memory.dmp

memory/340-5-0x0000000004A60000-0x0000000004A96000-memory.dmp

memory/340-7-0x0000000005170000-0x000000000579A000-memory.dmp

memory/340-6-0x0000000074BE0000-0x0000000075391000-memory.dmp

memory/340-8-0x0000000004F50000-0x0000000004F72000-memory.dmp

memory/340-9-0x0000000074BE0000-0x0000000075391000-memory.dmp

memory/340-10-0x00000000050F0000-0x0000000005156000-memory.dmp

memory/340-11-0x0000000005850000-0x00000000058B6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5qtrbglm.nkg.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/340-20-0x0000000005A00000-0x0000000005D57000-memory.dmp

memory/340-21-0x0000000005F00000-0x0000000005F1E000-memory.dmp

memory/340-22-0x0000000005F40000-0x0000000005F8C000-memory.dmp

memory/340-23-0x0000000006490000-0x00000000064D6000-memory.dmp

memory/340-26-0x0000000070E50000-0x0000000070E9C000-memory.dmp

memory/340-25-0x0000000007310000-0x0000000007344000-memory.dmp

memory/340-27-0x0000000070FD0000-0x0000000071327000-memory.dmp

memory/340-37-0x0000000007390000-0x0000000007434000-memory.dmp

memory/340-36-0x0000000007370000-0x000000000738E000-memory.dmp

memory/340-38-0x0000000074BE0000-0x0000000075391000-memory.dmp

memory/340-39-0x0000000074BE0000-0x0000000075391000-memory.dmp

memory/2700-24-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/340-41-0x00000000074C0000-0x00000000074DA000-memory.dmp

memory/340-40-0x0000000007B00000-0x000000000817A000-memory.dmp

memory/340-42-0x0000000007500000-0x000000000750A000-memory.dmp

memory/340-43-0x00000000075C0000-0x0000000007656000-memory.dmp

memory/340-44-0x0000000007530000-0x0000000007541000-memory.dmp

memory/340-45-0x0000000007570000-0x000000000757E000-memory.dmp

memory/340-46-0x0000000007580000-0x0000000007595000-memory.dmp

memory/340-47-0x0000000007680000-0x000000000769A000-memory.dmp

memory/340-48-0x00000000076A0000-0x00000000076A8000-memory.dmp

memory/340-51-0x0000000074BE0000-0x0000000075391000-memory.dmp

memory/2700-54-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2700-55-0x0000000004E40000-0x000000000572B000-memory.dmp

memory/2700-52-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/4420-64-0x0000000005CC0000-0x0000000006017000-memory.dmp

memory/4420-65-0x0000000006270000-0x00000000062BC000-memory.dmp

memory/4420-66-0x0000000070F60000-0x0000000070FAC000-memory.dmp

memory/4420-67-0x00000000711B0000-0x0000000071507000-memory.dmp

memory/4420-76-0x0000000007440000-0x00000000074E4000-memory.dmp

memory/4420-77-0x0000000007770000-0x0000000007781000-memory.dmp

memory/4420-78-0x00000000077C0000-0x00000000077D5000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 d0c46cad6c0778401e21910bd6b56b70
SHA1 7be418951ea96326aca445b8dfe449b2bfa0dca6
SHA256 9600b3fdf0565ccb49e21656aa4b24d7c18f776bfd04d9ee984b134707550f02
SHA512 057531b468f7fbbb2175a696a8aab274dec0d17d9f71df309edcff35e064f3378050066a3df47ccd03048fac461594ec75e3d4fe64f9dd79949d129f51e02949

memory/4040-90-0x0000000005BE0000-0x0000000005F37000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 580950c6990a73520a91897c8f43cde1
SHA1 728f527b054785e23931534b0d70843bb37305e4
SHA256 17b352be8bf01d148c9bf6c0dce90bcfa260355b7e5d8f5a926ac0e96df31768
SHA512 a5fb9f260f171a9452342dfc78b96f5b48cbbe2eb278921fad3d08a5518744be9d7107f4c0bf98a752961fa44b2349906cb94f4c890dcaed344a6812a9e72091

memory/4040-92-0x0000000070F60000-0x0000000070FAC000-memory.dmp

memory/4040-93-0x00000000710E0000-0x0000000071437000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 4aaad826601be1b6dad6f5f749143671
SHA1 6f059490568c5d7d193c77a2bad06c8b9cb664ee
SHA256 0d044c1be5384b5bdb8f8a092b193c284844532417a5ce316eb64c0ab51311b4
SHA512 3a7783a0bfe18dcb3891b6fcf5fe0898cb396270f6e706536248ec81e3a78e0f31520fc9ad91fc796e9abfa8b1fc89a05ea6abc3d4fd02c803f7178bcca615a4

memory/1972-112-0x0000000070F60000-0x0000000070FAC000-memory.dmp

memory/1972-113-0x00000000710E0000-0x0000000071437000-memory.dmp

memory/3340-122-0x0000000000400000-0x0000000002B0B000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 7320dd78167da7789fdf9f98d8795cf3
SHA1 fc745bafce6a6585a7c88c7e51f9c77bc4a4f7a9
SHA256 adc770fc8445d9325a743ffdb40119906c9114e924d75bc08405ba0f0667e9b7
SHA512 c5617ebb98b3f729fc5d24475814e6773da80f527e50cfd789a7dad86b7bdaf2c90173df5ced583d32128eeb7b5b7d36370345bc9a7bf6b174adf4ddd9d429ca

memory/3340-129-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/4112-138-0x0000000006050000-0x00000000063A7000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 36a928ac4074c5843ed6166a8e1e85c0
SHA1 cc6e851922f43330aa36c340616a6a3d23152168
SHA256 857be71432cd9198411d82c2c9a51f0ba0d59f715e117c75095b4850eb1891d6
SHA512 ab0a8155900a2f61c193680e8e210bfb9986db8f98b2667dc86ace3b121f0d211b2f9a8b05d1c68bd027b2ab2bc146fa30bd714bc73b7720f1a73b9974bbc5b4

memory/4112-140-0x0000000006B20000-0x0000000006B6C000-memory.dmp

memory/4112-141-0x0000000070EC0000-0x0000000070F0C000-memory.dmp

memory/4112-142-0x0000000071110000-0x0000000071467000-memory.dmp

memory/4112-151-0x0000000007820000-0x00000000078C4000-memory.dmp

memory/4112-152-0x0000000007BA0000-0x0000000007BB1000-memory.dmp

memory/4112-153-0x00000000063D0000-0x00000000063E5000-memory.dmp

memory/2528-163-0x0000000005BD0000-0x0000000005F27000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 9f09a3671b64d17db4ca6108919fbd93
SHA1 649580e8d15235fee49fcece045a8fc9e9d6597a
SHA256 a533944042f84da76f4e8dec4846f22a8e6bb394b22a66a16c17b8c3bfca284e
SHA512 7c165817cbc358cb341c1fa0747c2414ab5dadf4ce2d84e5947e043ea473da58122186f21f906f14ada58c043d7cde9388fe2072d2ebe2c70e8b7285e5a501dc

memory/2528-165-0x00000000061E0000-0x000000000622C000-memory.dmp

memory/2528-166-0x0000000070DE0000-0x0000000070E2C000-memory.dmp

memory/2528-167-0x0000000070F60000-0x00000000712B7000-memory.dmp

memory/2528-176-0x00000000073D0000-0x0000000007474000-memory.dmp

memory/2528-177-0x0000000005F50000-0x0000000005F61000-memory.dmp

memory/2528-178-0x0000000005F90000-0x0000000005FA5000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 ff1ad3bab3dfa908a4c234b43b04967f
SHA1 e1677eaf18cae5731c7b9fa235d36242e1918a20
SHA256 3a327dd0435478a233a3a40049b1d3ae7191503bdd67dfe2ea9ca02c27f5482b
SHA512 85064244d4c49d14d1ee20726fa773183842bfb863694584cca72fd8798bdd665c2c659e428869e95d91e5f8dde32f44e2a81306e91e479a03bd38f7f05b38c5

memory/2820-189-0x0000000070DE0000-0x0000000070E2C000-memory.dmp

memory/2820-190-0x0000000070F60000-0x00000000712B7000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/2344-206-0x0000000000400000-0x0000000002B0B000-memory.dmp

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/1740-211-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/1740-215-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2344-216-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/388-219-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2344-218-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/2344-221-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/388-225-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2344-224-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/2344-228-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/2344-230-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/388-234-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2344-233-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/2344-236-0x0000000000400000-0x0000000002B0B000-memory.dmp