Malware Analysis Report

2024-12-08 02:05

Sample ID 240516-e6zbhacd57
Target 37978e221406de7c9454be93ff242856350231570ca2b7a0575f26ba9bce7617
SHA256 37978e221406de7c9454be93ff242856350231570ca2b7a0575f26ba9bce7617
Tags
glupteba discovery dropper evasion execution loader persistence rootkit upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

37978e221406de7c9454be93ff242856350231570ca2b7a0575f26ba9bce7617

Threat Level: Known bad

The file 37978e221406de7c9454be93ff242856350231570ca2b7a0575f26ba9bce7617 was found to be: Known bad.

Malicious Activity Summary

glupteba discovery dropper evasion execution loader persistence rootkit upx

Glupteba

Glupteba payload

Modifies Windows Firewall

UPX packed file

Executes dropped EXE

Adds Run key to start application

Checks installed software on the system

Manipulates WinMonFS driver

Drops file in System32 directory

Drops file in Windows directory

Launches sc.exe

Checks for VirtualBox DLLs, possible anti-VM trick

Command and Scripting Interpreter: PowerShell

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Modifies data under HKEY_USERS

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-16 04:33

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-16 04:33

Reported

2024-05-16 04:36

Platform

win10v2004-20240426-en

Max time kernel

149s

Max time network

131s

Command Line

"C:\Users\Admin\AppData\Local\Temp\37978e221406de7c9454be93ff242856350231570ca2b7a0575f26ba9bce7617.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload


Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\37978e221406de7c9454be93ff242856350231570ca2b7a0575f26ba9bce7617.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\37978e221406de7c9454be93ff242856350231570ca2b7a0575f26ba9bce7617.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\37978e221406de7c9454be93ff242856350231570ca2b7a0575f26ba9bce7617.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\37978e221406de7c9454be93ff242856350231570ca2b7a0575f26ba9bce7617.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2451 = "Saint Pierre Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-272 = "Greenwich Standard Time" C:\Users\Admin\AppData\Local\Temp\37978e221406de7c9454be93ff242856350231570ca2b7a0575f26ba9bce7617.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-892 = "Morocco Standard Time" C:\Users\Admin\AppData\Local\Temp\37978e221406de7c9454be93ff242856350231570ca2b7a0575f26ba9bce7617.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-192 = "Mountain Standard Time" C:\Users\Admin\AppData\Local\Temp\37978e221406de7c9454be93ff242856350231570ca2b7a0575f26ba9bce7617.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-632 = "Tokyo Standard Time" C:\Users\Admin\AppData\Local\Temp\37978e221406de7c9454be93ff242856350231570ca2b7a0575f26ba9bce7617.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-161 = "Central Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-272 = "Greenwich Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2322 = "Sakhalin Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2142 = "Transbaikal Standard Time" C:\Users\Admin\AppData\Local\Temp\37978e221406de7c9454be93ff242856350231570ca2b7a0575f26ba9bce7617.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2141 = "Transbaikal Daylight Time" C:\Users\Admin\AppData\Local\Temp\37978e221406de7c9454be93ff242856350231570ca2b7a0575f26ba9bce7617.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1042 = "Ulaanbaatar Standard Time" C:\Users\Admin\AppData\Local\Temp\37978e221406de7c9454be93ff242856350231570ca2b7a0575f26ba9bce7617.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1041 = "Ulaanbaatar Daylight Time" C:\Users\Admin\AppData\Local\Temp\37978e221406de7c9454be93ff242856350231570ca2b7a0575f26ba9bce7617.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2061 = "North Korea Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-512 = "Central Asia Standard Time" C:\Users\Admin\AppData\Local\Temp\37978e221406de7c9454be93ff242856350231570ca2b7a0575f26ba9bce7617.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-31 = "Mid-Atlantic Daylight Time" C:\Users\Admin\AppData\Local\Temp\37978e221406de7c9454be93ff242856350231570ca2b7a0575f26ba9bce7617.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-932 = "Coordinated Universal Time" C:\Users\Admin\AppData\Local\Temp\37978e221406de7c9454be93ff242856350231570ca2b7a0575f26ba9bce7617.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1041 = "Ulaanbaatar Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-442 = "Arabian Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-622 = "Korea Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1801 = "Line Islands Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2771 = "Omsk Daylight Time" C:\Users\Admin\AppData\Local\Temp\37978e221406de7c9454be93ff242856350231570ca2b7a0575f26ba9bce7617.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1832 = "Russia TZ 2 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time" C:\Users\Admin\AppData\Local\Temp\37978e221406de7c9454be93ff242856350231570ca2b7a0575f26ba9bce7617.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-341 = "Egypt Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2872 = "Magallanes Standard Time" C:\Users\Admin\AppData\Local\Temp\37978e221406de7c9454be93ff242856350231570ca2b7a0575f26ba9bce7617.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1822 = "Russia TZ 1 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-961 = "Paraguay Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2511 = "Lord Howe Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-532 = "Sri Lanka Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-202 = "US Mountain Standard Time" C:\Users\Admin\AppData\Local\Temp\37978e221406de7c9454be93ff242856350231570ca2b7a0575f26ba9bce7617.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-462 = "Afghanistan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-384 = "Namibia Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-352 = "FLE Standard Time" C:\Users\Admin\AppData\Local\Temp\37978e221406de7c9454be93ff242856350231570ca2b7a0575f26ba9bce7617.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-631 = "Tokyo Daylight Time" C:\Users\Admin\AppData\Local\Temp\37978e221406de7c9454be93ff242856350231570ca2b7a0575f26ba9bce7617.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2512 = "Lord Howe Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-252 = "Dateline Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-191 = "Mountain Daylight Time" C:\Users\Admin\AppData\Local\Temp\37978e221406de7c9454be93ff242856350231570ca2b7a0575f26ba9bce7617.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1871 = "Russia TZ 7 Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-271 = "Greenwich Daylight Time" C:\Users\Admin\AppData\Local\Temp\37978e221406de7c9454be93ff242856350231570ca2b7a0575f26ba9bce7617.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-911 = "Mauritius Daylight Time" C:\Users\Admin\AppData\Local\Temp\37978e221406de7c9454be93ff242856350231570ca2b7a0575f26ba9bce7617.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-541 = "Myanmar Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-741 = "New Zealand Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1862 = "Russia TZ 6 Standard Time" C:\Users\Admin\AppData\Local\Temp\37978e221406de7c9454be93ff242856350231570ca2b7a0575f26ba9bce7617.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\37978e221406de7c9454be93ff242856350231570ca2b7a0575f26ba9bce7617.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\37978e221406de7c9454be93ff242856350231570ca2b7a0575f26ba9bce7617.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\37978e221406de7c9454be93ff242856350231570ca2b7a0575f26ba9bce7617.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\37978e221406de7c9454be93ff242856350231570ca2b7a0575f26ba9bce7617.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\37978e221406de7c9454be93ff242856350231570ca2b7a0575f26ba9bce7617.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\37978e221406de7c9454be93ff242856350231570ca2b7a0575f26ba9bce7617.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\37978e221406de7c9454be93ff242856350231570ca2b7a0575f26ba9bce7617.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\37978e221406de7c9454be93ff242856350231570ca2b7a0575f26ba9bce7617.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\37978e221406de7c9454be93ff242856350231570ca2b7a0575f26ba9bce7617.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\37978e221406de7c9454be93ff242856350231570ca2b7a0575f26ba9bce7617.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\37978e221406de7c9454be93ff242856350231570ca2b7a0575f26ba9bce7617.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\37978e221406de7c9454be93ff242856350231570ca2b7a0575f26ba9bce7617.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\37978e221406de7c9454be93ff242856350231570ca2b7a0575f26ba9bce7617.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\37978e221406de7c9454be93ff242856350231570ca2b7a0575f26ba9bce7617.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2084 wrote to memory of 648 N/A C:\Users\Admin\AppData\Local\Temp\37978e221406de7c9454be93ff242856350231570ca2b7a0575f26ba9bce7617.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2084 wrote to memory of 648 N/A C:\Users\Admin\AppData\Local\Temp\37978e221406de7c9454be93ff242856350231570ca2b7a0575f26ba9bce7617.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2084 wrote to memory of 648 N/A C:\Users\Admin\AppData\Local\Temp\37978e221406de7c9454be93ff242856350231570ca2b7a0575f26ba9bce7617.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1392 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\37978e221406de7c9454be93ff242856350231570ca2b7a0575f26ba9bce7617.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1392 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\37978e221406de7c9454be93ff242856350231570ca2b7a0575f26ba9bce7617.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1392 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\37978e221406de7c9454be93ff242856350231570ca2b7a0575f26ba9bce7617.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1392 wrote to memory of 4504 N/A C:\Users\Admin\AppData\Local\Temp\37978e221406de7c9454be93ff242856350231570ca2b7a0575f26ba9bce7617.exe C:\Windows\system32\cmd.exe
PID 1392 wrote to memory of 4504 N/A C:\Users\Admin\AppData\Local\Temp\37978e221406de7c9454be93ff242856350231570ca2b7a0575f26ba9bce7617.exe C:\Windows\system32\cmd.exe
PID 4504 wrote to memory of 1596 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4504 wrote to memory of 1596 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1392 wrote to memory of 3320 N/A C:\Users\Admin\AppData\Local\Temp\37978e221406de7c9454be93ff242856350231570ca2b7a0575f26ba9bce7617.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1392 wrote to memory of 3320 N/A C:\Users\Admin\AppData\Local\Temp\37978e221406de7c9454be93ff242856350231570ca2b7a0575f26ba9bce7617.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1392 wrote to memory of 3320 N/A C:\Users\Admin\AppData\Local\Temp\37978e221406de7c9454be93ff242856350231570ca2b7a0575f26ba9bce7617.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1392 wrote to memory of 4620 N/A C:\Users\Admin\AppData\Local\Temp\37978e221406de7c9454be93ff242856350231570ca2b7a0575f26ba9bce7617.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1392 wrote to memory of 4620 N/A C:\Users\Admin\AppData\Local\Temp\37978e221406de7c9454be93ff242856350231570ca2b7a0575f26ba9bce7617.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1392 wrote to memory of 4620 N/A C:\Users\Admin\AppData\Local\Temp\37978e221406de7c9454be93ff242856350231570ca2b7a0575f26ba9bce7617.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1392 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Local\Temp\37978e221406de7c9454be93ff242856350231570ca2b7a0575f26ba9bce7617.exe C:\Windows\rss\csrss.exe
PID 1392 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Local\Temp\37978e221406de7c9454be93ff242856350231570ca2b7a0575f26ba9bce7617.exe C:\Windows\rss\csrss.exe
PID 1392 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Local\Temp\37978e221406de7c9454be93ff242856350231570ca2b7a0575f26ba9bce7617.exe C:\Windows\rss\csrss.exe
PID 2304 wrote to memory of 4836 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2304 wrote to memory of 4836 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2304 wrote to memory of 4836 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2304 wrote to memory of 228 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2304 wrote to memory of 228 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2304 wrote to memory of 228 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2304 wrote to memory of 3964 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2304 wrote to memory of 3964 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2304 wrote to memory of 3964 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2304 wrote to memory of 2552 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 2304 wrote to memory of 2552 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 320 wrote to memory of 2388 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 320 wrote to memory of 2388 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 320 wrote to memory of 2388 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 2388 wrote to memory of 980 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 2388 wrote to memory of 980 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 2388 wrote to memory of 980 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\37978e221406de7c9454be93ff242856350231570ca2b7a0575f26ba9bce7617.exe

"C:\Users\Admin\AppData\Local\Temp\37978e221406de7c9454be93ff242856350231570ca2b7a0575f26ba9bce7617.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\37978e221406de7c9454be93ff242856350231570ca2b7a0575f26ba9bce7617.exe

"C:\Users\Admin\AppData\Local\Temp\37978e221406de7c9454be93ff242856350231570ca2b7a0575f26ba9bce7617.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
BE 88.221.83.219:443 www.bing.com tcp
US 8.8.8.8:53 219.83.221.88.in-addr.arpa udp
BE 88.221.83.219:443 www.bing.com tcp
US 8.8.8.8:53 2dc86a67-696e-4477-9780-f01187a7691c.uuid.myfastupdate.org udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 stun.sipgate.net udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 server11.myfastupdate.org udp
US 15.197.250.192:3478 stun.sipgate.net udp
US 162.159.135.233:443 cdn.discordapp.com tcp
BG 185.82.216.111:443 server11.myfastupdate.org tcp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 carsalessystem.com udp
US 104.21.94.82:443 carsalessystem.com tcp
US 8.8.8.8:53 192.250.197.15.in-addr.arpa udp
US 8.8.8.8:53 233.135.159.162.in-addr.arpa udp
US 8.8.8.8:53 111.216.82.185.in-addr.arpa udp
US 8.8.8.8:53 82.94.21.104.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
BG 185.82.216.111:443 server11.myfastupdate.org tcp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
BG 185.82.216.111:443 server11.myfastupdate.org tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
BG 185.82.216.111:443 server11.myfastupdate.org tcp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vrybkygk.kbl.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 b09433ee753c83657c5124908bff06da
SHA1 72af34b4a940cec08a287d5536145cb0c05cce2a
SHA256 c4dcb57366a1935cd3084ca7d3916ed6a08dd48ea3fc80dde39b6a72de9c08ff
SHA512 705d77bfe215109b753fef4748cb063d17b92f93d5db55317f6fa77b6c74de96f2e79f4f12fe91f23c13d8712a719f0f6d25755c7a259556eca4554660df310f

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 dbc0e8584a9164142a1a4793d12acf0e
SHA1 7d076adbe67139c5989f10586c9485d08449140c
SHA256 7584e7ef51dd27a9acdc9da3d01d90405f3d242a9707137728d26d43f2ed3f86
SHA512 f283a8dd620fc432104ca9754e06e471d1a93d9a29e1137f17fa7401956647c59a8ee0fda22619f66aa00760200146c717aac573936f101a43e921f288187e0f

C:\Windows\rss\csrss.exe

MD5 d607186a125b49d710c32d27381b33b2
SHA1 2168fbf37fa3801e2cdfd44bcfc633c145699172
SHA256 37978e221406de7c9454be93ff242856350231570ca2b7a0575f26ba9bce7617
SHA512 4c3801b74466708e3b503db22530014d0ce686980c426399c263ec3a9fa471cd5c564e775001860ca35c08434f615f6a4f11298453c78a074a875ef139b17183

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 989bf865f9597ec772402c90944e3b91
SHA1 97ed0879c50bb74c96570d2626a5ddefba3776cf
SHA256 ea1b070be40148d44f8fc3d14fda0f9b6e45f488a6dd485f75ba94cf4f3b2348
SHA512 475af4e26bc5e054934c2a137639d547b9b6611ea4d296d49a905269acea1f56361fd55cbcd8fae656351bc61b3ed3032ff2d7df1c8f58885e6eafe856789859

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 ea0647ab0a38ab4fdb23fc752e0aa64b
SHA1 a8e25faa6373050965b307ad464d60877b2e3676
SHA256 6bfff94be903891ee1140cd4b0564ee55ae4d23e5d62609a39430620dbb9b393
SHA512 1218e060c0392e621b0e28012f572963d68659957a4ff66060d5b2473f51b64f782d5b5ad07e29a48e428d5e81c87906425cadd26eafb18116207443c2cde5fc

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 28e145624ffab34c4751d9a11d796492
SHA1 1f1ad81f5f1a49a96501dad645a51cadcfc8ed37
SHA256 3d03d71f38e7681fdc28ad5e40b577613f6dae1f324c549aea3c9157480227cc
SHA512 c2bbb6c430e960a6c412a6588c436df885f65ebcc82398de3e7df3e1d5cff7d1897b21d6305b8c4477c3a3ba3c2cabfc70bdd139a8e90d489e29d11876d98e68

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-16 04:33

Reported

2024-05-16 04:36

Platform

win11-20240508-en

Max time kernel

149s

Max time network

134s

Command Line

"C:\Users\Admin\AppData\Local\Temp\37978e221406de7c9454be93ff242856350231570ca2b7a0575f26ba9bce7617.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload


Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\37978e221406de7c9454be93ff242856350231570ca2b7a0575f26ba9bce7617.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\37978e221406de7c9454be93ff242856350231570ca2b7a0575f26ba9bce7617.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\37978e221406de7c9454be93ff242856350231570ca2b7a0575f26ba9bce7617.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\37978e221406de7c9454be93ff242856350231570ca2b7a0575f26ba9bce7617.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-151 = "Central America Daylight Time" C:\Users\Admin\AppData\Local\Temp\37978e221406de7c9454be93ff242856350231570ca2b7a0575f26ba9bce7617.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-282 = "Central Europe Standard Time" C:\Users\Admin\AppData\Local\Temp\37978e221406de7c9454be93ff242856350231570ca2b7a0575f26ba9bce7617.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-161 = "Central Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-792 = "SA Western Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2322 = "Sakhalin Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-222 = "Alaskan Standard Time" C:\Users\Admin\AppData\Local\Temp\37978e221406de7c9454be93ff242856350231570ca2b7a0575f26ba9bce7617.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-202 = "US Mountain Standard Time" C:\Users\Admin\AppData\Local\Temp\37978e221406de7c9454be93ff242856350231570ca2b7a0575f26ba9bce7617.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-441 = "Arabian Daylight Time" C:\Users\Admin\AppData\Local\Temp\37978e221406de7c9454be93ff242856350231570ca2b7a0575f26ba9bce7617.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1662 = "Bahia Standard Time" C:\Users\Admin\AppData\Local\Temp\37978e221406de7c9454be93ff242856350231570ca2b7a0575f26ba9bce7617.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-282 = "Central Europe Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-721 = "Central Pacific Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-212 = "Pacific Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-832 = "SA Eastern Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-531 = "Sri Lanka Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-335 = "Jordan Standard Time" C:\Users\Admin\AppData\Local\Temp\37978e221406de7c9454be93ff242856350231570ca2b7a0575f26ba9bce7617.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2942 = "Sao Tome Standard Time" C:\Users\Admin\AppData\Local\Temp\37978e221406de7c9454be93ff242856350231570ca2b7a0575f26ba9bce7617.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-111 = "Eastern Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-632 = "Tokyo Standard Time" C:\Users\Admin\AppData\Local\Temp\37978e221406de7c9454be93ff242856350231570ca2b7a0575f26ba9bce7617.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-52 = "Greenland Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-335 = "Jordan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-912 = "Mauritius Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-201 = "US Mountain Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-911 = "Mauritius Daylight Time" C:\Users\Admin\AppData\Local\Temp\37978e221406de7c9454be93ff242856350231570ca2b7a0575f26ba9bce7617.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1412 = "Syria Standard Time" C:\Users\Admin\AppData\Local\Temp\37978e221406de7c9454be93ff242856350231570ca2b7a0575f26ba9bce7617.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-691 = "Tasmania Daylight Time" C:\Users\Admin\AppData\Local\Temp\37978e221406de7c9454be93ff242856350231570ca2b7a0575f26ba9bce7617.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-512 = "Central Asia Standard Time" C:\Users\Admin\AppData\Local\Temp\37978e221406de7c9454be93ff242856350231570ca2b7a0575f26ba9bce7617.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2371 = "Easter Island Daylight Time" C:\Users\Admin\AppData\Local\Temp\37978e221406de7c9454be93ff242856350231570ca2b7a0575f26ba9bce7617.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-872 = "Pakistan Standard Time" C:\Users\Admin\AppData\Local\Temp\37978e221406de7c9454be93ff242856350231570ca2b7a0575f26ba9bce7617.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1971 = "Belarus Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1931 = "Russia TZ 11 Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-281 = "Central Europe Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1471 = "Magadan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-962 = "Paraguay Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-492 = "India Standard Time" C:\Users\Admin\AppData\Local\Temp\37978e221406de7c9454be93ff242856350231570ca2b7a0575f26ba9bce7617.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2511 = "Lord Howe Daylight Time" C:\Users\Admin\AppData\Local\Temp\37978e221406de7c9454be93ff242856350231570ca2b7a0575f26ba9bce7617.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-731 = "Fiji Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-434 = "Georgian Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-72 = "Newfoundland Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2791 = "Novosibirsk Daylight Time" C:\Users\Admin\AppData\Local\Temp\37978e221406de7c9454be93ff242856350231570ca2b7a0575f26ba9bce7617.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2941 = "Sao Tome Daylight Time" C:\Users\Admin\AppData\Local\Temp\37978e221406de7c9454be93ff242856350231570ca2b7a0575f26ba9bce7617.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1041 = "Ulaanbaatar Daylight Time" C:\Users\Admin\AppData\Local\Temp\37978e221406de7c9454be93ff242856350231570ca2b7a0575f26ba9bce7617.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-891 = "Morocco Daylight Time" C:\Windows\windefender.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\37978e221406de7c9454be93ff242856350231570ca2b7a0575f26ba9bce7617.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\37978e221406de7c9454be93ff242856350231570ca2b7a0575f26ba9bce7617.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\37978e221406de7c9454be93ff242856350231570ca2b7a0575f26ba9bce7617.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\37978e221406de7c9454be93ff242856350231570ca2b7a0575f26ba9bce7617.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\37978e221406de7c9454be93ff242856350231570ca2b7a0575f26ba9bce7617.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\37978e221406de7c9454be93ff242856350231570ca2b7a0575f26ba9bce7617.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\37978e221406de7c9454be93ff242856350231570ca2b7a0575f26ba9bce7617.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\37978e221406de7c9454be93ff242856350231570ca2b7a0575f26ba9bce7617.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\37978e221406de7c9454be93ff242856350231570ca2b7a0575f26ba9bce7617.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\37978e221406de7c9454be93ff242856350231570ca2b7a0575f26ba9bce7617.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\37978e221406de7c9454be93ff242856350231570ca2b7a0575f26ba9bce7617.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\37978e221406de7c9454be93ff242856350231570ca2b7a0575f26ba9bce7617.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\37978e221406de7c9454be93ff242856350231570ca2b7a0575f26ba9bce7617.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\37978e221406de7c9454be93ff242856350231570ca2b7a0575f26ba9bce7617.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5064 wrote to memory of 3564 N/A C:\Users\Admin\AppData\Local\Temp\37978e221406de7c9454be93ff242856350231570ca2b7a0575f26ba9bce7617.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5064 wrote to memory of 3564 N/A C:\Users\Admin\AppData\Local\Temp\37978e221406de7c9454be93ff242856350231570ca2b7a0575f26ba9bce7617.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5064 wrote to memory of 3564 N/A C:\Users\Admin\AppData\Local\Temp\37978e221406de7c9454be93ff242856350231570ca2b7a0575f26ba9bce7617.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2208 wrote to memory of 4100 N/A C:\Users\Admin\AppData\Local\Temp\37978e221406de7c9454be93ff242856350231570ca2b7a0575f26ba9bce7617.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2208 wrote to memory of 4100 N/A C:\Users\Admin\AppData\Local\Temp\37978e221406de7c9454be93ff242856350231570ca2b7a0575f26ba9bce7617.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2208 wrote to memory of 4100 N/A C:\Users\Admin\AppData\Local\Temp\37978e221406de7c9454be93ff242856350231570ca2b7a0575f26ba9bce7617.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2208 wrote to memory of 4384 N/A C:\Users\Admin\AppData\Local\Temp\37978e221406de7c9454be93ff242856350231570ca2b7a0575f26ba9bce7617.exe C:\Windows\system32\cmd.exe
PID 2208 wrote to memory of 4384 N/A C:\Users\Admin\AppData\Local\Temp\37978e221406de7c9454be93ff242856350231570ca2b7a0575f26ba9bce7617.exe C:\Windows\system32\cmd.exe
PID 4384 wrote to memory of 3576 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4384 wrote to memory of 3576 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2208 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\37978e221406de7c9454be93ff242856350231570ca2b7a0575f26ba9bce7617.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2208 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\37978e221406de7c9454be93ff242856350231570ca2b7a0575f26ba9bce7617.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2208 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\37978e221406de7c9454be93ff242856350231570ca2b7a0575f26ba9bce7617.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2208 wrote to memory of 3700 N/A C:\Users\Admin\AppData\Local\Temp\37978e221406de7c9454be93ff242856350231570ca2b7a0575f26ba9bce7617.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2208 wrote to memory of 3700 N/A C:\Users\Admin\AppData\Local\Temp\37978e221406de7c9454be93ff242856350231570ca2b7a0575f26ba9bce7617.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2208 wrote to memory of 3700 N/A C:\Users\Admin\AppData\Local\Temp\37978e221406de7c9454be93ff242856350231570ca2b7a0575f26ba9bce7617.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2208 wrote to memory of 3084 N/A C:\Users\Admin\AppData\Local\Temp\37978e221406de7c9454be93ff242856350231570ca2b7a0575f26ba9bce7617.exe C:\Windows\rss\csrss.exe
PID 2208 wrote to memory of 3084 N/A C:\Users\Admin\AppData\Local\Temp\37978e221406de7c9454be93ff242856350231570ca2b7a0575f26ba9bce7617.exe C:\Windows\rss\csrss.exe
PID 2208 wrote to memory of 3084 N/A C:\Users\Admin\AppData\Local\Temp\37978e221406de7c9454be93ff242856350231570ca2b7a0575f26ba9bce7617.exe C:\Windows\rss\csrss.exe
PID 3084 wrote to memory of 1376 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3084 wrote to memory of 1376 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3084 wrote to memory of 1376 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3084 wrote to memory of 220 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3084 wrote to memory of 220 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3084 wrote to memory of 220 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3084 wrote to memory of 1500 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3084 wrote to memory of 1500 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3084 wrote to memory of 1500 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3084 wrote to memory of 1032 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 3084 wrote to memory of 1032 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 3344 wrote to memory of 5072 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 3344 wrote to memory of 5072 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 3344 wrote to memory of 5072 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 5072 wrote to memory of 3312 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 5072 wrote to memory of 3312 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 5072 wrote to memory of 3312 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\37978e221406de7c9454be93ff242856350231570ca2b7a0575f26ba9bce7617.exe

"C:\Users\Admin\AppData\Local\Temp\37978e221406de7c9454be93ff242856350231570ca2b7a0575f26ba9bce7617.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\37978e221406de7c9454be93ff242856350231570ca2b7a0575f26ba9bce7617.exe

"C:\Users\Admin\AppData\Local\Temp\37978e221406de7c9454be93ff242856350231570ca2b7a0575f26ba9bce7617.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 89507af2-b8c5-4d46-aee1-21cd99bbe7e6.uuid.myfastupdate.org udp
US 8.8.8.8:53 server8.myfastupdate.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 74.125.250.129:19302 stun4.l.google.com udp
BG 185.82.216.111:443 server8.myfastupdate.org tcp
US 172.67.221.71:443 carsalessystem.com tcp
BG 185.82.216.111:443 server8.myfastupdate.org tcp
IE 52.111.236.22:443 tcp
BG 185.82.216.111:443 server8.myfastupdate.org tcp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4nlrxc23.xsu.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 ac4917a885cf6050b1a483e4bc4d2ea5
SHA1 b1c0a9f27bd21c6bbb8e9be70db8777b4a2a640f
SHA256 e39062a62c3c7617feeeff95ea8a0be51104a0d36f46e44eea22556fda74d8d9
SHA512 092c67a3ecae1d187cad72a8ea1ea37cb78a0cf79c2cd7fb88953e5990669a2e871267015762fd46d274badb88ac0c1d73b00f1df7394d89bed48a3a45c2ba3d

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 ec5d59ac1fb8c5ed6a0dcf3cd2aa9399
SHA1 2ead30ad97b4094de4649837ca75c72e889429b0
SHA256 a376733b63d92ebcb349c6e9827c1761bc639c4b84115fa74bf6caeecd4be98e
SHA512 748b9ed1f46a9fe5167c71cd2ec1a9d1eb29ddc8c488fcbdb2e0c0cc8266f88ac02bbb9b4ac734d5e53d90877baa1ed07d573d2e1565196d24162aabfe0c6438

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 ec7373a1e70ba3122c291adb5629a47b
SHA1 c80a8d14f49639fb0d2f236d0523fd6f05b669d5
SHA256 eeb2470c9ad34659987ff7791591b208eefed5581d0ba41b5335bc0de85214b3
SHA512 f08590b795dd4a14334cb240219810881414909d90127bef602163f6454a6be90b9edcd2eb5ff7929abbec2f99d3a7430a89e96ad3ec3a39b869c02a11ef7e10

C:\Windows\rss\csrss.exe

MD5 d607186a125b49d710c32d27381b33b2
SHA1 2168fbf37fa3801e2cdfd44bcfc633c145699172
SHA256 37978e221406de7c9454be93ff242856350231570ca2b7a0575f26ba9bce7617
SHA512 4c3801b74466708e3b503db22530014d0ce686980c426399c263ec3a9fa471cd5c564e775001860ca35c08434f615f6a4f11298453c78a074a875ef139b17183

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 c99f9a9bf5de6c3a7386b78db058bcac
SHA1 b2b02c0a37be971dbbd754e4cb85956cbebe4569
SHA256 ccd96c52cf483f714d51289c87b0267cb1386b3e24a72016d70879d6271a6016
SHA512 bd8817b813d92f4093eeed36cd9e62c5eec49648e5a513b38641a0ccf76431aa2c61c16e14fd707fb8dad4dd75000f73c778602acd7ebdf4dafbb17f2b72459f

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 47cc549d603121cb717c13c63cfdbc18
SHA1 1272985084822a0f547f7da3dd8e80cec4818858
SHA256 09bd6de25880fb4db4cd86fda6e0657638131904e4b27273b03ffc8ad8e78076
SHA512 1a90a84ceffdc463ab734e35cec0fb0a4823e9e3c333a76e0358f13ab4d28247e15e0519ea164f4c653a71a88466ceaa8f8676a8906ae0e434dc6f8fafe5fa86

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 51841a6ef1f613131cd116d467c12fac
SHA1 4aeb729a8ad9864f35927b09e0ff7498fa9430eb
SHA256 cff9b8b396d7005f3bdf82230a1d98e82fe8562a601b7b76c17bc201c94c1ab2
SHA512 f83cf52949f16ee988ed2ff54837d64dcee457bc373b024cc177439f7073464983cf201541edee158b6917dec7c25d2b291a7b9685d265000ce490e30aac0150

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec
