Malware Analysis Report

2025-01-02 06:40

Sample ID: 240515-wxm1jsdb3z
Target: 11a911cc71a8c15de4924ba03c84d1dafad9c23b535107268fb6e210fc46cfd7
SHA256: 11a911cc71a8c15de4924ba03c84d1dafad9c23b535107268fb6e210fc46cfd7
Tags: glupteba discovery dropper evasion execution loader persistence rootkit upx
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: 11a911cc71a8c15de4924ba03c84d1dafad9c23b535107268fb6e210fc46cfd7

Threat Level: Known bad

The file 11a911cc71a8c15de4924ba03c84d1dafad9c23b535107268fb6e210fc46cfd7 was found to be: Known bad.

Malicious Activity Summary

glupteba discovery dropper evasion execution loader persistence rootkit upx

Glupteba

Glupteba payload

Modifies Windows Firewall

UPX packed file

Executes dropped EXE

Checks installed software on the system

Adds Run key to start application

Manipulates WinMonFS driver.

Drops file in System32 directory

Launches sc.exe

Drops file in Windows directory

Checks for VirtualBox DLLs, possible anti-VM trick

Command and Scripting Interpreter: PowerShell

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-05-15 18:18

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-05-15 18:18

Reported: 2024-05-15 18:20

Platform: win10v2004-20240426-en

Max time kernel: 150s

Max time network: 153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\11a911cc71a8c15de4924ba03c84d1dafad9c23b535107268fb6e210fc46cfd7.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description | Indicator | Process | Target
17 hits recorded; the sandbox reported no description, indicator, process or target for any of them (all fields N/A).

Modifies Windows Firewall

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\netsh.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\rss\csrss.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Windows\windefender.exe | N/A
N/A | N/A | C:\Windows\windefender.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
6 hits recorded; the sandbox reported no description, indicator, process or target for any of them (all fields N/A).

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Users\Admin\AppData\Local\Temp\11a911cc71a8c15de4924ba03c84d1dafad9c23b535107268fb6e210fc46cfd7.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Windows\rss\csrss.exe | N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description | Indicator | Process | Target
File opened for modification | \??\WinMonFS | C:\Windows\rss\csrss.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description | Indicator | Process | Target
File opened (read-only) | \??\VBoxMiniRdrDN | C:\Users\Admin\AppData\Local\Temp\11a911cc71a8c15de4924ba03c84d1dafad9c23b535107268fb6e210fc46cfd7.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\rss | C:\Users\Admin\AppData\Local\Temp\11a911cc71a8c15de4924ba03c84d1dafad9c23b535107268fb6e210fc46cfd7.exe | N/A
File created | C:\Windows\rss\csrss.exe | C:\Users\Admin\AppData\Local\Temp\11a911cc71a8c15de4924ba03c84d1dafad9c23b535107268fb6e210fc46cfd7.exe | N/A
File created | C:\Windows\windefender.exe | C:\Windows\rss\csrss.exe | N/A
File opened for modification | C:\Windows\windefender.exe | C:\Windows\rss\csrss.exe | N/A

Launches sc.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A
N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A

Modifies data under HKEY_USERS

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-931 = "Coordinated Universal Time" | C:\Users\Admin\AppData\Local\Temp\11a911cc71a8c15de4924ba03c84d1dafad9c23b535107268fb6e210fc46cfd7.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2371 = "Easter Island Daylight Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1821 = "Russia TZ 1 Daylight Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-621 = "Korea Daylight Time" | C:\Users\Admin\AppData\Local\Temp\11a911cc71a8c15de4924ba03c84d1dafad9c23b535107268fb6e210fc46cfd7.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-222 = "Alaskan Standard Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-434 = "Georgian Daylight Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1832 = "Russia TZ 2 Standard Time" | C:\Windows\windefender.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-261 = "GMT Daylight Time" | C:\Users\Admin\AppData\Local\Temp\11a911cc71a8c15de4924ba03c84d1dafad9c23b535107268fb6e210fc46cfd7.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-111 = "Eastern Daylight Time" | C:\Users\Admin\AppData\Local\Temp\11a911cc71a8c15de4924ba03c84d1dafad9c23b535107268fb6e210fc46cfd7.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-81 = "Atlantic Daylight Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1912 = "Russia TZ 10 Standard Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-492 = "India Standard Time" | C:\Users\Admin\AppData\Local\Temp\11a911cc71a8c15de4924ba03c84d1dafad9c23b535107268fb6e210fc46cfd7.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2841 = "Saratov Daylight Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-214 = "Pacific Daylight Time (Mexico)" | C:\Users\Admin\AppData\Local\Temp\11a911cc71a8c15de4924ba03c84d1dafad9c23b535107268fb6e210fc46cfd7.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2591 = "Tocantins Daylight Time" | C:\Users\Admin\AppData\Local\Temp\11a911cc71a8c15de4924ba03c84d1dafad9c23b535107268fb6e210fc46cfd7.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-182 = "Mountain Standard Time (Mexico)" | C:\Users\Admin\AppData\Local\Temp\11a911cc71a8c15de4924ba03c84d1dafad9c23b535107268fb6e210fc46cfd7.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-272 = "Greenwich Standard Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-981 = "Kamchatka Daylight Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-621 = "Korea Daylight Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-302 = "Romance Standard Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-242 = "Samoa Standard Time" | C:\Windows\windefender.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-662 = "Cen. Australia Standard Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2511 = "Lord Howe Daylight Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2321 = "Sakhalin Daylight Time" | C:\Users\Admin\AppData\Local\Temp\11a911cc71a8c15de4924ba03c84d1dafad9c23b535107268fb6e210fc46cfd7.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2342 = "Haiti Standard Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-92 = "Pacific SA Standard Time" | C:\Windows\windefender.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-51 = "Greenland Daylight Time" | C:\Users\Admin\AppData\Local\Temp\11a911cc71a8c15de4924ba03c84d1dafad9c23b535107268fb6e210fc46cfd7.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-335 = "Jordan Standard Time" | C:\Users\Admin\AppData\Local\Temp\11a911cc71a8c15de4924ba03c84d1dafad9c23b535107268fb6e210fc46cfd7.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-432 = "Iran Standard Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2372 = "Easter Island Standard Time" | C:\Users\Admin\AppData\Local\Temp\11a911cc71a8c15de4924ba03c84d1dafad9c23b535107268fb6e210fc46cfd7.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2391 = "Aleutian Daylight Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-12 = "Azores Standard Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1721 = "Libya Daylight Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1871 = "Russia TZ 7 Daylight Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-32 = "Mid-Atlantic Standard Time" | C:\Users\Admin\AppData\Local\Temp\11a911cc71a8c15de4924ba03c84d1dafad9c23b535107268fb6e210fc46cfd7.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
64 hits recorded, none with a description, indicator or target (all N/A); by process:
  C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | 32 hits
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | 14 hits
  C:\Users\Admin\AppData\Local\Temp\11a911cc71a8c15de4924ba03c84d1dafad9c23b535107268fb6e210fc46cfd7.exe | 12 hits
  C:\Windows\rss\csrss.exe | 6 hits

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\11a911cc71a8c15de4924ba03c84d1dafad9c23b535107268fb6e210fc46cfd7.exe | N/A
Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\11a911cc71a8c15de4924ba03c84d1dafad9c23b535107268fb6e210fc46cfd7.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\rss\csrss.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\sc.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\sc.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4364 wrote to memory of 1756 | N/A | C:\Users\Admin\AppData\Local\Temp\11a911cc71a8c15de4924ba03c84d1dafad9c23b535107268fb6e210fc46cfd7.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4364 wrote to memory of 1756 | N/A | C:\Users\Admin\AppData\Local\Temp\11a911cc71a8c15de4924ba03c84d1dafad9c23b535107268fb6e210fc46cfd7.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4364 wrote to memory of 1756 | N/A | C:\Users\Admin\AppData\Local\Temp\11a911cc71a8c15de4924ba03c84d1dafad9c23b535107268fb6e210fc46cfd7.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3368 wrote to memory of 3236 | N/A | C:\Users\Admin\AppData\Local\Temp\11a911cc71a8c15de4924ba03c84d1dafad9c23b535107268fb6e210fc46cfd7.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3368 wrote to memory of 3236 | N/A | C:\Users\Admin\AppData\Local\Temp\11a911cc71a8c15de4924ba03c84d1dafad9c23b535107268fb6e210fc46cfd7.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3368 wrote to memory of 3236 | N/A | C:\Users\Admin\AppData\Local\Temp\11a911cc71a8c15de4924ba03c84d1dafad9c23b535107268fb6e210fc46cfd7.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3368 wrote to memory of 2236 | N/A | C:\Users\Admin\AppData\Local\Temp\11a911cc71a8c15de4924ba03c84d1dafad9c23b535107268fb6e210fc46cfd7.exe | C:\Windows\system32\cmd.exe
PID 3368 wrote to memory of 2236 | N/A | C:\Users\Admin\AppData\Local\Temp\11a911cc71a8c15de4924ba03c84d1dafad9c23b535107268fb6e210fc46cfd7.exe | C:\Windows\system32\cmd.exe
PID 2236 wrote to memory of 4508 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\netsh.exe
PID 2236 wrote to memory of 4508 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\netsh.exe
PID 3368 wrote to memory of 2368 | N/A | C:\Users\Admin\AppData\Local\Temp\11a911cc71a8c15de4924ba03c84d1dafad9c23b535107268fb6e210fc46cfd7.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3368 wrote to memory of 2368 | N/A | C:\Users\Admin\AppData\Local\Temp\11a911cc71a8c15de4924ba03c84d1dafad9c23b535107268fb6e210fc46cfd7.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3368 wrote to memory of 2368 | N/A | C:\Users\Admin\AppData\Local\Temp\11a911cc71a8c15de4924ba03c84d1dafad9c23b535107268fb6e210fc46cfd7.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3368 wrote to memory of 2872 | N/A | C:\Users\Admin\AppData\Local\Temp\11a911cc71a8c15de4924ba03c84d1dafad9c23b535107268fb6e210fc46cfd7.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3368 wrote to memory of 2872 | N/A | C:\Users\Admin\AppData\Local\Temp\11a911cc71a8c15de4924ba03c84d1dafad9c23b535107268fb6e210fc46cfd7.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3368 wrote to memory of 2872 | N/A | C:\Users\Admin\AppData\Local\Temp\11a911cc71a8c15de4924ba03c84d1dafad9c23b535107268fb6e210fc46cfd7.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3368 wrote to memory of 3604 | N/A | C:\Users\Admin\AppData\Local\Temp\11a911cc71a8c15de4924ba03c84d1dafad9c23b535107268fb6e210fc46cfd7.exe | C:\Windows\rss\csrss.exe
PID 3368 wrote to memory of 3604 | N/A | C:\Users\Admin\AppData\Local\Temp\11a911cc71a8c15de4924ba03c84d1dafad9c23b535107268fb6e210fc46cfd7.exe | C:\Windows\rss\csrss.exe
PID 3368 wrote to memory of 3604 | N/A | C:\Users\Admin\AppData\Local\Temp\11a911cc71a8c15de4924ba03c84d1dafad9c23b535107268fb6e210fc46cfd7.exe | C:\Windows\rss\csrss.exe
PID 3604 wrote to memory of 444 | N/A | C:\Windows\rss\csrss.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3604 wrote to memory of 444 | N/A | C:\Windows\rss\csrss.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3604 wrote to memory of 444 | N/A | C:\Windows\rss\csrss.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3604 wrote to memory of 388 | N/A | C:\Windows\rss\csrss.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3604 wrote to memory of 388 | N/A | C:\Windows\rss\csrss.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3604 wrote to memory of 388 | N/A | C:\Windows\rss\csrss.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3604 wrote to memory of 688 | N/A | C:\Windows\rss\csrss.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3604 wrote to memory of 688 | N/A | C:\Windows\rss\csrss.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3604 wrote to memory of 688 | N/A | C:\Windows\rss\csrss.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3604 wrote to memory of 3032 | N/A | C:\Windows\rss\csrss.exe | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 3604 wrote to memory of 3032 | N/A | C:\Windows\rss\csrss.exe | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 624 wrote to memory of 4808 | N/A | C:\Windows\windefender.exe | C:\Windows\SysWOW64\cmd.exe
PID 624 wrote to memory of 4808 | N/A | C:\Windows\windefender.exe | C:\Windows\SysWOW64\cmd.exe
PID 624 wrote to memory of 4808 | N/A | C:\Windows\windefender.exe | C:\Windows\SysWOW64\cmd.exe
PID 4808 wrote to memory of 3612 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\sc.exe
PID 4808 wrote to memory of 3612 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\sc.exe
PID 4808 wrote to memory of 3612 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\11a911cc71a8c15de4924ba03c84d1dafad9c23b535107268fb6e210fc46cfd7.exe

"C:\Users\Admin\AppData\Local\Temp\11a911cc71a8c15de4924ba03c84d1dafad9c23b535107268fb6e210fc46cfd7.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\11a911cc71a8c15de4924ba03c84d1dafad9c23b535107268fb6e210fc46cfd7.exe

"C:\Users\Admin\AppData\Local\Temp\11a911cc71a8c15de4924ba03c84d1dafad9c23b535107268fb6e210fc46cfd7.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 98.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
BE 88.221.83.219:443 www.bing.com tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 219.83.221.88.in-addr.arpa udp
BE 88.221.83.219:443 www.bing.com tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 31.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 6de2c687-4b09-4d68-b893-4c94a391d9e9.uuid.statsexplorer.org udp
US 8.8.8.8:53 stun.ipfire.org udp
US 8.8.8.8:53 server16.statsexplorer.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
BG 185.82.216.108:443 server16.statsexplorer.org tcp
US 162.159.130.233:443 cdn.discordapp.com tcp
DE 81.3.27.44:3478 stun.ipfire.org udp
US 8.8.8.8:53 carsalessystem.com udp
US 172.67.221.71:443 carsalessystem.com tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
BG 185.82.216.108:443 server16.statsexplorer.org tcp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
BG 185.82.216.108:443 server16.statsexplorer.org tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 15.173.189.20.in-addr.arpa udp

Files

memory/4364-1-0x0000000004750000-0x0000000004B49000-memory.dmp

memory/4364-2-0x0000000004B50000-0x000000000543B000-memory.dmp

memory/4364-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1756-4-0x000000007424E000-0x000000007424F000-memory.dmp

memory/1756-5-0x0000000002850000-0x0000000002886000-memory.dmp

memory/1756-7-0x00000000051D0000-0x00000000057F8000-memory.dmp

memory/1756-6-0x0000000074240000-0x00000000749F0000-memory.dmp

memory/1756-8-0x0000000074240000-0x00000000749F0000-memory.dmp

memory/1756-9-0x0000000005070000-0x0000000005092000-memory.dmp

memory/1756-10-0x0000000005140000-0x00000000051A6000-memory.dmp

memory/1756-11-0x0000000005800000-0x0000000005866000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bjn5wgzk.3md.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1756-21-0x0000000005870000-0x0000000005BC4000-memory.dmp

memory/1756-22-0x0000000005E30000-0x0000000005E4E000-memory.dmp

memory/1756-23-0x0000000005E60000-0x0000000005EAC000-memory.dmp

memory/1756-24-0x0000000006390000-0x00000000063D4000-memory.dmp

memory/1756-25-0x0000000007170000-0x00000000071E6000-memory.dmp

memory/1756-26-0x0000000007870000-0x0000000007EEA000-memory.dmp

memory/1756-27-0x00000000071F0000-0x000000000720A000-memory.dmp

memory/1756-29-0x00000000700E0000-0x000000007012C000-memory.dmp

memory/1756-41-0x00000000073F0000-0x000000000740E000-memory.dmp

memory/1756-42-0x0000000007410000-0x00000000074B3000-memory.dmp

memory/1756-43-0x0000000074240000-0x00000000749F0000-memory.dmp

memory/1756-44-0x0000000007500000-0x000000000750A000-memory.dmp

memory/1756-31-0x0000000070690000-0x00000000709E4000-memory.dmp

memory/1756-30-0x0000000074240000-0x00000000749F0000-memory.dmp

memory/1756-45-0x00000000075C0000-0x0000000007656000-memory.dmp

memory/1756-28-0x00000000073B0000-0x00000000073E2000-memory.dmp

memory/1756-46-0x0000000007520000-0x0000000007531000-memory.dmp

memory/1756-48-0x0000000007570000-0x0000000007584000-memory.dmp

memory/1756-49-0x0000000007660000-0x000000000767A000-memory.dmp

memory/1756-50-0x00000000075A0000-0x00000000075A8000-memory.dmp

memory/1756-47-0x0000000007560000-0x000000000756E000-memory.dmp

memory/1756-53-0x0000000074240000-0x00000000749F0000-memory.dmp

memory/4364-56-0x0000000004750000-0x0000000004B49000-memory.dmp

memory/4364-55-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/4364-57-0x0000000004B50000-0x000000000543B000-memory.dmp

memory/3236-67-0x0000000005D10000-0x0000000006064000-memory.dmp

memory/3236-71-0x0000000070260000-0x00000000705B4000-memory.dmp

memory/3368-68-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/3236-81-0x0000000007350000-0x00000000073F3000-memory.dmp

memory/4364-70-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3236-69-0x00000000700E0000-0x000000007012C000-memory.dmp

memory/3236-82-0x0000000007660000-0x0000000007671000-memory.dmp

memory/3236-83-0x00000000076B0000-0x00000000076C4000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

memory/2368-96-0x00000000060D0000-0x0000000006424000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 db32a577ff15d64b3c98d83efa5a00a3
SHA1 7e8addf39e8be5351b5657bcd6a4ee48ca38163c
SHA256 8e785a48d6eb52164848247f9999f67e5ba7bb93eb73356481e0a52e4c5c9a1f
SHA512 b1b09449b9e40f587581fbc5e830434bbb5b3c5b194c522732af5c97755e311ede9a8aa74b35f7d2aaaf27bae84279b5b37e582bccdda4f3f68d680f578eca44

memory/2368-99-0x0000000070860000-0x0000000070BB4000-memory.dmp

memory/2368-98-0x00000000700E0000-0x000000007012C000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 3322f66207e3c2492278fc7774579d7b
SHA1 8021dfbb04bb517cb8dfdb08e4f666b93a7295c4
SHA256 c053dd5bc40736c72605b9e1f9bea619bc8d02ef2131525401abac778fe451f8
SHA512 9f91987f945450987b5daa98548c5d9edb01715058dbbfaf342983716cd33a0ad0b812e4854895512309931957f462fb5a29bc3ba8344f89b41d905dc08eb999

memory/2872-122-0x0000000070860000-0x0000000070BB4000-memory.dmp

memory/2872-121-0x00000000700E0000-0x000000007012C000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 1969388dbacca767f429ef13ed09463a
SHA1 5c16463d8dea20fb5f80b4468d27183312162cd4
SHA256 29eccada0679b26c6dc9f4477685de1244882bbaccd5bf5cead8535e23e69bb1
SHA512 2178af10352f58a4a92e422d7e4b6c74e083efc2f92116bc3dbd391e486dd0634d432c83a46ed358b5109409708f9c9cfb0909453d97a74e477302df93929775

C:\Windows\rss\csrss.exe

MD5 7d314377a736fcc2b713471c87c44f1c
SHA1 9783c687a5d85e6fcebce65bc2906aa42defd691
SHA256 11a911cc71a8c15de4924ba03c84d1dafad9c23b535107268fb6e210fc46cfd7
SHA512 92fb249d19097e056da7d426f0d8e6c12af38a0f9d56037dbd9e20a1bb3c2045460ff63e9d622fc6c979d7782dc8b026247936ff7cfb7ec4597ca99e4acf3a8b

memory/3368-138-0x0000000000400000-0x0000000002B0B000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 7107a29b1e542a0b215141abf1c9b5e8
SHA1 106e757864e09cba4fcfddd21bef1cc6f18928ae
SHA256 6beb622e7b6462fb62b846e05f55d38811cb4bffee4214925a86046767763b1b
SHA512 f4135972b1ac45e64b351c36cabc6f357a84b16ff18c50ce56fd22d5acb3e38df1f09f892923eb1449410b46a9d8a2f18516efbdc730a1d368e6839f6ca3e276

memory/3604-149-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/444-151-0x00000000700E0000-0x000000007012C000-memory.dmp

memory/444-152-0x0000000070260000-0x00000000705B4000-memory.dmp

memory/388-163-0x0000000005BC0000-0x0000000005F14000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 74953dc9701620fc31e4c4771f4b7255
SHA1 11c6db92ee94906159eb398c2de68e20cfcc5ceb
SHA256 a491842fa1571ea6f0038d488f3a141b60374c0af58edc67005dde8cf944fa01
SHA512 74170d37c5ff9ce6a30ba566a0e1977ddb84fdcb11ecd456cafdeb9b6a3ae43b8acf445a573c8e1451d0111a236ebbe5fbd5476b6235830c2d44e2c58661bd6c

memory/388-174-0x0000000006810000-0x000000000685C000-memory.dmp

memory/388-175-0x0000000070000000-0x000000007004C000-memory.dmp

memory/388-186-0x0000000007480000-0x0000000007523000-memory.dmp

memory/388-176-0x0000000070790000-0x0000000070AE4000-memory.dmp

memory/388-187-0x00000000077F0000-0x0000000007801000-memory.dmp

memory/388-188-0x0000000006040000-0x0000000006054000-memory.dmp

memory/688-199-0x0000000005A90000-0x0000000005DE4000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 3fa6ba1798ce7a4d9ba3f11f568053b7
SHA1 b1ec222131d08c6913ddaa10eeb6f0f71246a1b4
SHA256 16790ac52a95f0fb88f3ebd9f79bcaa07d5681dc46b6965f3cd5812c5f41be27
SHA512 d1ae24864e2c1978c46a8b1375d780e92a651caf5ea957b6c36971e7049570dc04d478e686356b2ee6876e88aa457142573355f68840e996cbe97ded3328d9a9

memory/688-201-0x0000000070000000-0x000000007004C000-memory.dmp

memory/688-202-0x00000000701A0000-0x00000000704F4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/3604-220-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/624-230-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/1160-228-0x0000000000400000-0x00000000008DF000-memory.dmp

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/624-226-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3604-232-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/1160-235-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3604-236-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/3604-240-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/1160-242-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3604-244-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/3604-248-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/3604-252-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/3604-256-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/3604-260-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/3604-264-0x0000000000400000-0x0000000002B0B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-15 18:18

Reported

2024-05-15 18:20

Platform

win11-20240419-en

Max time kernel

150s

Max time network

140s

Command Line

"C:\Users\Admin\AppData\Local\Temp\11a911cc71a8c15de4924ba03c84d1dafad9c23b535107268fb6e210fc46cfd7.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\11a911cc71a8c15de4924ba03c84d1dafad9c23b535107268fb6e210fc46cfd7.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\11a911cc71a8c15de4924ba03c84d1dafad9c23b535107268fb6e210fc46cfd7.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\11a911cc71a8c15de4924ba03c84d1dafad9c23b535107268fb6e210fc46cfd7.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\11a911cc71a8c15de4924ba03c84d1dafad9c23b535107268fb6e210fc46cfd7.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1971 = "Belarus Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-721 = "Central Pacific Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-449 = "Azerbaijan Standard Time" C:\Users\Admin\AppData\Local\Temp\11a911cc71a8c15de4924ba03c84d1dafad9c23b535107268fb6e210fc46cfd7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-342 = "Egypt Standard Time" C:\Users\Admin\AppData\Local\Temp\11a911cc71a8c15de4924ba03c84d1dafad9c23b535107268fb6e210fc46cfd7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-772 = "Montevideo Standard Time" C:\Users\Admin\AppData\Local\Temp\11a911cc71a8c15de4924ba03c84d1dafad9c23b535107268fb6e210fc46cfd7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1802 = "Line Islands Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2512 = "Lord Howe Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2141 = "Transbaikal Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1872 = "Russia TZ 7 Standard Time" C:\Users\Admin\AppData\Local\Temp\11a911cc71a8c15de4924ba03c84d1dafad9c23b535107268fb6e210fc46cfd7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-272 = "Greenwich Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-891 = "Morocco Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1832 = "Russia TZ 2 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-691 = "Tasmania Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-448 = "Azerbaijan Daylight Time" C:\Users\Admin\AppData\Local\Temp\11a911cc71a8c15de4924ba03c84d1dafad9c23b535107268fb6e210fc46cfd7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-231 = "Hawaiian Daylight Time" C:\Users\Admin\AppData\Local\Temp\11a911cc71a8c15de4924ba03c84d1dafad9c23b535107268fb6e210fc46cfd7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2872 = "Magallanes Standard Time" C:\Users\Admin\AppData\Local\Temp\11a911cc71a8c15de4924ba03c84d1dafad9c23b535107268fb6e210fc46cfd7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-81 = "Atlantic Daylight Time" C:\Users\Admin\AppData\Local\Temp\11a911cc71a8c15de4924ba03c84d1dafad9c23b535107268fb6e210fc46cfd7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2891 = "Sudan Daylight Time" C:\Users\Admin\AppData\Local\Temp\11a911cc71a8c15de4924ba03c84d1dafad9c23b535107268fb6e210fc46cfd7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2591 = "Tocantins Daylight Time" C:\Users\Admin\AppData\Local\Temp\11a911cc71a8c15de4924ba03c84d1dafad9c23b535107268fb6e210fc46cfd7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-871 = "Pakistan Daylight Time" C:\Users\Admin\AppData\Local\Temp\11a911cc71a8c15de4924ba03c84d1dafad9c23b535107268fb6e210fc46cfd7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-242 = "Samoa Standard Time" C:\Users\Admin\AppData\Local\Temp\11a911cc71a8c15de4924ba03c84d1dafad9c23b535107268fb6e210fc46cfd7.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1971 = "Belarus Daylight Time" C:\Users\Admin\AppData\Local\Temp\11a911cc71a8c15de4924ba03c84d1dafad9c23b535107268fb6e210fc46cfd7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2001 = "Cabo Verde Daylight Time" C:\Users\Admin\AppData\Local\Temp\11a911cc71a8c15de4924ba03c84d1dafad9c23b535107268fb6e210fc46cfd7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2871 = "Magallanes Daylight Time" C:\Users\Admin\AppData\Local\Temp\11a911cc71a8c15de4924ba03c84d1dafad9c23b535107268fb6e210fc46cfd7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2771 = "Omsk Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2591 = "Tocantins Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-82 = "Atlantic Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-911 = "Mauritius Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2612 = "Bougainville Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-401 = "Arabic Daylight Time" C:\Users\Admin\AppData\Local\Temp\11a911cc71a8c15de4924ba03c84d1dafad9c23b535107268fb6e210fc46cfd7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-365 = "Middle East Standard Time" C:\Users\Admin\AppData\Local\Temp\11a911cc71a8c15de4924ba03c84d1dafad9c23b535107268fb6e210fc46cfd7.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-151 = "Central America Daylight Time" C:\Users\Admin\AppData\Local\Temp\11a911cc71a8c15de4924ba03c84d1dafad9c23b535107268fb6e210fc46cfd7.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-52 = "Greenland Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\11a911cc71a8c15de4924ba03c84d1dafad9c23b535107268fb6e210fc46cfd7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2611 = "Bougainville Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-412 = "E. Africa Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2792 = "Novosibirsk Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1662 = "Bahia Standard Time" C:\Users\Admin\AppData\Local\Temp\11a911cc71a8c15de4924ba03c84d1dafad9c23b535107268fb6e210fc46cfd7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1831 = "Russia TZ 2 Daylight Time" C:\Users\Admin\AppData\Local\Temp\11a911cc71a8c15de4924ba03c84d1dafad9c23b535107268fb6e210fc46cfd7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-111 = "Eastern Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2491 = "Aus Central W. Daylight Time" C:\Users\Admin\AppData\Local\Temp\11a911cc71a8c15de4924ba03c84d1dafad9c23b535107268fb6e210fc46cfd7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-341 = "Egypt Daylight Time" C:\Users\Admin\AppData\Local\Temp\11a911cc71a8c15de4924ba03c84d1dafad9c23b535107268fb6e210fc46cfd7.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1861 = "Russia TZ 6 Daylight Time" C:\Users\Admin\AppData\Local\Temp\11a911cc71a8c15de4924ba03c84d1dafad9c23b535107268fb6e210fc46cfd7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2451 = "Saint Pierre Daylight Time" C:\Users\Admin\AppData\Local\Temp\11a911cc71a8c15de4924ba03c84d1dafad9c23b535107268fb6e210fc46cfd7.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-651 = "AUS Central Daylight Time" C:\Users\Admin\AppData\Local\Temp\11a911cc71a8c15de4924ba03c84d1dafad9c23b535107268fb6e210fc46cfd7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-162 = "Central Standard Time" C:\Users\Admin\AppData\Local\Temp\11a911cc71a8c15de4924ba03c84d1dafad9c23b535107268fb6e210fc46cfd7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2431 = "Cuba Daylight Time" C:\Users\Admin\AppData\Local\Temp\11a911cc71a8c15de4924ba03c84d1dafad9c23b535107268fb6e210fc46cfd7.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\11a911cc71a8c15de4924ba03c84d1dafad9c23b535107268fb6e210fc46cfd7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\11a911cc71a8c15de4924ba03c84d1dafad9c23b535107268fb6e210fc46cfd7.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\11a911cc71a8c15de4924ba03c84d1dafad9c23b535107268fb6e210fc46cfd7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\11a911cc71a8c15de4924ba03c84d1dafad9c23b535107268fb6e210fc46cfd7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\11a911cc71a8c15de4924ba03c84d1dafad9c23b535107268fb6e210fc46cfd7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\11a911cc71a8c15de4924ba03c84d1dafad9c23b535107268fb6e210fc46cfd7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\11a911cc71a8c15de4924ba03c84d1dafad9c23b535107268fb6e210fc46cfd7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\11a911cc71a8c15de4924ba03c84d1dafad9c23b535107268fb6e210fc46cfd7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\11a911cc71a8c15de4924ba03c84d1dafad9c23b535107268fb6e210fc46cfd7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\11a911cc71a8c15de4924ba03c84d1dafad9c23b535107268fb6e210fc46cfd7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\11a911cc71a8c15de4924ba03c84d1dafad9c23b535107268fb6e210fc46cfd7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\11a911cc71a8c15de4924ba03c84d1dafad9c23b535107268fb6e210fc46cfd7.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\11a911cc71a8c15de4924ba03c84d1dafad9c23b535107268fb6e210fc46cfd7.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\11a911cc71a8c15de4924ba03c84d1dafad9c23b535107268fb6e210fc46cfd7.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1152 wrote to memory of 4836 N/A C:\Users\Admin\AppData\Local\Temp\11a911cc71a8c15de4924ba03c84d1dafad9c23b535107268fb6e210fc46cfd7.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1152 wrote to memory of 4836 N/A C:\Users\Admin\AppData\Local\Temp\11a911cc71a8c15de4924ba03c84d1dafad9c23b535107268fb6e210fc46cfd7.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1152 wrote to memory of 4836 N/A C:\Users\Admin\AppData\Local\Temp\11a911cc71a8c15de4924ba03c84d1dafad9c23b535107268fb6e210fc46cfd7.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3124 wrote to memory of 1416 N/A C:\Users\Admin\AppData\Local\Temp\11a911cc71a8c15de4924ba03c84d1dafad9c23b535107268fb6e210fc46cfd7.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3124 wrote to memory of 1416 N/A C:\Users\Admin\AppData\Local\Temp\11a911cc71a8c15de4924ba03c84d1dafad9c23b535107268fb6e210fc46cfd7.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3124 wrote to memory of 1416 N/A C:\Users\Admin\AppData\Local\Temp\11a911cc71a8c15de4924ba03c84d1dafad9c23b535107268fb6e210fc46cfd7.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3124 wrote to memory of 4860 N/A C:\Users\Admin\AppData\Local\Temp\11a911cc71a8c15de4924ba03c84d1dafad9c23b535107268fb6e210fc46cfd7.exe C:\Windows\system32\cmd.exe
PID 3124 wrote to memory of 4860 N/A C:\Users\Admin\AppData\Local\Temp\11a911cc71a8c15de4924ba03c84d1dafad9c23b535107268fb6e210fc46cfd7.exe C:\Windows\system32\cmd.exe
PID 4860 wrote to memory of 1544 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4860 wrote to memory of 1544 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3124 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Local\Temp\11a911cc71a8c15de4924ba03c84d1dafad9c23b535107268fb6e210fc46cfd7.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3124 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Local\Temp\11a911cc71a8c15de4924ba03c84d1dafad9c23b535107268fb6e210fc46cfd7.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3124 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Local\Temp\11a911cc71a8c15de4924ba03c84d1dafad9c23b535107268fb6e210fc46cfd7.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3124 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\11a911cc71a8c15de4924ba03c84d1dafad9c23b535107268fb6e210fc46cfd7.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3124 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\11a911cc71a8c15de4924ba03c84d1dafad9c23b535107268fb6e210fc46cfd7.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3124 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\11a911cc71a8c15de4924ba03c84d1dafad9c23b535107268fb6e210fc46cfd7.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3124 wrote to memory of 3304 N/A C:\Users\Admin\AppData\Local\Temp\11a911cc71a8c15de4924ba03c84d1dafad9c23b535107268fb6e210fc46cfd7.exe C:\Windows\rss\csrss.exe
PID 3124 wrote to memory of 3304 N/A C:\Users\Admin\AppData\Local\Temp\11a911cc71a8c15de4924ba03c84d1dafad9c23b535107268fb6e210fc46cfd7.exe C:\Windows\rss\csrss.exe
PID 3124 wrote to memory of 3304 N/A C:\Users\Admin\AppData\Local\Temp\11a911cc71a8c15de4924ba03c84d1dafad9c23b535107268fb6e210fc46cfd7.exe C:\Windows\rss\csrss.exe
PID 3304 wrote to memory of 3732 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3304 wrote to memory of 3732 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3304 wrote to memory of 3732 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3304 wrote to memory of 4940 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3304 wrote to memory of 4940 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3304 wrote to memory of 4940 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3304 wrote to memory of 2916 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3304 wrote to memory of 2916 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3304 wrote to memory of 2916 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3304 wrote to memory of 1472 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 3304 wrote to memory of 1472 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 3080 wrote to memory of 3312 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 3080 wrote to memory of 3312 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 3080 wrote to memory of 3312 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 3312 wrote to memory of 1396 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 3312 wrote to memory of 1396 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 3312 wrote to memory of 1396 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\11a911cc71a8c15de4924ba03c84d1dafad9c23b535107268fb6e210fc46cfd7.exe

"C:\Users\Admin\AppData\Local\Temp\11a911cc71a8c15de4924ba03c84d1dafad9c23b535107268fb6e210fc46cfd7.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\11a911cc71a8c15de4924ba03c84d1dafad9c23b535107268fb6e210fc46cfd7.exe

"C:\Users\Admin\AppData\Local\Temp\11a911cc71a8c15de4924ba03c84d1dafad9c23b535107268fb6e210fc46cfd7.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 3d96f073-f395-4e1d-b6a2-e9fe03d3fad7.uuid.statsexplorer.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 server12.statsexplorer.org udp
US 74.125.250.129:19302 stun.l.google.com udp
US 162.159.129.233:443 cdn.discordapp.com tcp
BG 185.82.216.108:443 server12.statsexplorer.org tcp
US 104.21.94.82:443 carsalessystem.com tcp
US 8.8.8.8:53 108.216.82.185.in-addr.arpa udp
US 8.8.8.8:53 82.94.21.104.in-addr.arpa udp
BG 185.82.216.108:443 server12.statsexplorer.org tcp
BG 185.82.216.108:443 server12.statsexplorer.org tcp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_amqhi4gv.tx1.ps1

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Windows\windefender.exe
