Malware Analysis Report

2025-01-02 06:40

Sample ID 240515-wqm2zada42
Target 2aecfb9370460b488abd4f1fb79fe3d657346634f7f51462ac34971005d05472
SHA256 2aecfb9370460b488abd4f1fb79fe3d657346634f7f51462ac34971005d05472
Tags
glupteba discovery dropper evasion execution loader persistence rootkit upx
Score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score
10/10

SHA256

2aecfb9370460b488abd4f1fb79fe3d657346634f7f51462ac34971005d05472

Threat Level: Known bad

The file 2aecfb9370460b488abd4f1fb79fe3d657346634f7f51462ac34971005d05472 was found to be: Known bad.

Malicious Activity Summary

glupteba discovery dropper evasion execution loader persistence rootkit upx

Glupteba

Glupteba payload

Modifies Windows Firewall

UPX packed file

Executes dropped EXE

Adds Run key to start application

Checks installed software on the system

Manipulates WinMonFS driver

Drops file in System32 directory

Checks for VirtualBox DLLs, possible anti-VM trick

Launches sc.exe

Drops file in Windows directory

Command and Scripting Interpreter: PowerShell

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Modifies data under HKEY_USERS

Creates scheduled task(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-15 18:07

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-15 18:07

Reported

2024-05-15 18:10

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2aecfb9370460b488abd4f1fb79fe3d657346634f7f51462ac34971005d05472.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target Count
N/A N/A N/A N/A 18

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Description Indicator Process Target Count
N/A N/A N/A N/A 6

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\2aecfb9370460b488abd4f1fb79fe3d657346634f7f51462ac34971005d05472.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target Count
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A 1
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A 1
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A 5

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\2aecfb9370460b488abd4f1fb79fe3d657346634f7f51462ac34971005d05472.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\2aecfb9370460b488abd4f1fb79fe3d657346634f7f51462ac34971005d05472.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\2aecfb9370460b488abd4f1fb79fe3d657346634f7f51462ac34971005d05472.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-331 = "E. Europe Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time" C:\Users\Admin\AppData\Local\Temp\2aecfb9370460b488abd4f1fb79fe3d657346634f7f51462ac34971005d05472.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-722 = "Central Pacific Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2571 = "Turks and Caicos Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-931 = "Coordinated Universal Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-671 = "AUS Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\2aecfb9370460b488abd4f1fb79fe3d657346634f7f51462ac34971005d05472.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-392 = "Arab Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-541 = "Myanmar Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-831 = "SA Eastern Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2432 = "Cuba Standard Time" C:\Users\Admin\AppData\Local\Temp\2aecfb9370460b488abd4f1fb79fe3d657346634f7f51462ac34971005d05472.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-181 = "Mountain Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\2aecfb9370460b488abd4f1fb79fe3d657346634f7f51462ac34971005d05472.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2321 = "Sakhalin Daylight Time" C:\Users\Admin\AppData\Local\Temp\2aecfb9370460b488abd4f1fb79fe3d657346634f7f51462ac34971005d05472.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-491 = "India Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1932 = "Russia TZ 11 Standard Time" C:\Users\Admin\AppData\Local\Temp\2aecfb9370460b488abd4f1fb79fe3d657346634f7f51462ac34971005d05472.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-171 = "Central Daylight Time (Mexico)" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2591 = "Tocantins Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-221 = "Alaskan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-82 = "Atlantic Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-392 = "Arab Standard Time" C:\Users\Admin\AppData\Local\Temp\2aecfb9370460b488abd4f1fb79fe3d657346634f7f51462ac34971005d05472.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-682 = "E. Australia Standard Time" C:\Users\Admin\AppData\Local\Temp\2aecfb9370460b488abd4f1fb79fe3d657346634f7f51462ac34971005d05472.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2752 = "Tomsk Standard Time" C:\Users\Admin\AppData\Local\Temp\2aecfb9370460b488abd4f1fb79fe3d657346634f7f51462ac34971005d05472.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2412 = "Marquesas Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2631 = "Norfolk Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-652 = "AUS Central Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2342 = "Haiti Standard Time" C:\Users\Admin\AppData\Local\Temp\2aecfb9370460b488abd4f1fb79fe3d657346634f7f51462ac34971005d05472.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1722 = "Libya Standard Time" C:\Users\Admin\AppData\Local\Temp\2aecfb9370460b488abd4f1fb79fe3d657346634f7f51462ac34971005d05472.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-242 = "Samoa Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-251 = "Dateline Daylight Time" C:\Users\Admin\AppData\Local\Temp\2aecfb9370460b488abd4f1fb79fe3d657346634f7f51462ac34971005d05472.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2342 = "Haiti Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-411 = "E. Africa Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2371 = "Easter Island Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-331 = "E. Europe Daylight Time" C:\Users\Admin\AppData\Local\Temp\2aecfb9370460b488abd4f1fb79fe3d657346634f7f51462ac34971005d05472.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-41 = "E. South America Daylight Time" C:\Users\Admin\AppData\Local\Temp\2aecfb9370460b488abd4f1fb79fe3d657346634f7f51462ac34971005d05472.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-3052 = "Qyzylorda Standard Time" C:\Users\Admin\AppData\Local\Temp\2aecfb9370460b488abd4f1fb79fe3d657346634f7f51462ac34971005d05472.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-434 = "Georgian Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-32 = "Mid-Atlantic Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2772 = "Omsk Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2842 = "Saratov Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1042 = "Ulaanbaatar Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1821 = "Russia TZ 1 Daylight Time" C:\Users\Admin\AppData\Local\Temp\2aecfb9370460b488abd4f1fb79fe3d657346634f7f51462ac34971005d05472.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-292 = "Central European Standard Time" C:\Windows\windefender.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target Count
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A 14
N/A N/A C:\Users\Admin\AppData\Local\Temp\2aecfb9370460b488abd4f1fb79fe3d657346634f7f51462ac34971005d05472.exe N/A 12
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A 32
N/A N/A C:\Windows\rss\csrss.exe N/A 6

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target Count
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A 7
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2aecfb9370460b488abd4f1fb79fe3d657346634f7f51462ac34971005d05472.exe N/A 1
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2aecfb9370460b488abd4f1fb79fe3d657346634f7f51462ac34971005d05472.exe N/A 1
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A 1
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A 2

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count
PID 1944 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Local\Temp\2aecfb9370460b488abd4f1fb79fe3d657346634f7f51462ac34971005d05472.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 3
PID 2392 wrote to memory of 3644 N/A C:\Users\Admin\AppData\Local\Temp\2aecfb9370460b488abd4f1fb79fe3d657346634f7f51462ac34971005d05472.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 3
PID 2392 wrote to memory of 4972 N/A C:\Users\Admin\AppData\Local\Temp\2aecfb9370460b488abd4f1fb79fe3d657346634f7f51462ac34971005d05472.exe C:\Windows\system32\cmd.exe 2
PID 4972 wrote to memory of 408 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe 2
PID 2392 wrote to memory of 1400 N/A C:\Users\Admin\AppData\Local\Temp\2aecfb9370460b488abd4f1fb79fe3d657346634f7f51462ac34971005d05472.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 3
PID 2392 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\2aecfb9370460b488abd4f1fb79fe3d657346634f7f51462ac34971005d05472.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 3
PID 2392 wrote to memory of 3676 N/A C:\Users\Admin\AppData\Local\Temp\2aecfb9370460b488abd4f1fb79fe3d657346634f7f51462ac34971005d05472.exe C:\Windows\rss\csrss.exe 3
PID 3676 wrote to memory of 4268 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 3
PID 3676 wrote to memory of 4192 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 3
PID 3676 wrote to memory of 944 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 3
PID 3676 wrote to memory of 3164 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe 2
PID 4176 wrote to memory of 948 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe 3
PID 948 wrote to memory of 2952 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe 3

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\2aecfb9370460b488abd4f1fb79fe3d657346634f7f51462ac34971005d05472.exe

"C:\Users\Admin\AppData\Local\Temp\2aecfb9370460b488abd4f1fb79fe3d657346634f7f51462ac34971005d05472.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\2aecfb9370460b488abd4f1fb79fe3d657346634f7f51462ac34971005d05472.exe

"C:\Users\Admin\AppData\Local\Temp\2aecfb9370460b488abd4f1fb79fe3d657346634f7f51462ac34971005d05472.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe
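
The `sc sdset WinDefender ...` command above rewrites the security descriptor of a service whose name mimics the legitimate Windows Defender service (WinDefend) and whose binary is the dropped C:\Windows\windefender.exe; the process list shows no `sc create`, so whatever registers the service is not visible in this report. The following decoder is an added example for this report, not code from the sample or the sandbox: it parses the SDDL string copied from the command line using the service-object meaning of the two-letter rights (the mapping sc.exe sdshow/sdset work with) and replays the first-match DACL walk Windows performs. Two things fall out. The allow ACE for BUILTIN\Administrators already omits WP (SERVICE_STOP) and DT (SERVICE_PAUSE_CONTINUE), and the deny ACE then denies exactly those two, so Administrators cannot stop or pause the service whichever order the ACEs are evaluated in, while SYSTEM keeps both rights. Administrators do keep DC, SD and WD, so the descriptor can be reset with another `sc sdset` from an elevated prompt or the service deleted with `sc delete`; stopping the running instance still needs a SYSTEM context or a reboot. The SACL entry only audits failed access for Everyone.

```python
"""Decode the service DACL that the sample sets with `sc sdset WinDefender ...`
and replay the first-match access check Windows applies to it.

Added example for this report, not code from the sample or the sandbox. The
SDDL string is copied from the report; the two-letter rights use the
service-object meanings that sc.exe sdshow/sdset work with.
"""
import re

# Service-object access rights in SDDL abbreviation form.
SERVICE_RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS", "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START", "WP": "SERVICE_STOP", "DT": "SERVICE_PAUSE_CONTINUE",
    "LO": "SERVICE_INTERROGATE", "CR": "SERVICE_USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}
# Well-known SID abbreviations used in this descriptor. In the trustee field
# WD means Everyone, not WRITE_DAC; the two namespaces never share a field.
TRUSTEES = {"SY": "NT AUTHORITY\\SYSTEM", "BA": "BUILTIN\\Administrators",
            "IU": "NT AUTHORITY\\INTERACTIVE", "SU": "NT AUTHORITY\\SERVICE",
            "WD": "Everyone"}
ACE_TYPES = {"A": "allow", "D": "deny", "AU": "audit"}

# Copied verbatim from the sc sdset command line in this report.
GLUPTEBA_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)"
                 "(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
                 "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")

SECTION_RE = re.compile(r"([DS]):((?:\([^)]*\))*)")  # D:(...)(...)  S:(...)
ACE_RE = re.compile(r"\(([^)]*)\)")


def parse_rights(rights: str) -> frozenset:
    """Split 'WPDT' into {'SERVICE_STOP', 'SERVICE_PAUSE_CONTINUE'}; reject unknown tokens."""
    tokens = [rights[i:i + 2] for i in range(0, len(rights), 2)]
    unknown = [t for t in tokens if t not in SERVICE_RIGHTS]
    if len(rights) % 2 or unknown:
        raise ValueError("cannot decode rights %r: %r" % (rights, unknown))
    return frozenset(SERVICE_RIGHTS[t] for t in tokens)


def parse_sddl(sddl: str) -> dict:
    """Return {'dacl': [...], 'sacl': [...]} as ACE dicts in stored order.
    Only the D: and S: sections occur in this descriptor (no O:/G:)."""
    sd = {"dacl": [], "sacl": []}
    for section, body in SECTION_RE.findall(sddl):
        for ace in ACE_RE.findall(body):
            # ACE string: type;flags;rights;object_guid;inherit_object_guid;sid
            ace_type, flags, rights, _obj_guid, _inherit_guid, sid = ace.split(";")
            sd["dacl" if section == "D" else "sacl"].append({
                "type": ACE_TYPES[ace_type], "flags": flags,
                "rights": parse_rights(rights), "trustee": TRUSTEES.get(sid, sid)})
    return sd


def access_check(dacl: list, trustee: str, requested: set) -> bool:
    """First-match DACL walk: an allow ACE for the trustee removes its rights
    from the outstanding request and succeeds once nothing is outstanding; a
    deny ACE overlapping the outstanding request fails immediately; running
    off the end with rights still outstanding is a denial."""
    remaining = set(requested)
    for ace in dacl:
        if ace["trustee"] != trustee:
            continue
        if ace["type"] == "allow":
            remaining -= ace["rights"]
            if not remaining:
                return True
        elif ace["type"] == "deny" and remaining & ace["rights"]:
            return False
    return False


def effective_rights(dacl: list, trustee: str) -> set:
    """Every service right the trustee is granted when it is requested on its own."""
    return {r for r in SERVICE_RIGHTS.values() if access_check(dacl, trustee, {r})}


if __name__ == "__main__":
    sd = parse_sddl(GLUPTEBA_SDDL)
    for ace in sd["dacl"]:
        print(ace["type"], ace["trustee"], " ".join(sorted(ace["rights"])))
    for sid in ("SY", "BA", "IU"):
        who = TRUSTEES[sid]
        print(who, "can stop/pause:",
              access_check(sd["dacl"], who, {"SERVICE_STOP", "SERVICE_PAUSE_CONTINUE"}),
              "can rewrite DACL:", access_check(sd["dacl"], who, {"WRITE_DAC"}))
```

Running the block prints the five DACL entries and then shows SYSTEM with stop/pause, Administrators without stop/pause but with WRITE_DAC, and INTERACTIVE with neither. The same decoder applied to the output of `sc sdshow <service>` on a live host is a quick way to spot services whose DACL denies Administrators SERVICE_STOP.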

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.155:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 155.61.62.23.in-addr.arpa udp
NL 23.62.61.155:443 www.bing.com tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 31.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 afee2664-06fe-4ee1-8146-ddcc9db20164.uuid.statscreate.org udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 58.99.105.20.in-addr.arpa udp
US 8.8.8.8:53 stun.l.google.com udp
US 8.8.8.8:53 server2.statscreate.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 74.125.250.129:19302 stun.l.google.com udp
US 8.8.8.8:53 129.250.125.74.in-addr.arpa udp
BG 185.82.216.96:443 server2.statscreate.org tcp
US 8.8.8.8:53 carsalessystem.com udp
US 104.21.94.82:443 carsalessystem.com tcp
US 8.8.8.8:53 233.135.159.162.in-addr.arpa udp
US 8.8.8.8:53 96.216.82.185.in-addr.arpa udp
US 8.8.8.8:53 82.94.21.104.in-addr.arpa udp
BG 185.82.216.96:443 server2.statscreate.org tcp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
BG 185.82.216.96:443 server2.statscreate.org tcp

Files

memory/1944-1-0x0000000004810000-0x0000000004C09000-memory.dmp

memory/1944-2-0x0000000004C10000-0x00000000054FB000-memory.dmp

memory/1944-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1996-5-0x0000000004CA0000-0x0000000004CD6000-memory.dmp

memory/1996-6-0x0000000074D8E000-0x0000000074D8F000-memory.dmp

memory/1996-7-0x0000000005310000-0x0000000005938000-memory.dmp

memory/1996-8-0x0000000074D80000-0x0000000075530000-memory.dmp

memory/1944-4-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/1996-9-0x0000000074D80000-0x0000000075530000-memory.dmp

memory/1996-10-0x0000000005290000-0x00000000052B2000-memory.dmp

memory/1996-11-0x0000000005AF0000-0x0000000005B56000-memory.dmp

memory/1996-12-0x0000000005C10000-0x0000000005C76000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rqeldyjw.b2r.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1996-22-0x0000000005D80000-0x00000000060D4000-memory.dmp

memory/1996-23-0x0000000006240000-0x000000000625E000-memory.dmp

memory/1996-24-0x0000000006290000-0x00000000062DC000-memory.dmp

memory/1996-25-0x00000000067A0000-0x00000000067E4000-memory.dmp

memory/1996-26-0x0000000007570000-0x00000000075E6000-memory.dmp

memory/1996-27-0x0000000007C70000-0x00000000082EA000-memory.dmp

memory/1996-28-0x0000000007610000-0x000000000762A000-memory.dmp

memory/1996-29-0x00000000077C0000-0x00000000077F2000-memory.dmp

memory/1996-30-0x0000000070C20000-0x0000000070C6C000-memory.dmp

memory/1996-42-0x0000000007800000-0x000000000781E000-memory.dmp

memory/1996-37-0x0000000074D80000-0x0000000075530000-memory.dmp

memory/1996-31-0x0000000070DA0000-0x00000000710F4000-memory.dmp

memory/1996-43-0x0000000074D80000-0x0000000075530000-memory.dmp

memory/1996-44-0x0000000007820000-0x00000000078C3000-memory.dmp

memory/1996-45-0x0000000007910000-0x000000000791A000-memory.dmp

memory/1996-46-0x0000000007A20000-0x0000000007AB6000-memory.dmp

memory/1996-47-0x0000000007920000-0x0000000007931000-memory.dmp

memory/1996-48-0x0000000007960000-0x000000000796E000-memory.dmp

memory/1996-49-0x0000000007980000-0x0000000007994000-memory.dmp

memory/1996-50-0x00000000079C0000-0x00000000079DA000-memory.dmp

memory/1996-51-0x00000000079B0000-0x00000000079B8000-memory.dmp

memory/1996-54-0x0000000074D80000-0x0000000075530000-memory.dmp

memory/1944-57-0x0000000004C10000-0x00000000054FB000-memory.dmp

memory/1944-58-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1944-55-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/3644-64-0x00000000055B0000-0x0000000005904000-memory.dmp

memory/3644-69-0x0000000005E60000-0x0000000005EAC000-memory.dmp

memory/2392-70-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/3644-72-0x00000000714C0000-0x0000000071814000-memory.dmp

memory/3644-71-0x0000000070D20000-0x0000000070D6C000-memory.dmp

memory/3644-82-0x0000000006DB0000-0x0000000006E53000-memory.dmp

memory/3644-83-0x00000000070E0000-0x00000000070F1000-memory.dmp

memory/3644-84-0x0000000007130000-0x0000000007144000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 ce06da3724e6911658621f4763f575dd
SHA1 48716eb4989be82bd7025059cb66b638d6e58811
SHA256 23b03d7efdf804514218c39464c932dc3c7f0c311b8dfad14868e08c782a49f0
SHA512 7caa5dd7b2847892bd107a696334c59ae86fa0f5b2ad10f167dbd45a6bbde98a10122260c16de55a165a2131724ae1ed7a281f103abb6b2aaf73df227af3f762

memory/1400-98-0x0000000070D20000-0x0000000070D6C000-memory.dmp

memory/1400-99-0x00000000714C0000-0x0000000071814000-memory.dmp

memory/2032-119-0x00000000057D0000-0x0000000005B24000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 0853c927803c51f61f895d5d0dc121ef
SHA1 04396954d474367485b19344a42bb7efbaad1b2e
SHA256 f17b6c04fb8f050a1855924cca66a87cc676d8025431f8b92c6a2352e76b62b4
SHA512 1ec7cf8211efca53f1f8cbb5af8e2260dee02a3b3f372423caf0acfdf2f7778ea81e2696ac8032ef6505e8622f655a36615a0b6fc8e8485eddb4a183496ca99d

memory/2032-121-0x0000000070D20000-0x0000000070D6C000-memory.dmp

memory/2032-122-0x0000000070EA0000-0x00000000711F4000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 950ebbafbafdf050c1f725268544bfc6
SHA1 7357dc12488596959b2eaa088a6f9773d5623672
SHA256 2aecfb9370460b488abd4f1fb79fe3d657346634f7f51462ac34971005d05472
SHA512 c485983bb4afda16aee280cce4701c324e9815d9f6a268e20bbef6df5bbd116dc5e8fdc5ecb4d4abaaf07b5f78815a5f3fd53604270e27270580dc200be1e2c2

memory/2392-133-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/2392-138-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/4268-145-0x0000000005C40000-0x0000000005F94000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 06e44b18c4f88adf24b961328dc82b7b
SHA1 2115d8a9ac2e8695e7d22a370d7c2a3d4687d163
SHA256 d1e79d873bae864e271bc54dd6e6a26b3e5febba290fd33e6d742dd9605ffabd
SHA512 9d7c6426ad396361c8c06a5028074c183cb073ba69981899992b7b4189e686adc705c08013bc3a6993ca8a6bf5cc087a925163df4144d2eaf501a618ee11286f

memory/4268-151-0x00000000068A0000-0x00000000068EC000-memory.dmp

memory/4268-152-0x0000000070C80000-0x0000000070CCC000-memory.dmp

memory/4268-153-0x0000000071420000-0x0000000071774000-memory.dmp

memory/4268-163-0x0000000007590000-0x0000000007633000-memory.dmp

memory/4268-164-0x0000000007920000-0x0000000007931000-memory.dmp

memory/4268-165-0x0000000006160000-0x0000000006174000-memory.dmp

memory/4192-176-0x00000000055C0000-0x0000000005914000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 9e057509324604d90cfc2eec89981ca4
SHA1 5b87fec93d3b6fe98c40c103202f74aa3914c391
SHA256 fa9f7e92f142d2e12fbe15ea90bf92a4e811a96b0a0970a9362ea5df6afd4903
SHA512 45637de1026e17f9397dcca24ab8b2d919dc3474db8e5560cca0b47164bfa74004aac89743599dc35bc3e8380d7e88daef85d12ed144912e78adc508cc78ceab

memory/4192-178-0x0000000005D10000-0x0000000005D5C000-memory.dmp

memory/4192-179-0x0000000070BA0000-0x0000000070BEC000-memory.dmp

memory/4192-180-0x0000000071330000-0x0000000071684000-memory.dmp

memory/4192-190-0x0000000006EB0000-0x0000000006F53000-memory.dmp

memory/4192-191-0x0000000007230000-0x0000000007241000-memory.dmp

memory/4192-192-0x0000000005A60000-0x0000000005A74000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 f156f769f5dcefd9c85203e42d984c7d
SHA1 bb7d5fa252d8c4fec10d3d30a427f0e4becb4b7c
SHA256 9433e12af2111fdafb75847ed24ead5dc329d80daa41ffa5b6d31aef3fb12c74
SHA512 9acf81ac692c9f25e9fcb325c8ca2aeb515be20decf2a6a1a8022f8b2bd5713d3b96845920187d7eb9f16344a9b41410a4adea251b83a8d2ce32252dd174a8c4

memory/944-204-0x0000000070BA0000-0x0000000070BEC000-memory.dmp

memory/944-205-0x0000000071330000-0x0000000071684000-memory.dmp

memory/3676-215-0x0000000000400000-0x0000000002B0B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/3676-222-0x0000000000400000-0x0000000002B0B000-memory.dmp

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/4176-227-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4176-230-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4536-229-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3676-231-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/4536-232-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3676-233-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/3676-235-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/4536-236-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3676-237-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/3676-239-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/3676-241-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/3676-243-0x0000000000400000-0x0000000002B0B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-15 18:07

Reported

2024-05-15 18:10

Platform

win11-20240508-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2aecfb9370460b488abd4f1fb79fe3d657346634f7f51462ac34971005d05472.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\2aecfb9370460b488abd4f1fb79fe3d657346634f7f51462ac34971005d05472.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\2aecfb9370460b488abd4f1fb79fe3d657346634f7f51462ac34971005d05472.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\2aecfb9370460b488abd4f1fb79fe3d657346634f7f51462ac34971005d05472.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\2aecfb9370460b488abd4f1fb79fe3d657346634f7f51462ac34971005d05472.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
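
The persistence and defence-evasion steps recorded in this section and in the behavioral1 process list (the netsh allow rule for C:\Windows\rss\csrss.exe, the ONLOGON task created with /RL HIGHEST, the Run key under the user hive, the `sc sdset` DACL with a deny ACE for Administrators, and csrss.exe running from C:\Windows\rss instead of System32) are all visible on the command line or in the registry path, which makes them cheap to detect. The code below is an added example, not part of this report or of any vendor ruleset: it runs five rules over constructed events that use Sysmon field names (Event ID 1: Image and CommandLine; Event ID 13: TargetObject and Details). The malicious values are copied from this report; the benign rows are invented look-alikes so that each rule is also exercised with a negative case. The rule names and the short MASQUERADE_NAMES list are this example's own.

```python
"""Detections for the persistence and defence-evasion commands in this report,
run over constructed Sysmon-style events.

Added example for this report, not code from the sample, the sandbox or any
vendor ruleset. Event dicts use Sysmon field names (Event ID 1: Image and
CommandLine; Event ID 13: TargetObject and Details). The malicious values are
copied from the report; the benign rows are invented look-alikes so that each
rule is exercised with a negative case. Rule names are this example's own.
"""
import re
from typing import Dict, List, Tuple

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Process names that only run legitimately from a system directory
# (short illustrative list; extend it for production use).
MASQUERADE_NAMES = {"csrss.exe", "smss.exe", "lsass.exe", "services.exe", "wininit.exe"}

FW_PROGRAM = re.compile(r'program=(?:"([^"]*)"|(\S+))', re.I)   # netsh ... program="x"
TASK_RUN = re.compile(r'/TR\s+(?:"([^"]*)"|(\S+))', re.I)        # schtasks ... /TR "x"
SDDL_DENY_BA = re.compile(r"\(D;[^)]*;;;BA\)")                    # deny ACE for Administrators

EVENTS: List[Dict[str, str]] = [
    # Malicious rows: values copied from this report.
    {"EventID": "1", "Image": r"C:\Windows\system32\netsh.exe",
     "CommandLine": r'netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes'},
    {"EventID": "1", "Image": r"C:\Windows\SYSTEM32\schtasks.exe",
     "CommandLine": r'schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F'},
    {"EventID": "1", "Image": r"C:\Windows\SysWOW64\sc.exe",
     "CommandLine": "sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)"
                    "(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"},
    {"EventID": "1", "Image": r"C:\Windows\rss\csrss.exe", "CommandLine": r"C:\Windows\rss\csrss.exe"},
    {"EventID": "13", "Image": r"C:\Windows\rss\csrss.exe",
     "TargetObject": r"\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss",
     "Details": r'"C:\Windows\rss\csrss.exe"'},
    # Benign look-alikes (constructed): the real csrss, a vendor firewall rule,
    # a non-elevated daily task and a user Run entry.
    {"EventID": "1", "Image": r"C:\Windows\System32\csrss.exe",
     "CommandLine": r"%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows"},
    {"EventID": "1", "Image": r"C:\Windows\System32\netsh.exe",
     "CommandLine": r'netsh advfirewall firewall add rule name="Backup Agent" dir=in action=allow program="C:\Program Files\Backup\agent.exe" enable=yes'},
    {"EventID": "1", "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /CREATE /SC DAILY /TR "C:\Program Files\Backup\agent.exe" /TN BackupDaily /F'},
    {"EventID": "13", "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe"'},
]


def norm(path: str) -> str:
    """Lower-case a path and strip surrounding quotes so comparisons are stable."""
    return path.strip().strip('"').lower()


def in_system_dir(path: str) -> bool:
    return norm(path).startswith(SYSTEM_DIRS)


def basename(path: str) -> str:
    return norm(path).rsplit("\\", 1)[-1]


def suspicious_program(path: str) -> bool:
    """A target that borrows a system-process name outside System32/SysWOW64,
    or that lives under C:\\Windows outside those directories (C:\\Windows\\rss
    and C:\\Windows\\windefender.exe in this report)."""
    p = norm(path)
    return not in_system_dir(p) and (basename(p) in MASQUERADE_NAMES or p.startswith("c:\\windows\\"))


def _captured(m) -> str:
    """Quoted or bare path captured by FW_PROGRAM / TASK_RUN, or '' when absent."""
    return (m.group(1) or m.group(2) or "") if m else ""


def run_rules(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (rule_name, image) for every event that trips a rule, in event order."""
    hits = []
    for ev in events:
        image, cl = ev.get("Image", ""), ev.get("CommandLine", "")
        name, low = basename(image), cl.lower()
        if ev.get("EventID") == "13":
            if "\\currentversion\\run\\" in ev.get("TargetObject", "").lower() \
                    and suspicious_program(ev.get("Details", "")):
                hits.append(("run_key_points_at_suspicious_program", image))
            continue
        if name in MASQUERADE_NAMES and not in_system_dir(image):
            hits.append(("masquerading_system_binary", image))
        if name == "netsh.exe" and "advfirewall" in low and "action=allow" in low \
                and suspicious_program(_captured(FW_PROGRAM.search(cl))):
            hits.append(("firewall_allow_for_suspicious_program", image))
        if name == "schtasks.exe" and "/create" in low and "/rl highest" in low \
                and suspicious_program(_captured(TASK_RUN.search(cl))):
            hits.append(("scheduled_task_highest_for_suspicious_program", image))
        if name == "sc.exe" and "sdset" in low and SDDL_DENY_BA.search(cl):
            hits.append(("service_dacl_denies_administrators", image))
    return hits


if __name__ == "__main__":
    for rule, image in run_rules(EVENTS):
        print(rule, "<-", image)
```

The first five constructed events each trip exactly one rule and the four benign ones trip none. The path test in `suspicious_program` is deliberately narrow (system-process names outside System32, or anything under C:\Windows that is not in System32/SysWOW64) so that a vendor agent under Program Files or a user-hive Run entry for OneDrive does not fire; on a real estate the list of masqueraded names and the allowed locations need tuning against your own baseline.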

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-502 = "Nepal Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-531 = "Sri Lanka Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-271 = "Greenwich Daylight Time" C:\Users\Admin\AppData\Local\Temp\2aecfb9370460b488abd4f1fb79fe3d657346634f7f51462ac34971005d05472.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2891 = "Sudan Daylight Time" C:\Users\Admin\AppData\Local\Temp\2aecfb9370460b488abd4f1fb79fe3d657346634f7f51462ac34971005d05472.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2531 = "Chatham Islands Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-271 = "Greenwich Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-932 = "Coordinated Universal Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-91 = "Pacific SA Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1931 = "Russia TZ 11 Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-561 = "SE Asia Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2371 = "Easter Island Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2041 = "Eastern Daylight Time (Mexico)" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2531 = "Chatham Islands Daylight Time" C:\Users\Admin\AppData\Local\Temp\2aecfb9370460b488abd4f1fb79fe3d657346634f7f51462ac34971005d05472.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2372 = "Easter Island Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-842 = "Argentina Standard Time" C:\Users\Admin\AppData\Local\Temp\2aecfb9370460b488abd4f1fb79fe3d657346634f7f51462ac34971005d05472.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-282 = "Central Europe Standard Time" C:\Users\Admin\AppData\Local\Temp\2aecfb9370460b488abd4f1fb79fe3d657346634f7f51462ac34971005d05472.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-214 = "Pacific Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\2aecfb9370460b488abd4f1fb79fe3d657346634f7f51462ac34971005d05472.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2591 = "Tocantins Daylight Time" C:\Users\Admin\AppData\Local\Temp\2aecfb9370460b488abd4f1fb79fe3d657346634f7f51462ac34971005d05472.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-402 = "Arabic Standard Time" C:\Users\Admin\AppData\Local\Temp\2aecfb9370460b488abd4f1fb79fe3d657346634f7f51462ac34971005d05472.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-105 = "Central Brazilian Standard Time" C:\Users\Admin\AppData\Local\Temp\2aecfb9370460b488abd4f1fb79fe3d657346634f7f51462ac34971005d05472.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-342 = "Egypt Standard Time" C:\Users\Admin\AppData\Local\Temp\2aecfb9370460b488abd4f1fb79fe3d657346634f7f51462ac34971005d05472.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-601 = "Taipei Daylight Time" C:\Users\Admin\AppData\Local\Temp\2aecfb9370460b488abd4f1fb79fe3d657346634f7f51462ac34971005d05472.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-11 = "Azores Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2341 = "Haiti Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2142 = "Transbaikal Standard Time" C:\Users\Admin\AppData\Local\Temp\2aecfb9370460b488abd4f1fb79fe3d657346634f7f51462ac34971005d05472.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2002 = "Cabo Verde Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-331 = "E. Europe Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-502 = "Nepal Standard Time" C:\Users\Admin\AppData\Local\Temp\2aecfb9370460b488abd4f1fb79fe3d657346634f7f51462ac34971005d05472.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-362 = "GTB Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2411 = "Marquesas Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1891 = "Russia TZ 3 Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2322 = "Sakhalin Standard Time" C:\Windows\windefender.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1841 = "Russia TZ 4 Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-231 = "Hawaiian Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-841 = "Argentina Daylight Time" C:\Users\Admin\AppData\Local\Temp\2aecfb9370460b488abd4f1fb79fe3d657346634f7f51462ac34971005d05472.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2791 = "Novosibirsk Daylight Time" C:\Users\Admin\AppData\Local\Temp\2aecfb9370460b488abd4f1fb79fe3d657346634f7f51462ac34971005d05472.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1871 = "Russia TZ 7 Daylight Time" C:\Users\Admin\AppData\Local\Temp\2aecfb9370460b488abd4f1fb79fe3d657346634f7f51462ac34971005d05472.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1831 = "Russia TZ 2 Daylight Time" C:\Users\Admin\AppData\Local\Temp\2aecfb9370460b488abd4f1fb79fe3d657346634f7f51462ac34971005d05472.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2aecfb9370460b488abd4f1fb79fe3d657346634f7f51462ac34971005d05472.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2aecfb9370460b488abd4f1fb79fe3d657346634f7f51462ac34971005d05472.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2aecfb9370460b488abd4f1fb79fe3d657346634f7f51462ac34971005d05472.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2aecfb9370460b488abd4f1fb79fe3d657346634f7f51462ac34971005d05472.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2aecfb9370460b488abd4f1fb79fe3d657346634f7f51462ac34971005d05472.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2aecfb9370460b488abd4f1fb79fe3d657346634f7f51462ac34971005d05472.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2aecfb9370460b488abd4f1fb79fe3d657346634f7f51462ac34971005d05472.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2aecfb9370460b488abd4f1fb79fe3d657346634f7f51462ac34971005d05472.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2aecfb9370460b488abd4f1fb79fe3d657346634f7f51462ac34971005d05472.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2aecfb9370460b488abd4f1fb79fe3d657346634f7f51462ac34971005d05472.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2aecfb9370460b488abd4f1fb79fe3d657346634f7f51462ac34971005d05472.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2aecfb9370460b488abd4f1fb79fe3d657346634f7f51462ac34971005d05472.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2aecfb9370460b488abd4f1fb79fe3d657346634f7f51462ac34971005d05472.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2aecfb9370460b488abd4f1fb79fe3d657346634f7f51462ac34971005d05472.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1120 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\Temp\2aecfb9370460b488abd4f1fb79fe3d657346634f7f51462ac34971005d05472.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1120 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\Temp\2aecfb9370460b488abd4f1fb79fe3d657346634f7f51462ac34971005d05472.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1120 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\Temp\2aecfb9370460b488abd4f1fb79fe3d657346634f7f51462ac34971005d05472.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5060 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Local\Temp\2aecfb9370460b488abd4f1fb79fe3d657346634f7f51462ac34971005d05472.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5060 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Local\Temp\2aecfb9370460b488abd4f1fb79fe3d657346634f7f51462ac34971005d05472.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5060 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Local\Temp\2aecfb9370460b488abd4f1fb79fe3d657346634f7f51462ac34971005d05472.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5060 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\2aecfb9370460b488abd4f1fb79fe3d657346634f7f51462ac34971005d05472.exe C:\Windows\system32\cmd.exe
PID 5060 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\2aecfb9370460b488abd4f1fb79fe3d657346634f7f51462ac34971005d05472.exe C:\Windows\system32\cmd.exe
PID 2900 wrote to memory of 3084 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2900 wrote to memory of 3084 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 5060 wrote to memory of 4588 N/A C:\Users\Admin\AppData\Local\Temp\2aecfb9370460b488abd4f1fb79fe3d657346634f7f51462ac34971005d05472.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5060 wrote to memory of 4588 N/A C:\Users\Admin\AppData\Local\Temp\2aecfb9370460b488abd4f1fb79fe3d657346634f7f51462ac34971005d05472.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5060 wrote to memory of 4588 N/A C:\Users\Admin\AppData\Local\Temp\2aecfb9370460b488abd4f1fb79fe3d657346634f7f51462ac34971005d05472.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5060 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\2aecfb9370460b488abd4f1fb79fe3d657346634f7f51462ac34971005d05472.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5060 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\2aecfb9370460b488abd4f1fb79fe3d657346634f7f51462ac34971005d05472.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5060 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\2aecfb9370460b488abd4f1fb79fe3d657346634f7f51462ac34971005d05472.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5060 wrote to memory of 1160 N/A C:\Users\Admin\AppData\Local\Temp\2aecfb9370460b488abd4f1fb79fe3d657346634f7f51462ac34971005d05472.exe C:\Windows\rss\csrss.exe
PID 5060 wrote to memory of 1160 N/A C:\Users\Admin\AppData\Local\Temp\2aecfb9370460b488abd4f1fb79fe3d657346634f7f51462ac34971005d05472.exe C:\Windows\rss\csrss.exe
PID 5060 wrote to memory of 1160 N/A C:\Users\Admin\AppData\Local\Temp\2aecfb9370460b488abd4f1fb79fe3d657346634f7f51462ac34971005d05472.exe C:\Windows\rss\csrss.exe
PID 1160 wrote to memory of 4604 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1160 wrote to memory of 4604 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1160 wrote to memory of 4604 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1160 wrote to memory of 4488 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1160 wrote to memory of 4488 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1160 wrote to memory of 4488 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1160 wrote to memory of 1604 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1160 wrote to memory of 1604 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1160 wrote to memory of 1604 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1160 wrote to memory of 5056 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 1160 wrote to memory of 5056 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 3996 wrote to memory of 2632 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 3996 wrote to memory of 2632 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 3996 wrote to memory of 2632 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 2632 wrote to memory of 3464 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 2632 wrote to memory of 3464 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 2632 wrote to memory of 3464 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\2aecfb9370460b488abd4f1fb79fe3d657346634f7f51462ac34971005d05472.exe

"C:\Users\Admin\AppData\Local\Temp\2aecfb9370460b488abd4f1fb79fe3d657346634f7f51462ac34971005d05472.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\2aecfb9370460b488abd4f1fb79fe3d657346634f7f51462ac34971005d05472.exe

"C:\Users\Admin\AppData\Local\Temp\2aecfb9370460b488abd4f1fb79fe3d657346634f7f51462ac34971005d05472.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 dd2f9d0f-cae5-4aeb-bceb-fb0408e43a6c.uuid.statscreate.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 server7.statscreate.org udp
US 162.159.133.233:443 cdn.discordapp.com tcp
BG 185.82.216.96:443 server7.statscreate.org tcp
US 74.125.250.129:19302 stun3.l.google.com udp
US 104.21.94.82:443 carsalessystem.com tcp
BG 185.82.216.96:443 server7.statscreate.org tcp
BG 185.82.216.96:443 server7.statscreate.org tcp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2zrdk31d.e4u.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 ac4917a885cf6050b1a483e4bc4d2ea5
SHA1 b1c0a9f27bd21c6bbb8e9be70db8777b4a2a640f
SHA256 e39062a62c3c7617feeeff95ea8a0be51104a0d36f46e44eea22556fda74d8d9
SHA512 092c67a3ecae1d187cad72a8ea1ea37cb78a0cf79c2cd7fb88953e5990669a2e871267015762fd46d274badb88ac0c1d73b00f1df7394d89bed48a3a45c2ba3d

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 10401951a228f8748ba6251855c458b8
SHA1 562e9dcfc215568f5bf3f62cdba35328b7d9112a
SHA256 73d3c8ba0ab7d4e66d71ef931653787598c415cc46f1eb131003609e778aed5a
SHA512 086b7761e4f21514441668abbb4b4d100d37645c607d70be5ed9010a678b9b7e802b36063d404c1f86735b7b347a7b0ec54c641d8a5cea44699c266f19fa6c7e

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 95fdc6bd6a2c97404aa0b495435a988b
SHA1 fbdfc2a09ddab0dc05ed3bfe784cb0286eb5fc1c
SHA256 b1fed3305e5654f70bc2433d74d3ee44d2d9121ab875522c898667dde5f2766e
SHA512 e8e32fe540f0146f2eaa44a43a183c92469f88bbe7b98ca3db31023b3d522af2c21433a8879a81dca5aab99338aa6803ff27ede6f2c1993909ab00f036613f23

C:\Windows\rss\csrss.exe

MD5 950ebbafbafdf050c1f725268544bfc6
SHA1 7357dc12488596959b2eaa088a6f9773d5623672
SHA256 2aecfb9370460b488abd4f1fb79fe3d657346634f7f51462ac34971005d05472
SHA512 c485983bb4afda16aee280cce4701c324e9815d9f6a268e20bbef6df5bbd116dc5e8fdc5ecb4d4abaaf07b5f78815a5f3fd53604270e27270580dc200be1e2c2

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 de245d1b835106f4c5a7036c34d154ca
SHA1 8a2986a1b655e87d36ee4c4fc3ff76f7f9786609
SHA256 26e5d1553c43b8404b17b0fd7ca37726a9cb5e281e1db66c66facac6b76c93fa
SHA512 cdc372d6504e1ddd957c3279ec48fab610a9a73795f36ee0883551f8377322db0e36d4f583261b603f3f4e2e1bc05a367bc8e3989535344a5a105884ed25f632

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 a2014c615774b504873776453f0fdf15
SHA1 8d5eda53ea31b09d8f459ef568aedefe11f13bc4
SHA256 435a641b2ebf9d903f1a21e1351030927e1291d3e576327d1826042bf79cc017
SHA512 7477811ba827913f7cec4a586550ec96fb8b0cb3e43a24d4e6e770ddcddee7c4f47f83b429d05bac243be0f0dd86560fd859c1ae5e8e20940d66373b34d5ea84

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 ba4410878dfadaf9cfcf7a4094545b9d
SHA1 d1d2ec407c5c00ec3ec69868f41cd6f10a191433
SHA256 b836878035f03b3181e46c50034c66926024a3c645c25f3a51b1d802f7ef0a2e
SHA512 aa5dbd22ab2589cfec2366b48fd80fc864f5c7225f0decd885919124b2118118bba89ab9eb8040a019771beca2f5676fd128f8ffcde2592e8e98a152c93e3121

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec
