Malware Analysis Report

2025-01-02 06:39

Sample ID 240515-spbqrsfc3s
Target ad1c6731d191f64dcb14df183247a5eee51af94dd6251f473a169c73ffa9ed4d
SHA256 ad1c6731d191f64dcb14df183247a5eee51af94dd6251f473a169c73ffa9ed4d
Tags
glupteba discovery dropper evasion execution loader persistence rootkit upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

ad1c6731d191f64dcb14df183247a5eee51af94dd6251f473a169c73ffa9ed4d

Threat Level: Known bad

The file ad1c6731d191f64dcb14df183247a5eee51af94dd6251f473a169c73ffa9ed4d was found to be: Known bad.

Malicious Activity Summary

glupteba discovery dropper evasion execution loader persistence rootkit upx

Glupteba payload

Glupteba

Modifies Windows Firewall

UPX packed file

Executes dropped EXE

Adds Run key to start application

Checks installed software on the system

Manipulates WinMonFS driver

Drops file in System32 directory

Launches sc.exe

Checks for VirtualBox DLLs, possible anti-VM trick

Drops file in Windows directory

Command and Scripting Interpreter: PowerShell

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-15 15:17

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-15 15:17

Reported

2024-05-15 15:20

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ad1c6731d191f64dcb14df183247a5eee51af94dd6251f473a169c73ffa9ed4d.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload


Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\ad1c6731d191f64dcb14df183247a5eee51af94dd6251f473a169c73ffa9ed4d.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\ad1c6731d191f64dcb14df183247a5eee51af94dd6251f473a169c73ffa9ed4d.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\ad1c6731d191f64dcb14df183247a5eee51af94dd6251f473a169c73ffa9ed4d.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\ad1c6731d191f64dcb14df183247a5eee51af94dd6251f473a169c73ffa9ed4d.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1472 = "Magadan Standard Time" C:\Users\Admin\AppData\Local\Temp\ad1c6731d191f64dcb14df183247a5eee51af94dd6251f473a169c73ffa9ed4d.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-292 = "Central European Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2451 = "Saint Pierre Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-161 = "Central Daylight Time" C:\Users\Admin\AppData\Local\Temp\ad1c6731d191f64dcb14df183247a5eee51af94dd6251f473a169c73ffa9ed4d.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1041 = "Ulaanbaatar Daylight Time" C:\Users\Admin\AppData\Local\Temp\ad1c6731d191f64dcb14df183247a5eee51af94dd6251f473a169c73ffa9ed4d.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-364 = "Middle East Daylight Time" C:\Windows\windefender.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-841 = "Argentina Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-301 = "Romance Daylight Time" C:\Users\Admin\AppData\Local\Temp\ad1c6731d191f64dcb14df183247a5eee51af94dd6251f473a169c73ffa9ed4d.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1931 = "Russia TZ 11 Daylight Time" C:\Users\Admin\AppData\Local\Temp\ad1c6731d191f64dcb14df183247a5eee51af94dd6251f473a169c73ffa9ed4d.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-691 = "Tasmania Daylight Time" C:\Users\Admin\AppData\Local\Temp\ad1c6731d191f64dcb14df183247a5eee51af94dd6251f473a169c73ffa9ed4d.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-751 = "Tonga Daylight Time" C:\Users\Admin\AppData\Local\Temp\ad1c6731d191f64dcb14df183247a5eee51af94dd6251f473a169c73ffa9ed4d.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-365 = "Middle East Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-572 = "China Standard Time" C:\Users\Admin\AppData\Local\Temp\ad1c6731d191f64dcb14df183247a5eee51af94dd6251f473a169c73ffa9ed4d.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-182 = "Mountain Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\ad1c6731d191f64dcb14df183247a5eee51af94dd6251f473a169c73ffa9ed4d.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2941 = "Sao Tome Daylight Time" C:\Users\Admin\AppData\Local\Temp\ad1c6731d191f64dcb14df183247a5eee51af94dd6251f473a169c73ffa9ed4d.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-452 = "Caucasus Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2002 = "Cabo Verde Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-191 = "Mountain Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2181 = "Astrakhan Daylight Time" C:\Users\Admin\AppData\Local\Temp\ad1c6731d191f64dcb14df183247a5eee51af94dd6251f473a169c73ffa9ed4d.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-662 = "Cen. Australia Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2871 = "Magallanes Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-91 = "Pacific SA Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1041 = "Ulaanbaatar Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2002 = "Cabo Verde Standard Time" C:\Users\Admin\AppData\Local\Temp\ad1c6731d191f64dcb14df183247a5eee51af94dd6251f473a169c73ffa9ed4d.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-362 = "GTB Standard Time" C:\Users\Admin\AppData\Local\Temp\ad1c6731d191f64dcb14df183247a5eee51af94dd6251f473a169c73ffa9ed4d.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-435 = "Georgian Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-981 = "Kamchatka Daylight Time" C:\Users\Admin\AppData\Local\Temp\ad1c6731d191f64dcb14df183247a5eee51af94dd6251f473a169c73ffa9ed4d.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1412 = "Syria Standard Time" C:\Users\Admin\AppData\Local\Temp\ad1c6731d191f64dcb14df183247a5eee51af94dd6251f473a169c73ffa9ed4d.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-492 = "India Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-372 = "Jerusalem Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1841 = "Russia TZ 4 Daylight Time" C:\Users\Admin\AppData\Local\Temp\ad1c6731d191f64dcb14df183247a5eee51af94dd6251f473a169c73ffa9ed4d.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-601 = "Taipei Daylight Time" C:\Users\Admin\AppData\Local\Temp\ad1c6731d191f64dcb14df183247a5eee51af94dd6251f473a169c73ffa9ed4d.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-842 = "Argentina Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-222 = "Alaskan Standard Time" C:\Users\Admin\AppData\Local\Temp\ad1c6731d191f64dcb14df183247a5eee51af94dd6251f473a169c73ffa9ed4d.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-212 = "Pacific Standard Time" C:\Users\Admin\AppData\Local\Temp\ad1c6731d191f64dcb14df183247a5eee51af94dd6251f473a169c73ffa9ed4d.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad1c6731d191f64dcb14df183247a5eee51af94dd6251f473a169c73ffa9ed4d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad1c6731d191f64dcb14df183247a5eee51af94dd6251f473a169c73ffa9ed4d.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad1c6731d191f64dcb14df183247a5eee51af94dd6251f473a169c73ffa9ed4d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad1c6731d191f64dcb14df183247a5eee51af94dd6251f473a169c73ffa9ed4d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad1c6731d191f64dcb14df183247a5eee51af94dd6251f473a169c73ffa9ed4d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad1c6731d191f64dcb14df183247a5eee51af94dd6251f473a169c73ffa9ed4d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad1c6731d191f64dcb14df183247a5eee51af94dd6251f473a169c73ffa9ed4d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad1c6731d191f64dcb14df183247a5eee51af94dd6251f473a169c73ffa9ed4d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad1c6731d191f64dcb14df183247a5eee51af94dd6251f473a169c73ffa9ed4d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad1c6731d191f64dcb14df183247a5eee51af94dd6251f473a169c73ffa9ed4d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad1c6731d191f64dcb14df183247a5eee51af94dd6251f473a169c73ffa9ed4d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad1c6731d191f64dcb14df183247a5eee51af94dd6251f473a169c73ffa9ed4d.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ad1c6731d191f64dcb14df183247a5eee51af94dd6251f473a169c73ffa9ed4d.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\ad1c6731d191f64dcb14df183247a5eee51af94dd6251f473a169c73ffa9ed4d.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4068 wrote to memory of 4396 N/A C:\Users\Admin\AppData\Local\Temp\ad1c6731d191f64dcb14df183247a5eee51af94dd6251f473a169c73ffa9ed4d.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4068 wrote to memory of 4396 N/A C:\Users\Admin\AppData\Local\Temp\ad1c6731d191f64dcb14df183247a5eee51af94dd6251f473a169c73ffa9ed4d.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4068 wrote to memory of 4396 N/A C:\Users\Admin\AppData\Local\Temp\ad1c6731d191f64dcb14df183247a5eee51af94dd6251f473a169c73ffa9ed4d.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2756 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\ad1c6731d191f64dcb14df183247a5eee51af94dd6251f473a169c73ffa9ed4d.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2756 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\ad1c6731d191f64dcb14df183247a5eee51af94dd6251f473a169c73ffa9ed4d.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2756 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\ad1c6731d191f64dcb14df183247a5eee51af94dd6251f473a169c73ffa9ed4d.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2756 wrote to memory of 1152 N/A C:\Users\Admin\AppData\Local\Temp\ad1c6731d191f64dcb14df183247a5eee51af94dd6251f473a169c73ffa9ed4d.exe C:\Windows\system32\cmd.exe
PID 2756 wrote to memory of 1152 N/A C:\Users\Admin\AppData\Local\Temp\ad1c6731d191f64dcb14df183247a5eee51af94dd6251f473a169c73ffa9ed4d.exe C:\Windows\system32\cmd.exe
PID 1152 wrote to memory of 5096 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1152 wrote to memory of 5096 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2756 wrote to memory of 3676 N/A C:\Users\Admin\AppData\Local\Temp\ad1c6731d191f64dcb14df183247a5eee51af94dd6251f473a169c73ffa9ed4d.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2756 wrote to memory of 3676 N/A C:\Users\Admin\AppData\Local\Temp\ad1c6731d191f64dcb14df183247a5eee51af94dd6251f473a169c73ffa9ed4d.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2756 wrote to memory of 3676 N/A C:\Users\Admin\AppData\Local\Temp\ad1c6731d191f64dcb14df183247a5eee51af94dd6251f473a169c73ffa9ed4d.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2756 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\ad1c6731d191f64dcb14df183247a5eee51af94dd6251f473a169c73ffa9ed4d.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2756 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\ad1c6731d191f64dcb14df183247a5eee51af94dd6251f473a169c73ffa9ed4d.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2756 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\ad1c6731d191f64dcb14df183247a5eee51af94dd6251f473a169c73ffa9ed4d.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2756 wrote to memory of 4160 N/A C:\Users\Admin\AppData\Local\Temp\ad1c6731d191f64dcb14df183247a5eee51af94dd6251f473a169c73ffa9ed4d.exe C:\Windows\rss\csrss.exe
PID 2756 wrote to memory of 4160 N/A C:\Users\Admin\AppData\Local\Temp\ad1c6731d191f64dcb14df183247a5eee51af94dd6251f473a169c73ffa9ed4d.exe C:\Windows\rss\csrss.exe
PID 2756 wrote to memory of 4160 N/A C:\Users\Admin\AppData\Local\Temp\ad1c6731d191f64dcb14df183247a5eee51af94dd6251f473a169c73ffa9ed4d.exe C:\Windows\rss\csrss.exe
PID 4160 wrote to memory of 3308 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4160 wrote to memory of 3308 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4160 wrote to memory of 3308 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4160 wrote to memory of 3140 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4160 wrote to memory of 3140 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4160 wrote to memory of 3140 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4160 wrote to memory of 2556 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4160 wrote to memory of 2556 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4160 wrote to memory of 2556 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4160 wrote to memory of 4388 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 4160 wrote to memory of 4388 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 4812 wrote to memory of 3320 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 4812 wrote to memory of 3320 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 4812 wrote to memory of 3320 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 3320 wrote to memory of 1156 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 3320 wrote to memory of 1156 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 3320 wrote to memory of 1156 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\ad1c6731d191f64dcb14df183247a5eee51af94dd6251f473a169c73ffa9ed4d.exe

"C:\Users\Admin\AppData\Local\Temp\ad1c6731d191f64dcb14df183247a5eee51af94dd6251f473a169c73ffa9ed4d.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\ad1c6731d191f64dcb14df183247a5eee51af94dd6251f473a169c73ffa9ed4d.exe

"C:\Users\Admin\AppData\Local\Temp\ad1c6731d191f64dcb14df183247a5eee51af94dd6251f473a169c73ffa9ed4d.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 28.143.109.104.in-addr.arpa udp
US 8.8.8.8:53 11e02bea-c2d1-4a5e-8d40-92bdad0cde5a.uuid.statscreate.org udp
US 8.8.8.8:53 stun.ipfire.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 server4.statscreate.org udp
US 162.159.135.233:443 cdn.discordapp.com tcp
DE 81.3.27.44:3478 stun.ipfire.org udp
BG 185.82.216.96:443 server4.statscreate.org tcp
US 8.8.8.8:53 carsalessystem.com udp
US 172.67.221.71:443 carsalessystem.com tcp
US 8.8.8.8:53 44.27.3.81.in-addr.arpa udp
US 8.8.8.8:53 233.135.159.162.in-addr.arpa udp
US 8.8.8.8:53 96.216.82.185.in-addr.arpa udp
US 8.8.8.8:53 71.221.67.172.in-addr.arpa udp
BG 185.82.216.96:443 server4.statscreate.org tcp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
BG 185.82.216.96:443 server4.statscreate.org tcp
US 8.8.8.8:53 11.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bxpvkyaw.xsf.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 3d086a433708053f9bf9523e1d87a4e8
SHA1 b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA256 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 83234dac5d48491e8fb33ea0fd67ac30
SHA1 b81707a22b5b22c6daeb38019cbb8f5eea95f900
SHA256 cb9a47b55e620941d42e891951af9cb2df16a89badfc73f4ffee987c7e53cbac
SHA512 95fc63009871d113d1e1ee0bb5310a31d9c57a45959069fa07fb916d5285bc860bad412b6872503452655dc4aff15670ee2220fc73a1dfbf93f2bd9a8f1d41e9

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 d7832cf220eef136fec6dbc741dde329
SHA1 d7e3278fd5968fe234442b9a547169c243a3309f
SHA256 3f9b28f4a61343c470031a1809363619ed85aa655e1fa2211ac510bf19db4a5e
SHA512 82ee2fc508cd94118bc225346a88627fc8513765975ba1de9fce1972d0f9de89f328631feefddc1c48dbf11d7a21fd63e1859612f94bda17bd6e82f2e028294b

C:\Windows\rss\csrss.exe

MD5 c2f217ca1bb8cf75c9cec7a762e23906
SHA1 4cafb47746fd112d36e52977af6ffcd2a38e4a6e
SHA256 ad1c6731d191f64dcb14df183247a5eee51af94dd6251f473a169c73ffa9ed4d
SHA512 2bcef9d3f2318167a1e56424395ae6777a4d13fe3bcd36edb7352bec9a357388f8529c8460b618df08617ffe9255b92f73fbcef82830bdfde638c191ad12f25d

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 4d72e1efcb8e927ef8d144f606c6a951
SHA1 e5c07e018bcb85d009e13af941c88d86a6b6d25d
SHA256 9d56f38434dd6ba2675403424e9313bfc0bdcd247cef10fd9c6fae632301b557
SHA512 c0d02f0f7d8c59c7cd7e8a005779fdf3f24629abcb7316d68f79c21073fca4fde80597acc576019d1c71e349e3b98627c737ab1dc7cc8b27d4a3562d5379d907

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 b35a2d7c8580b4e53eec93a5a1871423
SHA1 4e4ea10162c673af5f61e95f6b7c6cb7903dc9c0
SHA256 39962370911418fe7d8b1173132d77322fbd5db28c365641adcafaf300dcd2d7
SHA512 db40b1ca37caee850a6ff851d1beec499e4f2c8f313f858a5f801104252bcae395aab3fceaed08db87237581122beb01af9db2cb2be01061365984ccd6d951f1

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 9b2770faffa9da09110db9ac03c56166
SHA1 51fab6bb78f152eae7f77ea5bcc2eab8d82d1c69
SHA256 2505307784b743d302b5062bfc8ad6cb516c8253fe9c3f3b68e5a8e98ed21292
SHA512 8e8b8ca64bb3b80a5e056a8603e5c4b3138b51b7dc0ae5e59100ce27f188659334299151bea9235e3a1b244887d6a9bee360627aceade36ea6493b8ea34a055e

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-15 15:17

Reported

2024-05-15 15:20

Platform

win11-20240426-en

Max time kernel

149s

Max time network

143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ad1c6731d191f64dcb14df183247a5eee51af94dd6251f473a169c73ffa9ed4d.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\ad1c6731d191f64dcb14df183247a5eee51af94dd6251f473a169c73ffa9ed4d.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\ad1c6731d191f64dcb14df183247a5eee51af94dd6251f473a169c73ffa9ed4d.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\ad1c6731d191f64dcb14df183247a5eee51af94dd6251f473a169c73ffa9ed4d.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\ad1c6731d191f64dcb14df183247a5eee51af94dd6251f473a169c73ffa9ed4d.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2531 = "Chatham Islands Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-691 = "Tasmania Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2872 = "Magallanes Standard Time" C:\Users\Admin\AppData\Local\Temp\ad1c6731d191f64dcb14df183247a5eee51af94dd6251f473a169c73ffa9ed4d.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-32 = "Mid-Atlantic Standard Time" C:\Users\Admin\AppData\Local\Temp\ad1c6731d191f64dcb14df183247a5eee51af94dd6251f473a169c73ffa9ed4d.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-191 = "Mountain Daylight Time" C:\Users\Admin\AppData\Local\Temp\ad1c6731d191f64dcb14df183247a5eee51af94dd6251f473a169c73ffa9ed4d.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-172 = "Central Standard Time (Mexico)" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-91 = "Pacific SA Daylight Time" C:\Users\Admin\AppData\Local\Temp\ad1c6731d191f64dcb14df183247a5eee51af94dd6251f473a169c73ffa9ed4d.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-461 = "Afghanistan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-171 = "Central Daylight Time (Mexico)" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1932 = "Russia TZ 11 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-961 = "Paraguay Daylight Time" C:\Users\Admin\AppData\Local\Temp\ad1c6731d191f64dcb14df183247a5eee51af94dd6251f473a169c73ffa9ed4d.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-42 = "E. South America Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2842 = "Saratov Standard Time" C:\Users\Admin\AppData\Local\Temp\ad1c6731d191f64dcb14df183247a5eee51af94dd6251f473a169c73ffa9ed4d.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-602 = "Taipei Standard Time" C:\Users\Admin\AppData\Local\Temp\ad1c6731d191f64dcb14df183247a5eee51af94dd6251f473a169c73ffa9ed4d.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2591 = "Tocantins Daylight Time" C:\Users\Admin\AppData\Local\Temp\ad1c6731d191f64dcb14df183247a5eee51af94dd6251f473a169c73ffa9ed4d.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-281 = "Central Europe Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1822 = "Russia TZ 1 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-621 = "Korea Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-431 = "Iran Daylight Time" C:\Users\Admin\AppData\Local\Temp\ad1c6731d191f64dcb14df183247a5eee51af94dd6251f473a169c73ffa9ed4d.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-381 = "South Africa Daylight Time" C:\Users\Admin\AppData\Local\Temp\ad1c6731d191f64dcb14df183247a5eee51af94dd6251f473a169c73ffa9ed4d.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-92 = "Pacific SA Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-214 = "Pacific Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\ad1c6731d191f64dcb14df183247a5eee51af94dd6251f473a169c73ffa9ed4d.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-411 = "E. Africa Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-181 = "Mountain Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\ad1c6731d191f64dcb14df183247a5eee51af94dd6251f473a169c73ffa9ed4d.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-691 = "Tasmania Daylight Time" C:\Users\Admin\AppData\Local\Temp\ad1c6731d191f64dcb14df183247a5eee51af94dd6251f473a169c73ffa9ed4d.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-71 = "Newfoundland Daylight Time" C:\Users\Admin\AppData\Local\Temp\ad1c6731d191f64dcb14df183247a5eee51af94dd6251f473a169c73ffa9ed4d.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2062 = "North Korea Standard Time" C:\Users\Admin\AppData\Local\Temp\ad1c6731d191f64dcb14df183247a5eee51af94dd6251f473a169c73ffa9ed4d.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time" C:\Users\Admin\AppData\Local\Temp\ad1c6731d191f64dcb14df183247a5eee51af94dd6251f473a169c73ffa9ed4d.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2532 = "Chatham Islands Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1872 = "Russia TZ 7 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-141 = "Canada Central Daylight Time" C:\Users\Admin\AppData\Local\Temp\ad1c6731d191f64dcb14df183247a5eee51af94dd6251f473a169c73ffa9ed4d.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-512 = "Central Asia Standard Time" C:\Users\Admin\AppData\Local\Temp\ad1c6731d191f64dcb14df183247a5eee51af94dd6251f473a169c73ffa9ed4d.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-722 = "Central Pacific Standard Time" C:\Users\Admin\AppData\Local\Temp\ad1c6731d191f64dcb14df183247a5eee51af94dd6251f473a169c73ffa9ed4d.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-232 = "Hawaiian Standard Time" C:\Users\Admin\AppData\Local\Temp\ad1c6731d191f64dcb14df183247a5eee51af94dd6251f473a169c73ffa9ed4d.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2451 = "Saint Pierre Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-371 = "Jerusalem Daylight Time" C:\Users\Admin\AppData\Local\Temp\ad1c6731d191f64dcb14df183247a5eee51af94dd6251f473a169c73ffa9ed4d.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-335 = "Jordan Standard Time" C:\Users\Admin\AppData\Local\Temp\ad1c6731d191f64dcb14df183247a5eee51af94dd6251f473a169c73ffa9ed4d.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1841 = "Russia TZ 4 Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-831 = "SA Eastern Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-662 = "Cen. Australia Standard Time" C:\Users\Admin\AppData\Local\Temp\ad1c6731d191f64dcb14df183247a5eee51af94dd6251f473a169c73ffa9ed4d.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2392 = "Aleutian Standard Time" C:\Users\Admin\AppData\Local\Temp\ad1c6731d191f64dcb14df183247a5eee51af94dd6251f473a169c73ffa9ed4d.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2451 = "Saint Pierre Daylight Time" C:\Users\Admin\AppData\Local\Temp\ad1c6731d191f64dcb14df183247a5eee51af94dd6251f473a169c73ffa9ed4d.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-202 = "US Mountain Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-441 = "Arabian Daylight Time" C:\Users\Admin\AppData\Local\Temp\ad1c6731d191f64dcb14df183247a5eee51af94dd6251f473a169c73ffa9ed4d.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad1c6731d191f64dcb14df183247a5eee51af94dd6251f473a169c73ffa9ed4d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad1c6731d191f64dcb14df183247a5eee51af94dd6251f473a169c73ffa9ed4d.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad1c6731d191f64dcb14df183247a5eee51af94dd6251f473a169c73ffa9ed4d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad1c6731d191f64dcb14df183247a5eee51af94dd6251f473a169c73ffa9ed4d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad1c6731d191f64dcb14df183247a5eee51af94dd6251f473a169c73ffa9ed4d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad1c6731d191f64dcb14df183247a5eee51af94dd6251f473a169c73ffa9ed4d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad1c6731d191f64dcb14df183247a5eee51af94dd6251f473a169c73ffa9ed4d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad1c6731d191f64dcb14df183247a5eee51af94dd6251f473a169c73ffa9ed4d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad1c6731d191f64dcb14df183247a5eee51af94dd6251f473a169c73ffa9ed4d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad1c6731d191f64dcb14df183247a5eee51af94dd6251f473a169c73ffa9ed4d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad1c6731d191f64dcb14df183247a5eee51af94dd6251f473a169c73ffa9ed4d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad1c6731d191f64dcb14df183247a5eee51af94dd6251f473a169c73ffa9ed4d.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A (×7)
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A (×6)
N/A N/A C:\Windows\rss\csrss.exe N/A (×2)
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A (×6)
N/A N/A C:\Windows\rss\csrss.exe N/A (×2)
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A (×4)
N/A N/A C:\Windows\rss\csrss.exe N/A (×2)
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A (×16)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ad1c6731d191f64dcb14df183247a5eee51af94dd6251f473a169c73ffa9ed4d.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\ad1c6731d191f64dcb14df183247a5eee51af94dd6251f473a169c73ffa9ed4d.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A (×6)
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A (×2)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4844 wrote to memory of 4196 N/A C:\Users\Admin\AppData\Local\Temp\ad1c6731d191f64dcb14df183247a5eee51af94dd6251f473a169c73ffa9ed4d.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (×3)
PID 2920 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\ad1c6731d191f64dcb14df183247a5eee51af94dd6251f473a169c73ffa9ed4d.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (×3)
PID 2920 wrote to memory of 916 N/A C:\Users\Admin\AppData\Local\Temp\ad1c6731d191f64dcb14df183247a5eee51af94dd6251f473a169c73ffa9ed4d.exe C:\Windows\system32\cmd.exe (×2)
PID 916 wrote to memory of 2572 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe (×2)
PID 2920 wrote to memory of 3200 N/A C:\Users\Admin\AppData\Local\Temp\ad1c6731d191f64dcb14df183247a5eee51af94dd6251f473a169c73ffa9ed4d.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (×3)
PID 2920 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\ad1c6731d191f64dcb14df183247a5eee51af94dd6251f473a169c73ffa9ed4d.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (×3)
PID 2920 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\ad1c6731d191f64dcb14df183247a5eee51af94dd6251f473a169c73ffa9ed4d.exe C:\Windows\rss\csrss.exe (×3)
PID 2556 wrote to memory of 2448 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (×3)
PID 2556 wrote to memory of 2332 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (×3)
PID 2556 wrote to memory of 1792 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (×3)
PID 2556 wrote to memory of 3808 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe (×2)
PID 3940 wrote to memory of 3236 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe (×3)
PID 3236 wrote to memory of 4852 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe (×3)

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\ad1c6731d191f64dcb14df183247a5eee51af94dd6251f473a169c73ffa9ed4d.exe

"C:\Users\Admin\AppData\Local\Temp\ad1c6731d191f64dcb14df183247a5eee51af94dd6251f473a169c73ffa9ed4d.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\ad1c6731d191f64dcb14df183247a5eee51af94dd6251f473a169c73ffa9ed4d.exe

"C:\Users\Admin\AppData\Local\Temp\ad1c6731d191f64dcb14df183247a5eee51af94dd6251f473a169c73ffa9ed4d.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 64956e96-c5df-4e1d-8748-b5e1bc132ddc.uuid.statscreate.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 server16.statscreate.org udp
US 162.159.134.233:443 cdn.discordapp.com tcp
BG 185.82.216.96:443 server16.statscreate.org tcp (×3)
US 74.125.250.129:19302 stun2.l.google.com udp
US 104.21.94.82:443 carsalessystem.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hvgan4kx.vze.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 ac4917a885cf6050b1a483e4bc4d2ea5
SHA1 b1c0a9f27bd21c6bbb8e9be70db8777b4a2a640f
SHA256 e39062a62c3c7617feeeff95ea8a0be51104a0d36f46e44eea22556fda74d8d9
SHA512 092c67a3ecae1d187cad72a8ea1ea37cb78a0cf79c2cd7fb88953e5990669a2e871267015762fd46d274badb88ac0c1d73b00f1df7394d89bed48a3a45c2ba3d

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 d6e6d2d4b15891776dc1b3964d534536
SHA1 e5a0f6dc51c6eb892e58697311276ed603c86f5a
SHA256 1b1c48ba0b7667013fc31ad0e6baeb7059402ed70c8be891ffdf471a543f269c
SHA512 15efbc2da48de116a775592f39a7f6f88e1d967cffaa01be7533a4aa98755510f3da15222d642f5b58d92cfa811d8428493016b227692695782f63b04e056851

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 ae950c4f18cd0d43be7aec4b3d77b229
SHA1 de269919cd532d25344b7b5a51ce51c1251c5ec9
SHA256 68a9e60f8e7c07e3a9d2b39ebfd472211bd524efa2b0519f2b63e7104ad418de
SHA512 8b4fc73e6a1d60a9ff053ffe08d7c3cbc96bec69777f9513e14df6092ac0322ee8afc00c8d20df29fb0a8bf4a42555b2b42eb8e4fd0d9d0d5b09d6fc9643ab05

C:\Windows\rss\csrss.exe

MD5 c2f217ca1bb8cf75c9cec7a762e23906
SHA1 4cafb47746fd112d36e52977af6ffcd2a38e4a6e
SHA256 ad1c6731d191f64dcb14df183247a5eee51af94dd6251f473a169c73ffa9ed4d
SHA512 2bcef9d3f2318167a1e56424395ae6777a4d13fe3bcd36edb7352bec9a357388f8529c8460b618df08617ffe9255b92f73fbcef82830bdfde638c191ad12f25d

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 3536d892861426b09d918dc6974fed80
SHA1 21123d6785deefee7bd78b56b54884cbda8e8c19
SHA256 ae9600067ccf8194033b136cdfe9c8c77d85001b55714f14c8af22a25bddf905
SHA512 f8c38a07cd9ff77cd93c7337e1b61bdbb66ce7cd74abcff0fe27cfee2369581740de4052c3f595bf3caf3987e216d720d83ce01a046328299dd72807dfb7799d

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 9d1457f4878c5d1c9531f5e211abd513
SHA1 33bbbbd188258dbfedf9093a2f98b200e2abcb5e
SHA256 7d18bc1e6117ba43f0e60a963af919885fa3e34f81b688cf40194f0c39b5a78e
SHA512 6dbb5d350b476d928f37ae848b331e94465ac95b04d015d7769feaff04d81cf06439e64181816d6757fbe8ac6f919c0538de9d92d52c2bb3f18d9253f09a1d56

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 90235b8ef83f6d85613b1028dbc5eadf
SHA1 d45384df41bb13a7ef362000b8fe285a2c534ad4
SHA256 b3c8016ce1c8f185df2b48de56171c4e044f4b8f4d9daef56d9f483db8f30a42
SHA512 e86748e9839e94d237e86a09ac38df81190f89653f9493af423542795f092cd895258d1d87dfb74795237f889449335cd21207e83efb1a8dfb79df68b672f85e

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec
