Malware Analysis Report

2025-01-02 06:40

Sample ID 240515-sms72afd86
Target 3ad663cab74552139102de98c9de686bfa6a151095bbc79be01ec9348b6759e8
SHA256 3ad663cab74552139102de98c9de686bfa6a151095bbc79be01ec9348b6759e8
Tags
glupteba discovery dropper evasion execution loader persistence rootkit upx
score
10/10

Analysis Overview

score
10/10

SHA256

3ad663cab74552139102de98c9de686bfa6a151095bbc79be01ec9348b6759e8

Threat Level: Known bad

The file 3ad663cab74552139102de98c9de686bfa6a151095bbc79be01ec9348b6759e8 was found to be: Known bad.

Malicious Activity Summary

glupteba discovery dropper evasion execution loader persistence rootkit upx

Glupteba

Glupteba payload

Modifies Windows Firewall

UPX packed file

Executes dropped EXE

Checks installed software on the system

Adds Run key to start application

Manipulates WinMonFS driver.

Drops file in System32 directory

Checks for VirtualBox DLLs, possible anti-VM trick

Drops file in Windows directory

Launches sc.exe

Program crash

Command and Scripting Interpreter: PowerShell

Modifies data under HKEY_USERS

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

Analysis: static1

Detonation Overview

Reported

2024-05-15 15:14

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-15 15:14

Reported

2024-05-15 15:17

Platform

win11-20240508-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3ad663cab74552139102de98c9de686bfa6a151095bbc79be01ec9348b6759e8.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\3ad663cab74552139102de98c9de686bfa6a151095bbc79be01ec9348b6759e8.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\3ad663cab74552139102de98c9de686bfa6a151095bbc79be01ec9348b6759e8.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\3ad663cab74552139102de98c9de686bfa6a151095bbc79be01ec9348b6759e8.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\3ad663cab74552139102de98c9de686bfa6a151095bbc79be01ec9348b6759e8.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-91 = "Pacific SA Daylight Time" C:\Users\Admin\AppData\Local\Temp\3ad663cab74552139102de98c9de686bfa6a151095bbc79be01ec9348b6759e8.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2142 = "Transbaikal Standard Time" C:\Users\Admin\AppData\Local\Temp\3ad663cab74552139102de98c9de686bfa6a151095bbc79be01ec9348b6759e8.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-962 = "Paraguay Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-592 = "Malay Peninsula Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-3142 = "South Sudan Standard Time" C:\Users\Admin\AppData\Local\Temp\3ad663cab74552139102de98c9de686bfa6a151095bbc79be01ec9348b6759e8.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1411 = "Syria Daylight Time" C:\Users\Admin\AppData\Local\Temp\3ad663cab74552139102de98c9de686bfa6a151095bbc79be01ec9348b6759e8.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-31 = "Mid-Atlantic Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2141 = "Transbaikal Daylight Time" C:\Users\Admin\AppData\Local\Temp\3ad663cab74552139102de98c9de686bfa6a151095bbc79be01ec9348b6759e8.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-242 = "Samoa Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1412 = "Syria Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2491 = "Aus Central W. Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-381 = "South Africa Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1872 = "Russia TZ 7 Standard Time" C:\Users\Admin\AppData\Local\Temp\3ad663cab74552139102de98c9de686bfa6a151095bbc79be01ec9348b6759e8.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1501 = "Turkey Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-722 = "Central Pacific Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2511 = "Lord Howe Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-3052 = "Qyzylorda Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1861 = "Russia TZ 6 Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2772 = "Omsk Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-202 = "US Mountain Standard Time" C:\Users\Admin\AppData\Local\Temp\3ad663cab74552139102de98c9de686bfa6a151095bbc79be01ec9348b6759e8.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2001 = "Cabo Verde Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-742 = "New Zealand Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time" C:\Users\Admin\AppData\Local\Temp\3ad663cab74552139102de98c9de686bfa6a151095bbc79be01ec9348b6759e8.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1861 = "Russia TZ 6 Daylight Time" C:\Users\Admin\AppData\Local\Temp\3ad663cab74552139102de98c9de686bfa6a151095bbc79be01ec9348b6759e8.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2492 = "Aus Central W. Standard Time" C:\Users\Admin\AppData\Local\Temp\3ad663cab74552139102de98c9de686bfa6a151095bbc79be01ec9348b6759e8.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2372 = "Easter Island Standard Time" C:\Users\Admin\AppData\Local\Temp\3ad663cab74552139102de98c9de686bfa6a151095bbc79be01ec9348b6759e8.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-501 = "Nepal Daylight Time" C:\Users\Admin\AppData\Local\Temp\3ad663cab74552139102de98c9de686bfa6a151095bbc79be01ec9348b6759e8.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-462 = "Afghanistan Standard Time" C:\Users\Admin\AppData\Local\Temp\3ad663cab74552139102de98c9de686bfa6a151095bbc79be01ec9348b6759e8.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2341 = "Haiti Daylight Time" C:\Users\Admin\AppData\Local\Temp\3ad663cab74552139102de98c9de686bfa6a151095bbc79be01ec9348b6759e8.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-231 = "Hawaiian Daylight Time" C:\Users\Admin\AppData\Local\Temp\3ad663cab74552139102de98c9de686bfa6a151095bbc79be01ec9348b6759e8.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1841 = "Russia TZ 4 Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-302 = "Romance Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-105 = "Central Brazilian Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1862 = "Russia TZ 6 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-3051 = "Qyzylorda Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-182 = "Mountain Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\3ad663cab74552139102de98c9de686bfa6a151095bbc79be01ec9348b6759e8.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-381 = "South Africa Daylight Time" C:\Users\Admin\AppData\Local\Temp\3ad663cab74552139102de98c9de686bfa6a151095bbc79be01ec9348b6759e8.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1661 = "Bahia Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-292 = "Central European Standard Time" C:\Windows\windefender.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3ad663cab74552139102de98c9de686bfa6a151095bbc79be01ec9348b6759e8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3ad663cab74552139102de98c9de686bfa6a151095bbc79be01ec9348b6759e8.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3ad663cab74552139102de98c9de686bfa6a151095bbc79be01ec9348b6759e8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3ad663cab74552139102de98c9de686bfa6a151095bbc79be01ec9348b6759e8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3ad663cab74552139102de98c9de686bfa6a151095bbc79be01ec9348b6759e8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3ad663cab74552139102de98c9de686bfa6a151095bbc79be01ec9348b6759e8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3ad663cab74552139102de98c9de686bfa6a151095bbc79be01ec9348b6759e8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3ad663cab74552139102de98c9de686bfa6a151095bbc79be01ec9348b6759e8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3ad663cab74552139102de98c9de686bfa6a151095bbc79be01ec9348b6759e8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3ad663cab74552139102de98c9de686bfa6a151095bbc79be01ec9348b6759e8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3ad663cab74552139102de98c9de686bfa6a151095bbc79be01ec9348b6759e8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3ad663cab74552139102de98c9de686bfa6a151095bbc79be01ec9348b6759e8.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3ad663cab74552139102de98c9de686bfa6a151095bbc79be01ec9348b6759e8.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3ad663cab74552139102de98c9de686bfa6a151095bbc79be01ec9348b6759e8.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2244 wrote to memory of 4480 N/A C:\Users\Admin\AppData\Local\Temp\3ad663cab74552139102de98c9de686bfa6a151095bbc79be01ec9348b6759e8.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2244 wrote to memory of 4480 N/A C:\Users\Admin\AppData\Local\Temp\3ad663cab74552139102de98c9de686bfa6a151095bbc79be01ec9348b6759e8.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2244 wrote to memory of 4480 N/A C:\Users\Admin\AppData\Local\Temp\3ad663cab74552139102de98c9de686bfa6a151095bbc79be01ec9348b6759e8.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 400 wrote to memory of 3172 N/A C:\Users\Admin\AppData\Local\Temp\3ad663cab74552139102de98c9de686bfa6a151095bbc79be01ec9348b6759e8.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 400 wrote to memory of 3172 N/A C:\Users\Admin\AppData\Local\Temp\3ad663cab74552139102de98c9de686bfa6a151095bbc79be01ec9348b6759e8.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 400 wrote to memory of 3172 N/A C:\Users\Admin\AppData\Local\Temp\3ad663cab74552139102de98c9de686bfa6a151095bbc79be01ec9348b6759e8.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 400 wrote to memory of 1808 N/A C:\Users\Admin\AppData\Local\Temp\3ad663cab74552139102de98c9de686bfa6a151095bbc79be01ec9348b6759e8.exe C:\Windows\system32\cmd.exe
PID 400 wrote to memory of 1808 N/A C:\Users\Admin\AppData\Local\Temp\3ad663cab74552139102de98c9de686bfa6a151095bbc79be01ec9348b6759e8.exe C:\Windows\system32\cmd.exe
PID 1808 wrote to memory of 3500 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1808 wrote to memory of 3500 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 400 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\3ad663cab74552139102de98c9de686bfa6a151095bbc79be01ec9348b6759e8.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 400 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\3ad663cab74552139102de98c9de686bfa6a151095bbc79be01ec9348b6759e8.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 400 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\3ad663cab74552139102de98c9de686bfa6a151095bbc79be01ec9348b6759e8.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 400 wrote to memory of 1204 N/A C:\Users\Admin\AppData\Local\Temp\3ad663cab74552139102de98c9de686bfa6a151095bbc79be01ec9348b6759e8.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 400 wrote to memory of 1204 N/A C:\Users\Admin\AppData\Local\Temp\3ad663cab74552139102de98c9de686bfa6a151095bbc79be01ec9348b6759e8.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 400 wrote to memory of 1204 N/A C:\Users\Admin\AppData\Local\Temp\3ad663cab74552139102de98c9de686bfa6a151095bbc79be01ec9348b6759e8.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 400 wrote to memory of 4668 N/A C:\Users\Admin\AppData\Local\Temp\3ad663cab74552139102de98c9de686bfa6a151095bbc79be01ec9348b6759e8.exe C:\Windows\rss\csrss.exe
PID 400 wrote to memory of 4668 N/A C:\Users\Admin\AppData\Local\Temp\3ad663cab74552139102de98c9de686bfa6a151095bbc79be01ec9348b6759e8.exe C:\Windows\rss\csrss.exe
PID 400 wrote to memory of 4668 N/A C:\Users\Admin\AppData\Local\Temp\3ad663cab74552139102de98c9de686bfa6a151095bbc79be01ec9348b6759e8.exe C:\Windows\rss\csrss.exe
PID 4668 wrote to memory of 3248 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4668 wrote to memory of 3248 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4668 wrote to memory of 3248 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4668 wrote to memory of 1520 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4668 wrote to memory of 1520 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4668 wrote to memory of 1520 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4668 wrote to memory of 1224 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4668 wrote to memory of 1224 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4668 wrote to memory of 1224 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4668 wrote to memory of 2952 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 4668 wrote to memory of 2952 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 2936 wrote to memory of 4028 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 2936 wrote to memory of 4028 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 2936 wrote to memory of 4028 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 4028 wrote to memory of 2344 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 4028 wrote to memory of 2344 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 4028 wrote to memory of 2344 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\3ad663cab74552139102de98c9de686bfa6a151095bbc79be01ec9348b6759e8.exe

"C:\Users\Admin\AppData\Local\Temp\3ad663cab74552139102de98c9de686bfa6a151095bbc79be01ec9348b6759e8.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4480 -ip 4480

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4480 -s 2516

C:\Users\Admin\AppData\Local\Temp\3ad663cab74552139102de98c9de686bfa6a151095bbc79be01ec9348b6759e8.exe

"C:\Users\Admin\AppData\Local\Temp\3ad663cab74552139102de98c9de686bfa6a151095bbc79be01ec9348b6759e8.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 b54c1781-1707-4feb-88f7-7ec22a4b35b7.uuid.statstraffic.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 server11.statstraffic.org udp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 74.125.250.129:19302 stun.l.google.com udp
BG 185.82.216.104:443 server11.statstraffic.org tcp
US 104.21.94.82:443 carsalessystem.com tcp
US 8.8.8.8:53 82.94.21.104.in-addr.arpa udp
BG 185.82.216.104:443 server11.statstraffic.org tcp
BG 185.82.216.104:443 server11.statstraffic.org tcp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lfkwuevp.gqh.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 d0c46cad6c0778401e21910bd6b56b70
SHA1 7be418951ea96326aca445b8dfe449b2bfa0dca6
SHA256 9600b3fdf0565ccb49e21656aa4b24d7c18f776bfd04d9ee984b134707550f02
SHA512 057531b468f7fbbb2175a696a8aab274dec0d17d9f71df309edcff35e064f3378050066a3df47ccd03048fac461594ec75e3d4fe64f9dd79949d129f51e02949

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 2551fb2ef32d05ae727cfeb646879220
SHA1 5f68abf8460f703a7a53b4a73d2da3b9780194d0
SHA256 67470ee0583d29b9cb8a918419ef0726c108db2e2f72a14e2e1bf39a1f02a274
SHA512 fb943ac60ff2410e78ec4fa1b0777235ab6bf231438b28d6303edfeeaac4f9619bdba965bec83136dcb746c6f477028603cbdf72fd9d05395a757ea0cf665750

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 e718d86b418664dbaf4294072b0ff00d
SHA1 9d5cb8a9d78f1f601403ccdc9a47de918e9e7c7c
SHA256 30cb721dfe1136992fc390581c721feeea9f7ae5bdf1789229619a048c73e92f
SHA512 608ab5bb57f9cf5aefab1b113a8e22074276bbd022edc4ef350203bd851bf507289d37a64b4af59c7aa903d627d1db0ceb30d41bceb7f73ae1b2bc33e27f6fdc

C:\Windows\rss\csrss.exe

MD5 4dd8f8e0b2a6bdb5f1d02988b7c63b3f
SHA1 aa1d5ed80aff5bfe054fee72f5fdd393ba1b9ba6
SHA256 3ad663cab74552139102de98c9de686bfa6a151095bbc79be01ec9348b6759e8
SHA512 c744269aeb665f35be15b081120b9566e8acf5f4a1cdfd6a3285f0a83344cb97355be64c5fc36275597b1132381cfd19e251cb3cf5b3fc047a3340e5763ff96c

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 f8cddb138cdd8a4de6950071d06b8260
SHA1 ffb5d9f6196b5fab27b6ad3a8c4e019eb263e649
SHA256 62d1af3e76c305bdeb4b80f443be03225010824202ca7f792a4d14ae0e182834
SHA512 367694dab0e6d99be0f617c91590b2a3dac6b6b747fd73825e64c6f6c3f9df57e5637fe1be38b5f9d07f123d1b55b7d7794fb308084edf2127f280e69ed48e64

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 ab1c5537f71dd43143ced7755e0d21bc
SHA1 0ae109c44c0f38b2490a8aa8567c027160b6420e
SHA256 29ee62f46d5f6e31f2caef6f5fa8bf75e11f6e10826cc02c0c870bc472d37b5e
SHA512 51aa6b69e9a2a9f600f33885f7b26b3983e7fe713abe673e6d9bab422f001757adbd5145ba9ea269a8e0bf814009a690020583bcb62945bef0fd178d8a6a3de6

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 49affadf861c3f0768617c15e609c36b
SHA1 a22a9ea183525a7db0ddf8cfd152ccbdf17019de
SHA256 46ee9e89d048cb130e246a9c0b1759efa43b6d9bffda6a41618ee1310f2268a5
SHA512 ad527a419cfe16a0865dea88af9b1f1ab602f42d0c2b1b7ad161a7bba4b8275c7c806de9ae771d6ece73cf2fc37f086a655e34958434577f8dbcb4323581435e

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-15 15:14

Reported

2024-05-15 15:17

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3ad663cab74552139102de98c9de686bfa6a151095bbc79be01ec9348b6759e8.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\3ad663cab74552139102de98c9de686bfa6a151095bbc79be01ec9348b6759e8.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\3ad663cab74552139102de98c9de686bfa6a151095bbc79be01ec9348b6759e8.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\3ad663cab74552139102de98c9de686bfa6a151095bbc79be01ec9348b6759e8.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\3ad663cab74552139102de98c9de686bfa6a151095bbc79be01ec9348b6759e8.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2392 = "Aleutian Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2181 = "Astrakhan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1861 = "Russia TZ 6 Daylight Time" C:\Users\Admin\AppData\Local\Temp\3ad663cab74552139102de98c9de686bfa6a151095bbc79be01ec9348b6759e8.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-631 = "Tokyo Daylight Time" C:\Users\Admin\AppData\Local\Temp\3ad663cab74552139102de98c9de686bfa6a151095bbc79be01ec9348b6759e8.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-932 = "Coordinated Universal Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-672 = "AUS Eastern Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-721 = "Central Pacific Daylight Time" C:\Users\Admin\AppData\Local\Temp\3ad663cab74552139102de98c9de686bfa6a151095bbc79be01ec9348b6759e8.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2632 = "Norfolk Standard Time" C:\Users\Admin\AppData\Local\Temp\3ad663cab74552139102de98c9de686bfa6a151095bbc79be01ec9348b6759e8.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-961 = "Paraguay Daylight Time" C:\Users\Admin\AppData\Local\Temp\3ad663cab74552139102de98c9de686bfa6a151095bbc79be01ec9348b6759e8.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2592 = "Tocantins Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2451 = "Saint Pierre Daylight Time" C:\Users\Admin\AppData\Local\Temp\3ad663cab74552139102de98c9de686bfa6a151095bbc79be01ec9348b6759e8.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2592 = "Tocantins Standard Time" C:\Users\Admin\AppData\Local\Temp\3ad663cab74552139102de98c9de686bfa6a151095bbc79be01ec9348b6759e8.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-215 = "Pacific Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\3ad663cab74552139102de98c9de686bfa6a151095bbc79be01ec9348b6759e8.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-3051 = "Qyzylorda Daylight Time" C:\Users\Admin\AppData\Local\Temp\3ad663cab74552139102de98c9de686bfa6a151095bbc79be01ec9348b6759e8.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1472 = "Magadan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-272 = "Greenwich Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-122 = "SA Pacific Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-392 = "Arab Standard Time" C:\Users\Admin\AppData\Local\Temp\3ad663cab74552139102de98c9de686bfa6a151095bbc79be01ec9348b6759e8.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-141 = "Canada Central Daylight Time" C:\Users\Admin\AppData\Local\Temp\3ad663cab74552139102de98c9de686bfa6a151095bbc79be01ec9348b6759e8.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time" C:\Users\Admin\AppData\Local\Temp\3ad663cab74552139102de98c9de686bfa6a151095bbc79be01ec9348b6759e8.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1911 = "Russia TZ 10 Daylight Time" C:\Users\Admin\AppData\Local\Temp\3ad663cab74552139102de98c9de686bfa6a151095bbc79be01ec9348b6759e8.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-3142 = "South Sudan Standard Time" C:\Users\Admin\AppData\Local\Temp\3ad663cab74552139102de98c9de686bfa6a151095bbc79be01ec9348b6759e8.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-511 = "Central Asia Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-192 = "Mountain Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1041 = "Ulaanbaatar Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-364 = "Middle East Daylight Time" C:\Users\Admin\AppData\Local\Temp\3ad663cab74552139102de98c9de686bfa6a151095bbc79be01ec9348b6759e8.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2591 = "Tocantins Daylight Time" C:\Users\Admin\AppData\Local\Temp\3ad663cab74552139102de98c9de686bfa6a151095bbc79be01ec9348b6759e8.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-601 = "Taipei Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-842 = "Argentina Standard Time" C:\Users\Admin\AppData\Local\Temp\3ad663cab74552139102de98c9de686bfa6a151095bbc79be01ec9348b6759e8.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-211 = "Pacific Daylight Time" C:\Users\Admin\AppData\Local\Temp\3ad663cab74552139102de98c9de686bfa6a151095bbc79be01ec9348b6759e8.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2632 = "Norfolk Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1801 = "Line Islands Daylight Time" C:\Users\Admin\AppData\Local\Temp\3ad663cab74552139102de98c9de686bfa6a151095bbc79be01ec9348b6759e8.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-572 = "China Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2572 = "Turks and Caicos Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-391 = "Arab Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-382 = "South Africa Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2372 = "Easter Island Standard Time" C:\Users\Admin\AppData\Local\Temp\3ad663cab74552139102de98c9de686bfa6a151095bbc79be01ec9348b6759e8.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-501 = "Nepal Daylight Time" C:\Users\Admin\AppData\Local\Temp\3ad663cab74552139102de98c9de686bfa6a151095bbc79be01ec9348b6759e8.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3ad663cab74552139102de98c9de686bfa6a151095bbc79be01ec9348b6759e8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3ad663cab74552139102de98c9de686bfa6a151095bbc79be01ec9348b6759e8.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3ad663cab74552139102de98c9de686bfa6a151095bbc79be01ec9348b6759e8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3ad663cab74552139102de98c9de686bfa6a151095bbc79be01ec9348b6759e8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3ad663cab74552139102de98c9de686bfa6a151095bbc79be01ec9348b6759e8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3ad663cab74552139102de98c9de686bfa6a151095bbc79be01ec9348b6759e8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3ad663cab74552139102de98c9de686bfa6a151095bbc79be01ec9348b6759e8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3ad663cab74552139102de98c9de686bfa6a151095bbc79be01ec9348b6759e8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3ad663cab74552139102de98c9de686bfa6a151095bbc79be01ec9348b6759e8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3ad663cab74552139102de98c9de686bfa6a151095bbc79be01ec9348b6759e8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3ad663cab74552139102de98c9de686bfa6a151095bbc79be01ec9348b6759e8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3ad663cab74552139102de98c9de686bfa6a151095bbc79be01ec9348b6759e8.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3ad663cab74552139102de98c9de686bfa6a151095bbc79be01ec9348b6759e8.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3ad663cab74552139102de98c9de686bfa6a151095bbc79be01ec9348b6759e8.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1588 wrote to memory of 4496 N/A C:\Users\Admin\AppData\Local\Temp\3ad663cab74552139102de98c9de686bfa6a151095bbc79be01ec9348b6759e8.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1588 wrote to memory of 4496 N/A C:\Users\Admin\AppData\Local\Temp\3ad663cab74552139102de98c9de686bfa6a151095bbc79be01ec9348b6759e8.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1588 wrote to memory of 4496 N/A C:\Users\Admin\AppData\Local\Temp\3ad663cab74552139102de98c9de686bfa6a151095bbc79be01ec9348b6759e8.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1420 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Local\Temp\3ad663cab74552139102de98c9de686bfa6a151095bbc79be01ec9348b6759e8.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1420 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Local\Temp\3ad663cab74552139102de98c9de686bfa6a151095bbc79be01ec9348b6759e8.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1420 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Local\Temp\3ad663cab74552139102de98c9de686bfa6a151095bbc79be01ec9348b6759e8.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1420 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\3ad663cab74552139102de98c9de686bfa6a151095bbc79be01ec9348b6759e8.exe C:\Windows\system32\cmd.exe
PID 1420 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\3ad663cab74552139102de98c9de686bfa6a151095bbc79be01ec9348b6759e8.exe C:\Windows\system32\cmd.exe
PID 2476 wrote to memory of 4664 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2476 wrote to memory of 4664 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1420 wrote to memory of 60 N/A C:\Users\Admin\AppData\Local\Temp\3ad663cab74552139102de98c9de686bfa6a151095bbc79be01ec9348b6759e8.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1420 wrote to memory of 60 N/A C:\Users\Admin\AppData\Local\Temp\3ad663cab74552139102de98c9de686bfa6a151095bbc79be01ec9348b6759e8.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1420 wrote to memory of 60 N/A C:\Users\Admin\AppData\Local\Temp\3ad663cab74552139102de98c9de686bfa6a151095bbc79be01ec9348b6759e8.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1420 wrote to memory of 3480 N/A C:\Users\Admin\AppData\Local\Temp\3ad663cab74552139102de98c9de686bfa6a151095bbc79be01ec9348b6759e8.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1420 wrote to memory of 3480 N/A C:\Users\Admin\AppData\Local\Temp\3ad663cab74552139102de98c9de686bfa6a151095bbc79be01ec9348b6759e8.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1420 wrote to memory of 3480 N/A C:\Users\Admin\AppData\Local\Temp\3ad663cab74552139102de98c9de686bfa6a151095bbc79be01ec9348b6759e8.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1420 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\3ad663cab74552139102de98c9de686bfa6a151095bbc79be01ec9348b6759e8.exe C:\Windows\rss\csrss.exe
PID 1420 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\3ad663cab74552139102de98c9de686bfa6a151095bbc79be01ec9348b6759e8.exe C:\Windows\rss\csrss.exe
PID 1420 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\3ad663cab74552139102de98c9de686bfa6a151095bbc79be01ec9348b6759e8.exe C:\Windows\rss\csrss.exe
PID 2552 wrote to memory of 3536 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2552 wrote to memory of 3536 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2552 wrote to memory of 3536 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2552 wrote to memory of 5000 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2552 wrote to memory of 5000 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2552 wrote to memory of 5000 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2552 wrote to memory of 4656 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2552 wrote to memory of 4656 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2552 wrote to memory of 4656 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2552 wrote to memory of 4472 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 2552 wrote to memory of 4472 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 544 wrote to memory of 1476 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 544 wrote to memory of 1476 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 544 wrote to memory of 1476 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 1476 wrote to memory of 2224 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 1476 wrote to memory of 2224 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 1476 wrote to memory of 2224 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\3ad663cab74552139102de98c9de686bfa6a151095bbc79be01ec9348b6759e8.exe

"C:\Users\Admin\AppData\Local\Temp\3ad663cab74552139102de98c9de686bfa6a151095bbc79be01ec9348b6759e8.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\3ad663cab74552139102de98c9de686bfa6a151095bbc79be01ec9348b6759e8.exe

"C:\Users\Admin\AppData\Local\Temp\3ad663cab74552139102de98c9de686bfa6a151095bbc79be01ec9348b6759e8.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe
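The `sc sdset WinDefender ...` command line above is the sample locking down its own service: the SDDL string sets who may start, stop, pause, delete or re-ACL the service. The script below is an added example, not code from the report or from the sample. It parses the descriptor copied from the Processes section, expands the two-letter right and trustee codes using the standard SDDL abbreviations for service objects, and walks the DACL in a simplified model of the Windows access check (explicit ACEs only, evaluated in listed order, no inheritance and no generic-right mapping), so a responder can see which principals can still act on the service. All function names are my own.

```python
"""Decode the service security descriptor this sample applies with `sc sdset`.

Added example, not code from the report: the SDDL string is copied verbatim
from the sandbox's Processes section; the access-check walk is a simplified
model of how Windows evaluates a DACL (explicit ACEs, in order, no inheritance).
"""
import re
from dataclasses import dataclass

# Service object access rights: SDDL code -> (mask bit, name).
SERVICE_RIGHTS = {
    "CC": (0x00001, "SERVICE_QUERY_CONFIG"),
    "DC": (0x00002, "SERVICE_CHANGE_CONFIG"),
    "LC": (0x00004, "SERVICE_QUERY_STATUS"),
    "SW": (0x00008, "SERVICE_ENUMERATE_DEPENDENTS"),
    "RP": (0x00010, "SERVICE_START"),
    "WP": (0x00020, "SERVICE_STOP"),
    "DT": (0x00040, "SERVICE_PAUSE_CONTINUE"),
    "LO": (0x00080, "SERVICE_INTERROGATE"),
    "CR": (0x00100, "SERVICE_USER_DEFINED_CONTROL"),
    "SD": (0x10000, "DELETE"),
    "RC": (0x20000, "READ_CONTROL"),
    "WD": (0x40000, "WRITE_DAC"),
    "WO": (0x80000, "WRITE_OWNER"),
}
BIT_TO_NAME = {bit: name for bit, name in SERVICE_RIGHTS.values()}

# Well-known trustee abbreviations that appear in the descriptor on this page.
TRUSTEES = {"SY": "Local System", "BA": "Builtin Administrators",
            "IU": "Interactive Users", "SU": "Service Logon", "WD": "Everyone"}


@dataclass(frozen=True)
class Ace:
    ace_type: str       # "A" allow, "D" deny, "AU" audit
    flags: str          # ACE flags, e.g. "FA" = audit failed access
    rights: frozenset   # decoded right names
    trustee: str        # SID abbreviation (or a literal S-1-... SID)


def decode_rights(field):
    """Rights field -> set of right names.
    Accepts a run of two-letter codes (CCLCSW...) or a hex mask (0x...)."""
    if field.lower().startswith("0x"):
        mask = int(field, 16)
        return frozenset(name for bit, name in BIT_TO_NAME.items() if mask & bit)
    codes = [field[i:i + 2] for i in range(0, len(field), 2)]
    # Codes outside the service table (e.g. generic GA/GR) are kept verbatim.
    return frozenset(SERVICE_RIGHTS[c][1] if c in SERVICE_RIGHTS else c for c in codes)


def parse_sddl(sddl):
    """Return {"D": [Ace, ...], "S": [Ace, ...]} for the DACL and SACL parts."""
    acls = {"D": [], "S": []}
    for section, body in re.findall(r"([DS]):((?:\([^)]*\))*)", sddl):
        for ace in re.findall(r"\(([^)]*)\)", body):
            ace_type, flags, rights, _obj, _inh, trustee = ace.split(";")[:6]
            acls[section].append(Ace(ace_type, flags, decode_rights(rights), trustee))
    return acls


def access_check(dacl, groups, requested):
    """Simplified DACL walk: ACEs are evaluated in order; a deny ACE matching
    any still-ungranted right ends the check, allow ACEs accumulate until every
    requested right is granted. `groups` = trustee abbreviations in the token."""
    remaining = set(requested)
    for ace in dacl:
        if ace.trustee not in groups:
            continue
        if ace.ace_type == "D" and ace.rights & remaining:
            return False
        if ace.ace_type == "A":
            remaining -= ace.rights
            if not remaining:
                return True
    return not remaining


def who_can(dacl, right):
    """Map each well-known trustee to whether it holds `right` on its own."""
    return {t: access_check(dacl, {t}, {right}) for t in TRUSTEES}


# The descriptor from this report's `sc sdset WinDefender ...` command line.
SAMPLE_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
               "(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)"
               "(D;;WPDT;;;BA)"
               "(A;;CCLCSWLOCRRC;;;IU)"
               "(A;;CCLCSWLOCRRC;;;SU)"
               "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")

if __name__ == "__main__":
    acls = parse_sddl(SAMPLE_SDDL)
    for ace in acls["D"]:
        kind = {"A": "ALLOW", "D": "DENY "}[ace.ace_type]
        print(f"{kind} {TRUSTEES.get(ace.trustee, ace.trustee):24} {sorted(ace.rights)}")
    for right in ("SERVICE_STOP", "SERVICE_PAUSE_CONTINUE", "DELETE", "WRITE_DAC"):
        print(right, who_can(acls["D"], right))
```

Run against the descriptor from this report, the walk shows that only Local System holds SERVICE_STOP and SERVICE_PAUSE_CONTINUE: the allow ACE for Builtin Administrators omits WP and DT, and the deny ACE that follows blocks them outright, so `sc stop WinDefender` from an elevated prompt fails. The same allow ACE still grants administrators DELETE and WRITE_DAC, so a responder can reset the descriptor with `sc sdset` (or delete the service) before stopping it, or stop it from a SYSTEM context, which the first ACE permits.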

Network

Country Destination Domain Proto
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 3a0e7284-550f-47cc-8595-f71af62e07ba.uuid.statstraffic.org udp
US 8.8.8.8:53 stun.ipfire.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 server14.statstraffic.org udp
BG 185.82.216.104:443 server14.statstraffic.org tcp
DE 81.3.27.44:3478 stun.ipfire.org udp
US 8.8.8.8:53 44.27.3.81.in-addr.arpa udp
US 162.159.133.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 carsalessystem.com udp
US 172.67.221.71:443 carsalessystem.com tcp
US 8.8.8.8:53 233.133.159.162.in-addr.arpa udp
US 8.8.8.8:53 104.216.82.185.in-addr.arpa udp
US 8.8.8.8:53 71.221.67.172.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
BG 185.82.216.104:443 server14.statstraffic.org tcp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
BG 185.82.216.104:443 server14.statstraffic.org tcp
BG 185.82.216.104:443 server14.statstraffic.org tcp

Files

memory/1588-1-0x0000000004880000-0x0000000004C84000-memory.dmp

memory/1588-2-0x0000000004C90000-0x000000000557B000-memory.dmp

memory/1588-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4496-4-0x00000000741EE000-0x00000000741EF000-memory.dmp

memory/4496-5-0x0000000003120000-0x0000000003156000-memory.dmp

memory/4496-6-0x0000000005910000-0x0000000005F38000-memory.dmp

memory/4496-7-0x00000000741E0000-0x0000000074990000-memory.dmp

memory/4496-8-0x00000000741E0000-0x0000000074990000-memory.dmp

memory/4496-9-0x0000000005740000-0x0000000005762000-memory.dmp

memory/4496-10-0x0000000006030000-0x0000000006096000-memory.dmp

memory/4496-11-0x00000000060A0000-0x0000000006106000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ue41jssc.3fo.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4496-21-0x0000000006110000-0x0000000006464000-memory.dmp

memory/4496-22-0x00000000066F0000-0x000000000670E000-memory.dmp

memory/4496-23-0x0000000006780000-0x00000000067CC000-memory.dmp

memory/4496-24-0x0000000006C60000-0x0000000006CA4000-memory.dmp

memory/4496-25-0x0000000007A70000-0x0000000007AE6000-memory.dmp

memory/4496-26-0x0000000008170000-0x00000000087EA000-memory.dmp

memory/4496-27-0x0000000007A30000-0x0000000007A4A000-memory.dmp

memory/1588-28-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/4496-29-0x0000000007C70000-0x0000000007CA2000-memory.dmp

memory/4496-30-0x0000000070080000-0x00000000700CC000-memory.dmp

memory/4496-42-0x00000000741E0000-0x0000000074990000-memory.dmp

memory/4496-41-0x0000000007CB0000-0x0000000007CCE000-memory.dmp

memory/4496-31-0x0000000070800000-0x0000000070B54000-memory.dmp

memory/4496-43-0x0000000007CD0000-0x0000000007D73000-memory.dmp

memory/4496-44-0x00000000741E0000-0x0000000074990000-memory.dmp

memory/4496-45-0x0000000007DC0000-0x0000000007DCA000-memory.dmp

memory/4496-46-0x0000000007E80000-0x0000000007F16000-memory.dmp

memory/4496-47-0x0000000007DE0000-0x0000000007DF1000-memory.dmp

memory/4496-48-0x0000000007E20000-0x0000000007E2E000-memory.dmp

memory/4496-49-0x0000000007E30000-0x0000000007E44000-memory.dmp

memory/4496-50-0x0000000007F20000-0x0000000007F3A000-memory.dmp

memory/4496-51-0x0000000007E60000-0x0000000007E68000-memory.dmp

memory/4496-54-0x00000000741E0000-0x0000000074990000-memory.dmp

memory/1588-56-0x0000000004880000-0x0000000004C84000-memory.dmp

memory/1588-57-0x0000000004C90000-0x000000000557B000-memory.dmp

memory/1588-58-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/1588-59-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2304-69-0x00000000054F0000-0x0000000005844000-memory.dmp

memory/1420-70-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/2304-71-0x0000000070080000-0x00000000700CC000-memory.dmp

memory/2304-72-0x0000000070820000-0x0000000070B74000-memory.dmp

memory/2304-82-0x0000000006D00000-0x0000000006DA3000-memory.dmp

memory/2304-83-0x0000000007020000-0x0000000007031000-memory.dmp

memory/2304-84-0x0000000007070000-0x0000000007084000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 49cf8c32f2699436ebb9e55b17154b22
SHA1 0c2f7fd5db72586e85669ef3cc47589e8e1ae183
SHA256 9b362fd8e62b878dcb885535bec5271668fe49936cc4a920ef285916230cc5cc
SHA512 3ee6a325d8b27651725b90f9fc5f3a53372a862b382a029f9034a4ae4829dd6c0ce1faeb77fd6b42931289d73092a326cac4581e11088f67dba3405d6007d5fd

memory/60-99-0x0000000070800000-0x0000000070B54000-memory.dmp

memory/60-98-0x0000000070080000-0x00000000700CC000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 4dd8f8e0b2a6bdb5f1d02988b7c63b3f
SHA1 aa1d5ed80aff5bfe054fee72f5fdd393ba1b9ba6
SHA256 3ad663cab74552139102de98c9de686bfa6a151095bbc79be01ec9348b6759e8
SHA512 c744269aeb665f35be15b081120b9566e8acf5f4a1cdfd6a3285f0a83344cb97355be64c5fc36275597b1132381cfd19e251cb3cf5b3fc047a3340e5763ff96c

memory/1420-116-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/2552-118-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/3536-128-0x0000000006160000-0x00000000064B4000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 f751a95873dc400b89eebc82a1dd0600
SHA1 8487c62d627d57f8057026b178740df58ef8ee37
SHA256 caab31fe5ed080aed0205b71bb513eb600af593353145f030c27f9efedc40eee
SHA512 1d0d34cbbe890a7e4a87839ca243979a58176a2b9f0ec854e60f3204e6b94650dbadab6417b55c089197eead38738571b01e30562a263dd486a588349605c8ea

memory/3536-130-0x0000000070080000-0x00000000700CC000-memory.dmp

memory/3536-131-0x0000000070200000-0x0000000070554000-memory.dmp

memory/5000-147-0x0000000005400000-0x0000000005754000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 fd0820129e162d3272e39581fce3c8bf
SHA1 8e233e82c63136e7f7d4d292f4201ccfccf5bca9
SHA256 7aef33318edf9bd39a11b2ae722cd603604ed30942662d7eef3eb849e2959d5c
SHA512 75fceac16d837b6eea6570f05800ea0a0c604eb188c20c6c4b2a66757f9f7cb22cf5563d0e55cbf5ac244f5fa74ff16e600008f1ea791689177df2d787394fe5

memory/5000-153-0x0000000005B80000-0x0000000005BCC000-memory.dmp

memory/5000-154-0x000000006FFA0000-0x000000006FFEC000-memory.dmp

memory/5000-165-0x0000000006DA0000-0x0000000006E43000-memory.dmp

memory/5000-155-0x0000000070750000-0x0000000070AA4000-memory.dmp

memory/5000-166-0x00000000070A0000-0x00000000070B1000-memory.dmp

memory/5000-168-0x00000000058F0000-0x0000000005904000-memory.dmp

memory/4656-179-0x00000000057C0000-0x0000000005B14000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 a2d025a2c2be07dbe4f011d7b649f9dc
SHA1 e3285081a358773a41bffec44d47a9a0c75c3807
SHA256 375a0524a3d1b57a5c0796d87b2abc7619d9079f3052f5b15423c08b44da05b5
SHA512 90e3490f3d5474d4d9298ec87aea893e86609d8fbb74fab381b4de90135c479e7dac55b44d3e926c63830b41f3fa3b28ca31607879b49ffc26ec87b362516c6d

memory/4656-181-0x000000006FFA0000-0x000000006FFEC000-memory.dmp

memory/4656-182-0x0000000070120000-0x0000000070474000-memory.dmp

memory/2552-194-0x0000000000400000-0x0000000002B0B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/544-205-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/636-209-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/544-211-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2552-208-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/636-215-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2552-214-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/2552-218-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/636-224-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2552-223-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/2552-226-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/2552-230-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/2552-234-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/2552-238-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/2552-243-0x0000000000400000-0x0000000002B0B000-memory.dmp