Malware Analysis Report

2024-12-08 02:04

Sample ID 240516-met7gaga2y
Target 5aa07ee45b591e48f20f14dd794ecdb1e5e6e695a566ac53fa68d327940623af
SHA256 5aa07ee45b591e48f20f14dd794ecdb1e5e6e695a566ac53fa68d327940623af
Tags glupteba discovery dropper evasion execution loader persistence rootkit upx
Score 10/10

Analysis Overview

Score 10/10

SHA256 5aa07ee45b591e48f20f14dd794ecdb1e5e6e695a566ac53fa68d327940623af

Threat Level: Known bad

The file 5aa07ee45b591e48f20f14dd794ecdb1e5e6e695a566ac53fa68d327940623af was found to be: Known bad.

Malicious Activity Summary

glupteba discovery dropper evasion execution loader persistence rootkit upx

Glupteba

Glupteba payload

Modifies Windows Firewall

Executes dropped EXE

UPX packed file

Checks installed software on the system

Manipulates WinMonFS driver

Adds Run key to start application

Drops file in System32 directory

Drops file in Windows directory

Checks for VirtualBox DLLs, possible anti-VM trick

Launches sc.exe

Command and Scripting Interpreter: PowerShell

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Modifies data under HKEY_USERS

Creates scheduled task(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-05-16 10:23

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-05-16 10:23

Reported 2024-05-16 10:25

Platform win10v2004-20240426-en

Max time kernel 150s

Max time network 127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5aa07ee45b591e48f20f14dd794ecdb1e5e6e695a566ac53fa68d327940623af.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
(19 matches, no details recorded)

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Description Indicator Process Target
(7 matches, no details recorded)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\5aa07ee45b591e48f20f14dd794ecdb1e5e6e695a566ac53fa68d327940623af.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\5aa07ee45b591e48f20f14dd794ecdb1e5e6e695a566ac53fa68d327940623af.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\5aa07ee45b591e48f20f14dd794ecdb1e5e6e695a566ac53fa68d327940623af.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\5aa07ee45b591e48f20f14dd794ecdb1e5e6e695a566ac53fa68d327940623af.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-291 = "Central European Daylight Time" C:\Users\Admin\AppData\Local\Temp\5aa07ee45b591e48f20f14dd794ecdb1e5e6e695a566ac53fa68d327940623af.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2161 = "Altai Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time" C:\Users\Admin\AppData\Local\Temp\5aa07ee45b591e48f20f14dd794ecdb1e5e6e695a566ac53fa68d327940623af.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-172 = "Central Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\5aa07ee45b591e48f20f14dd794ecdb1e5e6e695a566ac53fa68d327940623af.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-112 = "Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\5aa07ee45b591e48f20f14dd794ecdb1e5e6e695a566ac53fa68d327940623af.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-512 = "Central Asia Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2042 = "Eastern Standard Time (Mexico)" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-622 = "Korea Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-662 = "Cen. Australia Standard Time" C:\Users\Admin\AppData\Local\Temp\5aa07ee45b591e48f20f14dd794ecdb1e5e6e695a566ac53fa68d327940623af.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2512 = "Lord Howe Standard Time" C:\Users\Admin\AppData\Local\Temp\5aa07ee45b591e48f20f14dd794ecdb1e5e6e695a566ac53fa68d327940623af.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2141 = "Transbaikal Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-872 = "Pakistan Standard Time" C:\Users\Admin\AppData\Local\Temp\5aa07ee45b591e48f20f14dd794ecdb1e5e6e695a566ac53fa68d327940623af.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-122 = "SA Pacific Standard Time" C:\Users\Admin\AppData\Local\Temp\5aa07ee45b591e48f20f14dd794ecdb1e5e6e695a566ac53fa68d327940623af.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2892 = "Sudan Standard Time" C:\Users\Admin\AppData\Local\Temp\5aa07ee45b591e48f20f14dd794ecdb1e5e6e695a566ac53fa68d327940623af.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-911 = "Mauritius Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2181 = "Astrakhan Daylight Time" C:\Users\Admin\AppData\Local\Temp\5aa07ee45b591e48f20f14dd794ecdb1e5e6e695a566ac53fa68d327940623af.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1721 = "Libya Daylight Time" C:\Users\Admin\AppData\Local\Temp\5aa07ee45b591e48f20f14dd794ecdb1e5e6e695a566ac53fa68d327940623af.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1891 = "Russia TZ 3 Daylight Time" C:\Users\Admin\AppData\Local\Temp\5aa07ee45b591e48f20f14dd794ecdb1e5e6e695a566ac53fa68d327940623af.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-3142 = "South Sudan Standard Time" C:\Users\Admin\AppData\Local\Temp\5aa07ee45b591e48f20f14dd794ecdb1e5e6e695a566ac53fa68d327940623af.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-32 = "Mid-Atlantic Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1022 = "Bangladesh Standard Time" C:\Users\Admin\AppData\Local\Temp\5aa07ee45b591e48f20f14dd794ecdb1e5e6e695a566ac53fa68d327940623af.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1911 = "Russia TZ 10 Daylight Time" C:\Users\Admin\AppData\Local\Temp\5aa07ee45b591e48f20f14dd794ecdb1e5e6e695a566ac53fa68d327940623af.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1972 = "Belarus Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-141 = "Canada Central Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-435 = "Georgian Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-372 = "Jerusalem Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-42 = "E. South America Standard Time" C:\Users\Admin\AppData\Local\Temp\5aa07ee45b591e48f20f14dd794ecdb1e5e6e695a566ac53fa68d327940623af.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-241 = "Samoa Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2631 = "Norfolk Daylight Time" C:\Users\Admin\AppData\Local\Temp\5aa07ee45b591e48f20f14dd794ecdb1e5e6e695a566ac53fa68d327940623af.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1502 = "Turkey Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-162 = "Central Standard Time" C:\Users\Admin\AppData\Local\Temp\5aa07ee45b591e48f20f14dd794ecdb1e5e6e695a566ac53fa68d327940623af.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-364 = "Middle East Daylight Time" C:\Users\Admin\AppData\Local\Temp\5aa07ee45b591e48f20f14dd794ecdb1e5e6e695a566ac53fa68d327940623af.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-131 = "US Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\5aa07ee45b591e48f20f14dd794ecdb1e5e6e695a566ac53fa68d327940623af.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2842 = "Saratov Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2771 = "Omsk Daylight Time" C:\Users\Admin\AppData\Local\Temp\5aa07ee45b591e48f20f14dd794ecdb1e5e6e695a566ac53fa68d327940623af.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-221 = "Alaskan Daylight Time" C:\Windows\windefender.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5aa07ee45b591e48f20f14dd794ecdb1e5e6e695a566ac53fa68d327940623af.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5aa07ee45b591e48f20f14dd794ecdb1e5e6e695a566ac53fa68d327940623af.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5aa07ee45b591e48f20f14dd794ecdb1e5e6e695a566ac53fa68d327940623af.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5aa07ee45b591e48f20f14dd794ecdb1e5e6e695a566ac53fa68d327940623af.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5aa07ee45b591e48f20f14dd794ecdb1e5e6e695a566ac53fa68d327940623af.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5aa07ee45b591e48f20f14dd794ecdb1e5e6e695a566ac53fa68d327940623af.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5aa07ee45b591e48f20f14dd794ecdb1e5e6e695a566ac53fa68d327940623af.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5aa07ee45b591e48f20f14dd794ecdb1e5e6e695a566ac53fa68d327940623af.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5aa07ee45b591e48f20f14dd794ecdb1e5e6e695a566ac53fa68d327940623af.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5aa07ee45b591e48f20f14dd794ecdb1e5e6e695a566ac53fa68d327940623af.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5aa07ee45b591e48f20f14dd794ecdb1e5e6e695a566ac53fa68d327940623af.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5aa07ee45b591e48f20f14dd794ecdb1e5e6e695a566ac53fa68d327940623af.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5aa07ee45b591e48f20f14dd794ecdb1e5e6e695a566ac53fa68d327940623af.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\5aa07ee45b591e48f20f14dd794ecdb1e5e6e695a566ac53fa68d327940623af.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4756 wrote to memory of 3652 N/A C:\Users\Admin\AppData\Local\Temp\5aa07ee45b591e48f20f14dd794ecdb1e5e6e695a566ac53fa68d327940623af.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4756 wrote to memory of 3652 N/A C:\Users\Admin\AppData\Local\Temp\5aa07ee45b591e48f20f14dd794ecdb1e5e6e695a566ac53fa68d327940623af.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4756 wrote to memory of 3652 N/A C:\Users\Admin\AppData\Local\Temp\5aa07ee45b591e48f20f14dd794ecdb1e5e6e695a566ac53fa68d327940623af.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3024 wrote to memory of 216 N/A C:\Users\Admin\AppData\Local\Temp\5aa07ee45b591e48f20f14dd794ecdb1e5e6e695a566ac53fa68d327940623af.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3024 wrote to memory of 216 N/A C:\Users\Admin\AppData\Local\Temp\5aa07ee45b591e48f20f14dd794ecdb1e5e6e695a566ac53fa68d327940623af.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3024 wrote to memory of 216 N/A C:\Users\Admin\AppData\Local\Temp\5aa07ee45b591e48f20f14dd794ecdb1e5e6e695a566ac53fa68d327940623af.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3024 wrote to memory of 1160 N/A C:\Users\Admin\AppData\Local\Temp\5aa07ee45b591e48f20f14dd794ecdb1e5e6e695a566ac53fa68d327940623af.exe C:\Windows\system32\cmd.exe
PID 3024 wrote to memory of 1160 N/A C:\Users\Admin\AppData\Local\Temp\5aa07ee45b591e48f20f14dd794ecdb1e5e6e695a566ac53fa68d327940623af.exe C:\Windows\system32\cmd.exe
PID 1160 wrote to memory of 60 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1160 wrote to memory of 60 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3024 wrote to memory of 1800 N/A C:\Users\Admin\AppData\Local\Temp\5aa07ee45b591e48f20f14dd794ecdb1e5e6e695a566ac53fa68d327940623af.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3024 wrote to memory of 1800 N/A C:\Users\Admin\AppData\Local\Temp\5aa07ee45b591e48f20f14dd794ecdb1e5e6e695a566ac53fa68d327940623af.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3024 wrote to memory of 1800 N/A C:\Users\Admin\AppData\Local\Temp\5aa07ee45b591e48f20f14dd794ecdb1e5e6e695a566ac53fa68d327940623af.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3024 wrote to memory of 3708 N/A C:\Users\Admin\AppData\Local\Temp\5aa07ee45b591e48f20f14dd794ecdb1e5e6e695a566ac53fa68d327940623af.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3024 wrote to memory of 3708 N/A C:\Users\Admin\AppData\Local\Temp\5aa07ee45b591e48f20f14dd794ecdb1e5e6e695a566ac53fa68d327940623af.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3024 wrote to memory of 3708 N/A C:\Users\Admin\AppData\Local\Temp\5aa07ee45b591e48f20f14dd794ecdb1e5e6e695a566ac53fa68d327940623af.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3024 wrote to memory of 1048 N/A C:\Users\Admin\AppData\Local\Temp\5aa07ee45b591e48f20f14dd794ecdb1e5e6e695a566ac53fa68d327940623af.exe C:\Windows\rss\csrss.exe
PID 3024 wrote to memory of 1048 N/A C:\Users\Admin\AppData\Local\Temp\5aa07ee45b591e48f20f14dd794ecdb1e5e6e695a566ac53fa68d327940623af.exe C:\Windows\rss\csrss.exe
PID 3024 wrote to memory of 1048 N/A C:\Users\Admin\AppData\Local\Temp\5aa07ee45b591e48f20f14dd794ecdb1e5e6e695a566ac53fa68d327940623af.exe C:\Windows\rss\csrss.exe
PID 1048 wrote to memory of 2332 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1048 wrote to memory of 2332 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1048 wrote to memory of 2332 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1048 wrote to memory of 216 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1048 wrote to memory of 216 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1048 wrote to memory of 216 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1048 wrote to memory of 2016 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1048 wrote to memory of 2016 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1048 wrote to memory of 2016 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1048 wrote to memory of 4880 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 1048 wrote to memory of 4880 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 4616 wrote to memory of 4376 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 4616 wrote to memory of 4376 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 4616 wrote to memory of 4376 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 4376 wrote to memory of 4496 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 4376 wrote to memory of 4496 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 4376 wrote to memory of 4496 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\5aa07ee45b591e48f20f14dd794ecdb1e5e6e695a566ac53fa68d327940623af.exe

"C:\Users\Admin\AppData\Local\Temp\5aa07ee45b591e48f20f14dd794ecdb1e5e6e695a566ac53fa68d327940623af.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\5aa07ee45b591e48f20f14dd794ecdb1e5e6e695a566ac53fa68d327940623af.exe

"C:\Users\Admin\AppData\Local\Temp\5aa07ee45b591e48f20f14dd794ecdb1e5e6e695a566ac53fa68d327940623af.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network


Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_puefhljz.ok2.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 dae69f4699933c6763761d8954b538bb
SHA1 5e5aef859a1c9b3b7d6742815901c86d482775d6
SHA256 f364ec50aa2520b593790c54a4620335414ef4bcff6a6d4f1130228d7894c3bb
SHA512 140f859c73604a894dc99520cc1f510da1a6a0977ebba40ecc687f30e1edbde22a4c6790fb153f4ac8b2b18aacdab3ca4fd33ee4b90596e481bd63738ec2b2db

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 72b6ad3ac061fa4b0ce99de0df6e503a
SHA1 a1c92339e8757d1a3f5039d482f50e535f2896dd
SHA256 9d52c3a1e56ba635ca6f3184c55ed6f8bc3116518e036073c30f8a5e52006d23
SHA512 8d116acf4fe7feeeca91f90758c4da2cd5a6d586fd5b673a872eefd295ffe7b97710571a21527623d87f60059217b83aa50f827058c187c321e8636a8923f878

C:\Windows\rss\csrss.exe

MD5 974f4810c8505e86a531a72e16f0a15b
SHA1 974b32aea0e50d60e81a1aa4e4e5f1c43d6d065f
SHA256 5aa07ee45b591e48f20f14dd794ecdb1e5e6e695a566ac53fa68d327940623af
SHA512 6030a08684e582eb9f99f199fad9c60638b9e2eb18cee1c7deb49a09d92cd9f7c8ea28ceb3df4e6acade1a6724318d67ec7782421c689982a9a9718d0f18e8e9

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 4f723f7286f38de2ad3068a2c008887f
SHA1 1eb0a76f6d9f7d78d3afc9328373d8d3f36a4d56
SHA256 8252708a5dbc90c20d7eefaa11126a2e41be642a9f4e5d393528bb4ccf4ede50
SHA512 c2e7c2a28389ac7a78aa0a163cc2d863342872fc58199e240d8845a8e161fe71962e97de0057ce66203fb5d34590212fb851bd6134d15f63c42adb70eb91423b

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 c656ec5bfb5edd838e495333277695a4
SHA1 f51fc58fea5a940d640aed7a46db15cdd8f20562
SHA256 d75cb4682f25197adffff86b64d26570e8ce640eecbb2c68ad81ddb045966409
SHA512 e550150388eab5bc9e62cfcb9c7f492093885e0d3d07912e656762163f8f184c52bd68dfe38703fd7af7fea0b21db4f7d6f84b680c62b54745ce4ce41549412b

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 4be1c13e39cf727954b90e34968180a6
SHA1 94db59da8808ac0e35b4c3ee9ca171e39320b71e
SHA256 23907bdce8078460c327c8fbf1b701e12b72953749aedbffc7c239c2e85c1107
SHA512 e5fa12349bb579cb681ce4bf19b9029be92a6722090a1ffa3c2fb5183d99973016a7aea5797ba4a9b12240cd28c3dfe8b33aa198c0bd3a45ce306f64fc8925bf

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-16 10:23

Reported

2024-05-16 10:25

Platform

win11-20240426-en

Max time kernel

149s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5aa07ee45b591e48f20f14dd794ecdb1e5e6e695a566ac53fa68d327940623af.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\5aa07ee45b591e48f20f14dd794ecdb1e5e6e695a566ac53fa68d327940623af.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\5aa07ee45b591e48f20f14dd794ecdb1e5e6e695a566ac53fa68d327940623af.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\5aa07ee45b591e48f20f14dd794ecdb1e5e6e695a566ac53fa68d327940623af.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\5aa07ee45b591e48f20f14dd794ecdb1e5e6e695a566ac53fa68d327940623af.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-262 = "GMT Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2412 = "Marquesas Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2771 = "Omsk Daylight Time" C:\Users\Admin\AppData\Local\Temp\5aa07ee45b591e48f20f14dd794ecdb1e5e6e695a566ac53fa68d327940623af.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1661 = "Bahia Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-241 = "Samoa Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1411 = "Syria Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-752 = "Tonga Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-142 = "Canada Central Standard Time" C:\Users\Admin\AppData\Local\Temp\5aa07ee45b591e48f20f14dd794ecdb1e5e6e695a566ac53fa68d327940623af.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-962 = "Paraguay Standard Time" C:\Users\Admin\AppData\Local\Temp\5aa07ee45b591e48f20f14dd794ecdb1e5e6e695a566ac53fa68d327940623af.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-592 = "Malay Peninsula Standard Time" C:\Users\Admin\AppData\Local\Temp\5aa07ee45b591e48f20f14dd794ecdb1e5e6e695a566ac53fa68d327940623af.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2612 = "Bougainville Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-282 = "Central Europe Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2511 = "Lord Howe Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2591 = "Tocantins Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1022 = "Bangladesh Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-302 = "Romance Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1502 = "Turkey Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-252 = "Dateline Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1822 = "Russia TZ 1 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-31 = "Mid-Atlantic Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-301 = "Romance Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1041 = "Ulaanbaatar Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-131 = "US Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\5aa07ee45b591e48f20f14dd794ecdb1e5e6e695a566ac53fa68d327940623af.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2611 = "Bougainville Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1021 = "Bangladesh Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2512 = "Lord Howe Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time" C:\Users\Admin\AppData\Local\Temp\5aa07ee45b591e48f20f14dd794ecdb1e5e6e695a566ac53fa68d327940623af.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1891 = "Russia TZ 3 Daylight Time" C:\Users\Admin\AppData\Local\Temp\5aa07ee45b591e48f20f14dd794ecdb1e5e6e695a566ac53fa68d327940623af.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1502 = "Turkey Standard Time" C:\Users\Admin\AppData\Local\Temp\5aa07ee45b591e48f20f14dd794ecdb1e5e6e695a566ac53fa68d327940623af.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2632 = "Norfolk Standard Time" C:\Users\Admin\AppData\Local\Temp\5aa07ee45b591e48f20f14dd794ecdb1e5e6e695a566ac53fa68d327940623af.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-91 = "Pacific SA Daylight Time" C:\Users\Admin\AppData\Local\Temp\5aa07ee45b591e48f20f14dd794ecdb1e5e6e695a566ac53fa68d327940623af.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2751 = "Tomsk Daylight Time" C:\Users\Admin\AppData\Local\Temp\5aa07ee45b591e48f20f14dd794ecdb1e5e6e695a566ac53fa68d327940623af.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-411 = "E. Africa Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1972 = "Belarus Standard Time" C:\Users\Admin\AppData\Local\Temp\5aa07ee45b591e48f20f14dd794ecdb1e5e6e695a566ac53fa68d327940623af.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-981 = "Kamchatka Daylight Time" C:\Users\Admin\AppData\Local\Temp\5aa07ee45b591e48f20f14dd794ecdb1e5e6e695a566ac53fa68d327940623af.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-181 = "Mountain Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\5aa07ee45b591e48f20f14dd794ecdb1e5e6e695a566ac53fa68d327940623af.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-362 = "GTB Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-211 = "Pacific Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1892 = "Russia TZ 3 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1661 = "Bahia Daylight Time" C:\Users\Admin\AppData\Local\Temp\5aa07ee45b591e48f20f14dd794ecdb1e5e6e695a566ac53fa68d327940623af.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-202 = "US Mountain Standard Time" C:\Users\Admin\AppData\Local\Temp\5aa07ee45b591e48f20f14dd794ecdb1e5e6e695a566ac53fa68d327940623af.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-931 = "Coordinated Universal Time" C:\Users\Admin\AppData\Local\Temp\5aa07ee45b591e48f20f14dd794ecdb1e5e6e695a566ac53fa68d327940623af.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-512 = "Central Asia Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-352 = "FLE Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1832 = "Russia TZ 2 Standard Time" C:\Users\Admin\AppData\Local\Temp\5aa07ee45b591e48f20f14dd794ecdb1e5e6e695a566ac53fa68d327940623af.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1041 = "Ulaanbaatar Daylight Time" C:\Users\Admin\AppData\Local\Temp\5aa07ee45b591e48f20f14dd794ecdb1e5e6e695a566ac53fa68d327940623af.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5aa07ee45b591e48f20f14dd794ecdb1e5e6e695a566ac53fa68d327940623af.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5aa07ee45b591e48f20f14dd794ecdb1e5e6e695a566ac53fa68d327940623af.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5aa07ee45b591e48f20f14dd794ecdb1e5e6e695a566ac53fa68d327940623af.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5aa07ee45b591e48f20f14dd794ecdb1e5e6e695a566ac53fa68d327940623af.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5aa07ee45b591e48f20f14dd794ecdb1e5e6e695a566ac53fa68d327940623af.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5aa07ee45b591e48f20f14dd794ecdb1e5e6e695a566ac53fa68d327940623af.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5aa07ee45b591e48f20f14dd794ecdb1e5e6e695a566ac53fa68d327940623af.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5aa07ee45b591e48f20f14dd794ecdb1e5e6e695a566ac53fa68d327940623af.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5aa07ee45b591e48f20f14dd794ecdb1e5e6e695a566ac53fa68d327940623af.exe N/A (4 identical rows)
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A (10 identical rows)
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A (32 identical rows)
N/A N/A C:\Windows\rss\csrss.exe N/A (6 identical rows)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A (7 identical rows)
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5aa07ee45b591e48f20f14dd794ecdb1e5e6e695a566ac53fa68d327940623af.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\5aa07ee45b591e48f20f14dd794ecdb1e5e6e695a566ac53fa68d327940623af.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A (2 identical rows)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 240 wrote to memory of 4552 N/A C:\Users\Admin\AppData\Local\Temp\5aa07ee45b591e48f20f14dd794ecdb1e5e6e695a566ac53fa68d327940623af.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (3 identical rows)
PID 4088 wrote to memory of 988 N/A C:\Users\Admin\AppData\Local\Temp\5aa07ee45b591e48f20f14dd794ecdb1e5e6e695a566ac53fa68d327940623af.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (3 identical rows)
PID 4088 wrote to memory of 4424 N/A C:\Users\Admin\AppData\Local\Temp\5aa07ee45b591e48f20f14dd794ecdb1e5e6e695a566ac53fa68d327940623af.exe C:\Windows\system32\cmd.exe (2 identical rows)
PID 4424 wrote to memory of 2116 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe (2 identical rows)
PID 4088 wrote to memory of 5048 N/A C:\Users\Admin\AppData\Local\Temp\5aa07ee45b591e48f20f14dd794ecdb1e5e6e695a566ac53fa68d327940623af.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (3 identical rows)
PID 4088 wrote to memory of 3648 N/A C:\Users\Admin\AppData\Local\Temp\5aa07ee45b591e48f20f14dd794ecdb1e5e6e695a566ac53fa68d327940623af.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (3 identical rows)
PID 4088 wrote to memory of 8 N/A C:\Users\Admin\AppData\Local\Temp\5aa07ee45b591e48f20f14dd794ecdb1e5e6e695a566ac53fa68d327940623af.exe C:\Windows\rss\csrss.exe (3 identical rows)
PID 8 wrote to memory of 1948 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (3 identical rows)
PID 8 wrote to memory of 3260 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (3 identical rows)
PID 8 wrote to memory of 4024 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (3 identical rows)
PID 8 wrote to memory of 2884 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe (2 identical rows)
PID 1720 wrote to memory of 1392 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe (3 identical rows)
PID 1392 wrote to memory of 1956 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe (3 identical rows)

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\5aa07ee45b591e48f20f14dd794ecdb1e5e6e695a566ac53fa68d327940623af.exe

"C:\Users\Admin\AppData\Local\Temp\5aa07ee45b591e48f20f14dd794ecdb1e5e6e695a566ac53fa68d327940623af.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\5aa07ee45b591e48f20f14dd794ecdb1e5e6e695a566ac53fa68d327940623af.exe

"C:\Users\Admin\AppData\Local\Temp\5aa07ee45b591e48f20f14dd794ecdb1e5e6e695a566ac53fa68d327940623af.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 cd09f35c-3c36-4ecb-9d10-2c58ac351b32.uuid.statsexplorer.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 server15.statsexplorer.org udp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 74.125.250.129:19302 stun1.l.google.com udp
BG 185.82.216.108:443 server15.statsexplorer.org tcp (3 identical rows)
US 104.21.94.82:443 carsalessystem.com tcp

Files

memory/240-1-0x0000000002A20000-0x0000000002E21000-memory.dmp

memory/240-2-0x0000000002E30000-0x000000000371B000-memory.dmp

memory/240-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4552-4-0x000000007474E000-0x000000007474F000-memory.dmp

memory/4552-5-0x0000000005230000-0x0000000005266000-memory.dmp

memory/4552-6-0x00000000059A0000-0x0000000005FCA000-memory.dmp

memory/4552-7-0x0000000074740000-0x0000000074EF1000-memory.dmp

memory/4552-8-0x0000000005920000-0x0000000005942000-memory.dmp

memory/4552-9-0x0000000006100000-0x0000000006166000-memory.dmp

memory/4552-10-0x0000000006170000-0x00000000061D6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zuuqsg3l.ds2.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4552-16-0x0000000074740000-0x0000000074EF1000-memory.dmp

memory/4552-20-0x00000000061E0000-0x0000000006537000-memory.dmp

memory/4552-21-0x00000000066C0000-0x00000000066DE000-memory.dmp

memory/4552-22-0x0000000006710000-0x000000000675C000-memory.dmp

memory/4552-23-0x00000000078A0000-0x00000000078E6000-memory.dmp

memory/4552-25-0x00000000709B0000-0x00000000709FC000-memory.dmp

memory/4552-27-0x0000000070B30000-0x0000000070E87000-memory.dmp

memory/4552-36-0x0000000007B30000-0x0000000007B4E000-memory.dmp

memory/4552-24-0x0000000007AD0000-0x0000000007B04000-memory.dmp

memory/4552-26-0x0000000074740000-0x0000000074EF1000-memory.dmp

memory/4552-37-0x0000000007B50000-0x0000000007BF4000-memory.dmp

memory/4552-38-0x0000000074740000-0x0000000074EF1000-memory.dmp

memory/4552-40-0x0000000007C80000-0x0000000007C9A000-memory.dmp

memory/4552-39-0x00000000082C0000-0x000000000893A000-memory.dmp

memory/4552-41-0x0000000007CC0000-0x0000000007CCA000-memory.dmp

memory/4552-42-0x0000000007D80000-0x0000000007E16000-memory.dmp

memory/4552-43-0x0000000007CF0000-0x0000000007D01000-memory.dmp

memory/4552-44-0x0000000007D30000-0x0000000007D3E000-memory.dmp

memory/4552-45-0x0000000007D40000-0x0000000007D55000-memory.dmp

memory/4552-46-0x0000000007E40000-0x0000000007E5A000-memory.dmp

memory/4552-47-0x0000000007E20000-0x0000000007E28000-memory.dmp

memory/4552-50-0x0000000074740000-0x0000000074EF1000-memory.dmp

memory/4088-52-0x0000000002A60000-0x0000000002E5D000-memory.dmp

memory/988-61-0x00000000058C0000-0x0000000005C17000-memory.dmp

memory/988-62-0x00000000709B0000-0x00000000709FC000-memory.dmp

memory/988-63-0x0000000070C00000-0x0000000070F57000-memory.dmp

memory/988-72-0x0000000006FE0000-0x0000000007084000-memory.dmp

memory/988-73-0x0000000007330000-0x0000000007341000-memory.dmp

memory/988-74-0x0000000007380000-0x0000000007395000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 d0c46cad6c0778401e21910bd6b56b70
SHA1 7be418951ea96326aca445b8dfe449b2bfa0dca6
SHA256 9600b3fdf0565ccb49e21656aa4b24d7c18f776bfd04d9ee984b134707550f02
SHA512 057531b468f7fbbb2175a696a8aab274dec0d17d9f71df309edcff35e064f3378050066a3df47ccd03048fac461594ec75e3d4fe64f9dd79949d129f51e02949

memory/5048-86-0x0000000005EB0000-0x0000000006207000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 456394b054beecd97b534599d1245087
SHA1 339a722f3afa45e3a96803c6828f80736bb5f108
SHA256 bba6bfc679e1009fa3761f7ce0fbc308150ee9cc5d2a56ac683e80b0d6336f60
SHA512 c8a4396519915054042ef6ea8ca664360ed2bff67eb45a8df61a2c41e9bcf41178d05d7899bb26cb9860206dd1d179661ffe2334b84bcc95a9fe74a032b82eb3

memory/5048-88-0x00000000709B0000-0x00000000709FC000-memory.dmp

memory/5048-89-0x0000000070BC0000-0x0000000070F17000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 3924e6dd2248df79dca3f050f2c4d8df
SHA1 f481b3416d597e962884360b46295af3b99dd9e9
SHA256 e44ed2253f038d5dd70a7361aae943d05b7c874fe69fe7084d4dd395bef62757
SHA512 2b80fd2745b7ad8791265cb4253d57ed3d39acd4ebb7594bfe708d71175c5d6420a575f6424335a4325d126c2f8567575d9950f4c2f022f71d7439469671553f

memory/240-109-0x0000000002A20000-0x0000000002E21000-memory.dmp

memory/240-108-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/240-110-0x0000000002E30000-0x000000000371B000-memory.dmp

memory/3648-111-0x00000000709B0000-0x00000000709FC000-memory.dmp

memory/3648-112-0x0000000070C00000-0x0000000070F57000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 974f4810c8505e86a531a72e16f0a15b
SHA1 974b32aea0e50d60e81a1aa4e4e5f1c43d6d065f
SHA256 5aa07ee45b591e48f20f14dd794ecdb1e5e6e695a566ac53fa68d327940623af
SHA512 6030a08684e582eb9f99f199fad9c60638b9e2eb18cee1c7deb49a09d92cd9f7c8ea28ceb3df4e6acade1a6724318d67ec7782421c689982a9a9718d0f18e8e9

memory/4088-126-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 bf1f89ba4753c9c4168903fc9fc9532e
SHA1 2b4918e8e44590af663d5b8653a038fb07ee6f7f
SHA256 8e3b0e626537f2d81ec3657635a74936be7a190737caa24aab8b92abc33c2ab2
SHA512 ba89a1ac0438c1d75f158ac9e493f0c42bbd3a7b8b6ed22041a6722441abe338b51eaa446e4bf0965da5ba15b10e96e50e883b6e7b50a333ec07844fc3eeeed7

memory/1948-137-0x00000000709B0000-0x00000000709FC000-memory.dmp

memory/1948-138-0x0000000070B30000-0x0000000070E87000-memory.dmp

memory/3260-156-0x0000000005580000-0x00000000058D7000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 cf48bfd4df4ee8708c6af9aa95813438
SHA1 a1ac63cdc18ad7c846a689134971ee663431829c
SHA256 b752b71e26e9341d351423ccc78337cb0e1733dc08594c451b9c6fa9314bf345
SHA512 550dfffba9807a3018637a7f285522fec2617d7f93f9257ed0c90fc47750a8e203b0e62f09b1914095163426b655ab261c9f4f191354efc98ae7dd57b349f07e

memory/3260-158-0x0000000005A90000-0x0000000005ADC000-memory.dmp

memory/3260-159-0x00000000708D0000-0x000000007091C000-memory.dmp

memory/3260-160-0x0000000070A50000-0x0000000070DA7000-memory.dmp

memory/3260-169-0x0000000006CC0000-0x0000000006D64000-memory.dmp

memory/3260-170-0x0000000006FF0000-0x0000000007001000-memory.dmp

memory/3260-171-0x0000000005510000-0x0000000005525000-memory.dmp

memory/4024-178-0x00000000063C0000-0x0000000006717000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 139d3d71ef8ad00883dcbe710ae32484
SHA1 8e400b5a3cbffb99d677a3580bcc1fed95ba1d02
SHA256 c1342e16c34b94bcb2ba561cf74378b1a3d2365caadfdf33ea34b3c13a61b2f0
SHA512 bd5f2cd8c6f238ad1b404c61637f4edc4092959d9be7de44c4fc404cba18fec85b00351f38a2bcd4f8d3d5fc9b40d67747bd9d60aad296d6abbe4948d39c33bd

memory/4024-184-0x00000000708D0000-0x000000007091C000-memory.dmp

memory/4024-185-0x0000000070AE0000-0x0000000070E37000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/8-200-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/1720-205-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2920-208-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/1720-210-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/8-211-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2920-214-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/8-213-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/8-217-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2920-219-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/8-220-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/8-223-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/8-226-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/8-229-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/8-232-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/8-235-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/8-238-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/8-240-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/8-244-0x0000000000400000-0x0000000000D1C000-memory.dmp