Malware Analysis Report

2025-01-02 06:43

Sample ID 240515-xxybysfd6y
Target 800d643fdcf8405167509f4733a69107b3a5880cfe5bbdb46d8e3089b239eebb
SHA256 800d643fdcf8405167509f4733a69107b3a5880cfe5bbdb46d8e3089b239eebb
Tags
glupteba discovery dropper evasion execution loader persistence rootkit upx
score
10/10

Analysis Overview

score
10/10

SHA256

800d643fdcf8405167509f4733a69107b3a5880cfe5bbdb46d8e3089b239eebb

Threat Level: Known bad

The file 800d643fdcf8405167509f4733a69107b3a5880cfe5bbdb46d8e3089b239eebb was found to be: Known bad.

Malicious Activity Summary

glupteba discovery dropper evasion execution loader persistence rootkit upx

Glupteba

Glupteba payload

Modifies Windows Firewall

Executes dropped EXE

UPX packed file

Checks installed software on the system

Adds Run key to start application

Manipulates WinMonFS driver

Drops file in System32 directory

Launches sc.exe

Checks for VirtualBox DLLs, possible anti-VM trick

Drops file in Windows directory

Command and Scripting Interpreter: PowerShell

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Creates scheduled task(s)

Uses Task Scheduler COM API

Analysis: static1

Detonation Overview

Reported

2024-05-15 19:14

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-15 19:14

Reported

2024-05-15 19:17

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\800d643fdcf8405167509f4733a69107b3a5880cfe5bbdb46d8e3089b239eebb.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\800d643fdcf8405167509f4733a69107b3a5880cfe5bbdb46d8e3089b239eebb.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\800d643fdcf8405167509f4733a69107b3a5880cfe5bbdb46d8e3089b239eebb.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\800d643fdcf8405167509f4733a69107b3a5880cfe5bbdb46d8e3089b239eebb.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\800d643fdcf8405167509f4733a69107b3a5880cfe5bbdb46d8e3089b239eebb.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-372 = "Jerusalem Standard Time" C:\Users\Admin\AppData\Local\Temp\800d643fdcf8405167509f4733a69107b3a5880cfe5bbdb46d8e3089b239eebb.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2431 = "Cuba Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-462 = "Afghanistan Standard Time" C:\Users\Admin\AppData\Local\Temp\800d643fdcf8405167509f4733a69107b3a5880cfe5bbdb46d8e3089b239eebb.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-384 = "Namibia Daylight Time" C:\Users\Admin\AppData\Local\Temp\800d643fdcf8405167509f4733a69107b3a5880cfe5bbdb46d8e3089b239eebb.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-842 = "Argentina Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-681 = "E. Australia Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1862 = "Russia TZ 6 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-912 = "Mauritius Standard Time" C:\Users\Admin\AppData\Local\Temp\800d643fdcf8405167509f4733a69107b3a5880cfe5bbdb46d8e3089b239eebb.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2161 = "Altai Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-411 = "E. Africa Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2891 = "Sudan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-651 = "AUS Central Daylight Time" C:\Users\Admin\AppData\Local\Temp\800d643fdcf8405167509f4733a69107b3a5880cfe5bbdb46d8e3089b239eebb.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-121 = "SA Pacific Daylight Time" C:\Users\Admin\AppData\Local\Temp\800d643fdcf8405167509f4733a69107b3a5880cfe5bbdb46d8e3089b239eebb.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-432 = "Iran Standard Time" C:\Users\Admin\AppData\Local\Temp\800d643fdcf8405167509f4733a69107b3a5880cfe5bbdb46d8e3089b239eebb.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-832 = "SA Eastern Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-11 = "Azores Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-341 = "Egypt Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-364 = "Middle East Daylight Time" C:\Users\Admin\AppData\Local\Temp\800d643fdcf8405167509f4733a69107b3a5880cfe5bbdb46d8e3089b239eebb.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2392 = "Aleutian Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-71 = "Newfoundland Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time" C:\Users\Admin\AppData\Local\Temp\800d643fdcf8405167509f4733a69107b3a5880cfe5bbdb46d8e3089b239eebb.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-362 = "GTB Standard Time" C:\Users\Admin\AppData\Local\Temp\800d643fdcf8405167509f4733a69107b3a5880cfe5bbdb46d8e3089b239eebb.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-891 = "Morocco Daylight Time" C:\Users\Admin\AppData\Local\Temp\800d643fdcf8405167509f4733a69107b3a5880cfe5bbdb46d8e3089b239eebb.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-541 = "Myanmar Daylight Time" C:\Users\Admin\AppData\Local\Temp\800d643fdcf8405167509f4733a69107b3a5880cfe5bbdb46d8e3089b239eebb.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-492 = "India Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2371 = "Easter Island Daylight Time" C:\Users\Admin\AppData\Local\Temp\800d643fdcf8405167509f4733a69107b3a5880cfe5bbdb46d8e3089b239eebb.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2571 = "Turks and Caicos Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-202 = "US Mountain Standard Time" C:\Users\Admin\AppData\Local\Temp\800d643fdcf8405167509f4733a69107b3a5880cfe5bbdb46d8e3089b239eebb.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1822 = "Russia TZ 1 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1912 = "Russia TZ 10 Standard Time" C:\Users\Admin\AppData\Local\Temp\800d643fdcf8405167509f4733a69107b3a5880cfe5bbdb46d8e3089b239eebb.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2871 = "Magallanes Daylight Time" C:\Users\Admin\AppData\Local\Temp\800d643fdcf8405167509f4733a69107b3a5880cfe5bbdb46d8e3089b239eebb.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2162 = "Altai Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-105 = "Central Brazilian Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-491 = "India Daylight Time" C:\Users\Admin\AppData\Local\Temp\800d643fdcf8405167509f4733a69107b3a5880cfe5bbdb46d8e3089b239eebb.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-401 = "Arabic Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1412 = "Syria Standard Time" C:\Windows\windefender.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\800d643fdcf8405167509f4733a69107b3a5880cfe5bbdb46d8e3089b239eebb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\800d643fdcf8405167509f4733a69107b3a5880cfe5bbdb46d8e3089b239eebb.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\800d643fdcf8405167509f4733a69107b3a5880cfe5bbdb46d8e3089b239eebb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\800d643fdcf8405167509f4733a69107b3a5880cfe5bbdb46d8e3089b239eebb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\800d643fdcf8405167509f4733a69107b3a5880cfe5bbdb46d8e3089b239eebb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\800d643fdcf8405167509f4733a69107b3a5880cfe5bbdb46d8e3089b239eebb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\800d643fdcf8405167509f4733a69107b3a5880cfe5bbdb46d8e3089b239eebb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\800d643fdcf8405167509f4733a69107b3a5880cfe5bbdb46d8e3089b239eebb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\800d643fdcf8405167509f4733a69107b3a5880cfe5bbdb46d8e3089b239eebb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\800d643fdcf8405167509f4733a69107b3a5880cfe5bbdb46d8e3089b239eebb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\800d643fdcf8405167509f4733a69107b3a5880cfe5bbdb46d8e3089b239eebb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\800d643fdcf8405167509f4733a69107b3a5880cfe5bbdb46d8e3089b239eebb.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\800d643fdcf8405167509f4733a69107b3a5880cfe5bbdb46d8e3089b239eebb.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\800d643fdcf8405167509f4733a69107b3a5880cfe5bbdb46d8e3089b239eebb.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 632 wrote to memory of 1120 N/A C:\Users\Admin\AppData\Local\Temp\800d643fdcf8405167509f4733a69107b3a5880cfe5bbdb46d8e3089b239eebb.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 632 wrote to memory of 1120 N/A C:\Users\Admin\AppData\Local\Temp\800d643fdcf8405167509f4733a69107b3a5880cfe5bbdb46d8e3089b239eebb.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 632 wrote to memory of 1120 N/A C:\Users\Admin\AppData\Local\Temp\800d643fdcf8405167509f4733a69107b3a5880cfe5bbdb46d8e3089b239eebb.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4356 wrote to memory of 448 N/A C:\Users\Admin\AppData\Local\Temp\800d643fdcf8405167509f4733a69107b3a5880cfe5bbdb46d8e3089b239eebb.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4356 wrote to memory of 448 N/A C:\Users\Admin\AppData\Local\Temp\800d643fdcf8405167509f4733a69107b3a5880cfe5bbdb46d8e3089b239eebb.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4356 wrote to memory of 448 N/A C:\Users\Admin\AppData\Local\Temp\800d643fdcf8405167509f4733a69107b3a5880cfe5bbdb46d8e3089b239eebb.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4356 wrote to memory of 1492 N/A C:\Users\Admin\AppData\Local\Temp\800d643fdcf8405167509f4733a69107b3a5880cfe5bbdb46d8e3089b239eebb.exe C:\Windows\system32\cmd.exe
PID 4356 wrote to memory of 1492 N/A C:\Users\Admin\AppData\Local\Temp\800d643fdcf8405167509f4733a69107b3a5880cfe5bbdb46d8e3089b239eebb.exe C:\Windows\system32\cmd.exe
PID 1492 wrote to memory of 1032 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1492 wrote to memory of 1032 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4356 wrote to memory of 1596 N/A C:\Users\Admin\AppData\Local\Temp\800d643fdcf8405167509f4733a69107b3a5880cfe5bbdb46d8e3089b239eebb.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4356 wrote to memory of 1596 N/A C:\Users\Admin\AppData\Local\Temp\800d643fdcf8405167509f4733a69107b3a5880cfe5bbdb46d8e3089b239eebb.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4356 wrote to memory of 1596 N/A C:\Users\Admin\AppData\Local\Temp\800d643fdcf8405167509f4733a69107b3a5880cfe5bbdb46d8e3089b239eebb.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4356 wrote to memory of 3180 N/A C:\Users\Admin\AppData\Local\Temp\800d643fdcf8405167509f4733a69107b3a5880cfe5bbdb46d8e3089b239eebb.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4356 wrote to memory of 3180 N/A C:\Users\Admin\AppData\Local\Temp\800d643fdcf8405167509f4733a69107b3a5880cfe5bbdb46d8e3089b239eebb.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4356 wrote to memory of 3180 N/A C:\Users\Admin\AppData\Local\Temp\800d643fdcf8405167509f4733a69107b3a5880cfe5bbdb46d8e3089b239eebb.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4356 wrote to memory of 676 N/A C:\Users\Admin\AppData\Local\Temp\800d643fdcf8405167509f4733a69107b3a5880cfe5bbdb46d8e3089b239eebb.exe C:\Windows\rss\csrss.exe
PID 4356 wrote to memory of 676 N/A C:\Users\Admin\AppData\Local\Temp\800d643fdcf8405167509f4733a69107b3a5880cfe5bbdb46d8e3089b239eebb.exe C:\Windows\rss\csrss.exe
PID 4356 wrote to memory of 676 N/A C:\Users\Admin\AppData\Local\Temp\800d643fdcf8405167509f4733a69107b3a5880cfe5bbdb46d8e3089b239eebb.exe C:\Windows\rss\csrss.exe
PID 676 wrote to memory of 3944 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 676 wrote to memory of 3944 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 676 wrote to memory of 3944 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 676 wrote to memory of 3532 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 676 wrote to memory of 3532 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 676 wrote to memory of 3532 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 676 wrote to memory of 4388 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 676 wrote to memory of 4388 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 676 wrote to memory of 4388 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 676 wrote to memory of 2340 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 676 wrote to memory of 2340 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 4936 wrote to memory of 4332 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 4936 wrote to memory of 4332 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 4936 wrote to memory of 4332 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 4332 wrote to memory of 728 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 4332 wrote to memory of 728 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 4332 wrote to memory of 728 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\800d643fdcf8405167509f4733a69107b3a5880cfe5bbdb46d8e3089b239eebb.exe

"C:\Users\Admin\AppData\Local\Temp\800d643fdcf8405167509f4733a69107b3a5880cfe5bbdb46d8e3089b239eebb.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3976,i,10373433614523925616,13586256558317053467,262144 --variations-seed-version --mojo-platform-channel-handle=4160 /prefetch:8

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\800d643fdcf8405167509f4733a69107b3a5880cfe5bbdb46d8e3089b239eebb.exe

"C:\Users\Admin\AppData\Local\Temp\800d643fdcf8405167509f4733a69107b3a5880cfe5bbdb46d8e3089b239eebb.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
BE 2.17.196.115:443 www.bing.com tcp
US 8.8.8.8:53 115.196.17.2.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 bfda9a50-bd88-453b-8a9e-f99addc5070b.uuid.statsexplorer.org udp
US 8.8.8.8:53 stun1.l.google.com udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 server15.statsexplorer.org udp
US 74.125.250.129:19302 stun1.l.google.com udp
US 162.159.130.233:443 cdn.discordapp.com tcp
BG 185.82.216.108:443 server15.statsexplorer.org tcp
US 8.8.8.8:53 129.250.125.74.in-addr.arpa udp
US 8.8.8.8:53 carsalessystem.com udp
US 172.67.221.71:443 carsalessystem.com tcp
US 8.8.8.8:53 233.130.159.162.in-addr.arpa udp
US 8.8.8.8:53 108.216.82.185.in-addr.arpa udp
US 8.8.8.8:53 71.221.67.172.in-addr.arpa udp
BG 185.82.216.108:443 server15.statsexplorer.org tcp
BG 185.82.216.108:443 server15.statsexplorer.org tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 195.201.50.20.in-addr.arpa udp

Files

memory/632-1-0x0000000004780000-0x0000000004B80000-memory.dmp

memory/632-2-0x0000000004B80000-0x000000000546B000-memory.dmp

memory/632-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1120-5-0x0000000004500000-0x0000000004536000-memory.dmp

memory/1120-6-0x000000007464E000-0x000000007464F000-memory.dmp

memory/1120-7-0x0000000074640000-0x0000000074DF0000-memory.dmp

memory/1120-8-0x0000000004C70000-0x0000000005298000-memory.dmp

memory/1120-9-0x0000000074640000-0x0000000074DF0000-memory.dmp

memory/632-4-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/1120-10-0x0000000004AD0000-0x0000000004AF2000-memory.dmp

memory/1120-12-0x0000000005480000-0x00000000054E6000-memory.dmp

memory/1120-11-0x00000000053A0000-0x0000000005406000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pahxsl1f.sft.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1120-22-0x00000000055F0000-0x0000000005944000-memory.dmp

memory/1120-23-0x0000000005AA0000-0x0000000005ABE000-memory.dmp

memory/1120-24-0x0000000005AE0000-0x0000000005B2C000-memory.dmp

memory/1120-25-0x0000000006010000-0x0000000006054000-memory.dmp

memory/1120-26-0x0000000006DE0000-0x0000000006E56000-memory.dmp

memory/1120-27-0x00000000074E0000-0x0000000007B5A000-memory.dmp

memory/1120-28-0x0000000006E60000-0x0000000006E7A000-memory.dmp

memory/1120-31-0x0000000070660000-0x00000000709B4000-memory.dmp

memory/1120-30-0x00000000704E0000-0x000000007052C000-memory.dmp

memory/1120-42-0x0000000007060000-0x000000000707E000-memory.dmp

memory/1120-43-0x0000000074640000-0x0000000074DF0000-memory.dmp

memory/1120-29-0x0000000007020000-0x0000000007052000-memory.dmp

memory/1120-32-0x0000000074640000-0x0000000074DF0000-memory.dmp

memory/1120-44-0x0000000007080000-0x0000000007123000-memory.dmp

memory/1120-45-0x0000000007170000-0x000000000717A000-memory.dmp

memory/1120-46-0x0000000007230000-0x00000000072C6000-memory.dmp

memory/1120-47-0x0000000007190000-0x00000000071A1000-memory.dmp

memory/1120-48-0x00000000071D0000-0x00000000071DE000-memory.dmp

memory/1120-49-0x00000000071E0000-0x00000000071F4000-memory.dmp

memory/1120-50-0x00000000072D0000-0x00000000072EA000-memory.dmp

memory/1120-51-0x0000000007220000-0x0000000007228000-memory.dmp

memory/1120-54-0x0000000074640000-0x0000000074DF0000-memory.dmp

memory/632-56-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/632-57-0x0000000004780000-0x0000000004B80000-memory.dmp

memory/632-58-0x0000000004B80000-0x000000000546B000-memory.dmp

memory/448-59-0x00000000056A0000-0x00000000059F4000-memory.dmp

memory/448-69-0x00000000704E0000-0x000000007052C000-memory.dmp

memory/448-70-0x0000000070C60000-0x0000000070FB4000-memory.dmp

memory/448-80-0x0000000006ED0000-0x0000000006F73000-memory.dmp

memory/448-81-0x00000000071D0000-0x00000000071E1000-memory.dmp

memory/632-83-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4356-82-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/448-84-0x0000000007220000-0x0000000007234000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 ff7cc08cef81965382e556904f9d752e
SHA1 c7a295cf6271bbcbf6058ec7907937f329a0f528
SHA256 13f51280f97d34f9e296c6e4b7a2fea51d0eee4246c9a15685e410fd11fc9499
SHA512 f8c1108a1ceba67f7fcc7986962a98b95dae5b6cc13b29e4579ff56161ac167019b85421a425f91226cb109db91d0376e75714030108839040450c8fa6c23505

memory/1596-98-0x00000000704E0000-0x000000007052C000-memory.dmp

memory/1596-99-0x0000000070C60000-0x0000000070FB4000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 510eaf9637681c0c2874a3764bc1542c
SHA1 3ded8f32ef5f054c0cbe1fb01dde67582b530572
SHA256 3d57b75011b2bab802eb8a421b28ac63bf7bb6c4a4c4f6b0bcb75483f028ad4c
SHA512 3ea88df329133e818bdc8b0850b43b65285a0b4f4363b67803d4e69dc7e37398f7d8c52b28c389acb2a6469b4c4d644bbfc048cbfbcdc8e239d2aefc4cfdd1b0

memory/3180-121-0x00000000704E0000-0x000000007052C000-memory.dmp

memory/3180-122-0x0000000070660000-0x00000000709B4000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 0f75ec1db9cdd785e1145f66dad9b6c4
SHA1 d45f0664a3ae807e8e4eebf3f6c6785d37464b74
SHA256 800d643fdcf8405167509f4733a69107b3a5880cfe5bbdb46d8e3089b239eebb
SHA512 ec737361e2bb73fbf5be8c9a3e5692d6bd0431ea59aee9598de129ae17aafd340f8fea580baea50b5f37a686ad43d06e59bcc6392566c4802426f712b51274ed

memory/4356-136-0x0000000000400000-0x0000000002B0B000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 2fa655a970ec1d908c2714a249858629
SHA1 caef6365e2537cc6e1fa3dbf02ae42d587b4bdea
SHA256 853bed4fa3cd263ab340eaaefe40cf984fb7ff7acbee559359e42aa764c4f0e5
SHA512 ed7aba640fd34522fc8e0da0b15e837e730edf1f5f2fd14ef032a057daca41764cd40ea9fb2b2468864961b089b668d6e0d0eae810ea2c0d6e2fc30d81a8282a

memory/3944-150-0x00000000704E0000-0x000000007052C000-memory.dmp

memory/3944-151-0x0000000070660000-0x00000000709B4000-memory.dmp

memory/676-161-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/3532-172-0x00000000058A0000-0x0000000005BF4000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 c7479c70ae9ccde6727738227b061124
SHA1 b92c17ca770ba66bfb01c3d4dbdb1e99cd04cae7
SHA256 2a2d01ada4d4738820809f0337d3fff6cf9c8911f50b65a38be652dd05b2bcf4
SHA512 d6f7fd390e1d8b802f79b834113ef95f91e189d551dc93f0671350169d9f3e18ef4b0d949c59cda81565803f391c1659b45a67fd758edd6cbed1f730b3356d34

memory/3532-174-0x0000000005E80000-0x0000000005ECC000-memory.dmp

memory/3532-175-0x0000000070400000-0x000000007044C000-memory.dmp

memory/3532-186-0x0000000007090000-0x0000000007133000-memory.dmp

memory/3532-176-0x0000000070580000-0x00000000708D4000-memory.dmp

memory/3532-187-0x0000000005C50000-0x0000000005C61000-memory.dmp

memory/3532-188-0x0000000005C90000-0x0000000005CA4000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 448b638fd09e52ed8db297001a7a0115
SHA1 d2252a105dc65edecb6c6357c375ec2625f5a02e
SHA256 5d068db46f978fee9c17b7ab822c7682ecae6ee72f5aa4836647c05e8bf2473a
SHA512 caa63af103d5c7b11d66be7e254d3ed6942f3f51d2780b64b3c257f2c09937d7e03c4f3503de05089fedcccb427c0aaa36b97219e0cb50245fa60df4ec2b28d3

memory/4388-201-0x0000000070400000-0x000000007044C000-memory.dmp

memory/4388-202-0x0000000070580000-0x00000000708D4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/676-218-0x0000000000400000-0x0000000002B0B000-memory.dmp

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/4936-224-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/1404-226-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4936-228-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/676-229-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/1404-232-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/676-231-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/676-235-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/1404-237-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/676-238-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/676-241-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/676-243-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/676-247-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/676-250-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/676-253-0x0000000000400000-0x0000000002B0B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-15 19:14

Reported

2024-05-15 19:17

Platform

win11-20240426-en

Max time kernel

149s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\800d643fdcf8405167509f4733a69107b3a5880cfe5bbdb46d8e3089b239eebb.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2994005945-4089876968-1367784197-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2994005945-4089876968-1367784197-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\800d643fdcf8405167509f4733a69107b3a5880cfe5bbdb46d8e3089b239eebb.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\800d643fdcf8405167509f4733a69107b3a5880cfe5bbdb46d8e3089b239eebb.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\800d643fdcf8405167509f4733a69107b3a5880cfe5bbdb46d8e3089b239eebb.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\800d643fdcf8405167509f4733a69107b3a5880cfe5bbdb46d8e3089b239eebb.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-512 = "Central Asia Standard Time" C:\Users\Admin\AppData\Local\Temp\800d643fdcf8405167509f4733a69107b3a5880cfe5bbdb46d8e3089b239eebb.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1821 = "Russia TZ 1 Daylight Time" C:\Users\Admin\AppData\Local\Temp\800d643fdcf8405167509f4733a69107b3a5880cfe5bbdb46d8e3089b239eebb.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1861 = "Russia TZ 6 Daylight Time" C:\Users\Admin\AppData\Local\Temp\800d643fdcf8405167509f4733a69107b3a5880cfe5bbdb46d8e3089b239eebb.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-215 = "Pacific Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\800d643fdcf8405167509f4733a69107b3a5880cfe5bbdb46d8e3089b239eebb.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2942 = "Sao Tome Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-601 = "Taipei Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-932 = "Coordinated Universal Time" C:\Windows\windefender.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2182 = "Astrakhan Standard Time" C:\Users\Admin\AppData\Local\Temp\800d643fdcf8405167509f4733a69107b3a5880cfe5bbdb46d8e3089b239eebb.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-448 = "Azerbaijan Daylight Time" C:\Users\Admin\AppData\Local\Temp\800d643fdcf8405167509f4733a69107b3a5880cfe5bbdb46d8e3089b239eebb.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2531 = "Chatham Islands Daylight Time" C:\Users\Admin\AppData\Local\Temp\800d643fdcf8405167509f4733a69107b3a5880cfe5bbdb46d8e3089b239eebb.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-435 = "Georgian Standard Time" C:\Users\Admin\AppData\Local\Temp\800d643fdcf8405167509f4733a69107b3a5880cfe5bbdb46d8e3089b239eebb.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-334 = "Jordan Daylight Time" C:\Users\Admin\AppData\Local\Temp\800d643fdcf8405167509f4733a69107b3a5880cfe5bbdb46d8e3089b239eebb.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-441 = "Arabian Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1971 = "Belarus Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2161 = "Altai Daylight Time" C:\Users\Admin\AppData\Local\Temp\800d643fdcf8405167509f4733a69107b3a5880cfe5bbdb46d8e3089b239eebb.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-372 = "Jerusalem Standard Time" C:\Users\Admin\AppData\Local\Temp\800d643fdcf8405167509f4733a69107b3a5880cfe5bbdb46d8e3089b239eebb.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-532 = "Sri Lanka Standard Time" C:\Users\Admin\AppData\Local\Temp\800d643fdcf8405167509f4733a69107b3a5880cfe5bbdb46d8e3089b239eebb.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1041 = "Ulaanbaatar Daylight Time" C:\Users\Admin\AppData\Local\Temp\800d643fdcf8405167509f4733a69107b3a5880cfe5bbdb46d8e3089b239eebb.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-41 = "E. South America Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1821 = "Russia TZ 1 Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-751 = "Tonga Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-92 = "Pacific SA Standard Time" C:\Users\Admin\AppData\Local\Temp\800d643fdcf8405167509f4733a69107b3a5880cfe5bbdb46d8e3089b239eebb.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2451 = "Saint Pierre Daylight Time" C:\Users\Admin\AppData\Local\Temp\800d643fdcf8405167509f4733a69107b3a5880cfe5bbdb46d8e3089b239eebb.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-752 = "Tonga Standard Time" C:\Users\Admin\AppData\Local\Temp\800d643fdcf8405167509f4733a69107b3a5880cfe5bbdb46d8e3089b239eebb.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-961 = "Paraguay Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-562 = "SE Asia Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\800d643fdcf8405167509f4733a69107b3a5880cfe5bbdb46d8e3089b239eebb.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1822 = "Russia TZ 1 Standard Time" C:\Users\Admin\AppData\Local\Temp\800d643fdcf8405167509f4733a69107b3a5880cfe5bbdb46d8e3089b239eebb.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2892 = "Sudan Standard Time" C:\Users\Admin\AppData\Local\Temp\800d643fdcf8405167509f4733a69107b3a5880cfe5bbdb46d8e3089b239eebb.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-12 = "Azores Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-492 = "India Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-451 = "Caucasus Daylight Time" C:\Users\Admin\AppData\Local\Temp\800d643fdcf8405167509f4733a69107b3a5880cfe5bbdb46d8e3089b239eebb.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1911 = "Russia TZ 10 Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-132 = "US Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\800d643fdcf8405167509f4733a69107b3a5880cfe5bbdb46d8e3089b239eebb.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2431 = "Cuba Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-301 = "Romance Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-151 = "Central America Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-661 = "Cen. Australia Daylight Time" C:\Users\Admin\AppData\Local\Temp\800d643fdcf8405167509f4733a69107b3a5880cfe5bbdb46d8e3089b239eebb.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2871 = "Magallanes Daylight Time" C:\Users\Admin\AppData\Local\Temp\800d643fdcf8405167509f4733a69107b3a5880cfe5bbdb46d8e3089b239eebb.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-892 = "Morocco Standard Time" C:\Users\Admin\AppData\Local\Temp\800d643fdcf8405167509f4733a69107b3a5880cfe5bbdb46d8e3089b239eebb.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-962 = "Paraguay Standard Time" C:\Users\Admin\AppData\Local\Temp\800d643fdcf8405167509f4733a69107b3a5880cfe5bbdb46d8e3089b239eebb.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-751 = "Tonga Daylight Time" C:\Users\Admin\AppData\Local\Temp\800d643fdcf8405167509f4733a69107b3a5880cfe5bbdb46d8e3089b239eebb.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-771 = "Montevideo Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-831 = "SA Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\800d643fdcf8405167509f4733a69107b3a5880cfe5bbdb46d8e3089b239eebb.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2002 = "Cabo Verde Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-214 = "Pacific Daylight Time (Mexico)" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-571 = "China Daylight Time" C:\Users\Admin\AppData\Local\Temp\800d643fdcf8405167509f4733a69107b3a5880cfe5bbdb46d8e3089b239eebb.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1802 = "Line Islands Standard Time" C:\Users\Admin\AppData\Local\Temp\800d643fdcf8405167509f4733a69107b3a5880cfe5bbdb46d8e3089b239eebb.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\800d643fdcf8405167509f4733a69107b3a5880cfe5bbdb46d8e3089b239eebb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\800d643fdcf8405167509f4733a69107b3a5880cfe5bbdb46d8e3089b239eebb.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\800d643fdcf8405167509f4733a69107b3a5880cfe5bbdb46d8e3089b239eebb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\800d643fdcf8405167509f4733a69107b3a5880cfe5bbdb46d8e3089b239eebb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\800d643fdcf8405167509f4733a69107b3a5880cfe5bbdb46d8e3089b239eebb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\800d643fdcf8405167509f4733a69107b3a5880cfe5bbdb46d8e3089b239eebb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\800d643fdcf8405167509f4733a69107b3a5880cfe5bbdb46d8e3089b239eebb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\800d643fdcf8405167509f4733a69107b3a5880cfe5bbdb46d8e3089b239eebb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\800d643fdcf8405167509f4733a69107b3a5880cfe5bbdb46d8e3089b239eebb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\800d643fdcf8405167509f4733a69107b3a5880cfe5bbdb46d8e3089b239eebb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\800d643fdcf8405167509f4733a69107b3a5880cfe5bbdb46d8e3089b239eebb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\800d643fdcf8405167509f4733a69107b3a5880cfe5bbdb46d8e3089b239eebb.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\800d643fdcf8405167509f4733a69107b3a5880cfe5bbdb46d8e3089b239eebb.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\800d643fdcf8405167509f4733a69107b3a5880cfe5bbdb46d8e3089b239eebb.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1720 wrote to memory of 4860 N/A C:\Users\Admin\AppData\Local\Temp\800d643fdcf8405167509f4733a69107b3a5880cfe5bbdb46d8e3089b239eebb.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4212 wrote to memory of 4264 N/A C:\Users\Admin\AppData\Local\Temp\800d643fdcf8405167509f4733a69107b3a5880cfe5bbdb46d8e3089b239eebb.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4212 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\800d643fdcf8405167509f4733a69107b3a5880cfe5bbdb46d8e3089b239eebb.exe C:\Windows\system32\cmd.exe
PID 2816 wrote to memory of 1428 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4212 wrote to memory of 896 N/A C:\Users\Admin\AppData\Local\Temp\800d643fdcf8405167509f4733a69107b3a5880cfe5bbdb46d8e3089b239eebb.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4212 wrote to memory of 3344 N/A C:\Users\Admin\AppData\Local\Temp\800d643fdcf8405167509f4733a69107b3a5880cfe5bbdb46d8e3089b239eebb.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4212 wrote to memory of 1280 N/A C:\Users\Admin\AppData\Local\Temp\800d643fdcf8405167509f4733a69107b3a5880cfe5bbdb46d8e3089b239eebb.exe C:\Windows\rss\csrss.exe
PID 1280 wrote to memory of 4892 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1280 wrote to memory of 4648 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1280 wrote to memory of 2504 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1280 wrote to memory of 328 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 3872 wrote to memory of 1688 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 1688 wrote to memory of 3168 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\800d643fdcf8405167509f4733a69107b3a5880cfe5bbdb46d8e3089b239eebb.exe

"C:\Users\Admin\AppData\Local\Temp\800d643fdcf8405167509f4733a69107b3a5880cfe5bbdb46d8e3089b239eebb.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\800d643fdcf8405167509f4733a69107b3a5880cfe5bbdb46d8e3089b239eebb.exe

"C:\Users\Admin\AppData\Local\Temp\800d643fdcf8405167509f4733a69107b3a5880cfe5bbdb46d8e3089b239eebb.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 38fa7e60-212b-47fc-bd74-fb1cb7218924.uuid.statsexplorer.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 server4.statsexplorer.org udp
US 162.159.133.233:443 cdn.discordapp.com tcp
US 74.125.250.129:19302 stun3.l.google.com udp
BG 185.82.216.108:443 server4.statsexplorer.org tcp
US 172.67.221.71:443 carsalessystem.com tcp
US 8.8.8.8:53 108.216.82.185.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_awdx1l0n.fjy.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 d0c46cad6c0778401e21910bd6b56b70
SHA1 7be418951ea96326aca445b8dfe449b2bfa0dca6
SHA256 9600b3fdf0565ccb49e21656aa4b24d7c18f776bfd04d9ee984b134707550f02
SHA512 057531b468f7fbbb2175a696a8aab274dec0d17d9f71df309edcff35e064f3378050066a3df47ccd03048fac461594ec75e3d4fe64f9dd79949d129f51e02949

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 3ceca19896f511f1b6324a5a9accc9a1
SHA1 7290fef919be317240f2e97162068693acec38e5
SHA256 b442b2a9ee1348635b1ed3f762c6c1447dd981912af17593266f5e173eb8928b
SHA512 fd20c544bb8fc3a190aa8616a5ad00435f9c21394a42ce9375e1824cd5252b3935d67bbc759dc0b8663e6c91fa7a50904462ef051e239a24a34b522e9bff9e09

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 1f93a933337cfb7c790d5f8888fc2673
SHA1 655fd40074be57497a246550d662a3aba2b3b1f3
SHA256 df24e31307166b179130a65849e1db67a0b7c5a756708de7800e94907097f645
SHA512 1a90f00c485ea64e7c4c93600573383b04d54ee88457c6a87deec4dc852692bd1f17dc916e6aad6ec80dc6929fb3d6e4b9227457f25ec610f75ded7879765dad

C:\Windows\rss\csrss.exe

MD5 0f75ec1db9cdd785e1145f66dad9b6c4
SHA1 d45f0664a3ae807e8e4eebf3f6c6785d37464b74
SHA256 800d643fdcf8405167509f4733a69107b3a5880cfe5bbdb46d8e3089b239eebb
SHA512 ec737361e2bb73fbf5be8c9a3e5692d6bd0431ea59aee9598de129ae17aafd340f8fea580baea50b5f37a686ad43d06e59bcc6392566c4802426f712b51274ed

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 d69e94275bbc16aafeca807f82b57a8d
SHA1 c419f53898b96ba0e5c84e2ac2ef6d695c2453d3
SHA256 5679ee4d7ee2cd801214e1a26aa64ec465af44a807f545aded6eb5fedc14bcab
SHA512 c2fe9a048078f0edd6790faffb1ae9c1644f842c85abe990d8e704dac5adbca2e2a76260aa28fb64a5fca11fcbcb097c551150c9de68484089904f6146155eda

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 0faa97ebf439f3efa6829c65811914cd
SHA1 309c8ebb0ff1266491a10940499b056dde00b689
SHA256 05c44442cdc7e069c4f365cf80705f589869a5ce4aa3c8c330f86565f570cfbc
SHA512 ea2d9c625262f61f2aeb2d4d369de9ef9d2c09790d64fc42cbee36861ed77f847bea9a1edc9f098fcd25d77ed3dcee47b8dbda71c51d7c7ecd891cc7551036c0

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 a11dfd67db993f03eb43aaa2e113e9f6
SHA1 2b440d17f1be1a32443818cd463b4d55c2953960
SHA256 d418fab194da08247bd26a65fb9983a1fa0f5b8dafc9f4810a0f6723b08ae672
SHA512 41e853d5a208f6ea4180080641708bf75e4909e146d5f18b576309134eb42903057d017112cda69056c549d78f94cc497b2f9899a99e87ffbb3480dd74196c46

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec
