Malware Analysis Report

2025-01-02 06:40

Sample ID 240515-s3rzxagb2x
Target 94af38f60f51e8be7c069d0a3dd34bbd1142041a88f6c65f2025942fe30d5af3
SHA256 94af38f60f51e8be7c069d0a3dd34bbd1142041a88f6c65f2025942fe30d5af3
Tags
glupteba discovery dropper evasion execution loader persistence rootkit upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

94af38f60f51e8be7c069d0a3dd34bbd1142041a88f6c65f2025942fe30d5af3

Threat Level: Known bad

The file 94af38f60f51e8be7c069d0a3dd34bbd1142041a88f6c65f2025942fe30d5af3 was found to be: Known bad.

Malicious Activity Summary

glupteba discovery dropper evasion execution loader persistence rootkit upx

Glupteba

Glupteba payload

Modifies Windows Firewall

UPX packed file

Executes dropped EXE

Manipulates WinMonFS driver.

Adds Run key to start application

Checks installed software on the system

Drops file in System32 directory

Checks for VirtualBox DLLs, possible anti-VM trick

Drops file in Windows directory

Launches sc.exe

Command and Scripting Interpreter: PowerShell

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Creates scheduled task(s)

Modifies data under HKEY_USERS

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-15 15:39

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-15 15:39

Reported

2024-05-15 15:41

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\94af38f60f51e8be7c069d0a3dd34bbd1142041a88f6c65f2025942fe30d5af3.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\94af38f60f51e8be7c069d0a3dd34bbd1142041a88f6c65f2025942fe30d5af3.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\94af38f60f51e8be7c069d0a3dd34bbd1142041a88f6c65f2025942fe30d5af3.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\94af38f60f51e8be7c069d0a3dd34bbd1142041a88f6c65f2025942fe30d5af3.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\94af38f60f51e8be7c069d0a3dd34bbd1142041a88f6c65f2025942fe30d5af3.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-831 = "SA Eastern Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2492 = "Aus Central W. Standard Time" C:\Users\Admin\AppData\Local\Temp\94af38f60f51e8be7c069d0a3dd34bbd1142041a88f6c65f2025942fe30d5af3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-621 = "Korea Daylight Time" C:\Users\Admin\AppData\Local\Temp\94af38f60f51e8be7c069d0a3dd34bbd1142041a88f6c65f2025942fe30d5af3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-631 = "Tokyo Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-12 = "Azores Standard Time" C:\Users\Admin\AppData\Local\Temp\94af38f60f51e8be7c069d0a3dd34bbd1142041a88f6c65f2025942fe30d5af3.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-291 = "Central European Daylight Time" C:\Users\Admin\AppData\Local\Temp\94af38f60f51e8be7c069d0a3dd34bbd1142041a88f6c65f2025942fe30d5af3.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-622 = "Korea Standard Time" C:\Users\Admin\AppData\Local\Temp\94af38f60f51e8be7c069d0a3dd34bbd1142041a88f6c65f2025942fe30d5af3.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2411 = "Marquesas Daylight Time" C:\Users\Admin\AppData\Local\Temp\94af38f60f51e8be7c069d0a3dd34bbd1142041a88f6c65f2025942fe30d5af3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-231 = "Hawaiian Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-432 = "Iran Standard Time" C:\Users\Admin\AppData\Local\Temp\94af38f60f51e8be7c069d0a3dd34bbd1142041a88f6c65f2025942fe30d5af3.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-691 = "Tasmania Daylight Time" C:\Users\Admin\AppData\Local\Temp\94af38f60f51e8be7c069d0a3dd34bbd1142041a88f6c65f2025942fe30d5af3.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-449 = "Azerbaijan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-721 = "Central Pacific Daylight Time" C:\Users\Admin\AppData\Local\Temp\94af38f60f51e8be7c069d0a3dd34bbd1142041a88f6c65f2025942fe30d5af3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-491 = "India Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2512 = "Lord Howe Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-932 = "Coordinated Universal Time" C:\Users\Admin\AppData\Local\Temp\94af38f60f51e8be7c069d0a3dd34bbd1142041a88f6c65f2025942fe30d5af3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-591 = "Malay Peninsula Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2412 = "Marquesas Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-3141 = "South Sudan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2512 = "Lord Howe Standard Time" C:\Users\Admin\AppData\Local\Temp\94af38f60f51e8be7c069d0a3dd34bbd1142041a88f6c65f2025942fe30d5af3.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-211 = "Pacific Daylight Time" C:\Users\Admin\AppData\Local\Temp\94af38f60f51e8be7c069d0a3dd34bbd1142041a88f6c65f2025942fe30d5af3.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-382 = "South Africa Standard Time" C:\Users\Admin\AppData\Local\Temp\94af38f60f51e8be7c069d0a3dd34bbd1142041a88f6c65f2025942fe30d5af3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2872 = "Magallanes Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1931 = "Russia TZ 11 Daylight Time" C:\Users\Admin\AppData\Local\Temp\94af38f60f51e8be7c069d0a3dd34bbd1142041a88f6c65f2025942fe30d5af3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-741 = "New Zealand Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-381 = "South Africa Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-182 = "Mountain Standard Time (Mexico)" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-772 = "Montevideo Standard Time" C:\Users\Admin\AppData\Local\Temp\94af38f60f51e8be7c069d0a3dd34bbd1142041a88f6c65f2025942fe30d5af3.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-892 = "Morocco Standard Time" C:\Users\Admin\AppData\Local\Temp\94af38f60f51e8be7c069d0a3dd34bbd1142041a88f6c65f2025942fe30d5af3.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-562 = "SE Asia Standard Time" C:\Users\Admin\AppData\Local\Temp\94af38f60f51e8be7c069d0a3dd34bbd1142041a88f6c65f2025942fe30d5af3.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2142 = "Transbaikal Standard Time" C:\Users\Admin\AppData\Local\Temp\94af38f60f51e8be7c069d0a3dd34bbd1142041a88f6c65f2025942fe30d5af3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-962 = "Paraguay Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1931 = "Russia TZ 11 Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2891 = "Sudan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-361 = "GTB Daylight Time" C:\Users\Admin\AppData\Local\Temp\94af38f60f51e8be7c069d0a3dd34bbd1142041a88f6c65f2025942fe30d5af3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-335 = "Jordan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1821 = "Russia TZ 1 Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2491 = "Aus Central W. Daylight Time" C:\Users\Admin\AppData\Local\Temp\94af38f60f51e8be7c069d0a3dd34bbd1142041a88f6c65f2025942fe30d5af3.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2612 = "Bougainville Standard Time" C:\Users\Admin\AppData\Local\Temp\94af38f60f51e8be7c069d0a3dd34bbd1142041a88f6c65f2025942fe30d5af3.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-172 = "Central Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\94af38f60f51e8be7c069d0a3dd34bbd1142041a88f6c65f2025942fe30d5af3.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-351 = "FLE Daylight Time" C:\Users\Admin\AppData\Local\Temp\94af38f60f51e8be7c069d0a3dd34bbd1142041a88f6c65f2025942fe30d5af3.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2451 = "Saint Pierre Daylight Time" C:\Users\Admin\AppData\Local\Temp\94af38f60f51e8be7c069d0a3dd34bbd1142041a88f6c65f2025942fe30d5af3.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\94af38f60f51e8be7c069d0a3dd34bbd1142041a88f6c65f2025942fe30d5af3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\94af38f60f51e8be7c069d0a3dd34bbd1142041a88f6c65f2025942fe30d5af3.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\94af38f60f51e8be7c069d0a3dd34bbd1142041a88f6c65f2025942fe30d5af3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\94af38f60f51e8be7c069d0a3dd34bbd1142041a88f6c65f2025942fe30d5af3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\94af38f60f51e8be7c069d0a3dd34bbd1142041a88f6c65f2025942fe30d5af3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\94af38f60f51e8be7c069d0a3dd34bbd1142041a88f6c65f2025942fe30d5af3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\94af38f60f51e8be7c069d0a3dd34bbd1142041a88f6c65f2025942fe30d5af3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\94af38f60f51e8be7c069d0a3dd34bbd1142041a88f6c65f2025942fe30d5af3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\94af38f60f51e8be7c069d0a3dd34bbd1142041a88f6c65f2025942fe30d5af3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\94af38f60f51e8be7c069d0a3dd34bbd1142041a88f6c65f2025942fe30d5af3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\94af38f60f51e8be7c069d0a3dd34bbd1142041a88f6c65f2025942fe30d5af3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\94af38f60f51e8be7c069d0a3dd34bbd1142041a88f6c65f2025942fe30d5af3.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\94af38f60f51e8be7c069d0a3dd34bbd1142041a88f6c65f2025942fe30d5af3.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\94af38f60f51e8be7c069d0a3dd34bbd1142041a88f6c65f2025942fe30d5af3.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2428 wrote to memory of 3332 N/A C:\Users\Admin\AppData\Local\Temp\94af38f60f51e8be7c069d0a3dd34bbd1142041a88f6c65f2025942fe30d5af3.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2428 wrote to memory of 3332 N/A C:\Users\Admin\AppData\Local\Temp\94af38f60f51e8be7c069d0a3dd34bbd1142041a88f6c65f2025942fe30d5af3.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2428 wrote to memory of 3332 N/A C:\Users\Admin\AppData\Local\Temp\94af38f60f51e8be7c069d0a3dd34bbd1142041a88f6c65f2025942fe30d5af3.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3068 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\94af38f60f51e8be7c069d0a3dd34bbd1142041a88f6c65f2025942fe30d5af3.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3068 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\94af38f60f51e8be7c069d0a3dd34bbd1142041a88f6c65f2025942fe30d5af3.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3068 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\94af38f60f51e8be7c069d0a3dd34bbd1142041a88f6c65f2025942fe30d5af3.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3068 wrote to memory of 4212 N/A C:\Users\Admin\AppData\Local\Temp\94af38f60f51e8be7c069d0a3dd34bbd1142041a88f6c65f2025942fe30d5af3.exe C:\Windows\system32\cmd.exe
PID 3068 wrote to memory of 4212 N/A C:\Users\Admin\AppData\Local\Temp\94af38f60f51e8be7c069d0a3dd34bbd1142041a88f6c65f2025942fe30d5af3.exe C:\Windows\system32\cmd.exe
PID 4212 wrote to memory of 1232 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4212 wrote to memory of 1232 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3068 wrote to memory of 4140 N/A C:\Users\Admin\AppData\Local\Temp\94af38f60f51e8be7c069d0a3dd34bbd1142041a88f6c65f2025942fe30d5af3.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3068 wrote to memory of 4140 N/A C:\Users\Admin\AppData\Local\Temp\94af38f60f51e8be7c069d0a3dd34bbd1142041a88f6c65f2025942fe30d5af3.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3068 wrote to memory of 4140 N/A C:\Users\Admin\AppData\Local\Temp\94af38f60f51e8be7c069d0a3dd34bbd1142041a88f6c65f2025942fe30d5af3.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3068 wrote to memory of 1404 N/A C:\Users\Admin\AppData\Local\Temp\94af38f60f51e8be7c069d0a3dd34bbd1142041a88f6c65f2025942fe30d5af3.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3068 wrote to memory of 1404 N/A C:\Users\Admin\AppData\Local\Temp\94af38f60f51e8be7c069d0a3dd34bbd1142041a88f6c65f2025942fe30d5af3.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3068 wrote to memory of 1404 N/A C:\Users\Admin\AppData\Local\Temp\94af38f60f51e8be7c069d0a3dd34bbd1142041a88f6c65f2025942fe30d5af3.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3068 wrote to memory of 1612 N/A C:\Users\Admin\AppData\Local\Temp\94af38f60f51e8be7c069d0a3dd34bbd1142041a88f6c65f2025942fe30d5af3.exe C:\Windows\rss\csrss.exe
PID 3068 wrote to memory of 1612 N/A C:\Users\Admin\AppData\Local\Temp\94af38f60f51e8be7c069d0a3dd34bbd1142041a88f6c65f2025942fe30d5af3.exe C:\Windows\rss\csrss.exe
PID 3068 wrote to memory of 1612 N/A C:\Users\Admin\AppData\Local\Temp\94af38f60f51e8be7c069d0a3dd34bbd1142041a88f6c65f2025942fe30d5af3.exe C:\Windows\rss\csrss.exe
PID 1612 wrote to memory of 3660 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1612 wrote to memory of 3660 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1612 wrote to memory of 3660 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1612 wrote to memory of 3988 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1612 wrote to memory of 3988 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1612 wrote to memory of 3988 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1612 wrote to memory of 1384 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1612 wrote to memory of 1384 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1612 wrote to memory of 1384 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1612 wrote to memory of 1044 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 1612 wrote to memory of 1044 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 4524 wrote to memory of 4704 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 4524 wrote to memory of 4704 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 4524 wrote to memory of 4704 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 4704 wrote to memory of 4816 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 4704 wrote to memory of 4816 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 4704 wrote to memory of 4816 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\94af38f60f51e8be7c069d0a3dd34bbd1142041a88f6c65f2025942fe30d5af3.exe

"C:\Users\Admin\AppData\Local\Temp\94af38f60f51e8be7c069d0a3dd34bbd1142041a88f6c65f2025942fe30d5af3.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4268,i,18168883380598738769,14202261231630113808,262144 --variations-seed-version --mojo-platform-channel-handle=4300 /prefetch:8

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\94af38f60f51e8be7c069d0a3dd34bbd1142041a88f6c65f2025942fe30d5af3.exe

"C:\Users\Admin\AppData\Local\Temp\94af38f60f51e8be7c069d0a3dd34bbd1142041a88f6c65f2025942fe30d5af3.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 28.143.109.104.in-addr.arpa udp
US 8.8.8.8:53 5a2ad6cf-db85-4454-88af-af51b01f8a47.uuid.statscreate.org udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 stun.stunprotocol.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 server4.statscreate.org udp
BG 185.82.216.96:443 server4.statscreate.org tcp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 carsalessystem.com udp
US 172.67.221.71:443 carsalessystem.com tcp
N/A 127.0.0.1:3478 udp
US 8.8.8.8:53 233.135.159.162.in-addr.arpa udp
US 8.8.8.8:53 71.221.67.172.in-addr.arpa udp
US 8.8.8.8:53 96.216.82.185.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
BG 185.82.216.96:443 server4.statscreate.org tcp
US 8.8.8.8:53 stun3.l.google.com udp
US 74.125.250.129:19302 stun3.l.google.com udp
US 8.8.8.8:53 129.250.125.74.in-addr.arpa udp
BG 185.82.216.96:443 server4.statscreate.org tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 65.242.123.52.in-addr.arpa udp
BG 185.82.216.96:443 server4.statscreate.org tcp

Files

memory/2428-1-0x00000000048A0000-0x0000000004C9F000-memory.dmp

memory/2428-2-0x0000000004CA0000-0x000000000558B000-memory.dmp

memory/2428-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3332-4-0x0000000074C3E000-0x0000000074C3F000-memory.dmp

memory/3332-5-0x0000000002E60000-0x0000000002E96000-memory.dmp

memory/3332-6-0x0000000074C30000-0x00000000753E0000-memory.dmp

memory/3332-7-0x0000000005630000-0x0000000005C58000-memory.dmp

memory/3332-8-0x0000000074C30000-0x00000000753E0000-memory.dmp

memory/3332-9-0x0000000005560000-0x0000000005582000-memory.dmp

memory/3332-10-0x0000000005D50000-0x0000000005DB6000-memory.dmp

memory/3332-11-0x0000000005DC0000-0x0000000005E26000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lqn0ylbj.lil.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3332-21-0x0000000005E30000-0x0000000006184000-memory.dmp

memory/3332-22-0x0000000006410000-0x000000000642E000-memory.dmp

memory/3332-23-0x0000000006440000-0x000000000648C000-memory.dmp

memory/3332-24-0x00000000069A0000-0x00000000069E4000-memory.dmp

memory/3332-25-0x0000000007730000-0x00000000077A6000-memory.dmp

memory/3332-26-0x0000000007E30000-0x00000000084AA000-memory.dmp

memory/3332-27-0x00000000077D0000-0x00000000077EA000-memory.dmp

memory/2428-28-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/3332-29-0x0000000007990000-0x00000000079C2000-memory.dmp

memory/3332-30-0x0000000070AD0000-0x0000000070B1C000-memory.dmp

memory/3332-32-0x0000000071080000-0x00000000713D4000-memory.dmp

memory/3332-42-0x00000000079D0000-0x00000000079EE000-memory.dmp

memory/3332-43-0x0000000074C30000-0x00000000753E0000-memory.dmp

memory/3332-31-0x0000000074C30000-0x00000000753E0000-memory.dmp

memory/3332-44-0x00000000079F0000-0x0000000007A93000-memory.dmp

memory/3332-45-0x0000000007AE0000-0x0000000007AEA000-memory.dmp

memory/3332-46-0x0000000007BA0000-0x0000000007C36000-memory.dmp

memory/3332-47-0x0000000007B20000-0x0000000007B31000-memory.dmp

memory/3332-48-0x0000000007B60000-0x0000000007B6E000-memory.dmp

memory/3332-49-0x0000000007B70000-0x0000000007B84000-memory.dmp

memory/3332-50-0x0000000007C60000-0x0000000007C7A000-memory.dmp

memory/3332-51-0x0000000007C50000-0x0000000007C58000-memory.dmp

memory/3332-54-0x0000000074C30000-0x00000000753E0000-memory.dmp

memory/2428-56-0x0000000004CA0000-0x000000000558B000-memory.dmp

memory/2428-58-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2428-55-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/3004-68-0x0000000006170000-0x00000000064C4000-memory.dmp

memory/3004-69-0x0000000006820000-0x000000000686C000-memory.dmp

memory/3004-70-0x0000000070BD0000-0x0000000070C1C000-memory.dmp

memory/3004-71-0x0000000071370000-0x00000000716C4000-memory.dmp

memory/3004-81-0x00000000079E0000-0x0000000007A83000-memory.dmp

memory/3004-82-0x0000000007CF0000-0x0000000007D01000-memory.dmp

memory/3068-83-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/3004-84-0x0000000007D40000-0x0000000007D54000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 3d086a433708053f9bf9523e1d87a4e8
SHA1 b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA256 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 ed7c3fc6be638c2f34bf917f3423b9fc
SHA1 0842d5b3ab8c704a50934f4db040f49e8bc1c242
SHA256 2ac4af8af0ca82031a051fdea47bbf86cbab1893faf37ba2c136eeb6beec84c0
SHA512 16ccdb8a4b0b077adda27762a5d56858d1907dc7c092042d4fff383b6c28f11ce629f9198ac950a21eb35b5e7c753a6b54c49ddf91f86df46fa7fdfd11392ef4

memory/4140-98-0x0000000070BD0000-0x0000000070C1C000-memory.dmp

memory/4140-99-0x0000000071370000-0x00000000716C4000-memory.dmp

memory/1404-119-0x0000000005D20000-0x0000000006074000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 6d5ad8cf57474bc06c102abe7092c937
SHA1 436728666bc46e121856fe185dbd82c60ba86269
SHA256 6cc3cbf0ef67cf208fb9c10ea4ff65c30c1e7329099f600c593adf9347ad05da
SHA512 bafc6d97c8cbcc59ee5b3e6a393f099d3e0ed5f1707abcc14ae8a953d29dd7a97142cad2a676fd48a436d52c39fe5e65af243360c38dfd91837fa6ea2bab3cfc

memory/1404-121-0x0000000070BD0000-0x0000000070C1C000-memory.dmp

memory/1404-122-0x0000000070D50000-0x00000000710A4000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 b642129a947608e13ba27bb887e2aeda
SHA1 f4e401d53b9c34b6ee6fc706afaf75091190d1e8
SHA256 94af38f60f51e8be7c069d0a3dd34bbd1142041a88f6c65f2025942fe30d5af3
SHA512 c6f1b50d255c195ca7b1cbd21f4bdc05e24bf2a51c1fc04c3be2e9f161d997d8a7b792ff946a8820c027eca3d0aa3fc5f06ee25efa1a7c6b8039f00d1e13aca6

memory/3068-138-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/3660-148-0x00000000058B0000-0x0000000005C04000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 d016f93c76b8f50a3935f87825a010e0
SHA1 7bc5199db336b48b2d59a9bf36140b01eea2574d
SHA256 ae10b27fc33d3b441b8bc14c0a1387a50c87cecfec91a392267cbe86330fe027
SHA512 c95c66a4acf3d7c368475743509a512c5488510977db42a16de669a8e1edd462c9743a8a87ed617168f40ed002a00ffe58226ba18621dc45b75dbf250535b8b7

memory/3660-150-0x0000000005F50000-0x0000000005F9C000-memory.dmp

memory/3660-151-0x0000000070B30000-0x0000000070B7C000-memory.dmp

memory/3660-152-0x00000000712D0000-0x0000000071624000-memory.dmp

memory/3660-162-0x0000000007170000-0x0000000007213000-memory.dmp

memory/3660-163-0x00000000074C0000-0x00000000074D1000-memory.dmp

memory/3660-164-0x0000000005D40000-0x0000000005D54000-memory.dmp

memory/1612-167-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/3988-177-0x0000000006220000-0x0000000006574000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 e55ae1603c95dc7414cbb4f7f184f4f4
SHA1 5304db9dbdb64cd63127972238738e964d5c4316
SHA256 464e1e76f9b867d0862bbf6f17b76557434ef4248f6489ac620d2f5c324dd0b1
SHA512 c7f5593a47ab062f258320d97c670ec06c04c0e4aa7fa782803ae87e202e65663193869095985acd7f1f5c4c99ae6e6bbdf4c4079ed8fd059b04b9fcbd121f0a

memory/3988-179-0x00000000068A0000-0x00000000068EC000-memory.dmp

memory/3988-180-0x0000000070A50000-0x0000000070A9C000-memory.dmp

memory/3988-181-0x0000000070E40000-0x0000000071194000-memory.dmp

memory/3988-191-0x0000000007A80000-0x0000000007B23000-memory.dmp

memory/3988-192-0x0000000007C50000-0x0000000007C61000-memory.dmp

memory/3988-193-0x0000000006180000-0x0000000006194000-memory.dmp

memory/1384-204-0x0000000005E60000-0x00000000061B4000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 51eb700e53b78b9261119a0e861837e9
SHA1 b7e94e114a87e624567f9ca482a0b0d1cea1f3b3
SHA256 c07ac277ba52e4e19ee14568a4490b5d292006390d6a12547d280980a4eba833
SHA512 0ed516ad8c2f74059e3a4c1a5e0956ec89dd9e436b78f58d397291304911916bf233d4d3df0af35522aee26c72707fd0216eb5d94155497515ea87273508c6a9

memory/1384-206-0x0000000070A50000-0x0000000070A9C000-memory.dmp

memory/1384-207-0x00000000711F0000-0x0000000071544000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/1612-223-0x0000000000400000-0x0000000002B0B000-memory.dmp

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/4524-228-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/1040-231-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4524-232-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/1612-233-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/1040-236-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/1612-235-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/1612-239-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/1040-241-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/1612-242-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/1612-245-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/1612-247-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/1040-250-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/1612-251-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/1612-254-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/1612-256-0x0000000000400000-0x0000000002B0B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-15 15:39

Reported

2024-05-15 15:41

Platform

win11-20240508-en

Max time kernel

150s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\94af38f60f51e8be7c069d0a3dd34bbd1142041a88f6c65f2025942fe30d5af3.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\94af38f60f51e8be7c069d0a3dd34bbd1142041a88f6c65f2025942fe30d5af3.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\94af38f60f51e8be7c069d0a3dd34bbd1142041a88f6c65f2025942fe30d5af3.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\94af38f60f51e8be7c069d0a3dd34bbd1142041a88f6c65f2025942fe30d5af3.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\94af38f60f51e8be7c069d0a3dd34bbd1142041a88f6c65f2025942fe30d5af3.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1972 = "Belarus Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-792 = "SA Western Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-111 = "Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\94af38f60f51e8be7c069d0a3dd34bbd1142041a88f6c65f2025942fe30d5af3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-151 = "Central America Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-161 = "Central Daylight Time" C:\Windows\windefender.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-385 = "Namibia Standard Time" C:\Users\Admin\AppData\Local\Temp\94af38f60f51e8be7c069d0a3dd34bbd1142041a88f6c65f2025942fe30d5af3.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-961 = "Paraguay Daylight Time" C:\Users\Admin\AppData\Local\Temp\94af38f60f51e8be7c069d0a3dd34bbd1142041a88f6c65f2025942fe30d5af3.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-231 = "Hawaiian Daylight Time" C:\Users\Admin\AppData\Local\Temp\94af38f60f51e8be7c069d0a3dd34bbd1142041a88f6c65f2025942fe30d5af3.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2592 = "Tocantins Standard Time" C:\Users\Admin\AppData\Local\Temp\94af38f60f51e8be7c069d0a3dd34bbd1142041a88f6c65f2025942fe30d5af3.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1502 = "Turkey Standard Time" C:\Users\Admin\AppData\Local\Temp\94af38f60f51e8be7c069d0a3dd34bbd1142041a88f6c65f2025942fe30d5af3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time" C:\Users\Admin\AppData\Local\Temp\94af38f60f51e8be7c069d0a3dd34bbd1142041a88f6c65f2025942fe30d5af3.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-681 = "E. Australia Daylight Time" C:\Users\Admin\AppData\Local\Temp\94af38f60f51e8be7c069d0a3dd34bbd1142041a88f6c65f2025942fe30d5af3.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-981 = "Kamchatka Daylight Time" C:\Users\Admin\AppData\Local\Temp\94af38f60f51e8be7c069d0a3dd34bbd1142041a88f6c65f2025942fe30d5af3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-292 = "Central European Standard Time" C:\Users\Admin\AppData\Local\Temp\94af38f60f51e8be7c069d0a3dd34bbd1142041a88f6c65f2025942fe30d5af3.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-722 = "Central Pacific Standard Time" C:\Users\Admin\AppData\Local\Temp\94af38f60f51e8be7c069d0a3dd34bbd1142041a88f6c65f2025942fe30d5af3.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-181 = "Mountain Daylight Time (Mexico)" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2792 = "Novosibirsk Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2841 = "Saratov Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-381 = "South Africa Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1412 = "Syria Standard Time" C:\Users\Admin\AppData\Local\Temp\94af38f60f51e8be7c069d0a3dd34bbd1142041a88f6c65f2025942fe30d5af3.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-601 = "Taipei Daylight Time" C:\Users\Admin\AppData\Local\Temp\94af38f60f51e8be7c069d0a3dd34bbd1142041a88f6c65f2025942fe30d5af3.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1891 = "Russia TZ 3 Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2892 = "Sudan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-622 = "Korea Standard Time" C:\Users\Admin\AppData\Local\Temp\94af38f60f51e8be7c069d0a3dd34bbd1142041a88f6c65f2025942fe30d5af3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-621 = "Korea Daylight Time" C:\Users\Admin\AppData\Local\Temp\94af38f60f51e8be7c069d0a3dd34bbd1142041a88f6c65f2025942fe30d5af3.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1871 = "Russia TZ 7 Daylight Time" C:\Users\Admin\AppData\Local\Temp\94af38f60f51e8be7c069d0a3dd34bbd1142041a88f6c65f2025942fe30d5af3.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-692 = "Tasmania Standard Time" C:\Users\Admin\AppData\Local\Temp\94af38f60f51e8be7c069d0a3dd34bbd1142041a88f6c65f2025942fe30d5af3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-671 = "AUS Eastern Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-332 = "E. Europe Standard Time" C:\Users\Admin\AppData\Local\Temp\94af38f60f51e8be7c069d0a3dd34bbd1142041a88f6c65f2025942fe30d5af3.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1842 = "Russia TZ 4 Standard Time" C:\Users\Admin\AppData\Local\Temp\94af38f60f51e8be7c069d0a3dd34bbd1142041a88f6c65f2025942fe30d5af3.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1661 = "Bahia Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-92 = "Pacific SA Standard Time" C:\Users\Admin\AppData\Local\Temp\94af38f60f51e8be7c069d0a3dd34bbd1142041a88f6c65f2025942fe30d5af3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2001 = "Cabo Verde Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2041 = "Eastern Daylight Time (Mexico)" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1862 = "Russia TZ 6 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time" C:\Users\Admin\AppData\Local\Temp\94af38f60f51e8be7c069d0a3dd34bbd1142041a88f6c65f2025942fe30d5af3.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2002 = "Cabo Verde Standard Time" C:\Users\Admin\AppData\Local\Temp\94af38f60f51e8be7c069d0a3dd34bbd1142041a88f6c65f2025942fe30d5af3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\94af38f60f51e8be7c069d0a3dd34bbd1142041a88f6c65f2025942fe30d5af3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\94af38f60f51e8be7c069d0a3dd34bbd1142041a88f6c65f2025942fe30d5af3.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\94af38f60f51e8be7c069d0a3dd34bbd1142041a88f6c65f2025942fe30d5af3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\94af38f60f51e8be7c069d0a3dd34bbd1142041a88f6c65f2025942fe30d5af3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\94af38f60f51e8be7c069d0a3dd34bbd1142041a88f6c65f2025942fe30d5af3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\94af38f60f51e8be7c069d0a3dd34bbd1142041a88f6c65f2025942fe30d5af3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\94af38f60f51e8be7c069d0a3dd34bbd1142041a88f6c65f2025942fe30d5af3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\94af38f60f51e8be7c069d0a3dd34bbd1142041a88f6c65f2025942fe30d5af3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\94af38f60f51e8be7c069d0a3dd34bbd1142041a88f6c65f2025942fe30d5af3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\94af38f60f51e8be7c069d0a3dd34bbd1142041a88f6c65f2025942fe30d5af3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\94af38f60f51e8be7c069d0a3dd34bbd1142041a88f6c65f2025942fe30d5af3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\94af38f60f51e8be7c069d0a3dd34bbd1142041a88f6c65f2025942fe30d5af3.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\94af38f60f51e8be7c069d0a3dd34bbd1142041a88f6c65f2025942fe30d5af3.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\94af38f60f51e8be7c069d0a3dd34bbd1142041a88f6c65f2025942fe30d5af3.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4816 wrote to memory of 1764 N/A C:\Users\Admin\AppData\Local\Temp\94af38f60f51e8be7c069d0a3dd34bbd1142041a88f6c65f2025942fe30d5af3.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4816 wrote to memory of 1764 N/A C:\Users\Admin\AppData\Local\Temp\94af38f60f51e8be7c069d0a3dd34bbd1142041a88f6c65f2025942fe30d5af3.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4816 wrote to memory of 1764 N/A C:\Users\Admin\AppData\Local\Temp\94af38f60f51e8be7c069d0a3dd34bbd1142041a88f6c65f2025942fe30d5af3.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2512 wrote to memory of 3608 N/A C:\Users\Admin\AppData\Local\Temp\94af38f60f51e8be7c069d0a3dd34bbd1142041a88f6c65f2025942fe30d5af3.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2512 wrote to memory of 3608 N/A C:\Users\Admin\AppData\Local\Temp\94af38f60f51e8be7c069d0a3dd34bbd1142041a88f6c65f2025942fe30d5af3.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2512 wrote to memory of 3608 N/A C:\Users\Admin\AppData\Local\Temp\94af38f60f51e8be7c069d0a3dd34bbd1142041a88f6c65f2025942fe30d5af3.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2512 wrote to memory of 3748 N/A C:\Users\Admin\AppData\Local\Temp\94af38f60f51e8be7c069d0a3dd34bbd1142041a88f6c65f2025942fe30d5af3.exe C:\Windows\system32\cmd.exe
PID 2512 wrote to memory of 3748 N/A C:\Users\Admin\AppData\Local\Temp\94af38f60f51e8be7c069d0a3dd34bbd1142041a88f6c65f2025942fe30d5af3.exe C:\Windows\system32\cmd.exe
PID 3748 wrote to memory of 2148 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3748 wrote to memory of 2148 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2512 wrote to memory of 3412 N/A C:\Users\Admin\AppData\Local\Temp\94af38f60f51e8be7c069d0a3dd34bbd1142041a88f6c65f2025942fe30d5af3.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2512 wrote to memory of 3412 N/A C:\Users\Admin\AppData\Local\Temp\94af38f60f51e8be7c069d0a3dd34bbd1142041a88f6c65f2025942fe30d5af3.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2512 wrote to memory of 3412 N/A C:\Users\Admin\AppData\Local\Temp\94af38f60f51e8be7c069d0a3dd34bbd1142041a88f6c65f2025942fe30d5af3.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2512 wrote to memory of 4952 N/A C:\Users\Admin\AppData\Local\Temp\94af38f60f51e8be7c069d0a3dd34bbd1142041a88f6c65f2025942fe30d5af3.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2512 wrote to memory of 4952 N/A C:\Users\Admin\AppData\Local\Temp\94af38f60f51e8be7c069d0a3dd34bbd1142041a88f6c65f2025942fe30d5af3.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2512 wrote to memory of 4952 N/A C:\Users\Admin\AppData\Local\Temp\94af38f60f51e8be7c069d0a3dd34bbd1142041a88f6c65f2025942fe30d5af3.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2512 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\94af38f60f51e8be7c069d0a3dd34bbd1142041a88f6c65f2025942fe30d5af3.exe C:\Windows\rss\csrss.exe
PID 2512 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\94af38f60f51e8be7c069d0a3dd34bbd1142041a88f6c65f2025942fe30d5af3.exe C:\Windows\rss\csrss.exe
PID 2512 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\94af38f60f51e8be7c069d0a3dd34bbd1142041a88f6c65f2025942fe30d5af3.exe C:\Windows\rss\csrss.exe
PID 3016 wrote to memory of 3500 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3016 wrote to memory of 3500 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3016 wrote to memory of 3500 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3016 wrote to memory of 2300 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3016 wrote to memory of 2300 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3016 wrote to memory of 2300 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3016 wrote to memory of 2580 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3016 wrote to memory of 2580 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3016 wrote to memory of 2580 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3016 wrote to memory of 4540 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 3016 wrote to memory of 4540 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 700 wrote to memory of 2316 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 700 wrote to memory of 2316 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 700 wrote to memory of 2316 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 2316 wrote to memory of 1032 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 2316 wrote to memory of 1032 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 2316 wrote to memory of 1032 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
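The table above identifies parent and child by PID only, and the sandbox records each write up to three times, so the execution chain is hard to read directly. The Python below is an added example and not part of the sandbox output: it takes rows transcribed from the table (the sample, PowerShell and cmd.exe paths are the ones shown above), collapses duplicates, rebuilds the parent/child tree, and flags an image that borrows the name of a core Windows process while running outside System32. The SYSTEM_ONLY name list is a heuristic chosen for this example, not something the report states.

```python
import re
from collections import defaultdict

# Constructed input: rows transcribed from the WriteProcessMemory table above. The
# sandbox logs each write several times, so two duplicates are kept on purpose.
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\94af38f60f51e8be7c069d0a3dd34bbd1142041a88f6c65f2025942fe30d5af3.exe")
PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
CMD64 = r"C:\Windows\system32\cmd.exe"
CMD32 = r"C:\Windows\SysWOW64\cmd.exe"
CSRSS = r"C:\Windows\rss\csrss.exe"
INJECTOR = r"C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe"
WINDEF = r"C:\Windows\windefender.exe"

ROWS = [
    f"PID 4816 wrote to memory of 1764 N/A {SAMPLE} {PS}",
    f"PID 4816 wrote to memory of 1764 N/A {SAMPLE} {PS}",
    f"PID 2512 wrote to memory of 3608 N/A {SAMPLE} {PS}",
    f"PID 2512 wrote to memory of 3748 N/A {SAMPLE} {CMD64}",
    f"PID 3748 wrote to memory of 2148 N/A {CMD64} C:\\Windows\\system32\\netsh.exe",
    f"PID 2512 wrote to memory of 3412 N/A {SAMPLE} {PS}",
    f"PID 2512 wrote to memory of 4952 N/A {SAMPLE} {PS}",
    f"PID 2512 wrote to memory of 3016 N/A {SAMPLE} {CSRSS}",
    f"PID 3016 wrote to memory of 3500 N/A {CSRSS} {PS}",
    f"PID 3016 wrote to memory of 2300 N/A {CSRSS} {PS}",
    f"PID 3016 wrote to memory of 2580 N/A {CSRSS} {PS}",
    f"PID 3016 wrote to memory of 4540 N/A {CSRSS} {INJECTOR}",
    f"PID 700 wrote to memory of 2316 N/A {WINDEF} {CMD32}",
    f"PID 2316 wrote to memory of 1032 N/A {CMD32} C:\\Windows\\SysWOW64\\sc.exe",
]

# "PID <parent> wrote to memory of <child> <indicator> <parent image> <child image>"
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \S+ (\S+) (\S+)$")


def parse_edges(rows):
    """Map (parent_pid, child_pid) -> (parent_image, child_image), collapsing repeats."""
    edges = {}
    for row in rows:
        m = ROW_RE.match(row.strip())
        if m is None:
            continue  # not a WriteProcessMemory row; ignore it
        ppid, pid, pimg, cimg = m.groups()
        edges[(int(ppid), int(pid))] = (pimg, cimg)
    return edges


def build_tree(edges):
    """Return (images, children, roots); roots are PIDs never seen as a write target."""
    images, children = {}, defaultdict(list)
    for (ppid, pid), (pimg, cimg) in edges.items():
        images.setdefault(ppid, pimg)
        images[pid] = cimg
        children[ppid].append(pid)
    targets = {pid for _, pid in edges}
    roots = sorted(p for p in images if p not in targets)
    return images, dict(children), roots


def render_tree(images, children, roots):
    """Indented text rendering, one process per line, children sorted by PID."""
    lines = []

    def walk(pid, depth):
        lines.append("  " * depth + f"{pid}  {images[pid]}")
        for child in sorted(children.get(pid, [])):
            walk(child, depth + 1)

    for root in roots:
        walk(root, 0)
    return lines


# Heuristic for this example: core Windows processes that only run from System32.
SYSTEM_ONLY = {"csrss.exe", "lsass.exe", "winlogon.exe", "smss.exe", "services.exe"}


def masquerading(images):
    """PIDs whose image name mimics a core Windows process but lives outside System32."""
    hits = []
    for pid, image in images.items():
        folder, _, name = image.rpartition("\\")
        if name.lower() in SYSTEM_ONLY and folder.lower() != r"c:\windows\system32":
            hits.append((pid, image))
    return sorted(hits)


if __name__ == "__main__":
    images, children, roots = build_tree(parse_edges(ROWS))
    print("\n".join(render_tree(images, children, roots)))
    for pid, image in masquerading(images):
        print(f"masquerade: PID {pid} runs {image}")
```

Rendered, the tree has three roots: two instances of the sample (4816 and 2512, so the dropper relaunches itself), and windefender.exe (700), whose parent is not in the table. 2512 is the one that spawns the cmd.exe/netsh.exe firewall change and C:\Windows\rss\csrss.exe, which in turn runs injector.exe and further PowerShell instances; 700 runs cmd.exe and then sc.exe for the sdset call shown in the Processes section. The masquerade check fires on 3016 because csrss.exe never legitimately runs from C:\Windows\rss.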

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\94af38f60f51e8be7c069d0a3dd34bbd1142041a88f6c65f2025942fe30d5af3.exe

"C:\Users\Admin\AppData\Local\Temp\94af38f60f51e8be7c069d0a3dd34bbd1142041a88f6c65f2025942fe30d5af3.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\94af38f60f51e8be7c069d0a3dd34bbd1142041a88f6c65f2025942fe30d5af3.exe

"C:\Users\Admin\AppData\Local\Temp\94af38f60f51e8be7c069d0a3dd34bbd1142041a88f6c65f2025942fe30d5af3.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe
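The SDDL string passed to sc sdset above is the part of this process list most worth decoding, because it is what keeps the "WinDefender" service running once windefender.exe is installed. The Python below is an added example and not part of the sandbox output or of the malware: it parses the descriptor into its ACEs, names the service rights and trustees using the documented SDDL right codes and SID aliases, and answers whether a given trustee can stop the service. Object-GUID fields are parsed but ignored, and conditional ACEs are not handled; neither appears in this string.

```python
import re

# The descriptor from the sc sdset command line above, wrapped for width only.
WINDEFENDER_SDDL = (
    "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)"
    "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
    "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
)

# SDDL two-letter right codes as they map onto service objects.
SERVICE_RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS", "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START", "WP": "SERVICE_STOP", "DT": "SERVICE_PAUSE_CONTINUE",
    "LO": "SERVICE_INTERROGATE", "CR": "SERVICE_USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}
TRUSTEES = {"SY": "Local System", "BA": "Administrators", "IU": "Interactive users",
            "SU": "Service logon", "WD": "Everyone"}
ACE_TYPES = {"A": "allow", "D": "deny", "AU": "audit"}

# A section is O:, G:, D: or S: followed by everything up to the next section marker.
SECTION_RE = re.compile(r"([OGDS]):((?:(?![OGDS]:).)*)")
ACE_RE = re.compile(r"\(([^()]*)\)")


def split_rights(rights):
    """'CCLCSW' -> {'CC', 'LC', 'SW'}; a raw hex mask is kept verbatim."""
    if rights.startswith("0x"):
        return {rights}
    if len(rights) % 2:
        raise ValueError(f"odd-length rights string: {rights}")
    return {rights[i:i + 2] for i in range(0, len(rights), 2)}


def parse_sddl(sddl):
    """Parse O:/G:/D:/S: sections; each ACE becomes a dict of type, flags, rights, trustee."""
    parsed = {"owner": None, "group": None, "dacl": [], "sacl": []}
    for m in SECTION_RE.finditer(sddl):
        tag, body = m.groups()
        if tag in "OG":
            parsed["owner" if tag == "O" else "group"] = body
            continue
        key = "dacl" if tag == "D" else "sacl"
        for ace in ACE_RE.findall(body):
            fields = ace.split(";")
            if len(fields) < 6:
                raise ValueError(f"malformed ACE: ({ace})")
            ace_type, flags, rights, _obj_guid, _inh_guid, trustee = fields[:6]
            parsed[key].append({"type": ACE_TYPES.get(ace_type, ace_type), "flags": flags,
                                "rights": split_rights(rights), "trustee": trustee})
    return parsed


def rights_for(parsed, trustee):
    """(allowed, denied) right codes for one trustee across the whole DACL."""
    allowed, denied = set(), set()
    for ace in parsed["dacl"]:
        if ace["trustee"] == trustee:
            (allowed if ace["type"] == "allow" else denied).update(ace["rights"])
    return allowed, denied


def can_stop(parsed, trustee):
    """True only if SERVICE_STOP is granted and not denied anywhere in the DACL."""
    allowed, denied = rights_for(parsed, trustee)
    return "WP" in allowed and "WP" not in denied


def describe(parsed):
    """Human-readable line per ACE: list, type, trustee, named rights."""
    lines = []
    for key in ("dacl", "sacl"):
        for ace in parsed[key]:
            who = TRUSTEES.get(ace["trustee"], ace["trustee"])
            names = ", ".join(SERVICE_RIGHTS.get(r, r) for r in sorted(ace["rights"]))
            lines.append(f"{key.upper()} {ace['type']:5} {who}: {names}")
    return lines


if __name__ == "__main__":
    sd = parse_sddl(WINDEFENDER_SDDL)
    print("\n".join(describe(sd)))
    for who in ("SY", "BA", "IU"):
        print(f"{TRUSTEES[who]} can stop the service: {can_stop(sd, who)}")
```

Decoded, the DACL grants Local System start, stop and pause but not change-config, delete or write-DAC; it grants Administrators configuration, delete, WRITE_DAC and WRITE_OWNER but omits SERVICE_STOP and SERVICE_PAUSE_CONTINUE from the allow ACE and then denies those two explicitly, so an administrator cannot stop or pause "WinDefender" through the service control manager, and interactive users can only query it. The SACL audits failed access by Everyone. The practical caveat for clean-up is that Administrators still hold WRITE_DAC and WRITE_OWNER, so an elevated operator can overwrite the descriptor with a fresh sc sdset (or take ownership first) and then stop and delete the service normally; the rootkit-style protection here is only as strong as that one omission.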

Network

Country Destination Domain Proto
US 8.8.8.8:53 6fd630fb-fa02-4e11-b4ee-e40a3fe05a7c.uuid.statscreate.org udp
US 8.8.8.8:53 server15.statscreate.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 74.125.250.129:19302 stun.l.google.com udp
US 162.159.134.233:443 cdn.discordapp.com tcp
BG 185.82.216.96:443 server15.statscreate.org tcp
US 8.8.8.8:53 96.216.82.185.in-addr.arpa udp
US 172.67.221.71:443 carsalessystem.com tcp
BG 185.82.216.96:443 server15.statscreate.org tcp
BG 185.82.216.96:443 server15.statscreate.org tcp

Files

memory/4816-1-0x00000000048E0000-0x0000000004CE7000-memory.dmp

memory/4816-2-0x0000000004CF0000-0x00000000055DB000-memory.dmp

memory/4816-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1764-4-0x0000000074A2E000-0x0000000074A2F000-memory.dmp

memory/1764-5-0x0000000000E10000-0x0000000000E46000-memory.dmp

memory/1764-6-0x0000000004E70000-0x000000000549A000-memory.dmp

memory/1764-7-0x0000000074A20000-0x00000000751D1000-memory.dmp

memory/1764-8-0x0000000074A20000-0x00000000751D1000-memory.dmp

memory/1764-9-0x0000000004BF0000-0x0000000004C12000-memory.dmp

memory/1764-10-0x0000000004C90000-0x0000000004CF6000-memory.dmp

memory/1764-11-0x0000000004D70000-0x0000000004DD6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ivp30ruo.ipn.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1764-20-0x00000000055A0000-0x00000000058F7000-memory.dmp

memory/1764-21-0x0000000005AA0000-0x0000000005ABE000-memory.dmp

memory/1764-22-0x0000000005AE0000-0x0000000005B2C000-memory.dmp

memory/1764-23-0x0000000005EF0000-0x0000000005F36000-memory.dmp

memory/4816-24-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/1764-26-0x0000000070C90000-0x0000000070CDC000-memory.dmp

memory/1764-25-0x0000000006ED0000-0x0000000006F04000-memory.dmp

memory/1764-27-0x0000000070E20000-0x0000000071177000-memory.dmp

memory/1764-36-0x0000000006F10000-0x0000000006F2E000-memory.dmp

memory/1764-37-0x0000000006F30000-0x0000000006FD4000-memory.dmp

memory/1764-38-0x0000000074A20000-0x00000000751D1000-memory.dmp

memory/1764-40-0x0000000007060000-0x000000000707A000-memory.dmp

memory/1764-41-0x0000000074A20000-0x00000000751D1000-memory.dmp

memory/1764-39-0x00000000076A0000-0x0000000007D1A000-memory.dmp

memory/1764-42-0x0000000004920000-0x000000000492A000-memory.dmp

memory/1764-43-0x00000000071D0000-0x0000000007266000-memory.dmp

memory/1764-44-0x00000000070E0000-0x00000000070F1000-memory.dmp

memory/1764-45-0x0000000007130000-0x000000000713E000-memory.dmp

memory/1764-46-0x0000000007140000-0x0000000007155000-memory.dmp

memory/1764-47-0x0000000007190000-0x00000000071AA000-memory.dmp

memory/1764-48-0x00000000071B0000-0x00000000071B8000-memory.dmp

memory/1764-51-0x0000000074A20000-0x00000000751D1000-memory.dmp

memory/4816-52-0x00000000048E0000-0x0000000004CE7000-memory.dmp

memory/4816-54-0x0000000004CF0000-0x00000000055DB000-memory.dmp

memory/4816-56-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4816-55-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/3608-65-0x0000000006280000-0x00000000065D7000-memory.dmp

memory/3608-66-0x0000000070C90000-0x0000000070CDC000-memory.dmp

memory/3608-67-0x0000000070E10000-0x0000000071167000-memory.dmp

memory/3608-76-0x0000000007900000-0x00000000079A4000-memory.dmp

memory/3608-77-0x0000000007C30000-0x0000000007C41000-memory.dmp

memory/3608-78-0x0000000007C80000-0x0000000007C95000-memory.dmp

memory/2512-81-0x0000000000400000-0x0000000002B0B000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 ac4917a885cf6050b1a483e4bc4d2ea5
SHA1 b1c0a9f27bd21c6bbb8e9be70db8777b4a2a640f
SHA256 e39062a62c3c7617feeeff95ea8a0be51104a0d36f46e44eea22556fda74d8d9
SHA512 092c67a3ecae1d187cad72a8ea1ea37cb78a0cf79c2cd7fb88953e5990669a2e871267015762fd46d274badb88ac0c1d73b00f1df7394d89bed48a3a45c2ba3d

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 e331bded8652786bd3d3afb96b410331
SHA1 083684741d96b9c5e7bfc144b10cc194b75dca47
SHA256 63aefa2d52846c1fd515e4a80e469f7fa5adc43b560a544ff36ccce60b2e28bc
SHA512 2e63f6ba0530eba62ce7d198e08dc4314e23104538f64ff06e55eed07907f83479948a1b431eedb3a9ec2495c98b78fdbf1e5283353cd40ee157d2669307f8ed

memory/3412-92-0x0000000070C90000-0x0000000070CDC000-memory.dmp

memory/3412-93-0x0000000070E10000-0x0000000071167000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 5b37253ef977c542f929a20d3ba77182
SHA1 ed267e27c3203fec22c86cee3739169f41186017
SHA256 00eaa53b152288a5059048043bf71271db6ae909fa618a6399116c176b1201ff
SHA512 589bcc3688794f379922c6b17efb7ef0471be30c076908c18f10761994151a88f12d8085717be7f639cba0683ac2b1cb59ec61f8a15725f70c18ccc2abfa3ad4

memory/4952-112-0x0000000070C90000-0x0000000070CDC000-memory.dmp

memory/4952-113-0x0000000070E10000-0x0000000071167000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 b642129a947608e13ba27bb887e2aeda
SHA1 f4e401d53b9c34b6ee6fc706afaf75091190d1e8
SHA256 94af38f60f51e8be7c069d0a3dd34bbd1142041a88f6c65f2025942fe30d5af3
SHA512 c6f1b50d255c195ca7b1cbd21f4bdc05e24bf2a51c1fc04c3be2e9f161d997d8a7b792ff946a8820c027eca3d0aa3fc5f06ee25efa1a7c6b8039f00d1e13aca6

memory/2512-127-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/3500-139-0x0000000005950000-0x0000000005CA7000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 764b7306dcd490309e7cb8e50ed8249e
SHA1 8ed913ffaed0d3cd762da6c4e9618bac81dad46d
SHA256 09587891a3ca900d47f4d6306de0be34f57a2dabf5efb5ef4bd76658438856f0
SHA512 70fe9e204402d3df6ce5d8f5fe8a4547cff6e101cddc7644b8c65b36dea8b977b7e03c37ebfcc9ed4dd4f9f3ed8491c09eeb79409579505bb8241c4a9885ff78

memory/3500-141-0x0000000070C90000-0x0000000070CDC000-memory.dmp

memory/3500-142-0x0000000070EE0000-0x0000000071237000-memory.dmp

memory/3016-151-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/2300-161-0x00000000061C0000-0x0000000006517000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 10214464bdc672df0c58d2d9b8b64e03
SHA1 83d6ac821c8c6fa83f0856c912759d931f7ee527
SHA256 ecc532aaf3e9216f1d69f9915a6c7b53bf97f1a798e88464f6853b438ac85323
SHA512 df43cc4a300f8b21835e1966215558fa3b6b427f1f8ff92a6f8582a956f0445fdcd5f85180168aa65441ae0cfedfff49daa0a9ce386393eb42576fceb79bfa80

memory/2300-163-0x0000000006960000-0x00000000069AC000-memory.dmp

memory/2300-164-0x0000000070BB0000-0x0000000070BFC000-memory.dmp

memory/2300-165-0x0000000070D50000-0x00000000710A7000-memory.dmp

memory/2300-174-0x00000000078A0000-0x0000000007944000-memory.dmp

memory/2300-175-0x0000000007C10000-0x0000000007C21000-memory.dmp

memory/2300-176-0x0000000005FA0000-0x0000000005FB5000-memory.dmp

memory/2580-186-0x0000000006330000-0x0000000006687000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 1ac7e6a7d88424f74ffd54fdb032938b
SHA1 dde5cfe1390226c081283a25a2d895dce3ff5b8f
SHA256 5d6fd872321e95de04b465ca62c77e19cefa6be3135ebb6d680eea675b7cb64d
SHA512 7f053dcec78d0f211d568b52eacbcc8a811fb2fededb6a9af62b18fd0ceb9f842803e429f0f7e3a85cb78b4fa2d881ba5e5bc74478257faa53eef2c9d4a52d73

memory/2580-188-0x0000000070BB0000-0x0000000070BFC000-memory.dmp

memory/2580-189-0x0000000070D30000-0x0000000071087000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/3016-205-0x0000000000400000-0x0000000002B0B000-memory.dmp

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/700-210-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/700-215-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3524-214-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3016-216-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/3524-219-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3016-218-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/3016-221-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/3524-225-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3016-224-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/3016-228-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/3016-230-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/3016-233-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/3016-236-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/3016-240-0x0000000000400000-0x0000000002B0B000-memory.dmp