Malware Analysis Report

2025-01-02 06:41

Sample ID 240515-swtvxsff9t
Target d5176d11489ddd8aaa01ca8af810475a0d829d3ce6ecd57efa594790a97e4977
SHA256 d5176d11489ddd8aaa01ca8af810475a0d829d3ce6ecd57efa594790a97e4977
Tags
glupteba discovery dropper evasion execution loader persistence rootkit upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

d5176d11489ddd8aaa01ca8af810475a0d829d3ce6ecd57efa594790a97e4977

Threat Level: Known bad

The file d5176d11489ddd8aaa01ca8af810475a0d829d3ce6ecd57efa594790a97e4977 was found to be: Known bad.

Malicious Activity Summary

glupteba discovery dropper evasion execution loader persistence rootkit upx

Glupteba

Glupteba payload

Modifies Windows Firewall

Executes dropped EXE

UPX packed file

Adds Run key to start application

Manipulates WinMonFS driver

Checks installed software on the system

Drops file in System32 directory

Launches sc.exe

Checks for VirtualBox DLLs, possible anti-VM trick

Drops file in Windows directory

Command and Scripting Interpreter: PowerShell

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

Modifies data under HKEY_USERS

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-15 15:28

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-15 15:28

Reported

2024-05-15 15:31

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d5176d11489ddd8aaa01ca8af810475a0d829d3ce6ecd57efa594790a97e4977.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\d5176d11489ddd8aaa01ca8af810475a0d829d3ce6ecd57efa594790a97e4977.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\d5176d11489ddd8aaa01ca8af810475a0d829d3ce6ecd57efa594790a97e4977.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\d5176d11489ddd8aaa01ca8af810475a0d829d3ce6ecd57efa594790a97e4977.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\d5176d11489ddd8aaa01ca8af810475a0d829d3ce6ecd57efa594790a97e4977.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-431 = "Iran Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2751 = "Tomsk Daylight Time" C:\Users\Admin\AppData\Local\Temp\d5176d11489ddd8aaa01ca8af810475a0d829d3ce6ecd57efa594790a97e4977.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2061 = "North Korea Daylight Time" C:\Users\Admin\AppData\Local\Temp\d5176d11489ddd8aaa01ca8af810475a0d829d3ce6ecd57efa594790a97e4977.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-532 = "Sri Lanka Standard Time" C:\Users\Admin\AppData\Local\Temp\d5176d11489ddd8aaa01ca8af810475a0d829d3ce6ecd57efa594790a97e4977.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-911 = "Mauritius Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-372 = "Jerusalem Standard Time" C:\Users\Admin\AppData\Local\Temp\d5176d11489ddd8aaa01ca8af810475a0d829d3ce6ecd57efa594790a97e4977.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-111 = "Eastern Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1822 = "Russia TZ 1 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2532 = "Chatham Islands Standard Time" C:\Users\Admin\AppData\Local\Temp\d5176d11489ddd8aaa01ca8af810475a0d829d3ce6ecd57efa594790a97e4977.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-621 = "Korea Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2491 = "Aus Central W. Daylight Time" C:\Users\Admin\AppData\Local\Temp\d5176d11489ddd8aaa01ca8af810475a0d829d3ce6ecd57efa594790a97e4977.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-82 = "Atlantic Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-532 = "Sri Lanka Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2161 = "Altai Daylight Time" C:\Users\Admin\AppData\Local\Temp\d5176d11489ddd8aaa01ca8af810475a0d829d3ce6ecd57efa594790a97e4977.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2411 = "Marquesas Daylight Time" C:\Users\Admin\AppData\Local\Temp\d5176d11489ddd8aaa01ca8af810475a0d829d3ce6ecd57efa594790a97e4977.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-32 = "Mid-Atlantic Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-912 = "Mauritius Standard Time" C:\Users\Admin\AppData\Local\Temp\d5176d11489ddd8aaa01ca8af810475a0d829d3ce6ecd57efa594790a97e4977.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-772 = "Montevideo Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-161 = "Central Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2182 = "Astrakhan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1802 = "Line Islands Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-631 = "Tokyo Daylight Time" C:\Users\Admin\AppData\Local\Temp\d5176d11489ddd8aaa01ca8af810475a0d829d3ce6ecd57efa594790a97e4977.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-462 = "Afghanistan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1472 = "Magadan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-384 = "Namibia Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-335 = "Jordan Standard Time" C:\Users\Admin\AppData\Local\Temp\d5176d11489ddd8aaa01ca8af810475a0d829d3ce6ecd57efa594790a97e4977.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time" C:\Users\Admin\AppData\Local\Temp\d5176d11489ddd8aaa01ca8af810475a0d829d3ce6ecd57efa594790a97e4977.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-501 = "Nepal Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-251 = "Dateline Daylight Time" C:\Users\Admin\AppData\Local\Temp\d5176d11489ddd8aaa01ca8af810475a0d829d3ce6ecd57efa594790a97e4977.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2512 = "Lord Howe Standard Time" C:\Users\Admin\AppData\Local\Temp\d5176d11489ddd8aaa01ca8af810475a0d829d3ce6ecd57efa594790a97e4977.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2062 = "North Korea Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1411 = "Syria Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-271 = "Greenwich Daylight Time" C:\Users\Admin\AppData\Local\Temp\d5176d11489ddd8aaa01ca8af810475a0d829d3ce6ecd57efa594790a97e4977.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2511 = "Lord Howe Daylight Time" C:\Users\Admin\AppData\Local\Temp\d5176d11489ddd8aaa01ca8af810475a0d829d3ce6ecd57efa594790a97e4977.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1042 = "Ulaanbaatar Standard Time" C:\Users\Admin\AppData\Local\Temp\d5176d11489ddd8aaa01ca8af810475a0d829d3ce6ecd57efa594790a97e4977.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2162 = "Altai Standard Time" C:\Users\Admin\AppData\Local\Temp\d5176d11489ddd8aaa01ca8af810475a0d829d3ce6ecd57efa594790a97e4977.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-571 = "China Daylight Time" C:\Users\Admin\AppData\Local\Temp\d5176d11489ddd8aaa01ca8af810475a0d829d3ce6ecd57efa594790a97e4977.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d5176d11489ddd8aaa01ca8af810475a0d829d3ce6ecd57efa594790a97e4977.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d5176d11489ddd8aaa01ca8af810475a0d829d3ce6ecd57efa594790a97e4977.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d5176d11489ddd8aaa01ca8af810475a0d829d3ce6ecd57efa594790a97e4977.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d5176d11489ddd8aaa01ca8af810475a0d829d3ce6ecd57efa594790a97e4977.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d5176d11489ddd8aaa01ca8af810475a0d829d3ce6ecd57efa594790a97e4977.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d5176d11489ddd8aaa01ca8af810475a0d829d3ce6ecd57efa594790a97e4977.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d5176d11489ddd8aaa01ca8af810475a0d829d3ce6ecd57efa594790a97e4977.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d5176d11489ddd8aaa01ca8af810475a0d829d3ce6ecd57efa594790a97e4977.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d5176d11489ddd8aaa01ca8af810475a0d829d3ce6ecd57efa594790a97e4977.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d5176d11489ddd8aaa01ca8af810475a0d829d3ce6ecd57efa594790a97e4977.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d5176d11489ddd8aaa01ca8af810475a0d829d3ce6ecd57efa594790a97e4977.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d5176d11489ddd8aaa01ca8af810475a0d829d3ce6ecd57efa594790a97e4977.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\d5176d11489ddd8aaa01ca8af810475a0d829d3ce6ecd57efa594790a97e4977.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\d5176d11489ddd8aaa01ca8af810475a0d829d3ce6ecd57efa594790a97e4977.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 976 wrote to memory of 4668 N/A C:\Users\Admin\AppData\Local\Temp\d5176d11489ddd8aaa01ca8af810475a0d829d3ce6ecd57efa594790a97e4977.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 976 wrote to memory of 4668 N/A C:\Users\Admin\AppData\Local\Temp\d5176d11489ddd8aaa01ca8af810475a0d829d3ce6ecd57efa594790a97e4977.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 976 wrote to memory of 4668 N/A C:\Users\Admin\AppData\Local\Temp\d5176d11489ddd8aaa01ca8af810475a0d829d3ce6ecd57efa594790a97e4977.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3792 wrote to memory of 1380 N/A C:\Users\Admin\AppData\Local\Temp\d5176d11489ddd8aaa01ca8af810475a0d829d3ce6ecd57efa594790a97e4977.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3792 wrote to memory of 1380 N/A C:\Users\Admin\AppData\Local\Temp\d5176d11489ddd8aaa01ca8af810475a0d829d3ce6ecd57efa594790a97e4977.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3792 wrote to memory of 1380 N/A C:\Users\Admin\AppData\Local\Temp\d5176d11489ddd8aaa01ca8af810475a0d829d3ce6ecd57efa594790a97e4977.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3792 wrote to memory of 3192 N/A C:\Users\Admin\AppData\Local\Temp\d5176d11489ddd8aaa01ca8af810475a0d829d3ce6ecd57efa594790a97e4977.exe C:\Windows\system32\cmd.exe
PID 3792 wrote to memory of 3192 N/A C:\Users\Admin\AppData\Local\Temp\d5176d11489ddd8aaa01ca8af810475a0d829d3ce6ecd57efa594790a97e4977.exe C:\Windows\system32\cmd.exe
PID 3192 wrote to memory of 1080 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3192 wrote to memory of 1080 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3792 wrote to memory of 4924 N/A C:\Users\Admin\AppData\Local\Temp\d5176d11489ddd8aaa01ca8af810475a0d829d3ce6ecd57efa594790a97e4977.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3792 wrote to memory of 4924 N/A C:\Users\Admin\AppData\Local\Temp\d5176d11489ddd8aaa01ca8af810475a0d829d3ce6ecd57efa594790a97e4977.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3792 wrote to memory of 4924 N/A C:\Users\Admin\AppData\Local\Temp\d5176d11489ddd8aaa01ca8af810475a0d829d3ce6ecd57efa594790a97e4977.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3792 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\d5176d11489ddd8aaa01ca8af810475a0d829d3ce6ecd57efa594790a97e4977.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3792 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\d5176d11489ddd8aaa01ca8af810475a0d829d3ce6ecd57efa594790a97e4977.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3792 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\d5176d11489ddd8aaa01ca8af810475a0d829d3ce6ecd57efa594790a97e4977.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3792 wrote to memory of 4280 N/A C:\Users\Admin\AppData\Local\Temp\d5176d11489ddd8aaa01ca8af810475a0d829d3ce6ecd57efa594790a97e4977.exe C:\Windows\rss\csrss.exe
PID 3792 wrote to memory of 4280 N/A C:\Users\Admin\AppData\Local\Temp\d5176d11489ddd8aaa01ca8af810475a0d829d3ce6ecd57efa594790a97e4977.exe C:\Windows\rss\csrss.exe
PID 3792 wrote to memory of 4280 N/A C:\Users\Admin\AppData\Local\Temp\d5176d11489ddd8aaa01ca8af810475a0d829d3ce6ecd57efa594790a97e4977.exe C:\Windows\rss\csrss.exe
PID 4280 wrote to memory of 4536 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4280 wrote to memory of 4536 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4280 wrote to memory of 4536 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4280 wrote to memory of 4872 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4280 wrote to memory of 4872 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4280 wrote to memory of 4872 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4280 wrote to memory of 4100 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4280 wrote to memory of 4100 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4280 wrote to memory of 4100 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4280 wrote to memory of 4424 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 4280 wrote to memory of 4424 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 1408 wrote to memory of 540 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 1408 wrote to memory of 540 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 1408 wrote to memory of 540 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 540 wrote to memory of 4932 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 540 wrote to memory of 4932 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 540 wrote to memory of 4932 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\d5176d11489ddd8aaa01ca8af810475a0d829d3ce6ecd57efa594790a97e4977.exe

"C:\Users\Admin\AppData\Local\Temp\d5176d11489ddd8aaa01ca8af810475a0d829d3ce6ecd57efa594790a97e4977.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\d5176d11489ddd8aaa01ca8af810475a0d829d3ce6ecd57efa594790a97e4977.exe

"C:\Users\Admin\AppData\Local\Temp\d5176d11489ddd8aaa01ca8af810475a0d829d3ce6ecd57efa594790a97e4977.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.138:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 138.61.62.23.in-addr.arpa udp
NL 23.62.61.138:443 www.bing.com tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 28.143.109.104.in-addr.arpa udp
US 8.8.8.8:53 fca1117e-50ee-417e-a2f8-89fc4a8a8678.uuid.thestatsfiles.ru udp
US 8.8.8.8:53 stun2.l.google.com udp
US 8.8.8.8:53 server12.thestatsfiles.ru udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.133.233:443 cdn.discordapp.com tcp
US 74.125.250.129:19302 stun2.l.google.com udp
BG 185.82.216.96:443 server12.thestatsfiles.ru tcp
US 8.8.8.8:53 129.250.125.74.in-addr.arpa udp
US 8.8.8.8:53 233.133.159.162.in-addr.arpa udp
US 8.8.8.8:53 carsalessystem.com udp
US 172.67.221.71:443 carsalessystem.com tcp
US 8.8.8.8:53 96.216.82.185.in-addr.arpa udp
US 8.8.8.8:53 71.221.67.172.in-addr.arpa udp
BG 185.82.216.96:443 server12.thestatsfiles.ru tcp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
BG 185.82.216.96:443 server12.thestatsfiles.ru tcp

Files

memory/976-1-0x0000000004920000-0x0000000004D1F000-memory.dmp

memory/976-2-0x0000000004D20000-0x000000000560B000-memory.dmp

memory/976-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4668-4-0x00000000746FE000-0x00000000746FF000-memory.dmp

memory/4668-5-0x0000000004DD0000-0x0000000004E06000-memory.dmp

memory/4668-7-0x0000000005440000-0x0000000005A68000-memory.dmp

memory/4668-6-0x00000000746F0000-0x0000000074EA0000-memory.dmp

memory/4668-8-0x00000000746F0000-0x0000000074EA0000-memory.dmp

memory/4668-9-0x00000000053F0000-0x0000000005412000-memory.dmp

memory/4668-10-0x0000000005CE0000-0x0000000005D46000-memory.dmp

memory/4668-11-0x0000000005D50000-0x0000000005DB6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zbituicz.wan.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4668-21-0x0000000005DC0000-0x0000000006114000-memory.dmp

memory/4668-22-0x00000000063A0000-0x00000000063BE000-memory.dmp

memory/4668-23-0x00000000063E0000-0x000000000642C000-memory.dmp

memory/4668-24-0x0000000006900000-0x0000000006944000-memory.dmp

memory/4668-25-0x00000000074C0000-0x0000000007536000-memory.dmp

memory/976-26-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/4668-27-0x0000000007BC0000-0x000000000823A000-memory.dmp

memory/4668-28-0x0000000007560000-0x000000000757A000-memory.dmp

memory/4668-29-0x0000000007930000-0x0000000007962000-memory.dmp

memory/4668-32-0x00000000746F0000-0x0000000074EA0000-memory.dmp

memory/4668-31-0x0000000070730000-0x0000000070A84000-memory.dmp

memory/4668-42-0x0000000007970000-0x000000000798E000-memory.dmp

memory/4668-30-0x0000000070590000-0x00000000705DC000-memory.dmp

memory/4668-43-0x0000000007990000-0x0000000007A33000-memory.dmp

memory/4668-44-0x00000000746F0000-0x0000000074EA0000-memory.dmp

memory/4668-45-0x0000000007A70000-0x0000000007A7A000-memory.dmp

memory/4668-46-0x0000000008240000-0x00000000082D6000-memory.dmp

memory/4668-47-0x0000000007A90000-0x0000000007AA1000-memory.dmp

memory/4668-48-0x0000000007AD0000-0x0000000007ADE000-memory.dmp

memory/4668-49-0x0000000007AE0000-0x0000000007AF4000-memory.dmp

memory/4668-50-0x0000000007B30000-0x0000000007B4A000-memory.dmp

memory/4668-51-0x0000000007B20000-0x0000000007B28000-memory.dmp

memory/4668-54-0x00000000746F0000-0x0000000074EA0000-memory.dmp

memory/976-56-0x0000000004920000-0x0000000004D1F000-memory.dmp

memory/976-57-0x0000000004D20000-0x000000000560B000-memory.dmp

memory/976-58-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/976-59-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1380-65-0x00000000053C0000-0x0000000005714000-memory.dmp

memory/1380-70-0x0000000070590000-0x00000000705DC000-memory.dmp

memory/1380-71-0x0000000070D10000-0x0000000071064000-memory.dmp

memory/1380-81-0x0000000006C40000-0x0000000006CE3000-memory.dmp

memory/1380-82-0x0000000006F50000-0x0000000006F61000-memory.dmp

memory/1380-83-0x0000000006FA0000-0x0000000006FB4000-memory.dmp

memory/3792-86-0x0000000000400000-0x0000000002B0B000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

memory/4924-88-0x0000000005640000-0x0000000005994000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 b5b97daa14d8ebc89f5a22a738e70030
SHA1 42987a9f44a84481e831e3064291456fe9233990
SHA256 e24327000624fd54a65a0c76c7c1447d121ed39e5347fdee2889d145fbea2394
SHA512 d79db3e83dd074f7712a5853cc07d14b6aefb3f2f7cc987f7a7c63d4a8bc06c91bb634de9b1b4c9b25b30b5d2f87897e644af30ffc14b3ff1f7079f8b32e5808

memory/4924-99-0x0000000070590000-0x00000000705DC000-memory.dmp

memory/4924-100-0x0000000070D30000-0x0000000071084000-memory.dmp

memory/2040-120-0x0000000006140000-0x0000000006494000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 b607661a1d635359c4b94a6807ebc9df
SHA1 72f40af75b53a46a1a21cbaf56ea03cb90805f78
SHA256 42662da3339d836d68131293f87be91e7ffbc7106193b705f7acd922b0262467
SHA512 56ab5ce7fa101bb1f5508a3fad2e45faf45c8b1741e52a1499f7b33000e6a7e21462fc68ef64add779294f8fff62b0025bb3feb31dab4d8c04041980c4b27974

memory/2040-123-0x0000000070590000-0x00000000705DC000-memory.dmp

memory/2040-124-0x0000000070710000-0x0000000070A64000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 cfd07b9cd4a95813076c3c914028a4e5
SHA1 4ba8f87c3289a6a2e42bd6ef63c1565a5fe18362
SHA256 d5176d11489ddd8aaa01ca8af810475a0d829d3ce6ecd57efa594790a97e4977
SHA512 8380426cf3fc4167dec1ea2513aeb7664adeb99052b5ee0739d02c6600474017c793dc18761b4e15e695b1dadc40a275f88907381e75b461d720310c0b03dbae

memory/3792-138-0x0000000000400000-0x0000000002B0B000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 e4c090fb8a69bedc35ba09a86319d76e
SHA1 e415ed6e5502255ca12e19868dad1f578f80eec6
SHA256 63693f60a9852eccbb7a9f9fa43ab7d2b94311488e531c3ddfd1648254b2e980
SHA512 58a7fff12cae3833f475c611cb0bb5e72d9d56abe96f4c0dac75ca89b87ec87ad713380cb4059c8c847f28e8a3f97d27a7377bec450ccbc3b02b1565536c08c8

memory/4536-153-0x0000000070710000-0x0000000070A64000-memory.dmp

memory/4536-152-0x0000000070590000-0x00000000705DC000-memory.dmp

memory/4280-163-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/4872-165-0x0000000006380000-0x00000000066D4000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 d7f5b9844b349713cab62d70558a92ac
SHA1 9bd0a96265218bf4b489edcc16e02867464ac776
SHA256 8605e0875cbac50b3d726480aeee5ae8c7ce3f5c3d74d8f2cf378ef0a3e9cc0b
SHA512 03acaff810b2fb863c8b8c0b6c7193c8fad3837451efb9927a9ab93b2fee43f5ab1bc86bdc350fbac959b4b011427b7b1dea7d15e70dc953fec2fe28ac698898

memory/4872-176-0x0000000006F80000-0x0000000006FCC000-memory.dmp

memory/4872-177-0x00000000704B0000-0x00000000704FC000-memory.dmp

memory/4872-178-0x0000000070C40000-0x0000000070F94000-memory.dmp

memory/4872-188-0x0000000007C70000-0x0000000007D13000-memory.dmp

memory/4872-189-0x0000000007F70000-0x0000000007F81000-memory.dmp

memory/4872-190-0x0000000006800000-0x0000000006814000-memory.dmp

memory/4100-201-0x0000000005870000-0x0000000005BC4000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 53c3e740beed975c86b1f71440ee3724
SHA1 8e69d0d46c3e59d54ea5717fd97d3ed1d4660dae
SHA256 ff9f25928ba9904e8c2e865cacad9c6915e7dc447e9ac40366a4e54bf1712070
SHA512 2246d6d6e809e3ebce83750ddc32db0e0ec773b76a37b4b2a08d96d317b7afc13338772f9f806483eaf719c31faddca4c11731d6cdf4c8b420c91fdd8691630d

memory/4100-204-0x00000000704B0000-0x00000000704FC000-memory.dmp

memory/4100-205-0x0000000070630000-0x0000000070984000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/4280-221-0x0000000000400000-0x0000000002B0B000-memory.dmp

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/1408-227-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/1168-229-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/1408-231-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4280-232-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/1168-235-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4280-234-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/4280-237-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/1168-241-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4280-240-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/4280-244-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/4280-246-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/4280-249-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/4280-252-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/4280-256-0x0000000000400000-0x0000000002B0B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-15 15:28

Reported

2024-05-15 15:31

Platform

win11-20240508-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d5176d11489ddd8aaa01ca8af810475a0d829d3ce6ecd57efa594790a97e4977.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\d5176d11489ddd8aaa01ca8af810475a0d829d3ce6ecd57efa594790a97e4977.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\d5176d11489ddd8aaa01ca8af810475a0d829d3ce6ecd57efa594790a97e4977.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\d5176d11489ddd8aaa01ca8af810475a0d829d3ce6ecd57efa594790a97e4977.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\d5176d11489ddd8aaa01ca8af810475a0d829d3ce6ecd57efa594790a97e4977.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1842 = "Russia TZ 4 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1801 = "Line Islands Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-215 = "Pacific Standard Time (Mexico)" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2891 = "Sudan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2432 = "Cuba Standard Time" C:\Users\Admin\AppData\Local\Temp\d5176d11489ddd8aaa01ca8af810475a0d829d3ce6ecd57efa594790a97e4977.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-532 = "Sri Lanka Standard Time" C:\Users\Admin\AppData\Local\Temp\d5176d11489ddd8aaa01ca8af810475a0d829d3ce6ecd57efa594790a97e4977.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1662 = "Bahia Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2001 = "Cabo Verde Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2612 = "Bougainville Standard Time" C:\Users\Admin\AppData\Local\Temp\d5176d11489ddd8aaa01ca8af810475a0d829d3ce6ecd57efa594790a97e4977.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-3052 = "Qyzylorda Standard Time" C:\Users\Admin\AppData\Local\Temp\d5176d11489ddd8aaa01ca8af810475a0d829d3ce6ecd57efa594790a97e4977.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-105 = "Central Brazilian Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-364 = "Middle East Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1912 = "Russia TZ 10 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-601 = "Taipei Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2591 = "Tocantins Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-391 = "Arab Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1501 = "Turkey Daylight Time" C:\Users\Admin\AppData\Local\Temp\d5176d11489ddd8aaa01ca8af810475a0d829d3ce6ecd57efa594790a97e4977.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-11 = "Azores Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2492 = "Aus Central W. Standard Time" C:\Users\Admin\AppData\Local\Temp\d5176d11489ddd8aaa01ca8af810475a0d829d3ce6ecd57efa594790a97e4977.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2791 = "Novosibirsk Daylight Time" C:\Users\Admin\AppData\Local\Temp\d5176d11489ddd8aaa01ca8af810475a0d829d3ce6ecd57efa594790a97e4977.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-871 = "Pakistan Daylight Time" C:\Users\Admin\AppData\Local\Temp\d5176d11489ddd8aaa01ca8af810475a0d829d3ce6ecd57efa594790a97e4977.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-791 = "SA Western Daylight Time" C:\Users\Admin\AppData\Local\Temp\d5176d11489ddd8aaa01ca8af810475a0d829d3ce6ecd57efa594790a97e4977.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-982 = "Kamchatka Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2872 = "Magallanes Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-211 = "Pacific Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-541 = "Myanmar Daylight Time" C:\Users\Admin\AppData\Local\Temp\d5176d11489ddd8aaa01ca8af810475a0d829d3ce6ecd57efa594790a97e4977.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-962 = "Paraguay Standard Time" C:\Users\Admin\AppData\Local\Temp\d5176d11489ddd8aaa01ca8af810475a0d829d3ce6ecd57efa594790a97e4977.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2571 = "Turks and Caicos Daylight Time" C:\Users\Admin\AppData\Local\Temp\d5176d11489ddd8aaa01ca8af810475a0d829d3ce6ecd57efa594790a97e4977.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-121 = "SA Pacific Daylight Time" C:\Users\Admin\AppData\Local\Temp\d5176d11489ddd8aaa01ca8af810475a0d829d3ce6ecd57efa594790a97e4977.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2451 = "Saint Pierre Daylight Time" C:\Users\Admin\AppData\Local\Temp\d5176d11489ddd8aaa01ca8af810475a0d829d3ce6ecd57efa594790a97e4977.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-182 = "Mountain Standard Time (Mexico)" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-831 = "SA Eastern Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1412 = "Syria Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1721 = "Libya Daylight Time" C:\Users\Admin\AppData\Local\Temp\d5176d11489ddd8aaa01ca8af810475a0d829d3ce6ecd57efa594790a97e4977.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-772 = "Montevideo Standard Time" C:\Users\Admin\AppData\Local\Temp\d5176d11489ddd8aaa01ca8af810475a0d829d3ce6ecd57efa594790a97e4977.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2391 = "Aleutian Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-981 = "Kamchatka Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-462 = "Afghanistan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-82 = "Atlantic Standard Time" C:\Users\Admin\AppData\Local\Temp\d5176d11489ddd8aaa01ca8af810475a0d829d3ce6ecd57efa594790a97e4977.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-671 = "AUS Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\d5176d11489ddd8aaa01ca8af810475a0d829d3ce6ecd57efa594790a97e4977.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-152 = "Central America Standard Time" C:\Users\Admin\AppData\Local\Temp\d5176d11489ddd8aaa01ca8af810475a0d829d3ce6ecd57efa594790a97e4977.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-331 = "E. Europe Daylight Time" C:\Users\Admin\AppData\Local\Temp\d5176d11489ddd8aaa01ca8af810475a0d829d3ce6ecd57efa594790a97e4977.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1841 = "Russia TZ 4 Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-221 = "Alaskan Daylight Time" C:\Users\Admin\AppData\Local\Temp\d5176d11489ddd8aaa01ca8af810475a0d829d3ce6ecd57efa594790a97e4977.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-651 = "AUS Central Daylight Time" C:\Users\Admin\AppData\Local\Temp\d5176d11489ddd8aaa01ca8af810475a0d829d3ce6ecd57efa594790a97e4977.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-631 = "Tokyo Daylight Time" C:\Users\Admin\AppData\Local\Temp\d5176d11489ddd8aaa01ca8af810475a0d829d3ce6ecd57efa594790a97e4977.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-672 = "AUS Eastern Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-452 = "Caucasus Standard Time" C:\Users\Admin\AppData\Local\Temp\d5176d11489ddd8aaa01ca8af810475a0d829d3ce6ecd57efa594790a97e4977.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-662 = "Cen. Australia Standard Time" C:\Users\Admin\AppData\Local\Temp\d5176d11489ddd8aaa01ca8af810475a0d829d3ce6ecd57efa594790a97e4977.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d5176d11489ddd8aaa01ca8af810475a0d829d3ce6ecd57efa594790a97e4977.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d5176d11489ddd8aaa01ca8af810475a0d829d3ce6ecd57efa594790a97e4977.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d5176d11489ddd8aaa01ca8af810475a0d829d3ce6ecd57efa594790a97e4977.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d5176d11489ddd8aaa01ca8af810475a0d829d3ce6ecd57efa594790a97e4977.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d5176d11489ddd8aaa01ca8af810475a0d829d3ce6ecd57efa594790a97e4977.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d5176d11489ddd8aaa01ca8af810475a0d829d3ce6ecd57efa594790a97e4977.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d5176d11489ddd8aaa01ca8af810475a0d829d3ce6ecd57efa594790a97e4977.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d5176d11489ddd8aaa01ca8af810475a0d829d3ce6ecd57efa594790a97e4977.exe N/A (5 consecutive identical rows)
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A (10 consecutive identical rows)
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A (6 consecutive identical rows)
N/A N/A C:\Windows\rss\csrss.exe N/A (2 consecutive identical rows)
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A (6 consecutive identical rows)
N/A N/A C:\Windows\rss\csrss.exe N/A (2 consecutive identical rows)
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A (2 consecutive identical rows)
N/A N/A C:\Windows\rss\csrss.exe N/A (2 consecutive identical rows)
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A (18 consecutive identical rows)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\d5176d11489ddd8aaa01ca8af810475a0d829d3ce6ecd57efa594790a97e4977.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\d5176d11489ddd8aaa01ca8af810475a0d829d3ce6ecd57efa594790a97e4977.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2400 wrote to memory of 1752 (3 rows) N/A C:\Users\Admin\AppData\Local\Temp\d5176d11489ddd8aaa01ca8af810475a0d829d3ce6ecd57efa594790a97e4977.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4072 wrote to memory of 4480 (3 rows) N/A C:\Users\Admin\AppData\Local\Temp\d5176d11489ddd8aaa01ca8af810475a0d829d3ce6ecd57efa594790a97e4977.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4072 wrote to memory of 2416 (2 rows) N/A C:\Users\Admin\AppData\Local\Temp\d5176d11489ddd8aaa01ca8af810475a0d829d3ce6ecd57efa594790a97e4977.exe C:\Windows\system32\cmd.exe
PID 2416 wrote to memory of 3280 (2 rows) N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4072 wrote to memory of 4140 (3 rows) N/A C:\Users\Admin\AppData\Local\Temp\d5176d11489ddd8aaa01ca8af810475a0d829d3ce6ecd57efa594790a97e4977.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4072 wrote to memory of 3344 (3 rows) N/A C:\Users\Admin\AppData\Local\Temp\d5176d11489ddd8aaa01ca8af810475a0d829d3ce6ecd57efa594790a97e4977.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4072 wrote to memory of 1028 (3 rows) N/A C:\Users\Admin\AppData\Local\Temp\d5176d11489ddd8aaa01ca8af810475a0d829d3ce6ecd57efa594790a97e4977.exe C:\Windows\rss\csrss.exe
PID 1028 wrote to memory of 552 (3 rows) N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1028 wrote to memory of 1912 (3 rows) N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1028 wrote to memory of 2248 (3 rows) N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1028 wrote to memory of 5020 (2 rows) N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 4352 wrote to memory of 4796 (3 rows) N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 4796 wrote to memory of 1952 (3 rows) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\d5176d11489ddd8aaa01ca8af810475a0d829d3ce6ecd57efa594790a97e4977.exe

"C:\Users\Admin\AppData\Local\Temp\d5176d11489ddd8aaa01ca8af810475a0d829d3ce6ecd57efa594790a97e4977.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\d5176d11489ddd8aaa01ca8af810475a0d829d3ce6ecd57efa594790a97e4977.exe

"C:\Users\Admin\AppData\Local\Temp\d5176d11489ddd8aaa01ca8af810475a0d829d3ce6ecd57efa594790a97e4977.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe
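The security descriptor passed to `sc sdset WinDefender ...` above is the part of this process tree worth decoding: it is what lets the service the sample registers as WinDefender survive an administrator's `sc stop`. The Python below is an added example, not part of the sandbox report or of the sample; it parses that SDDL string into service-specific rights, walks the DACL the way an access check does, and reports what Builtin Administrators can still do. The "default" descriptor it compares against is assumed here to be what `sc sdshow` returns for a freshly created service on Windows 10; the trustee names are this example's own labels for the SDDL abbreviations.

```python
import re

# Two-letter SDDL right codes as the Service Control Manager interprets them
# for service objects (generic object rights remapped to service rights).
SERVICE_RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG",
    "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS",
    "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START",
    "WP": "SERVICE_STOP",
    "DT": "SERVICE_PAUSE_CONTINUE",
    "LO": "SERVICE_INTERROGATE",
    "CR": "SERVICE_USER_DEFINED_CONTROL",
    "SD": "DELETE",
    "RC": "READ_CONTROL",
    "WD": "WRITE_DAC",
    "WO": "WRITE_OWNER",
}

# Well-known trustee abbreviations that appear in this descriptor.
TRUSTEES = {
    "SY": "LocalSystem",
    "BA": "Builtin Administrators",
    "IU": "Interactive users",
    "SU": "Service logon users",
    "WD": "Everyone",
}

ACE_TYPES = {"A": "allow", "D": "deny", "AU": "audit"}

# The descriptor from the sc sdset command line in the process list above.
SAMPLE_SDDL = (
    "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)"
    "(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
    "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
)

# Assumed default DACL of a newly created service (what sc sdshow usually
# returns on Windows 10); used only for comparison.
DEFAULT_SDDL = (
    "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
    "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
)


def parse_ace(ace):
    """Decode one 'type;flags;rights;objguid;inhguid;trustee' ACE."""
    ace_type, flags, rights, _, _, trustee = (ace.split(";") + [""] * 6)[:6]
    if rights.startswith("0x"):
        decoded = [rights]  # raw access mask, left undecoded
    else:
        decoded = [SERVICE_RIGHTS.get(rights[i:i + 2], rights[i:i + 2])
                   for i in range(0, len(rights), 2)]
    return {"type": ACE_TYPES.get(ace_type, ace_type), "flags": flags,
            "rights": decoded, "trustee": TRUSTEES.get(trustee, trustee)}


def parse_sddl(sddl):
    """Return the O:/G: SIDs as strings and D:/S: sections as ACE lists."""
    out = {}
    for m in re.finditer(r"([OGDS]):((?:\([^)]*\))*|[^:()]*?)(?=[OGDS]:|$)", sddl):
        key, body = m.group(1), m.group(2)
        if key in ("D", "S"):
            out[key] = [parse_ace(a) for a in re.findall(r"\(([^)]*)\)", body)]
        else:
            out[key] = body
    return out


def access_granted(dacl, trustee, right):
    """Single-SID approximation of AccessCheck for one right: ACEs are
    walked in order and the first one naming both trustee and right
    decides; no matching ACE means access is denied."""
    for ace in dacl:
        if ace["trustee"] == trustee and right in ace["rights"]:
            return ace["type"] == "allow"
    return False


def summarize(sddl, trustee="Builtin Administrators"):
    """Map every service right to whether the trustee ends up holding it."""
    dacl = parse_sddl(sddl).get("D", [])
    return {name: access_granted(dacl, trustee, name)
            for name in SERVICE_RIGHTS.values()}


def stop_protected(sddl):
    """True when Builtin Administrators can neither stop nor pause it."""
    s = summarize(sddl)
    return not s["SERVICE_STOP"] and not s["SERVICE_PAUSE_CONTINUE"]


if __name__ == "__main__":
    for label, sddl in (("sample", SAMPLE_SDDL), ("default", DEFAULT_SDDL)):
        s = summarize(sddl)
        print(f"{label}: admins stop={s['SERVICE_STOP']} "
              f"pause={s['SERVICE_PAUSE_CONTINUE']} write_dac={s['WRITE_DAC']}")
```

Compared with the default, the administrators allow ACE has lost WP and DT, and an explicit `(D;;WPDT;;;BA)` is appended, so `sc stop` or `net stop` from an elevated prompt fails with access denied. The deny ACE sits after the allow ACE for the same trustee, which is not canonical order, but since WP and DT were also dropped from the allow ACE the in-order evaluation gives the same answer either way. Administrators keep SERVICE_CHANGE_CONFIG, WRITE_DAC and WRITE_OWNER, so during remediation an elevated `sc sdset WinDefender <default descriptor>` restores the ability to stop and delete the service.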

Network

Country Destination Domain Proto
US 8.8.8.8:53 f5c7780a-985c-45dc-bcb1-529c11160bb0.uuid.thestatsfiles.ru udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 server14.thestatsfiles.ru udp
US 162.159.133.233:443 cdn.discordapp.com tcp
US 74.125.250.129:19302 stun.l.google.com udp
BG 185.82.216.96:443 server14.thestatsfiles.ru tcp
US 104.21.94.82:443 carsalessystem.com tcp
US 8.8.8.8:53 82.94.21.104.in-addr.arpa udp
BG 185.82.216.96:443 server14.thestatsfiles.ru tcp
BG 185.82.216.96:443 server14.thestatsfiles.ru tcp
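The flows above can be triaged mechanically. The Python below is an added example and not part of the report; it takes the ten rows of the Network table (embedded as constructed sample input copied from above) and tags what a responder would pull out of them: DNS sent straight to 8.8.8.8 instead of the local resolver, the UUID-shaped leftmost label under thestatsfiles.ru, the STUN query to stun.l.google.com on 19302, and the reverse lookup of 104.21.94.82 cross-referenced against the hosts the sample actually connected to. The tag names and the public-resolver list are this example's own.

```python
import re

# Rows of the Network table, copied as constructed sample input:
# country, destination ip:port, domain, protocol.
SAMPLE_ROWS = """\
US 8.8.8.8:53 f5c7780a-985c-45dc-bcb1-529c11160bb0.uuid.thestatsfiles.ru udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 server14.thestatsfiles.ru udp
US 162.159.133.233:443 cdn.discordapp.com tcp
US 74.125.250.129:19302 stun.l.google.com udp
BG 185.82.216.96:443 server14.thestatsfiles.ru tcp
US 104.21.94.82:443 carsalessystem.com tcp
US 8.8.8.8:53 82.94.21.104.in-addr.arpa udp
BG 185.82.216.96:443 server14.thestatsfiles.ru tcp
BG 185.82.216.96:443 server14.thestatsfiles.ru tcp
""".splitlines()

# Public resolvers malware hardcodes to sidestep the local DNS server.
PUBLIC_RESOLVERS = {"8.8.8.8", "8.8.4.4", "1.1.1.1", "1.0.0.1", "9.9.9.9"}
UUID_LABEL = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)
STUN_PORTS = {3478, 19302}  # standard STUN and Google's STUN port


def parse_row(line):
    country, dest, domain, proto = line.split()
    ip, port = dest.rsplit(":", 1)
    return {"country": country, "ip": ip, "port": int(port),
            "domain": domain, "proto": proto}


def ptr_target(domain):
    """Turn '82.94.21.104.in-addr.arpa' back into '104.21.94.82', else None."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)\.(\d+)\.in-addr\.arpa", domain)
    return ".".join(reversed(m.groups())) if m else None


def triage_flows(lines):
    """Tag each flow; returns the parsed rows with a 'tags' list added."""
    rows = [parse_row(line) for line in lines]
    # Hosts the sample actually talked to (non-DNS), for cross-referencing.
    contacted = {r["ip"] for r in rows if r["port"] != 53}
    findings = []
    for r in rows:
        tags = []
        if r["port"] == 53 and r["ip"] in PUBLIC_RESOLVERS:
            tags.append("external_resolver")   # bypasses local DNS logging
        if UUID_LABEL.match(r["domain"].split(".")[0]):
            tags.append("uuid_label")          # per-victim identifier in DNS
        if r["proto"] == "udp" and r["port"] in STUN_PORTS:
            tags.append("stun")                # public-IP / NAT discovery
        target = ptr_target(r["domain"])
        if target:
            tags.append("reverse_lookup")
            if target in contacted:
                tags.append("ptr_of_contacted_host")
        findings.append({**r, "tags": tags, "ptr_target": target})
    return findings


if __name__ == "__main__":
    for f in triage_flows(SAMPLE_ROWS):
        if f["tags"]:
            print(f"{f['ip']}:{f['port']} {f['domain']} -> {', '.join(f['tags'])}")
```

Only the DNS and STUN rows produce tags; the repeated TLS connections to 185.82.216.96 and the Discord CDN fetch are plain destinations to block and pivot on, not behaviours the rows themselves reveal.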

Files

memory/2400-1-0x00000000049C0000-0x0000000004DC1000-memory.dmp

memory/2400-2-0x0000000004DD0000-0x00000000056BB000-memory.dmp

memory/2400-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1752-4-0x00000000745BE000-0x00000000745BF000-memory.dmp

memory/1752-5-0x0000000004680000-0x00000000046B6000-memory.dmp

memory/1752-7-0x00000000745B0000-0x0000000074D61000-memory.dmp

memory/1752-6-0x0000000004E10000-0x000000000543A000-memory.dmp

memory/1752-8-0x0000000004C80000-0x0000000004CA2000-memory.dmp

memory/1752-10-0x0000000005620000-0x0000000005686000-memory.dmp

memory/1752-9-0x00000000054B0000-0x0000000005516000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nd3svabg.5mx.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1752-19-0x0000000005700000-0x0000000005A57000-memory.dmp

memory/1752-20-0x00000000745B0000-0x0000000074D61000-memory.dmp

memory/1752-21-0x0000000005B10000-0x0000000005B2E000-memory.dmp

memory/1752-22-0x0000000005BE0000-0x0000000005C2C000-memory.dmp

memory/1752-23-0x00000000060C0000-0x0000000006106000-memory.dmp

memory/1752-25-0x0000000070820000-0x000000007086C000-memory.dmp

memory/1752-36-0x0000000006F90000-0x0000000006FAE000-memory.dmp

memory/1752-26-0x00000000709A0000-0x0000000070CF7000-memory.dmp

memory/1752-35-0x00000000745B0000-0x0000000074D61000-memory.dmp

memory/1752-37-0x0000000006FB0000-0x0000000007054000-memory.dmp

memory/1752-24-0x0000000006F50000-0x0000000006F84000-memory.dmp

memory/1752-38-0x00000000745B0000-0x0000000074D61000-memory.dmp

memory/1752-39-0x0000000007720000-0x0000000007D9A000-memory.dmp

memory/1752-40-0x00000000070E0000-0x00000000070FA000-memory.dmp

memory/1752-41-0x0000000007120000-0x000000000712A000-memory.dmp

memory/1752-42-0x00000000071E0000-0x0000000007276000-memory.dmp

memory/1752-43-0x0000000007150000-0x0000000007161000-memory.dmp

memory/1752-44-0x0000000007190000-0x000000000719E000-memory.dmp

memory/1752-45-0x00000000071A0000-0x00000000071B5000-memory.dmp

memory/1752-46-0x00000000072A0000-0x00000000072BA000-memory.dmp

memory/1752-47-0x0000000007290000-0x0000000007298000-memory.dmp

memory/1752-50-0x00000000745B0000-0x0000000074D61000-memory.dmp

memory/2400-52-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/2400-53-0x00000000049C0000-0x0000000004DC1000-memory.dmp

memory/2400-54-0x0000000004DD0000-0x00000000056BB000-memory.dmp

memory/2400-56-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4480-62-0x0000000005C60000-0x0000000005FB7000-memory.dmp

memory/4480-66-0x0000000070820000-0x000000007086C000-memory.dmp

memory/4480-67-0x0000000070A70000-0x0000000070DC7000-memory.dmp

memory/4480-76-0x0000000007380000-0x0000000007424000-memory.dmp

memory/4480-77-0x00000000076D0000-0x00000000076E1000-memory.dmp

memory/4480-78-0x0000000007720000-0x0000000007735000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 ac4917a885cf6050b1a483e4bc4d2ea5
SHA1 b1c0a9f27bd21c6bbb8e9be70db8777b4a2a640f
SHA256 e39062a62c3c7617feeeff95ea8a0be51104a0d36f46e44eea22556fda74d8d9
SHA512 092c67a3ecae1d187cad72a8ea1ea37cb78a0cf79c2cd7fb88953e5990669a2e871267015762fd46d274badb88ac0c1d73b00f1df7394d89bed48a3a45c2ba3d

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 b5a93a93584e23c33a182d1b2dfd5fcb
SHA1 01a19e0f671f54a51e18d52071781c7d35b610d8
SHA256 530c029d7150aa8115d191e9f1bb095071533fb90d469c8a7aeba5667e705d84
SHA512 592ac15aeba0a97ab371fe50652683e1467287a14157d1d1913ddcfd2691c82a7632c457544a354af56b7f86e9694bf31cdc2322774f198b57e60cb9db674d0b

memory/4140-91-0x0000000070820000-0x000000007086C000-memory.dmp

memory/4140-92-0x00000000709A0000-0x0000000070CF7000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 cc018dad66832bcf37f0e6f78cc954ff
SHA1 61a76f0a89bdb8a3a76db50be1bfa7fccc936f01
SHA256 ed2798e85292862926614c99973de5639ba655e317af84e297fa7ae13e864a34
SHA512 f26c2c7f2ab24b3c0ca8078ed8cff930e2833d51f59ee994b452accd1de5c6c1d8846022b6febadf7c85264a43506834c2473b022097ba84c472d246b5c03599

memory/3344-113-0x0000000070A70000-0x0000000070DC7000-memory.dmp

memory/3344-112-0x0000000070820000-0x000000007086C000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 cfd07b9cd4a95813076c3c914028a4e5
SHA1 4ba8f87c3289a6a2e42bd6ef63c1565a5fe18362
SHA256 d5176d11489ddd8aaa01ca8af810475a0d829d3ce6ecd57efa594790a97e4977
SHA512 8380426cf3fc4167dec1ea2513aeb7664adeb99052b5ee0739d02c6600474017c793dc18761b4e15e695b1dadc40a275f88907381e75b461d720310c0b03dbae

memory/4072-128-0x0000000000400000-0x0000000002B0B000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 8c2444a05ffd16899344467c726e53e6
SHA1 dae878c5fa07e524ca214663c185c2ba85a4ebe9
SHA256 f9f604f7c236bcbdf760d45860bf36bf1aa2c9091a0e7197827952dd21038652
SHA512 78a917b681c405db03a51ba97a72762f70d7862591de6023225a3a6d1ebe71c18f31e6d38f92920417f9cf2f6aa2bc51af7ef531bf4cf35ffdbfd196bffab40a

memory/552-139-0x0000000070820000-0x000000007086C000-memory.dmp

memory/552-140-0x00000000709A0000-0x0000000070CF7000-memory.dmp

memory/1028-150-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/1912-152-0x0000000005760000-0x0000000005AB7000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 a0ea9818f036bf25864ddaf2f547c660
SHA1 1f02b097398aa491c0132d3a12fc45be679d5c8a
SHA256 7963f14917dfd39e54f96a1f6a0ca311cc9897845f4f58452169837d718b5d7d
SHA512 aec53971e7d633b4d190bac1d03b099919b8d644058fad5e49f4b500187a47e74605f79bdfaa9d85cddca161edcb2b320d591649730482c8acce634c0a6c27bc

memory/1912-162-0x0000000006230000-0x000000000627C000-memory.dmp

memory/1912-163-0x0000000070740000-0x000000007078C000-memory.dmp

memory/1912-164-0x0000000070990000-0x0000000070CE7000-memory.dmp

memory/1912-173-0x0000000006F20000-0x0000000006FC4000-memory.dmp

memory/1912-174-0x00000000072C0000-0x00000000072D1000-memory.dmp

memory/1912-175-0x0000000005AE0000-0x0000000005AF5000-memory.dmp

memory/2248-185-0x0000000005DF0000-0x0000000006147000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 10fa4c81fea8385c5ff9e734046ed4c2
SHA1 1de295e2fc1407d1f587a4395777e11098d74422
SHA256 13872f338633bed8bce0c94450eedfb7169bee47b31815ad5ad876441f90a432
SHA512 39c34e0800f6603e95bd4997ad54bab95bb4dc0a2929b96e2cf17072fe23ef0a57254f2776604b4b6bdd220372fba701295c8dd9758c92cef1417a332380ca47

memory/2248-187-0x0000000070740000-0x000000007078C000-memory.dmp

memory/2248-188-0x0000000070930000-0x0000000070C87000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/1028-205-0x0000000000400000-0x0000000002B0B000-memory.dmp

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/4352-209-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/420-212-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4352-214-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/1028-217-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/420-219-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/1028-221-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/1028-225-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/420-227-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/1028-229-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/1028-233-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/1028-237-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/1028-241-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/1028-245-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/1028-249-0x0000000000400000-0x0000000002B0B000-memory.dmp