Malware Analysis Report

2024-12-08 02:18

Sample ID 240516-pjxt9scg64
Target f222a754f076013d880c23d6f41a7feceb6825b931b45e8d84969e3395b28a4b
SHA256 f222a754f076013d880c23d6f41a7feceb6825b931b45e8d84969e3395b28a4b
Tags
glupteba discovery dropper evasion execution loader persistence rootkit upx
score
10/10


Analysis Overview

score
10/10

SHA256

f222a754f076013d880c23d6f41a7feceb6825b931b45e8d84969e3395b28a4b

Threat Level: Known bad

The file f222a754f076013d880c23d6f41a7feceb6825b931b45e8d84969e3395b28a4b was found to be: Known bad.

Malicious Activity Summary

glupteba discovery dropper evasion execution loader persistence rootkit upx

Glupteba payload

Glupteba

Modifies Windows Firewall

UPX packed file

Executes dropped EXE

Manipulates WinMonFS driver

Checks installed software on the system

Adds Run key to start application

Drops file in System32 directory

Checks for VirtualBox DLLs, possible anti-VM trick

Launches sc.exe

Drops file in Windows directory

Command and Scripting Interpreter: PowerShell

Modifies data under HKEY_USERS

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-16 12:22

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-16 12:22

Reported

2024-05-16 12:24

Platform

win10v2004-20240426-en

Max time kernel

149s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f222a754f076013d880c23d6f41a7feceb6825b931b45e8d84969e3395b28a4b.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\f222a754f076013d880c23d6f41a7feceb6825b931b45e8d84969e3395b28a4b.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\f222a754f076013d880c23d6f41a7feceb6825b931b45e8d84969e3395b28a4b.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\f222a754f076013d880c23d6f41a7feceb6825b931b45e8d84969e3395b28a4b.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\f222a754f076013d880c23d6f41a7feceb6825b931b45e8d84969e3395b28a4b.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-961 = "Paraguay Daylight Time" C:\Users\Admin\AppData\Local\Temp\f222a754f076013d880c23d6f41a7feceb6825b931b45e8d84969e3395b28a4b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-932 = "Coordinated Universal Time" C:\Users\Admin\AppData\Local\Temp\f222a754f076013d880c23d6f41a7feceb6825b931b45e8d84969e3395b28a4b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1801 = "Line Islands Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-962 = "Paraguay Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2872 = "Magallanes Standard Time" C:\Users\Admin\AppData\Local\Temp\f222a754f076013d880c23d6f41a7feceb6825b931b45e8d84969e3395b28a4b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2941 = "Sao Tome Daylight Time" C:\Users\Admin\AppData\Local\Temp\f222a754f076013d880c23d6f41a7feceb6825b931b45e8d84969e3395b28a4b.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-362 = "GTB Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-351 = "FLE Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-121 = "SA Pacific Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-181 = "Mountain Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\f222a754f076013d880c23d6f41a7feceb6825b931b45e8d84969e3395b28a4b.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-392 = "Arab Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-682 = "E. Australia Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-542 = "Myanmar Standard Time" C:\Users\Admin\AppData\Local\Temp\f222a754f076013d880c23d6f41a7feceb6825b931b45e8d84969e3395b28a4b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-92 = "Pacific SA Standard Time" C:\Users\Admin\AppData\Local\Temp\f222a754f076013d880c23d6f41a7feceb6825b931b45e8d84969e3395b28a4b.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2161 = "Altai Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1871 = "Russia TZ 7 Daylight Time" C:\Users\Admin\AppData\Local\Temp\f222a754f076013d880c23d6f41a7feceb6825b931b45e8d84969e3395b28a4b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-871 = "Pakistan Daylight Time" C:\Users\Admin\AppData\Local\Temp\f222a754f076013d880c23d6f41a7feceb6825b931b45e8d84969e3395b28a4b.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-741 = "New Zealand Daylight Time" C:\Users\Admin\AppData\Local\Temp\f222a754f076013d880c23d6f41a7feceb6825b931b45e8d84969e3395b28a4b.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2371 = "Easter Island Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1822 = "Russia TZ 1 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-562 = "SE Asia Standard Time" C:\Users\Admin\AppData\Local\Temp\f222a754f076013d880c23d6f41a7feceb6825b931b45e8d84969e3395b28a4b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2891 = "Sudan Daylight Time" C:\Users\Admin\AppData\Local\Temp\f222a754f076013d880c23d6f41a7feceb6825b931b45e8d84969e3395b28a4b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-691 = "Tasmania Daylight Time" C:\Users\Admin\AppData\Local\Temp\f222a754f076013d880c23d6f41a7feceb6825b931b45e8d84969e3395b28a4b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2451 = "Saint Pierre Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-131 = "US Eastern Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-401 = "Arabic Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-281 = "Central Europe Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1722 = "Libya Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-541 = "Myanmar Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1892 = "Russia TZ 3 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2431 = "Cuba Daylight Time" C:\Users\Admin\AppData\Local\Temp\f222a754f076013d880c23d6f41a7feceb6825b931b45e8d84969e3395b28a4b.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-221 = "Alaskan Daylight Time" C:\Users\Admin\AppData\Local\Temp\f222a754f076013d880c23d6f41a7feceb6825b931b45e8d84969e3395b28a4b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2531 = "Chatham Islands Daylight Time" C:\Users\Admin\AppData\Local\Temp\f222a754f076013d880c23d6f41a7feceb6825b931b45e8d84969e3395b28a4b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-3141 = "South Sudan Daylight Time" C:\Users\Admin\AppData\Local\Temp\f222a754f076013d880c23d6f41a7feceb6825b931b45e8d84969e3395b28a4b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2571 = "Turks and Caicos Daylight Time" C:\Users\Admin\AppData\Local\Temp\f222a754f076013d880c23d6f41a7feceb6825b931b45e8d84969e3395b28a4b.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-621 = "Korea Daylight Time" C:\Users\Admin\AppData\Local\Temp\f222a754f076013d880c23d6f41a7feceb6825b931b45e8d84969e3395b28a4b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-384 = "Namibia Daylight Time" C:\Users\Admin\AppData\Local\Temp\f222a754f076013d880c23d6f41a7feceb6825b931b45e8d84969e3395b28a4b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-872 = "Pakistan Standard Time" C:\Users\Admin\AppData\Local\Temp\f222a754f076013d880c23d6f41a7feceb6825b931b45e8d84969e3395b28a4b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-981 = "Kamchatka Daylight Time" C:\Windows\windefender.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f222a754f076013d880c23d6f41a7feceb6825b931b45e8d84969e3395b28a4b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f222a754f076013d880c23d6f41a7feceb6825b931b45e8d84969e3395b28a4b.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f222a754f076013d880c23d6f41a7feceb6825b931b45e8d84969e3395b28a4b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f222a754f076013d880c23d6f41a7feceb6825b931b45e8d84969e3395b28a4b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f222a754f076013d880c23d6f41a7feceb6825b931b45e8d84969e3395b28a4b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f222a754f076013d880c23d6f41a7feceb6825b931b45e8d84969e3395b28a4b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f222a754f076013d880c23d6f41a7feceb6825b931b45e8d84969e3395b28a4b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f222a754f076013d880c23d6f41a7feceb6825b931b45e8d84969e3395b28a4b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f222a754f076013d880c23d6f41a7feceb6825b931b45e8d84969e3395b28a4b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f222a754f076013d880c23d6f41a7feceb6825b931b45e8d84969e3395b28a4b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f222a754f076013d880c23d6f41a7feceb6825b931b45e8d84969e3395b28a4b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f222a754f076013d880c23d6f41a7feceb6825b931b45e8d84969e3395b28a4b.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f222a754f076013d880c23d6f41a7feceb6825b931b45e8d84969e3395b28a4b.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\f222a754f076013d880c23d6f41a7feceb6825b931b45e8d84969e3395b28a4b.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4384 wrote to memory of 4444 N/A C:\Users\Admin\AppData\Local\Temp\f222a754f076013d880c23d6f41a7feceb6825b931b45e8d84969e3395b28a4b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4384 wrote to memory of 4444 N/A C:\Users\Admin\AppData\Local\Temp\f222a754f076013d880c23d6f41a7feceb6825b931b45e8d84969e3395b28a4b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4384 wrote to memory of 4444 N/A C:\Users\Admin\AppData\Local\Temp\f222a754f076013d880c23d6f41a7feceb6825b931b45e8d84969e3395b28a4b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5100 wrote to memory of 2104 N/A C:\Users\Admin\AppData\Local\Temp\f222a754f076013d880c23d6f41a7feceb6825b931b45e8d84969e3395b28a4b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5100 wrote to memory of 2104 N/A C:\Users\Admin\AppData\Local\Temp\f222a754f076013d880c23d6f41a7feceb6825b931b45e8d84969e3395b28a4b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5100 wrote to memory of 2104 N/A C:\Users\Admin\AppData\Local\Temp\f222a754f076013d880c23d6f41a7feceb6825b931b45e8d84969e3395b28a4b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5100 wrote to memory of 8 N/A C:\Users\Admin\AppData\Local\Temp\f222a754f076013d880c23d6f41a7feceb6825b931b45e8d84969e3395b28a4b.exe C:\Windows\system32\cmd.exe
PID 5100 wrote to memory of 8 N/A C:\Users\Admin\AppData\Local\Temp\f222a754f076013d880c23d6f41a7feceb6825b931b45e8d84969e3395b28a4b.exe C:\Windows\system32\cmd.exe
PID 8 wrote to memory of 3452 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 8 wrote to memory of 3452 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 5100 wrote to memory of 1840 N/A C:\Users\Admin\AppData\Local\Temp\f222a754f076013d880c23d6f41a7feceb6825b931b45e8d84969e3395b28a4b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5100 wrote to memory of 1840 N/A C:\Users\Admin\AppData\Local\Temp\f222a754f076013d880c23d6f41a7feceb6825b931b45e8d84969e3395b28a4b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5100 wrote to memory of 1840 N/A C:\Users\Admin\AppData\Local\Temp\f222a754f076013d880c23d6f41a7feceb6825b931b45e8d84969e3395b28a4b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5100 wrote to memory of 3656 N/A C:\Users\Admin\AppData\Local\Temp\f222a754f076013d880c23d6f41a7feceb6825b931b45e8d84969e3395b28a4b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5100 wrote to memory of 3656 N/A C:\Users\Admin\AppData\Local\Temp\f222a754f076013d880c23d6f41a7feceb6825b931b45e8d84969e3395b28a4b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5100 wrote to memory of 3656 N/A C:\Users\Admin\AppData\Local\Temp\f222a754f076013d880c23d6f41a7feceb6825b931b45e8d84969e3395b28a4b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5100 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\f222a754f076013d880c23d6f41a7feceb6825b931b45e8d84969e3395b28a4b.exe C:\Windows\rss\csrss.exe
PID 5100 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\f222a754f076013d880c23d6f41a7feceb6825b931b45e8d84969e3395b28a4b.exe C:\Windows\rss\csrss.exe
PID 5100 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\f222a754f076013d880c23d6f41a7feceb6825b931b45e8d84969e3395b28a4b.exe C:\Windows\rss\csrss.exe
PID 3044 wrote to memory of 668 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3044 wrote to memory of 668 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3044 wrote to memory of 668 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3044 wrote to memory of 1064 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3044 wrote to memory of 1064 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3044 wrote to memory of 1064 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3044 wrote to memory of 428 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3044 wrote to memory of 428 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3044 wrote to memory of 428 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3044 wrote to memory of 3732 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 3044 wrote to memory of 3732 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 1360 wrote to memory of 4008 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 1360 wrote to memory of 4008 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 1360 wrote to memory of 4008 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 4008 wrote to memory of 3108 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 4008 wrote to memory of 3108 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 4008 wrote to memory of 3108 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\f222a754f076013d880c23d6f41a7feceb6825b931b45e8d84969e3395b28a4b.exe

"C:\Users\Admin\AppData\Local\Temp\f222a754f076013d880c23d6f41a7feceb6825b931b45e8d84969e3395b28a4b.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\f222a754f076013d880c23d6f41a7feceb6825b931b45e8d84969e3395b28a4b.exe

"C:\Users\Admin\AppData\Local\Temp\f222a754f076013d880c23d6f41a7feceb6825b931b45e8d84969e3395b28a4b.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe
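The `sc sdset WinDefender ...` command in the process list above rewrites the security descriptor of the dropped WinDefender service (a name picked to resemble the genuine Windows Defender service, which is called WinDefend). The report shows the descriptor only as a raw SDDL string. The Python below, added here as an example and not part of the report, decodes it into ACEs, maps the two-letter codes onto the standard service access rights, and isolates the ACE that matters: `(D;;WPDT;;;BA)` denies Administrators SERVICE_STOP and SERVICE_PAUSE_CONTINUE. The allow ACE for BA also omits those two rights, so the deny takes effect even though the ACEs are not in canonical order (explicit denies normally precede allows). Local System keeps stop rights, and Administrators keep WRITE_DAC (WD), which is why an elevated `sc sdset` with a sane descriptor still recovers the service. The single-trustee access check in `can_stop` is a simplification that ignores group membership.

```python
import re

# Two-letter SDDL right codes as they apply to service objects (the standard mapping
# sc.exe uses: the generic CC..CR codes land on the service-specific rights in this order).
SERVICE_RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS", "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START", "WP": "SERVICE_STOP", "DT": "SERVICE_PAUSE_CONTINUE",
    "LO": "SERVICE_INTERROGATE", "CR": "SERVICE_USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}
TRUSTEES = {"SY": "Local System", "BA": "Administrators", "IU": "Interactive users",
            "SU": "Service logon users", "WD": "Everyone", "AU": "Authenticated users"}
ACE_TYPES = {"A": "allow", "D": "deny", "AU": "audit"}

# Rights whose denial to Administrators means the service cannot be stopped, reconfigured or removed.
CONTROL_RIGHTS = ("WP", "DT", "DC", "SD", "WD")

# The descriptor from the sc sdset command in the process list above.
SAMPLE_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)"
               "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
               "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")

SECTION_RE = re.compile(r"([DS]):([A-Z]*)((?:\([^)]*\))*)")
ACE_RE = re.compile(r"\(([^)]*)\)")


def split_rights(rights):
    """'WPDT' -> ['WP', 'DT']; a hex access mask is kept as one token."""
    if rights.startswith("0x"):
        return [rights]
    return [rights[i:i + 2] for i in range(0, len(rights), 2)]


def parse_sddl(sddl):
    """Return {'D': [dacl aces], 'S': [sacl aces]} from an SDDL string (O:/G: parts ignored)."""
    acl = {"D": [], "S": []}
    for kind, _flags, body in SECTION_RE.findall(sddl):
        for ace in ACE_RE.findall(body):
            ace_type, flags, rights, _obj, _inherit, trustee = ace.split(";")
            acl[kind].append({"type": ACE_TYPES.get(ace_type, ace_type), "flags": flags,
                              "rights": split_rights(rights), "trustee": trustee})
    return acl


def admin_lockout(sddl):
    """Control rights that an explicit deny ACE removes from Administrators (BA)."""
    denied = []
    for ace in parse_sddl(sddl)["D"]:
        if ace["type"] == "deny" and ace["trustee"] == "BA":
            denied += [SERVICE_RIGHTS[r] for r in ace["rights"] if r in CONTROL_RIGHTS]
    return denied


def can_stop(sddl, trustee):
    """Walk the DACL in order for SERVICE_STOP only, matching ACEs on the exact trustee.
    Simplification: the real access check also applies ACEs for the caller's groups."""
    for ace in parse_sddl(sddl)["D"]:
        if ace["trustee"] != trustee or "WP" not in ace["rights"]:
            continue
        return ace["type"] == "allow"   # first ACE that mentions the right decides
    return False                         # nothing granted it


def describe(sddl):
    for kind, aces in parse_sddl(sddl).items():
        for ace in aces:
            who = TRUSTEES.get(ace["trustee"], ace["trustee"])
            rights = ", ".join(SERVICE_RIGHTS.get(r, r) for r in ace["rights"])
            print(f"{'DACL' if kind == 'D' else 'SACL'} {ace['type']:<5} {who:<20} {rights}")


if __name__ == "__main__":
    describe(SAMPLE_SDDL)
    print("Denied to Administrators:", admin_lockout(SAMPLE_SDDL))
    print("SYSTEM can stop:", can_stop(SAMPLE_SDDL, "SY"),
          "| Administrators can stop:", can_stop(SAMPLE_SDDL, "BA"))
```

Running it prints the six ACEs in readable form and reports SERVICE_STOP and SERVICE_PAUSE_CONTINUE as denied to Administrators; the same parser can be pointed at `sc sdshow <service>` output during incident response to find other services hardened this way.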

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.138:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 138.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
NL 23.62.61.138:443 www.bing.com tcp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 341af1a0-2499-4a16-9e39-ed13d228dd03.uuid.localstats.org udp
US 8.8.8.8:53 stun3.l.google.com udp
US 8.8.8.8:53 server10.localstats.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 74.125.250.129:19302 stun3.l.google.com udp
BG 185.82.216.111:443 server10.localstats.org tcp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 129.250.125.74.in-addr.arpa udp
US 8.8.8.8:53 carsalessystem.com udp
US 172.67.221.71:443 carsalessystem.com tcp
US 8.8.8.8:53 233.135.159.162.in-addr.arpa udp
US 8.8.8.8:53 111.216.82.185.in-addr.arpa udp
US 8.8.8.8:53 71.221.67.172.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 31.251.17.2.in-addr.arpa udp
BG 185.82.216.111:443 server10.localstats.org tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
BG 185.82.216.111:443 server10.localstats.org tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
BG 185.82.216.111:443 server10.localstats.org tcp
N/A 127.0.0.1:31465 tcp
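The Network table above mixes three kinds of traffic: the sandbox's own background activity (Bing tiles, Google STUN, reverse-DNS lookups of every peer address), DNS queries to 8.8.8.8, and the connections the sample itself made. The Python below, added here as an example and not part of the report, reads rows in the table's own format and separates them: endpoints actually contacted (server10.localstats.org on 185.82.216.111:443, carsalessystem.com on 172.67.221.71:443, cdn.discordapp.com), a UUID-labelled subdomain of localstats.org that was only resolved and whose parent domain is the thing to block with a wildcard, and the loopback listener on port 31465. The background allowlist is an assumption that has to be maintained per sandbox image; it is not in the report. cdn.discordapp.com is a legitimate CDN, so it belongs on a review list rather than a block list.

```python
import re
from collections import defaultdict

# Rows copied from the behavioral1 Network table above (Country Destination Domain Proto),
# reduced to one row per distinct destination/domain pair; constructed input, not a new capture.
NETWORK_LOG = """\
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.138:443 www.bing.com tcp
US 8.8.8.8:53 341af1a0-2499-4a16-9e39-ed13d228dd03.uuid.localstats.org udp
US 8.8.8.8:53 stun3.l.google.com udp
US 8.8.8.8:53 server10.localstats.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 74.125.250.129:19302 stun3.l.google.com udp
BG 185.82.216.111:443 server10.localstats.org tcp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 carsalessystem.com udp
US 172.67.221.71:443 carsalessystem.com tcp
BG 185.82.216.111:443 server10.localstats.org tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
N/A 127.0.0.1:31465 tcp
"""

# Assumption: domains the sandbox image contacts on its own (Bing tiles, Google STUN).
# This baseline belongs to the sandbox image, not to the report.
BACKGROUND_SUFFIXES = ("bing.com", "bing.net", "google.com")

UUID_LABEL = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")


def parse_line(line):
    """One table row -> dict; the domain column is absent for the loopback row."""
    parts = line.split()
    if len(parts) == 4:
        country, dest, domain, proto = parts
    elif len(parts) == 3:
        (country, dest, proto), domain = parts, ""
    else:
        return None
    ip, _, port = dest.rpartition(":")
    return {"country": country, "ip": ip, "port": int(port), "domain": domain, "proto": proto}


def is_background(domain):
    if domain.endswith(".in-addr.arpa"):      # reverse lookups of every peer: sandbox noise
        return True
    return any(domain == s or domain.endswith("." + s) for s in BACKGROUND_SUFFIXES)


def registrable(domain):
    """Naive registrable-domain guess (last two labels); fine for .com/.org, wrong for co.uk."""
    return ".".join(domain.split(".")[-2:])


def triage(log):
    contacted = defaultdict(set)   # domain -> endpoints a connection was made to
    resolved = set()               # domains seen only as DNS queries
    wildcard = set()               # parent domains of per-host UUID labels
    loopback = set()
    background = 0
    for line in log.strip().splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["ip"].startswith("127."):
            loopback.add(rec["port"])
            continue
        if is_background(rec["domain"]):
            background += 1
            continue
        if rec["port"] == 53 and rec["proto"] == "udp":
            resolved.add(rec["domain"])
            if UUID_LABEL.match(rec["domain"].split(".")[0]):
                wildcard.add(registrable(rec["domain"]))
            continue
        contacted[rec["domain"]].add(f"{rec['ip']}:{rec['port']}")
    return {
        "iocs": {d: sorted(e) for d, e in contacted.items()},
        "dns_only": sorted(resolved - set(contacted)),
        "wildcard_domains": sorted(wildcard),
        "local_listeners": sorted(loopback),
        "background_lines": background,
    }


if __name__ == "__main__":
    for key, value in triage(NETWORK_LOG).items():
        print(f"{key}: {value}")
```

Feeding the full table instead of the trimmed copy gives the same IOC set; the repeated rows only change the counts.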

Files

memory/4384-1-0x0000000002A00000-0x0000000002E03000-memory.dmp

memory/4384-2-0x0000000002E10000-0x00000000036FB000-memory.dmp

memory/4384-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4444-4-0x00000000742AE000-0x00000000742AF000-memory.dmp

memory/4444-5-0x00000000053E0000-0x0000000005416000-memory.dmp

memory/4444-7-0x00000000742A0000-0x0000000074A50000-memory.dmp

memory/4444-6-0x0000000005A50000-0x0000000006078000-memory.dmp

memory/4444-8-0x00000000060D0000-0x00000000060F2000-memory.dmp

memory/4444-10-0x00000000062E0000-0x0000000006346000-memory.dmp

memory/4444-11-0x00000000742A0000-0x0000000074A50000-memory.dmp

memory/4444-9-0x0000000006270000-0x00000000062D6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jzdmdipf.yy2.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4444-21-0x0000000006350000-0x00000000066A4000-memory.dmp

memory/4444-22-0x0000000006970000-0x000000000698E000-memory.dmp

memory/4444-23-0x0000000006A00000-0x0000000006A4C000-memory.dmp

memory/4444-24-0x0000000006EC0000-0x0000000006F04000-memory.dmp

memory/4444-25-0x0000000007C80000-0x0000000007CF6000-memory.dmp

memory/4444-26-0x0000000008380000-0x00000000089FA000-memory.dmp

memory/4444-27-0x0000000007D20000-0x0000000007D3A000-memory.dmp

memory/4444-28-0x00000000742A0000-0x0000000074A50000-memory.dmp

memory/4444-30-0x0000000070140000-0x000000007018C000-memory.dmp

memory/4444-29-0x0000000007ED0000-0x0000000007F02000-memory.dmp

memory/4444-41-0x0000000007F10000-0x0000000007F2E000-memory.dmp

memory/4444-31-0x00000000708A0000-0x0000000070BF4000-memory.dmp

memory/4444-43-0x00000000742A0000-0x0000000074A50000-memory.dmp

memory/4444-42-0x0000000007F30000-0x0000000007FD3000-memory.dmp

memory/4444-44-0x0000000008020000-0x000000000802A000-memory.dmp

memory/4444-45-0x00000000742A0000-0x0000000074A50000-memory.dmp

memory/4444-46-0x0000000008140000-0x00000000081D6000-memory.dmp

memory/4444-47-0x0000000008040000-0x0000000008051000-memory.dmp

memory/4444-48-0x0000000008080000-0x000000000808E000-memory.dmp

memory/4444-49-0x00000000080A0000-0x00000000080B4000-memory.dmp

memory/4444-50-0x00000000080E0000-0x00000000080FA000-memory.dmp

memory/4444-51-0x00000000080D0000-0x00000000080D8000-memory.dmp

memory/4444-54-0x00000000742A0000-0x0000000074A50000-memory.dmp

memory/5100-56-0x00000000029B0000-0x0000000002DB4000-memory.dmp

memory/4384-58-0x0000000002E10000-0x00000000036FB000-memory.dmp

memory/4384-57-0x0000000002A00000-0x0000000002E03000-memory.dmp

memory/2104-64-0x0000000005D10000-0x0000000006064000-memory.dmp

memory/2104-69-0x0000000070140000-0x000000007018C000-memory.dmp

memory/2104-70-0x0000000070EF0000-0x0000000071244000-memory.dmp

memory/2104-80-0x0000000007600000-0x00000000076A3000-memory.dmp

memory/2104-81-0x0000000007930000-0x0000000007941000-memory.dmp

memory/2104-82-0x0000000007980000-0x0000000007994000-memory.dmp

memory/4384-85-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

memory/1840-94-0x0000000005A60000-0x0000000005DB4000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 bd21f037df78c0efb6e386870cc13e1a
SHA1 8aa3262f961fe1f09bd21e7ee3ff3dccb046189d
SHA256 5d585b4e9cdbb87167d3de2c148b7c3a2b37533e4cb09c97026f600972f8981b
SHA512 d839855c338176f96d2c822bc337f42bbf00b166cf0e6e94c2befddaaa8d876fa8c44cab52dd3262e72a37859ab600a749ad762762c89559eb451d3908023dcd

memory/1840-99-0x00000000708C0000-0x0000000070C14000-memory.dmp

memory/1840-98-0x0000000070140000-0x000000007018C000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 eb0cfc6c91748254db4c1322c6c445b6
SHA1 bd04ef9f82223201a29638233345f382b6a5cc54
SHA256 fe7e40291b88efb6e04f20a0a09b6527dac1d9299cc25065d0bbfeb43f674a6f
SHA512 e8c728199b92b8d02cd5aa744ad05b18e212380f8f562bf1279a74341bb8983d3400147b93c1f38821c952b4452653a91bb75180025c00ae0bbdef8f25ebff06

memory/3656-121-0x00000000708C0000-0x0000000070C14000-memory.dmp

memory/3656-120-0x0000000070140000-0x000000007018C000-memory.dmp

C:\Windows\rss\csrss.exe (same SHA256 as the submitted sample: the dropper copies itself unchanged into C:\Windows\rss, so one file hash covers both)

MD5 9d989d4ff312ee6c9ed20b8678ce29b9
SHA1 27897eb5494a276e23a2045120d98bbd708febb8
SHA256 f222a754f076013d880c23d6f41a7feceb6825b931b45e8d84969e3395b28a4b
SHA512 0b5a2a0fe91215c1b4666fc34f1ca7016c4d5df83db42d5096184e50ec046b8340cb8d0c625bc4a6b26105be1d83de10fe0d901f577810d2feee808443fae864

memory/668-146-0x0000000005EF0000-0x0000000006244000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 48d92ae60f847e62c89a8787ec4ee2d6
SHA1 101d97801e6ed4952bd8497a79d2689210eae006
SHA256 8c40681a45e82c780be48d00436e2d9b8d892ff337f0b6df8863519e5581bad8
SHA512 01bba2e7acbc82585be775e8e85e42b1bf1531d3b6079804db3d222d2ff5a39812d60563320e274f4056036596926b54624c08b6a093d13add20b378b6b09257

memory/668-148-0x0000000070140000-0x000000007018C000-memory.dmp

memory/668-149-0x0000000070510000-0x0000000070864000-memory.dmp

memory/1064-169-0x0000000005B20000-0x0000000005E74000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 b19a3ad7c1cd5d32e04e4a7765198040
SHA1 51e5dd1542cc3383e582624f8d91d17c47108a05
SHA256 76925eb3f25745e57ee80e8deb70ef6b2236bf79a7189945e759dcf537bf90dd
SHA512 4aa618a44278607216b0aae6e6167123542aa876408df539a1010f248039d62ae0433919dbdc9b0cc52f49613ea25296f868049e7d1facaf21143ff5c3d692ab

memory/1064-171-0x0000000006520000-0x000000000656C000-memory.dmp

memory/1064-173-0x00000000701E0000-0x0000000070534000-memory.dmp

memory/1064-183-0x0000000007290000-0x0000000007333000-memory.dmp

memory/1064-172-0x0000000070060000-0x00000000700AC000-memory.dmp

memory/1064-184-0x0000000007610000-0x0000000007621000-memory.dmp

memory/1064-185-0x0000000005980000-0x0000000005994000-memory.dmp

memory/428-193-0x0000000005C10000-0x0000000005F64000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 fe5b839c6af17d89d43d79bc688d4ced
SHA1 6717eb0265f2f2375198195adeee23d6af063e78
SHA256 6286fd77d9a1ce6b629861f4ce9d83f13c2bac0a0b9e5538a8817af5d8a765ea
SHA512 fe40004bdbcdb9881330917c015306e71d11131857f4b49ab2041e07bb0b703f0deab1f9590431967036d27619c247f9f1c64afbfa42185bbc45d81259972a92

memory/5100-198-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/428-199-0x0000000070060000-0x00000000700AC000-memory.dmp

memory/428-200-0x0000000070790000-0x0000000070AE4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/3044-217-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/5100-219-0x00000000029B0000-0x0000000002DB4000-memory.dmp

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/1360-224-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/1480-227-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/1360-229-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3044-230-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1480-233-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3044-234-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3044-238-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1480-241-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3044-242-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3044-246-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3044-250-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3044-254-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3044-258-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3044-262-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3044-266-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3044-270-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3044-274-0x0000000000400000-0x0000000000D1C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-16 12:22

Reported

2024-05-16 12:24

Platform

win11-20240419-en

Max time kernel

150s

Max time network

131s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f222a754f076013d880c23d6f41a7feceb6825b931b45e8d84969e3395b28a4b.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A (17 matches, no further detail recorded)

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (5 matches, no further detail recorded)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\f222a754f076013d880c23d6f41a7feceb6825b931b45e8d84969e3395b28a4b.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\f222a754f076013d880c23d6f41a7feceb6825b931b45e8d84969e3395b28a4b.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\f222a754f076013d880c23d6f41a7feceb6825b931b45e8d84969e3395b28a4b.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\f222a754f076013d880c23d6f41a7feceb6825b931b45e8d84969e3395b28a4b.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
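Across both detonations the sample persists under one masquerading name: a Run key named csrss, a scheduled task named csrss that runs at logon with the highest run level, and a firewall allow rule named csrss, all pointing at C:\Windows\rss\csrss.exe, plus a second binary dropped as C:\Windows\windefender.exe. Each artifact looks ordinary on its own; what gives them away is a protected system process name (csrss.exe) living outside System32 and a security-product lookalike name. The Python below, added here as an example and not part of the report, extracts the target path from each artifact type as the report records it and applies those two checks, plus the logon/highest-run-level combination. The lists of System32-only image names and lookalike names are curated assumptions to be extended per estate.

```python
import ntpath
import re

# Image names Windows only runs from System32 (curated subset, an assumption; extend per estate).
SYSTEM32_ONLY = {"csrss.exe", "smss.exe", "wininit.exe", "winlogon.exe", "services.exe",
                 "lsass.exe", "svchost.exe", "dwm.exe", "conhost.exe"}
# Names chosen to pass for a security product (curated; Defender's engine binary is MsMpEng.exe).
LOOKALIKES = {"windefender.exe": "imitates Windows Defender, whose engine binary is MsMpEng.exe"}
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

# Artifacts from this report (Run key, scheduled task, firewall rule, dropped binary).
# The Run-key value is written as stored, without the sandbox's backslash escaping.
ARTIFACTS = [
    ("run_key", r'"C:\Windows\rss\csrss.exe"'),
    ("schtasks", r'schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F'),
    ("netsh", r'netsh advfirewall firewall add rule name="csrss" dir=in action=allow '
              r'program="C:\Windows\rss\csrss.exe" enable=yes'),
    ("dropped_exe", r"C:\Windows\windefender.exe"),
]


def target_path(kind, text):
    """Extract the executable each artifact points at; None when the artifact has no path."""
    if kind == "schtasks":
        m = re.search(r'/TR\s+(?:"([^"]+)"|(\S+))', text, re.IGNORECASE)
        return (m.group(1) or m.group(2)) if m else None
    if kind == "netsh":
        m = re.search(r'program="([^"]+)"', text, re.IGNORECASE)
        return m.group(1) if m else None
    return text.strip().strip('"')        # run-key data and plain paths


def inspect(kind, text):
    path = target_path(kind, text)
    if not path:
        return []
    directory, name = ntpath.split(path)  # ntpath handles Windows paths on any host
    directory, name = directory.lower(), name.lower()
    findings = []
    if name in SYSTEM32_ONLY and directory not in SYSTEM_DIRS:
        findings.append(f"{kind}: system image name {name} outside System32 -> {path}")
    if name in LOOKALIKES:
        findings.append(f"{kind}: {name} {LOOKALIKES[name]} -> {path}")
    if (kind == "schtasks" and re.search(r"/RL\s+HIGHEST", text, re.I)
            and re.search(r"/SC\s+ONLOGON", text, re.I)):
        findings.append(f"{kind}: logon task with highest run level -> {path}")
    return findings


def inspect_all(artifacts=ARTIFACTS):
    return [finding for kind, text in artifacts for finding in inspect(kind, text)]


if __name__ == "__main__":
    for finding in inspect_all():
        print(finding)
```

The same `inspect` function works on live data: feed it Run-key values from `Get-ItemProperty`, task actions from `schtasks /query /xml`, and `program=` values from `netsh advfirewall firewall show rule name=all`, one artifact per call.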

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2162 = "Altai Standard Time" C:\Users\Admin\AppData\Local\Temp\f222a754f076013d880c23d6f41a7feceb6825b931b45e8d84969e3395b28a4b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-391 = "Arab Daylight Time" C:\Users\Admin\AppData\Local\Temp\f222a754f076013d880c23d6f41a7feceb6825b931b45e8d84969e3395b28a4b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-451 = "Caucasus Daylight Time" C:\Users\Admin\AppData\Local\Temp\f222a754f076013d880c23d6f41a7feceb6825b931b45e8d84969e3395b28a4b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1932 = "Russia TZ 11 Standard Time" C:\Users\Admin\AppData\Local\Temp\f222a754f076013d880c23d6f41a7feceb6825b931b45e8d84969e3395b28a4b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2452 = "Saint Pierre Standard Time" C:\Users\Admin\AppData\Local\Temp\f222a754f076013d880c23d6f41a7feceb6825b931b45e8d84969e3395b28a4b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-591 = "Malay Peninsula Daylight Time" C:\Users\Admin\AppData\Local\Temp\f222a754f076013d880c23d6f41a7feceb6825b931b45e8d84969e3395b28a4b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-532 = "Sri Lanka Standard Time" C:\Users\Admin\AppData\Local\Temp\f222a754f076013d880c23d6f41a7feceb6825b931b45e8d84969e3395b28a4b.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2431 = "Cuba Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-541 = "Myanmar Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-531 = "Sri Lanka Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2591 = "Tocantins Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2391 = "Aleutian Daylight Time" C:\Users\Admin\AppData\Local\Temp\f222a754f076013d880c23d6f41a7feceb6825b931b45e8d84969e3395b28a4b.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1971 = "Belarus Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-171 = "Central Daylight Time (Mexico)" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-891 = "Morocco Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2791 = "Novosibirsk Daylight Time" C:\Users\Admin\AppData\Local\Temp\f222a754f076013d880c23d6f41a7feceb6825b931b45e8d84969e3395b28a4b.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2161 = "Altai Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-122 = "SA Pacific Standard Time" C:\Users\Admin\AppData\Local\Temp\f222a754f076013d880c23d6f41a7feceb6825b931b45e8d84969e3395b28a4b.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-221 = "Alaskan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-671 = "AUS Eastern Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-448 = "Azerbaijan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-11 = "Azores Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-371 = "Jerusalem Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1822 = "Russia TZ 1 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-91 = "Pacific SA Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-841 = "Argentina Daylight Time" C:\Users\Admin\AppData\Local\Temp\f222a754f076013d880c23d6f41a7feceb6825b931b45e8d84969e3395b28a4b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-151 = "Central America Daylight Time" C:\Users\Admin\AppData\Local\Temp\f222a754f076013d880c23d6f41a7feceb6825b931b45e8d84969e3395b28a4b.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-751 = "Tonga Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2161 = "Altai Daylight Time" C:\Users\Admin\AppData\Local\Temp\f222a754f076013d880c23d6f41a7feceb6825b931b45e8d84969e3395b28a4b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1722 = "Libya Standard Time" C:\Users\Admin\AppData\Local\Temp\f222a754f076013d880c23d6f41a7feceb6825b931b45e8d84969e3395b28a4b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2142 = "Transbaikal Standard Time" C:\Users\Admin\AppData\Local\Temp\f222a754f076013d880c23d6f41a7feceb6825b931b45e8d84969e3395b28a4b.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-361 = "GTB Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-842 = "Argentina Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1821 = "Russia TZ 1 Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-201 = "US Mountain Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2491 = "Aus Central W. Daylight Time" C:\Users\Admin\AppData\Local\Temp\f222a754f076013d880c23d6f41a7feceb6825b931b45e8d84969e3395b28a4b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1832 = "Russia TZ 2 Standard Time" C:\Users\Admin\AppData\Local\Temp\f222a754f076013d880c23d6f41a7feceb6825b931b45e8d84969e3395b28a4b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-121 = "SA Pacific Daylight Time" C:\Users\Admin\AppData\Local\Temp\f222a754f076013d880c23d6f41a7feceb6825b931b45e8d84969e3395b28a4b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2141 = "Transbaikal Daylight Time" C:\Users\Admin\AppData\Local\Temp\f222a754f076013d880c23d6f41a7feceb6825b931b45e8d84969e3395b28a4b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-202 = "US Mountain Standard Time" C:\Users\Admin\AppData\Local\Temp\f222a754f076013d880c23d6f41a7feceb6825b931b45e8d84969e3395b28a4b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-932 = "Coordinated Universal Time" C:\Users\Admin\AppData\Local\Temp\f222a754f076013d880c23d6f41a7feceb6825b931b45e8d84969e3395b28a4b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-492 = "India Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time" C:\Users\Admin\AppData\Local\Temp\f222a754f076013d880c23d6f41a7feceb6825b931b45e8d84969e3395b28a4b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2341 = "Haiti Daylight Time" C:\Users\Admin\AppData\Local\Temp\f222a754f076013d880c23d6f41a7feceb6825b931b45e8d84969e3395b28a4b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-232 = "Hawaiian Standard Time" C:\Users\Admin\AppData\Local\Temp\f222a754f076013d880c23d6f41a7feceb6825b931b45e8d84969e3395b28a4b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2751 = "Tomsk Daylight Time" C:\Users\Admin\AppData\Local\Temp\f222a754f076013d880c23d6f41a7feceb6825b931b45e8d84969e3395b28a4b.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f222a754f076013d880c23d6f41a7feceb6825b931b45e8d84969e3395b28a4b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f222a754f076013d880c23d6f41a7feceb6825b931b45e8d84969e3395b28a4b.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f222a754f076013d880c23d6f41a7feceb6825b931b45e8d84969e3395b28a4b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f222a754f076013d880c23d6f41a7feceb6825b931b45e8d84969e3395b28a4b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f222a754f076013d880c23d6f41a7feceb6825b931b45e8d84969e3395b28a4b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f222a754f076013d880c23d6f41a7feceb6825b931b45e8d84969e3395b28a4b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f222a754f076013d880c23d6f41a7feceb6825b931b45e8d84969e3395b28a4b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f222a754f076013d880c23d6f41a7feceb6825b931b45e8d84969e3395b28a4b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f222a754f076013d880c23d6f41a7feceb6825b931b45e8d84969e3395b28a4b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f222a754f076013d880c23d6f41a7feceb6825b931b45e8d84969e3395b28a4b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f222a754f076013d880c23d6f41a7feceb6825b931b45e8d84969e3395b28a4b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f222a754f076013d880c23d6f41a7feceb6825b931b45e8d84969e3395b28a4b.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f222a754f076013d880c23d6f41a7feceb6825b931b45e8d84969e3395b28a4b.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\f222a754f076013d880c23d6f41a7feceb6825b931b45e8d84969e3395b28a4b.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3856 wrote to memory of 4832 N/A C:\Users\Admin\AppData\Local\Temp\f222a754f076013d880c23d6f41a7feceb6825b931b45e8d84969e3395b28a4b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3856 wrote to memory of 4832 N/A C:\Users\Admin\AppData\Local\Temp\f222a754f076013d880c23d6f41a7feceb6825b931b45e8d84969e3395b28a4b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3856 wrote to memory of 4832 N/A C:\Users\Admin\AppData\Local\Temp\f222a754f076013d880c23d6f41a7feceb6825b931b45e8d84969e3395b28a4b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4344 wrote to memory of 416 N/A C:\Users\Admin\AppData\Local\Temp\f222a754f076013d880c23d6f41a7feceb6825b931b45e8d84969e3395b28a4b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4344 wrote to memory of 416 N/A C:\Users\Admin\AppData\Local\Temp\f222a754f076013d880c23d6f41a7feceb6825b931b45e8d84969e3395b28a4b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4344 wrote to memory of 416 N/A C:\Users\Admin\AppData\Local\Temp\f222a754f076013d880c23d6f41a7feceb6825b931b45e8d84969e3395b28a4b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4344 wrote to memory of 4516 N/A C:\Users\Admin\AppData\Local\Temp\f222a754f076013d880c23d6f41a7feceb6825b931b45e8d84969e3395b28a4b.exe C:\Windows\system32\cmd.exe
PID 4344 wrote to memory of 4516 N/A C:\Users\Admin\AppData\Local\Temp\f222a754f076013d880c23d6f41a7feceb6825b931b45e8d84969e3395b28a4b.exe C:\Windows\system32\cmd.exe
PID 4516 wrote to memory of 3588 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4516 wrote to memory of 3588 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4344 wrote to memory of 3596 N/A C:\Users\Admin\AppData\Local\Temp\f222a754f076013d880c23d6f41a7feceb6825b931b45e8d84969e3395b28a4b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4344 wrote to memory of 3596 N/A C:\Users\Admin\AppData\Local\Temp\f222a754f076013d880c23d6f41a7feceb6825b931b45e8d84969e3395b28a4b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4344 wrote to memory of 3596 N/A C:\Users\Admin\AppData\Local\Temp\f222a754f076013d880c23d6f41a7feceb6825b931b45e8d84969e3395b28a4b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4344 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\f222a754f076013d880c23d6f41a7feceb6825b931b45e8d84969e3395b28a4b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4344 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\f222a754f076013d880c23d6f41a7feceb6825b931b45e8d84969e3395b28a4b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4344 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\f222a754f076013d880c23d6f41a7feceb6825b931b45e8d84969e3395b28a4b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4344 wrote to memory of 4504 N/A C:\Users\Admin\AppData\Local\Temp\f222a754f076013d880c23d6f41a7feceb6825b931b45e8d84969e3395b28a4b.exe C:\Windows\rss\csrss.exe
PID 4344 wrote to memory of 4504 N/A C:\Users\Admin\AppData\Local\Temp\f222a754f076013d880c23d6f41a7feceb6825b931b45e8d84969e3395b28a4b.exe C:\Windows\rss\csrss.exe
PID 4344 wrote to memory of 4504 N/A C:\Users\Admin\AppData\Local\Temp\f222a754f076013d880c23d6f41a7feceb6825b931b45e8d84969e3395b28a4b.exe C:\Windows\rss\csrss.exe
PID 4504 wrote to memory of 2412 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4504 wrote to memory of 2412 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4504 wrote to memory of 2412 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4504 wrote to memory of 4596 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4504 wrote to memory of 4596 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4504 wrote to memory of 4596 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4504 wrote to memory of 1516 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4504 wrote to memory of 1516 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4504 wrote to memory of 1516 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4504 wrote to memory of 4644 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 4504 wrote to memory of 4644 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 4472 wrote to memory of 3452 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 4472 wrote to memory of 3452 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 4472 wrote to memory of 3452 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 3452 wrote to memory of 944 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 3452 wrote to memory of 944 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 3452 wrote to memory of 944 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\f222a754f076013d880c23d6f41a7feceb6825b931b45e8d84969e3395b28a4b.exe

"C:\Users\Admin\AppData\Local\Temp\f222a754f076013d880c23d6f41a7feceb6825b931b45e8d84969e3395b28a4b.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\f222a754f076013d880c23d6f41a7feceb6825b931b45e8d84969e3395b28a4b.exe

"C:\Users\Admin\AppData\Local\Temp\f222a754f076013d880c23d6f41a7feceb6825b931b45e8d84969e3395b28a4b.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 c6ce0b90-058d-43d1-9ad1-9671444c0663.uuid.localstats.org udp
US 8.8.8.8:53 server6.localstats.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
N/A 127.0.0.1:3478 N/A udp
BG 185.82.216.111:443 server6.localstats.org tcp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 172.67.221.71:443 carsalessystem.com tcp
BG 185.82.216.111:443 server6.localstats.org tcp
US 74.125.250.129:19302 stun4.l.google.com udp
BG 185.82.216.111:443 server6.localstats.org tcp

Files

memory/3856-1-0x0000000002A50000-0x0000000002E54000-memory.dmp

memory/3856-2-0x0000000002E60000-0x000000000374B000-memory.dmp

memory/3856-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4832-4-0x00000000749BE000-0x00000000749BF000-memory.dmp

memory/4832-5-0x0000000002800000-0x0000000002836000-memory.dmp

memory/4832-6-0x00000000749B0000-0x0000000075161000-memory.dmp

memory/4832-7-0x0000000005320000-0x000000000594A000-memory.dmp

memory/4832-9-0x0000000005060000-0x0000000005082000-memory.dmp

memory/4832-8-0x00000000749B0000-0x0000000075161000-memory.dmp

memory/4832-10-0x0000000005950000-0x00000000059B6000-memory.dmp

memory/4832-11-0x0000000005AC0000-0x0000000005B26000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0vnhmul5.fnm.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4832-20-0x0000000005B30000-0x0000000005E87000-memory.dmp

memory/4832-21-0x0000000006000000-0x000000000601E000-memory.dmp

memory/4832-22-0x0000000006040000-0x000000000608C000-memory.dmp

memory/4832-23-0x00000000064E0000-0x0000000006526000-memory.dmp

memory/4832-26-0x00000000749B0000-0x0000000075161000-memory.dmp

memory/4832-25-0x0000000070C20000-0x0000000070C6C000-memory.dmp

memory/4832-24-0x0000000007410000-0x0000000007444000-memory.dmp

memory/4832-27-0x0000000070E30000-0x0000000071187000-memory.dmp

memory/4832-37-0x0000000007490000-0x0000000007534000-memory.dmp

memory/4832-36-0x0000000007470000-0x000000000748E000-memory.dmp

memory/4832-40-0x00000000075B0000-0x00000000075CA000-memory.dmp

memory/4832-39-0x00000000749B0000-0x0000000075161000-memory.dmp

memory/4832-38-0x0000000007C00000-0x000000000827A000-memory.dmp

memory/4832-41-0x00000000075F0000-0x00000000075FA000-memory.dmp

memory/4832-42-0x0000000007700000-0x0000000007796000-memory.dmp

memory/4832-43-0x0000000007620000-0x0000000007631000-memory.dmp

memory/4832-44-0x0000000007660000-0x000000000766E000-memory.dmp

memory/4832-45-0x0000000007670000-0x0000000007685000-memory.dmp

memory/4832-46-0x00000000076C0000-0x00000000076DA000-memory.dmp

memory/4832-47-0x00000000076E0000-0x00000000076E8000-memory.dmp

memory/4832-50-0x00000000749B0000-0x0000000075161000-memory.dmp

memory/3856-52-0x0000000002A50000-0x0000000002E54000-memory.dmp

memory/4344-53-0x0000000002A40000-0x0000000002E3B000-memory.dmp

memory/416-62-0x0000000005FA0000-0x00000000062F7000-memory.dmp

memory/416-64-0x0000000070DA0000-0x00000000710F7000-memory.dmp

memory/416-63-0x0000000070C20000-0x0000000070C6C000-memory.dmp

memory/416-73-0x0000000007580000-0x0000000007624000-memory.dmp

memory/416-74-0x0000000007890000-0x00000000078A1000-memory.dmp

memory/3856-76-0x0000000002E60000-0x000000000374B000-memory.dmp

memory/3856-75-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/416-77-0x00000000078E0000-0x00000000078F5000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 d0c46cad6c0778401e21910bd6b56b70
SHA1 7be418951ea96326aca445b8dfe449b2bfa0dca6
SHA256 9600b3fdf0565ccb49e21656aa4b24d7c18f776bfd04d9ee984b134707550f02
SHA512 057531b468f7fbbb2175a696a8aab274dec0d17d9f71df309edcff35e064f3378050066a3df47ccd03048fac461594ec75e3d4fe64f9dd79949d129f51e02949

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 0eda1bab141090244115364486faa6f6
SHA1 7ff3baf048771cba418fdb970a98bac03a587a06
SHA256 fff8c32ea710c2616b9da03bc175e32e2f61ccbafe7918ace85ec958303be41f
SHA512 03edf35080dc96ad238a30ebbf3510aac0ef20c6486a6ea638eefbbf77b3040a9439e7693c22ae1710ec8335e81f82d614f37721b7d09e391b366b246ccbd0ca

memory/3596-90-0x0000000070C20000-0x0000000070C6C000-memory.dmp

memory/3596-91-0x0000000070DA0000-0x00000000710F7000-memory.dmp

memory/2884-101-0x0000000005EB0000-0x0000000006207000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 fab0cb89f807c63d78252895ef82ffaf
SHA1 92a1981b1b3be0ac17dd89b231b282556db710fd
SHA256 32fbfc4a88498c0a73e109dbf1b9c716904e0cea589b8666b3c09217ed3eac18
SHA512 3fb03c7b0a41011d76fb5f12a6e5fc41f72563ca7ef0d9b878c0ee2c8bb63e2a8a80f360146ce981470ba0c9410680adabf85596e86fd34c8699b89bf6ffeedf

memory/2884-111-0x0000000070C20000-0x0000000070C6C000-memory.dmp

memory/2884-112-0x0000000070E90000-0x00000000711E7000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 9d989d4ff312ee6c9ed20b8678ce29b9
SHA1 27897eb5494a276e23a2045120d98bbd708febb8
SHA256 f222a754f076013d880c23d6f41a7feceb6825b931b45e8d84969e3395b28a4b
SHA512 0b5a2a0fe91215c1b4666fc34f1ca7016c4d5df83db42d5096184e50ec046b8340cb8d0c625bc4a6b26105be1d83de10fe0d901f577810d2feee808443fae864

memory/4344-125-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2412-129-0x00000000055D0000-0x0000000005927000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 36a3897bdf208f83c783c36ecadd601f
SHA1 d0f8e72053f738098450296109fe3a7036e94631
SHA256 d4907defddbe1d179436ba677ba903654a69c52b6b4b41f4713fe020f328ff24
SHA512 cd1c55549314e9bc14feb728d6d2c6d0869bb8b35d6090c6b2955f2e53d41ca44159aab8c12f4eb689e54adfe321969e3e34ff951eebf9a71d9e68b10dcafbe9

memory/2412-140-0x0000000070E70000-0x00000000711C7000-memory.dmp

memory/2412-139-0x0000000070C20000-0x0000000070C6C000-memory.dmp

memory/4596-158-0x00000000063B0000-0x0000000006707000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 9aaf07cd87a8a6d9fbde5f9b7488303c
SHA1 16ea092f4ba151308edd124f44f5c63493ee5ccc
SHA256 81c09d90767d11a8d582b0931c66de400f589be841ab86b140364e8625adfbcc
SHA512 4846a7684823b18fe72c34db34a688a07544757c5aaf8ec14d499326237a356c7d09391b33fa48d0111a8d7ea83ba45b5176c919958f57a22612534301a01aaf

memory/4596-160-0x00000000068A0000-0x00000000068EC000-memory.dmp

memory/4596-162-0x0000000070CE0000-0x0000000071037000-memory.dmp

memory/4596-161-0x0000000070B40000-0x0000000070B8C000-memory.dmp

memory/4596-171-0x0000000007A90000-0x0000000007B34000-memory.dmp

memory/4596-172-0x0000000007E10000-0x0000000007E21000-memory.dmp

memory/4596-173-0x0000000006090000-0x00000000060A5000-memory.dmp

memory/1516-183-0x0000000005F90000-0x00000000062E7000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 300182265b39809ba0a2bbe576f574e4
SHA1 5fd27592dee06c0569a74ee03671d3d4e1e6b006
SHA256 0d1c11af811c702202c0103895130fe6519fd08ed15b8fa32e55a643c891a91c
SHA512 9e0f0aab1c4a27fbd9d4333ce0410df2fade47242db0365d4205096a89c150befd3ae9e0bf4fa519f8a0b54e4e1de4218c63f0c271cae5afe6c87093d474bce7

memory/1516-185-0x0000000070B40000-0x0000000070B8C000-memory.dmp

memory/1516-186-0x0000000070D90000-0x00000000710E7000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/4504-202-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/4472-206-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4472-210-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4504-212-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4504-214-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2752-215-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4504-217-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2752-219-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4504-221-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4504-224-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4504-227-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4504-229-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4504-233-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4504-236-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4504-239-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4504-240-0x0000000000400000-0x0000000000D1C000-memory.dmp