Malware Analysis Report

2024-12-08 02:12

Sample ID 240516-pv2mlach7z
Target 869086676503ef842045aa014b52cc86549e5629781839500a5da88c36ad7201
SHA256 869086676503ef842045aa014b52cc86549e5629781839500a5da88c36ad7201
Tags glupteba discovery dropper evasion execution loader persistence rootkit upx
Score 10/10

Analysis Overview

Threat Level: Known bad

The file 869086676503ef842045aa014b52cc86549e5629781839500a5da88c36ad7201 was found to be: Known bad.

Malicious Activity Summary

Glupteba

Glupteba payload

Modifies Windows Firewall

UPX packed file

Executes dropped EXE

Checks installed software on the system

Adds Run key to start application

Manipulates WinMonFS driver

Drops file in System32 directory

Launches sc.exe

Drops file in Windows directory

Checks for VirtualBox DLLs, possible anti-VM trick

Command and Scripting Interpreter: PowerShell

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

Modifies data under HKEY_USERS

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-16 12:39

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-16 12:39

Reported

2024-05-16 12:42

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

138s

Command Line

"C:\Users\Admin\AppData\Local\Temp\869086676503ef842045aa014b52cc86549e5629781839500a5da88c36ad7201.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
17 events reported; all fields N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Description Indicator Process Target
5 events reported; all fields N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\869086676503ef842045aa014b52cc86549e5629781839500a5da88c36ad7201.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\869086676503ef842045aa014b52cc86549e5629781839500a5da88c36ad7201.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\869086676503ef842045aa014b52cc86549e5629781839500a5da88c36ad7201.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\869086676503ef842045aa014b52cc86549e5629781839500a5da88c36ad7201.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-292 = "Central European Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-3052 = "Qyzylorda Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-3141 = "South Sudan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1502 = "Turkey Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2162 = "Altai Standard Time" C:\Users\Admin\AppData\Local\Temp\869086676503ef842045aa014b52cc86549e5629781839500a5da88c36ad7201.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-292 = "Central European Standard Time" C:\Users\Admin\AppData\Local\Temp\869086676503ef842045aa014b52cc86549e5629781839500a5da88c36ad7201.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-911 = "Mauritius Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-561 = "SE Asia Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2631 = "Norfolk Daylight Time" C:\Users\Admin\AppData\Local\Temp\869086676503ef842045aa014b52cc86549e5629781839500a5da88c36ad7201.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-211 = "Pacific Daylight Time" C:\Users\Admin\AppData\Local\Temp\869086676503ef842045aa014b52cc86549e5629781839500a5da88c36ad7201.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2492 = "Aus Central W. Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1662 = "Bahia Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-912 = "Mauritius Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-364 = "Middle East Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2771 = "Omsk Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-751 = "Tonga Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-442 = "Arabian Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-231 = "Hawaiian Daylight Time" C:\Users\Admin\AppData\Local\Temp\869086676503ef842045aa014b52cc86549e5629781839500a5da88c36ad7201.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-891 = "Morocco Daylight Time" C:\Users\Admin\AppData\Local\Temp\869086676503ef842045aa014b52cc86549e5629781839500a5da88c36ad7201.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-872 = "Pakistan Standard Time" C:\Users\Admin\AppData\Local\Temp\869086676503ef842045aa014b52cc86549e5629781839500a5da88c36ad7201.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1721 = "Libya Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time" C:\Users\Admin\AppData\Local\Temp\869086676503ef842045aa014b52cc86549e5629781839500a5da88c36ad7201.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2001 = "Cabo Verde Daylight Time" C:\Users\Admin\AppData\Local\Temp\869086676503ef842045aa014b52cc86549e5629781839500a5da88c36ad7201.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2531 = "Chatham Islands Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-71 = "Newfoundland Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1501 = "Turkey Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2451 = "Saint Pierre Daylight Time" C:\Users\Admin\AppData\Local\Temp\869086676503ef842045aa014b52cc86549e5629781839500a5da88c36ad7201.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2791 = "Novosibirsk Daylight Time" C:\Users\Admin\AppData\Local\Temp\869086676503ef842045aa014b52cc86549e5629781839500a5da88c36ad7201.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-831 = "SA Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\869086676503ef842045aa014b52cc86549e5629781839500a5da88c36ad7201.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2431 = "Cuba Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-982 = "Kamchatka Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2412 = "Marquesas Standard Time" C:\Users\Admin\AppData\Local\Temp\869086676503ef842045aa014b52cc86549e5629781839500a5da88c36ad7201.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-561 = "SE Asia Daylight Time" C:\Users\Admin\AppData\Local\Temp\869086676503ef842045aa014b52cc86549e5629781839500a5da88c36ad7201.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1802 = "Line Islands Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-771 = "Montevideo Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-432 = "Iran Standard Time" C:\Users\Admin\AppData\Local\Temp\869086676503ef842045aa014b52cc86549e5629781839500a5da88c36ad7201.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-191 = "Mountain Daylight Time" C:\Users\Admin\AppData\Local\Temp\869086676503ef842045aa014b52cc86549e5629781839500a5da88c36ad7201.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-91 = "Pacific SA Daylight Time" C:\Users\Admin\AppData\Local\Temp\869086676503ef842045aa014b52cc86549e5629781839500a5da88c36ad7201.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\869086676503ef842045aa014b52cc86549e5629781839500a5da88c36ad7201.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\869086676503ef842045aa014b52cc86549e5629781839500a5da88c36ad7201.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\869086676503ef842045aa014b52cc86549e5629781839500a5da88c36ad7201.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\869086676503ef842045aa014b52cc86549e5629781839500a5da88c36ad7201.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\869086676503ef842045aa014b52cc86549e5629781839500a5da88c36ad7201.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\869086676503ef842045aa014b52cc86549e5629781839500a5da88c36ad7201.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\869086676503ef842045aa014b52cc86549e5629781839500a5da88c36ad7201.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\869086676503ef842045aa014b52cc86549e5629781839500a5da88c36ad7201.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\869086676503ef842045aa014b52cc86549e5629781839500a5da88c36ad7201.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\869086676503ef842045aa014b52cc86549e5629781839500a5da88c36ad7201.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\869086676503ef842045aa014b52cc86549e5629781839500a5da88c36ad7201.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\869086676503ef842045aa014b52cc86549e5629781839500a5da88c36ad7201.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\869086676503ef842045aa014b52cc86549e5629781839500a5da88c36ad7201.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\869086676503ef842045aa014b52cc86549e5629781839500a5da88c36ad7201.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3236 wrote to memory of 4824 N/A C:\Users\Admin\AppData\Local\Temp\869086676503ef842045aa014b52cc86549e5629781839500a5da88c36ad7201.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3236 wrote to memory of 4824 N/A C:\Users\Admin\AppData\Local\Temp\869086676503ef842045aa014b52cc86549e5629781839500a5da88c36ad7201.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3236 wrote to memory of 4824 N/A C:\Users\Admin\AppData\Local\Temp\869086676503ef842045aa014b52cc86549e5629781839500a5da88c36ad7201.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5076 wrote to memory of 4912 N/A C:\Users\Admin\AppData\Local\Temp\869086676503ef842045aa014b52cc86549e5629781839500a5da88c36ad7201.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5076 wrote to memory of 4912 N/A C:\Users\Admin\AppData\Local\Temp\869086676503ef842045aa014b52cc86549e5629781839500a5da88c36ad7201.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5076 wrote to memory of 4912 N/A C:\Users\Admin\AppData\Local\Temp\869086676503ef842045aa014b52cc86549e5629781839500a5da88c36ad7201.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5076 wrote to memory of 460 N/A C:\Users\Admin\AppData\Local\Temp\869086676503ef842045aa014b52cc86549e5629781839500a5da88c36ad7201.exe C:\Windows\system32\cmd.exe
PID 5076 wrote to memory of 460 N/A C:\Users\Admin\AppData\Local\Temp\869086676503ef842045aa014b52cc86549e5629781839500a5da88c36ad7201.exe C:\Windows\system32\cmd.exe
PID 460 wrote to memory of 5100 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Conhost.exe
PID 460 wrote to memory of 5100 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Conhost.exe
PID 5076 wrote to memory of 1428 N/A C:\Users\Admin\AppData\Local\Temp\869086676503ef842045aa014b52cc86549e5629781839500a5da88c36ad7201.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5076 wrote to memory of 1428 N/A C:\Users\Admin\AppData\Local\Temp\869086676503ef842045aa014b52cc86549e5629781839500a5da88c36ad7201.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5076 wrote to memory of 1428 N/A C:\Users\Admin\AppData\Local\Temp\869086676503ef842045aa014b52cc86549e5629781839500a5da88c36ad7201.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5076 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\869086676503ef842045aa014b52cc86549e5629781839500a5da88c36ad7201.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5076 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\869086676503ef842045aa014b52cc86549e5629781839500a5da88c36ad7201.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5076 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\869086676503ef842045aa014b52cc86549e5629781839500a5da88c36ad7201.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5076 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\869086676503ef842045aa014b52cc86549e5629781839500a5da88c36ad7201.exe C:\Windows\rss\csrss.exe
PID 5076 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\869086676503ef842045aa014b52cc86549e5629781839500a5da88c36ad7201.exe C:\Windows\rss\csrss.exe
PID 5076 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\869086676503ef842045aa014b52cc86549e5629781839500a5da88c36ad7201.exe C:\Windows\rss\csrss.exe
PID 2636 wrote to memory of 4736 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2636 wrote to memory of 4736 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2636 wrote to memory of 4736 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2636 wrote to memory of 3600 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2636 wrote to memory of 3600 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2636 wrote to memory of 3600 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2636 wrote to memory of 3596 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2636 wrote to memory of 3596 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2636 wrote to memory of 3596 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2636 wrote to memory of 4572 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 2636 wrote to memory of 4572 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 4124 wrote to memory of 2588 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 4124 wrote to memory of 2588 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 4124 wrote to memory of 2588 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 2588 wrote to memory of 4888 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 2588 wrote to memory of 4888 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 2588 wrote to memory of 4888 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\869086676503ef842045aa014b52cc86549e5629781839500a5da88c36ad7201.exe

"C:\Users\Admin\AppData\Local\Temp\869086676503ef842045aa014b52cc86549e5629781839500a5da88c36ad7201.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4208,i,11266875042087428226,16669718873272757238,262144 --variations-seed-version --mojo-platform-channel-handle=4116 /prefetch:8

C:\Users\Admin\AppData\Local\Temp\869086676503ef842045aa014b52cc86549e5629781839500a5da88c36ad7201.exe

"C:\Users\Admin\AppData\Local\Temp\869086676503ef842045aa014b52cc86549e5629781839500a5da88c36ad7201.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe
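The Processes list above records the sample's whole persistence and evasion chain as command lines: a copy of itself masquerading as csrss.exe under C:\Windows\rss, an inbound firewall allow rule for that copy, an ONLOGON scheduled task at the highest run level, an injector loading NtQuerySystemInformationHook.dll into taskmgr.exe, a second payload dropped as C:\Windows\windefender.exe, and a rewrite of the WinDefender service DACL. The Python below is an added example by the editor (not sandbox output and not code from the sample) that replays those command lines through detection rules of the kind a SOC would run over process-creation telemetry such as Sysmon Event ID 1. EVENTS is copied from the list above; the regexes, the table of system-binary home directories and the C:\Windows allowlist are the editor's assumptions and need tuning per estate.

```python
"""Triage of the (image, command line) pairs recorded in this report's behavioral1 run.

Added example by the editor; neither sandbox output nor code from the sample.
EVENTS reproduces pairs from the Processes list above. The rules, regexes,
PROTECTED_NAMES and WINDOWS_ROOT_ALLOWLIST are assumptions, not report data.
"""
import ntpath
import re

SYSTEM32 = r"c:\windows\system32"

# System binaries whose names this sample borrows, mapped to the directory where
# the genuine copy lives (assumption: default layout, 64-bit image).
PROTECTED_NAMES = {"csrss.exe": SYSTEM32, "conhost.exe": SYSTEM32}

# Executables legitimately sitting directly in C:\Windows (assumption: partial
# allowlist; extend it from a known-good build of the same OS version).
WINDOWS_ROOT_ALLOWLIST = {"explorer.exe", "notepad.exe", "regedit.exe",
                          "hh.exe", "write.exe", "splwow64.exe", "bfsvc.exe"}

NETSH_ALLOW = re.compile(
    r'netsh\s+advfirewall\s+firewall\s+add\s+rule\b(?=.*\baction=allow\b)'
    r'.*?\bprogram="?([^"\s]+)"?', re.I)
SCHTASKS_CREATE = re.compile(
    r'schtasks\s+/create\b.*?/tr\s+"?([^"]+?)"?\s+/tn\s+(\S+)', re.I)
RUN_LEVEL_HIGHEST = re.compile(r'/rl\s+highest\b', re.I)
SC_SDSET = re.compile(r'\bsc(?:\.exe)?\s+sdset\s+(\S+)\s+(\S+)', re.I)
# Heuristic: a process whose two trailing arguments are a target image and a
# DLL path has the shape of a command-line injector.
INJECTOR_ARGS = re.compile(r'(\S+\.exe)\s+(\S+\.dll)\s*$', re.I)

# (image path, command line) pairs copied from the Processes list above.
EVENTS = [
    (r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "powershell -nologo -noprofile"),
    (r"C:\Windows\system32\cmd.exe",
     r'C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"'),
    (r"C:\Windows\system32\netsh.exe",
     r'netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes'),
    (r"C:\Windows\rss\csrss.exe", r"C:\Windows\rss\csrss.exe"),
    (r"C:\Windows\System32\Conhost.exe",
     r"\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
    (r"C:\Windows\SYSTEM32\schtasks.exe",
     r'schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F'),
    (r"C:\Windows\SYSTEM32\schtasks.exe", r"schtasks /delete /tn ScheduledUpdate /f"),
    (r"C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe",
     r"C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll"),
    (r"C:\Windows\windefender.exe", r'"C:\Windows\windefender.exe"'),
    (r"C:\Windows\SysWOW64\sc.exe",
     r"sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"),
]


def normalize(path):
    """Lower-case a path, dropping quotes and the NT object-manager \\??\\ prefix."""
    p = path.strip().strip('"')
    if p.startswith("\\??\\"):
        p = p[4:]
    return p.lower()


def triage(events):
    """Return (rule, image, detail) findings for a list of (image, cmdline) pairs."""
    findings = []
    for image, cmdline in events:
        img = normalize(image)
        base, home = ntpath.basename(img), ntpath.dirname(img)

        if base in PROTECTED_NAMES and home != PROTECTED_NAMES[base]:
            findings.append(("masquerading_system_binary", image,
                             f"{base} expected under {PROTECTED_NAMES[base]}, found in {home}"))
        if home == r"c:\windows" and base not in WINDOWS_ROOT_ALLOWLIST:
            findings.append(("unexpected_exe_in_windows_root", image, base))

        m = NETSH_ALLOW.search(cmdline)
        if m:
            findings.append(("firewall_allow_rule", image, f"inbound allow for {m.group(1)}"))
        m = SCHTASKS_CREATE.search(cmdline)
        if m:
            level = "highest" if RUN_LEVEL_HIGHEST.search(cmdline) else "limited"
            findings.append(("scheduled_task_created", image,
                             f"task {m.group(2)} runs {m.group(1)} at run level {level}"))
        m = SC_SDSET.search(cmdline)
        if m:
            deny = " with deny ACE" if "(D;" in m.group(2) else ""
            findings.append(("service_dacl_rewritten", image, f"service {m.group(1)}{deny}"))
        m = INJECTOR_ARGS.search(cmdline)
        if m:
            findings.append(("dll_injection_shape", image, f"{m.group(2)} into {m.group(1)}"))
    return findings


if __name__ == "__main__":
    for rule, image, detail in triage(EVENTS):
        print(f"{rule:32} {image}\n{'':32} {detail}")
```

Run as a script, each finding prints as rule, image and detail. Two things the output makes visible that the raw list does not: the genuine csrss.exe and conhost.exe live in System32, so the copy under C:\Windows\rss is flagged while the real conhost.exe launched for csrss.exe is not, and the firewall rule fires twice because the sandbox recorded both the cmd.exe wrapper and its netsh.exe child, which is the normal shape of a `cmd /C` launch and worth deduplicating on the parent/child relationship in real telemetry.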

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 f78d3ab6-d7d8-4d72-af2e-c95bee4a4513.uuid.createupdate.org udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 stun.ipfire.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 server8.createupdate.org udp
US 162.159.133.233:443 cdn.discordapp.com tcp
DE 81.3.27.44:3478 stun.ipfire.org udp
BG 185.82.216.104:443 server8.createupdate.org tcp
US 8.8.8.8:53 carsalessystem.com udp
US 104.21.94.82:443 carsalessystem.com tcp
US 8.8.8.8:53 44.27.3.81.in-addr.arpa udp
US 8.8.8.8:53 233.133.159.162.in-addr.arpa udp
US 8.8.8.8:53 104.216.82.185.in-addr.arpa udp
US 8.8.8.8:53 82.94.21.104.in-addr.arpa udp
BG 185.82.216.104:443 server8.createupdate.org tcp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
BG 185.82.216.104:443 server8.createupdate.org tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
BG 185.82.216.104:443 server8.createupdate.org tcp
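The Network table mixes three kinds of rows: reverse (PTR) lookups, forward DNS queries to 8.8.8.8, and the TCP/UDP connections themselves, with sandbox background traffic to Bing interleaved. The Python below is an added example by the editor (not sandbox output) that reduces the table to what a responder would block or hunt for: distinct contacted endpoints per domain, names that were resolved but never connected to, PTR lookups that point back at a contacted address, and two behavioural flags, a UUID-labelled hostname and STUN traffic. NETWORK_ROWS is a subset of the rows above; BENIGN_SUFFIXES is the editor's assumption about sandbox noise and must be tuned per environment.

```python
"""Reduce this report's Network table to a deduplicated IOC summary.

Added example by the editor, not sandbox output. NETWORK_ROWS is a subset of
the Network table above; BENIGN_SUFFIXES and STUN_PORTS are assumptions.
"""
import re
from collections import namedtuple

Row = namedtuple("Row", "country ip port domain proto")

# Subset of the report's Network table (Country Destination Domain Proto).
NETWORK_ROWS = """\
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 f78d3ab6-d7d8-4d72-af2e-c95bee4a4513.uuid.createupdate.org udp
US 8.8.8.8:53 stun.ipfire.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 server8.createupdate.org udp
US 162.159.133.233:443 cdn.discordapp.com tcp
DE 81.3.27.44:3478 stun.ipfire.org udp
BG 185.82.216.104:443 server8.createupdate.org tcp
US 8.8.8.8:53 carsalessystem.com udp
US 104.21.94.82:443 carsalessystem.com tcp
US 8.8.8.8:53 104.216.82.185.in-addr.arpa udp
BG 185.82.216.104:443 server8.createupdate.org tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
"""

# Assumption: background traffic of the sandbox image, not the sample's.
BENIGN_SUFFIXES = ("bing.com", "bing.net", "msftconnecttest.com")
UUID_LABEL = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\.", re.I)
STUN_PORTS = {3478, 5349}  # assumption: standard STUN/TURN ports


def parse_rows(text):
    """Parse 'CC ip:port domain proto' lines; skips headers and malformed rows."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4 or ":" not in fields[1]:
            continue
        country, dest, domain, proto = fields
        ip, port = dest.rsplit(":", 1)
        rows.append(Row(country, ip, int(port), domain, proto))
    return rows


def ptr_target(name):
    """'104.216.82.185.in-addr.arpa' -> '185.82.216.104'; None for non-PTR names."""
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    return ".".join(reversed(name[:-len(suffix)].split(".")))


def is_benign(domain):
    return any(domain == s or domain.endswith("." + s) for s in BENIGN_SUFFIXES)


def summarize(rows):
    """Split rows into contacted endpoints, DNS-only names, self-PTR lookups and flags."""
    contacted, queried, ptr_ips, flags = {}, set(), set(), set()
    for r in rows:
        target = ptr_target(r.domain)
        if target:
            ptr_ips.add(target)
            continue
        if is_benign(r.domain):
            continue
        if r.port == 53 and r.proto == "udp":
            queried.add(r.domain)
        else:
            contacted.setdefault(r.domain, set()).add((r.ip, r.port, r.proto, r.country))
        if UUID_LABEL.match(r.domain):
            flags.add(f"uuid-labelled host {r.domain}")
        if r.port in STUN_PORTS:
            flags.add(f"STUN to {r.domain}:{r.port} (public IP discovery)")
    contacted_ips = {ip for eps in contacted.values() for ip, *_ in eps}
    return {
        "contacted": {d: sorted(eps) for d, eps in contacted.items()},
        "dns_only": sorted(queried - set(contacted)),
        "ptr_of_contacted": sorted(ptr_ips & contacted_ips),
        "flags": sorted(flags),
    }


if __name__ == "__main__":
    for key, value in summarize(parse_rows(NETWORK_ROWS)).items():
        print(key, value)
```

On these rows the summary leaves four endpoints (server8.createupdate.org on 185.82.216.104:443, carsalessystem.com, cdn.discordapp.com and the STUN server), shows that the UUID-labelled host under createupdate.org was resolved but never connected to, and shows the sample resolving the PTR record of its own C2 address. The createupdate.org and carsalessystem.com names and the 185.82.216.104 address belong on block lists; the Discord CDN and the public STUN server are shared infrastructure and belong in hunting queries rather than block lists.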

Files

memory/3236-1-0x0000000002A50000-0x0000000002E50000-memory.dmp

memory/3236-2-0x0000000002E50000-0x000000000373B000-memory.dmp

memory/3236-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4824-4-0x0000000074F5E000-0x0000000074F5F000-memory.dmp

memory/4824-5-0x0000000002F20000-0x0000000002F56000-memory.dmp

memory/4824-6-0x0000000005860000-0x0000000005E88000-memory.dmp

memory/4824-7-0x0000000074F50000-0x0000000075700000-memory.dmp

memory/4824-8-0x0000000074F50000-0x0000000075700000-memory.dmp

memory/4824-9-0x0000000005550000-0x0000000005572000-memory.dmp

memory/4824-10-0x0000000005E90000-0x0000000005EF6000-memory.dmp

memory/4824-11-0x0000000005F00000-0x0000000005F66000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jt3vqxwx.0vq.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4824-21-0x0000000005F70000-0x00000000062C4000-memory.dmp

memory/4824-22-0x0000000006520000-0x000000000653E000-memory.dmp

memory/4824-23-0x0000000006560000-0x00000000065AC000-memory.dmp

memory/4824-24-0x0000000006A90000-0x0000000006AD4000-memory.dmp

memory/4824-25-0x0000000007860000-0x00000000078D6000-memory.dmp

memory/4824-26-0x0000000007F60000-0x00000000085DA000-memory.dmp

memory/4824-27-0x00000000078E0000-0x00000000078FA000-memory.dmp

memory/4824-29-0x0000000070DF0000-0x0000000070E3C000-memory.dmp

memory/4824-30-0x0000000070F70000-0x00000000712C4000-memory.dmp

memory/4824-40-0x0000000007AE0000-0x0000000007AFE000-memory.dmp

memory/4824-28-0x0000000007AA0000-0x0000000007AD2000-memory.dmp

memory/4824-41-0x0000000074F50000-0x0000000075700000-memory.dmp

memory/4824-42-0x0000000007B00000-0x0000000007BA3000-memory.dmp

memory/4824-43-0x0000000074F50000-0x0000000075700000-memory.dmp

memory/4824-44-0x0000000007BF0000-0x0000000007BFA000-memory.dmp

memory/4824-45-0x0000000007CB0000-0x0000000007D46000-memory.dmp

memory/4824-46-0x0000000007C10000-0x0000000007C21000-memory.dmp

memory/4824-47-0x0000000007C50000-0x0000000007C5E000-memory.dmp

memory/4824-48-0x0000000007C60000-0x0000000007C74000-memory.dmp

memory/4824-49-0x0000000007D50000-0x0000000007D6A000-memory.dmp

memory/4824-50-0x0000000007C90000-0x0000000007C98000-memory.dmp

memory/4824-53-0x0000000074F50000-0x0000000075700000-memory.dmp

memory/3236-54-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3236-55-0x0000000002E50000-0x000000000373B000-memory.dmp

memory/5076-57-0x0000000002950000-0x0000000002D51000-memory.dmp

memory/4912-63-0x00000000059E0000-0x0000000005D34000-memory.dmp

memory/4912-68-0x0000000006390000-0x00000000063DC000-memory.dmp

memory/4912-69-0x0000000070EF0000-0x0000000070F3C000-memory.dmp

memory/4912-70-0x00000000716B0000-0x0000000071A04000-memory.dmp

memory/4912-80-0x0000000007260000-0x0000000007303000-memory.dmp

memory/4912-81-0x00000000075A0000-0x00000000075B1000-memory.dmp

memory/4912-82-0x00000000075F0000-0x0000000007604000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

memory/1428-95-0x00000000064F0000-0x0000000006844000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 2a53ed8384889e95d055943f3dbe84ae
SHA1 a0c7733e45ac4a55b8d176644df5206ee4e1649f
SHA256 aa53001c58dcf26f7165dede53334672b62ee826da5c609739304ad9a4913145
SHA512 dfec1aadb439d5cee4fb0e8542d631eef3f2098b4b918acf7c648a6afacf033b6779f1ec57a6e8338f900549d3952bcc72cbb6f8da60e11d40b61167e9dccea6

memory/1428-97-0x0000000070EF0000-0x0000000070F3C000-memory.dmp

memory/1428-98-0x0000000071070000-0x00000000713C4000-memory.dmp

memory/1744-118-0x0000000006100000-0x0000000006454000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 fadb089b18b79b40e46cf3d1d15c59fe
SHA1 b3091f546330ba77d4bab61033644829ad2e3edd
SHA256 1590a8ef8598deca7f53358361923ceca194d79cc07461f117b3ebb73ebd3d5e
SHA512 5d6d1508fb487b9977177a5aacb41793d64226eff0c93e16670f991ce17e96cf5b8eae3e5974a8f9e02406061dc1a4980d506418f86d1dbe11ca3567192bb6ac

memory/1744-120-0x0000000070EF0000-0x0000000070F3C000-memory.dmp

memory/1744-121-0x0000000071090000-0x00000000713E4000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 e4829369d712c9f3ea9e47bbafdab7d8
SHA1 af1a5f98bf6a9e9c41c409019432357ad07641e3
SHA256 869086676503ef842045aa014b52cc86549e5629781839500a5da88c36ad7201
SHA512 fc80bb17cd7c8f0def79d7481a60e2ff40b4f3372c50cde0a16ed4c4b4140fa4c374f9d3d309ce1abb809d2414a58deecf27b63eb21e415ae0801d51b8694e56

memory/5076-135-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4736-147-0x0000000005950000-0x0000000005CA4000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 51844d420eee99b9004f3ad531ddd9f9
SHA1 ec7256a65d448c7af4b0d2ea100da666e18d3513
SHA256 ebf19af6322a448071c0e69aa4b48f09495051eb106e0f591cc1d02053303f8e
SHA512 f20874cb2c4e44047afcc11035297056d41e4dedac332c0fc67089dc046a0784bb2810e215e0aa5a493bce6567ddf4f62d71973b17b9297abcd1f76491a19e60

memory/4736-149-0x00000000063E0000-0x000000000642C000-memory.dmp

memory/4736-150-0x0000000070E50000-0x0000000070E9C000-memory.dmp

memory/4736-151-0x0000000070FD0000-0x0000000071324000-memory.dmp

memory/4736-161-0x0000000007190000-0x0000000007233000-memory.dmp

memory/4736-162-0x0000000007350000-0x0000000007361000-memory.dmp

memory/4736-163-0x0000000005D50000-0x0000000005D64000-memory.dmp

memory/3600-170-0x00000000054C0000-0x0000000005814000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 18980dbc034e84dabe924a544d4dc560
SHA1 cf17a3d0134f1533bced7e6b10b283432c6872cb
SHA256 a8f1a7cde6c4e1eac8994347c3a28f3e4b42d2637ad812e13d7e6128aa4bd6c2
SHA512 fac835e75e133d5d9ea56ba6000ce8d4fecaaa60a8fbff06ed886bb0b67a409d170fa4478350f574042fcdbe79003cad0a608b0681f03f91420335454a2abfff

memory/3600-176-0x0000000005ED0000-0x0000000005F1C000-memory.dmp

memory/3600-177-0x0000000070D70000-0x0000000070DBC000-memory.dmp

memory/3600-178-0x0000000071500000-0x0000000071854000-memory.dmp

memory/3600-188-0x0000000006DD0000-0x0000000006E73000-memory.dmp

memory/3600-189-0x0000000006F90000-0x0000000006FA1000-memory.dmp

memory/3600-190-0x0000000005960000-0x0000000005974000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 4b49bd4aa42b6cf9169d706b12150e06
SHA1 c620103045d3d06e17528889ad49aebddec162dc
SHA256 3801524bec074d063e03eecac493ca97cf6c1e08c49fba87d063f5dc695a4f03
SHA512 232213238e895dbd85da433f75ddf475624112f99980dffc7088bae3e80ec781094eaec019491305e9fbc487497a2ca1ff2c09f8046d2842a7dfec90a9aacb13

memory/3596-202-0x0000000070D70000-0x0000000070DBC000-memory.dmp

memory/3596-203-0x0000000071500000-0x0000000071854000-memory.dmp

memory/2636-213-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/4124-224-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2636-223-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4124-228-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2636-229-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2032-230-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2636-231-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2032-234-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2636-233-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2636-235-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2636-237-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2636-239-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2636-241-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2636-243-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2636-245-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2636-247-0x0000000000400000-0x0000000000D1C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-16 12:39

Reported

2024-05-16 12:42

Platform

win11-20240426-en

Max time kernel

149s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\869086676503ef842045aa014b52cc86549e5629781839500a5da88c36ad7201.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\869086676503ef842045aa014b52cc86549e5629781839500a5da88c36ad7201.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\869086676503ef842045aa014b52cc86549e5629781839500a5da88c36ad7201.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\869086676503ef842045aa014b52cc86549e5629781839500a5da88c36ad7201.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\869086676503ef842045aa014b52cc86549e5629781839500a5da88c36ad7201.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A
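The `sc sdset WinDefender ...` command recorded in the behavioral1 Processes list replaces the service's security descriptor, and the SDDL string is the detail that matters. As an added example by the editor (not sandbox output and not code from the sample), the Python below decodes that string into service-specific access rights and compares it with a stock service DACL. SAMPLE_SDDL is the string from the report; BASELINE_SDDL is the editor's assumption of the default descriptor for an ordinary service and should be checked with `sc sdshow <service>` on a clean host of the same build.

```python
"""Decode and compare the service security descriptor written by `sc sdset`.

Added example by the editor, not sandbox output or code from the sample.
SAMPLE_SDDL is taken from the report; BASELINE_SDDL is an assumed stock
service descriptor (verify with `sc sdshow <svc>` on a clean host).
"""
import re

# Service-specific and standard access rights in their SDDL two-letter form.
RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS", "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START", "WP": "SERVICE_STOP",
    "DT": "SERVICE_PAUSE_CONTINUE", "LO": "SERVICE_INTERROGATE",
    "CR": "SERVICE_USER_DEFINED_CONTROL", "SD": "DELETE",
    "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}
TRUSTEES = {"SY": "LocalSystem", "BA": "Administrators", "IU": "Interactive",
            "SU": "Service", "WD": "Everyone"}
ACE_TYPES = {"A": "allow", "D": "deny", "AU": "audit", "AL": "alarm"}

SECTION_RE = re.compile(r"([DS]):([A-Z]*)((?:\([^)]*\))*)")
ACE_RE = re.compile(r"\(([^)]*)\)")

SAMPLE_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)"
               "(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
               "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
# Assumption: stock descriptor of an ordinary (non-protected) service.
BASELINE_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
                 "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
                 "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")


def decode_rights(rights):
    """Expand a run of two-letter codes (or a raw 0x mask) into right names."""
    if rights.startswith("0x"):
        return {rights}
    return {RIGHTS.get(rights[i:i + 2], rights[i:i + 2]) for i in range(0, len(rights), 2)}


def parse_sddl(sddl):
    """Return {'dacl': [...], 'sacl': [...]} with ACE dicts in descriptor order."""
    parts = {"dacl": [], "sacl": []}
    for section, _flags, aces in SECTION_RE.findall(sddl):
        name = "dacl" if section == "D" else "sacl"
        for ace in ACE_RE.findall(aces):
            ace_type, flags, rights, _obj, _inherit, sid = ace.split(";")
            parts[name].append({"type": ACE_TYPES.get(ace_type, ace_type),
                                "flags": flags,
                                "rights": decode_rights(rights),
                                "trustee": TRUSTEES.get(sid, sid)})
    return parts


def effective_rights(dacl, trustee):
    """Per-right first-match evaluation of an ordered DACL for one trustee.

    Simplification (assumption): no group expansion, so 'Administrators' only
    matches ACEs that name BA, not SY or an individual user SID.
    """
    decided = {}
    for ace in dacl:
        if ace["trustee"] != trustee or ace["type"] not in ("allow", "deny"):
            continue
        for right in ace["rights"]:
            decided.setdefault(right, ace["type"] == "allow")
    return {r for r, allowed in decided.items() if allowed}


def explicit_denies(sddl):
    """(trustee, sorted rights) for every deny ACE in the DACL."""
    return [(a["trustee"], sorted(a["rights"]))
            for a in parse_sddl(sddl)["dacl"] if a["type"] == "deny"]


def lost_rights(sample, baseline):
    """Rights each well-known trustee holds in baseline but not in sample."""
    s, b = parse_sddl(sample)["dacl"], parse_sddl(baseline)["dacl"]
    report = {}
    for trustee in TRUSTEES.values():
        lost = effective_rights(b, trustee) - effective_rights(s, trustee)
        if lost:
            report[trustee] = sorted(lost)
    return report


if __name__ == "__main__":
    print("explicit denies:", explicit_denies(SAMPLE_SDDL))
    print("lost vs baseline:", lost_rights(SAMPLE_SDDL, BASELINE_SDDL))
```

The comparison shows Administrators losing SERVICE_STOP and SERVICE_PAUSE_CONTINUE in two ways at once: the BA allow ACE has WP and DT removed, and a (D;;WPDT;;;BA) deny ACE is added. Windows grants a right as soon as an earlier allow ACE covers it, so a deny ACE placed after an allow ACE that still contained WP would have had no effect; stripping the allow ACE is what makes the deny bite. A deny ACE following an allow ACE is also not canonical order, which by itself is a hint that the descriptor was written by hand. LocalSystem keeps its stop rights, and BA still holds WRITE_DAC, SERVICE_CHANGE_CONFIG and DELETE, so an administrator can restore the baseline with `sc sdset` and then stop the service.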

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-792 = "SA Western Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1412 = "Syria Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-352 = "FLE Standard Time" C:\Users\Admin\AppData\Local\Temp\869086676503ef842045aa014b52cc86549e5629781839500a5da88c36ad7201.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-72 = "Newfoundland Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-71 = "Newfoundland Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2631 = "Norfolk Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2142 = "Transbaikal Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-841 = "Argentina Daylight Time" C:\Users\Admin\AppData\Local\Temp\869086676503ef842045aa014b52cc86549e5629781839500a5da88c36ad7201.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-181 = "Mountain Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\869086676503ef842045aa014b52cc86549e5629781839500a5da88c36ad7201.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-591 = "Malay Peninsula Daylight Time" C:\Users\Admin\AppData\Local\Temp\869086676503ef842045aa014b52cc86549e5629781839500a5da88c36ad7201.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-432 = "Iran Standard Time" C:\Users\Admin\AppData\Local\Temp\869086676503ef842045aa014b52cc86549e5629781839500a5da88c36ad7201.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-502 = "Nepal Standard Time" C:\Users\Admin\AppData\Local\Temp\869086676503ef842045aa014b52cc86549e5629781839500a5da88c36ad7201.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1821 = "Russia TZ 1 Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-71 = "Newfoundland Daylight Time" C:\Users\Admin\AppData\Local\Temp\869086676503ef842045aa014b52cc86549e5629781839500a5da88c36ad7201.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2061 = "North Korea Daylight Time" C:\Users\Admin\AppData\Local\Temp\869086676503ef842045aa014b52cc86549e5629781839500a5da88c36ad7201.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-752 = "Tonga Standard Time" C:\Users\Admin\AppData\Local\Temp\869086676503ef842045aa014b52cc86549e5629781839500a5da88c36ad7201.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2592 = "Tocantins Standard Time" C:\Users\Admin\AppData\Local\Temp\869086676503ef842045aa014b52cc86549e5629781839500a5da88c36ad7201.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2612 = "Bougainville Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-512 = "Central Asia Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-162 = "Central Standard Time" C:\Users\Admin\AppData\Local\Temp\869086676503ef842045aa014b52cc86549e5629781839500a5da88c36ad7201.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-72 = "Newfoundland Standard Time" C:\Users\Admin\AppData\Local\Temp\869086676503ef842045aa014b52cc86549e5629781839500a5da88c36ad7201.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-92 = "Pacific SA Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-222 = "Alaskan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-372 = "Jerusalem Standard Time" C:\Users\Admin\AppData\Local\Temp\869086676503ef842045aa014b52cc86549e5629781839500a5da88c36ad7201.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-982 = "Kamchatka Standard Time" C:\Users\Admin\AppData\Local\Temp\869086676503ef842045aa014b52cc86549e5629781839500a5da88c36ad7201.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-364 = "Middle East Daylight Time" C:\Users\Admin\AppData\Local\Temp\869086676503ef842045aa014b52cc86549e5629781839500a5da88c36ad7201.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-652 = "AUS Central Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2611 = "Bougainville Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2411 = "Marquesas Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-334 = "Jordan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-282 = "Central Europe Standard Time" C:\Users\Admin\AppData\Local\Temp\869086676503ef842045aa014b52cc86549e5629781839500a5da88c36ad7201.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1932 = "Russia TZ 11 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2412 = "Marquesas Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1872 = "Russia TZ 7 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-741 = "New Zealand Daylight Time" C:\Users\Admin\AppData\Local\Temp\869086676503ef842045aa014b52cc86549e5629781839500a5da88c36ad7201.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1722 = "Libya Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-891 = "Morocco Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2891 = "Sudan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-662 = "Cen. Australia Standard Time" C:\Users\Admin\AppData\Local\Temp\869086676503ef842045aa014b52cc86549e5629781839500a5da88c36ad7201.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\869086676503ef842045aa014b52cc86549e5629781839500a5da88c36ad7201.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\869086676503ef842045aa014b52cc86549e5629781839500a5da88c36ad7201.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\869086676503ef842045aa014b52cc86549e5629781839500a5da88c36ad7201.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\869086676503ef842045aa014b52cc86549e5629781839500a5da88c36ad7201.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\869086676503ef842045aa014b52cc86549e5629781839500a5da88c36ad7201.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\869086676503ef842045aa014b52cc86549e5629781839500a5da88c36ad7201.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\869086676503ef842045aa014b52cc86549e5629781839500a5da88c36ad7201.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\869086676503ef842045aa014b52cc86549e5629781839500a5da88c36ad7201.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\869086676503ef842045aa014b52cc86549e5629781839500a5da88c36ad7201.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\869086676503ef842045aa014b52cc86549e5629781839500a5da88c36ad7201.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\869086676503ef842045aa014b52cc86549e5629781839500a5da88c36ad7201.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4380 wrote to memory of 3340 N/A C:\Users\Admin\AppData\Local\Temp\869086676503ef842045aa014b52cc86549e5629781839500a5da88c36ad7201.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 992 wrote to memory of 1544 N/A C:\Users\Admin\AppData\Local\Temp\869086676503ef842045aa014b52cc86549e5629781839500a5da88c36ad7201.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 992 wrote to memory of 4520 N/A C:\Users\Admin\AppData\Local\Temp\869086676503ef842045aa014b52cc86549e5629781839500a5da88c36ad7201.exe C:\Windows\system32\cmd.exe
PID 4520 wrote to memory of 1880 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 992 wrote to memory of 4684 N/A C:\Users\Admin\AppData\Local\Temp\869086676503ef842045aa014b52cc86549e5629781839500a5da88c36ad7201.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 992 wrote to memory of 228 N/A C:\Users\Admin\AppData\Local\Temp\869086676503ef842045aa014b52cc86549e5629781839500a5da88c36ad7201.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 992 wrote to memory of 3768 N/A C:\Users\Admin\AppData\Local\Temp\869086676503ef842045aa014b52cc86549e5629781839500a5da88c36ad7201.exe C:\Windows\rss\csrss.exe
PID 3768 wrote to memory of 4500 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3768 wrote to memory of 1784 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3768 wrote to memory of 4832 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3768 wrote to memory of 744 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 2524 wrote to memory of 4928 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 4928 wrote to memory of 2124 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\869086676503ef842045aa014b52cc86549e5629781839500a5da88c36ad7201.exe

"C:\Users\Admin\AppData\Local\Temp\869086676503ef842045aa014b52cc86549e5629781839500a5da88c36ad7201.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\869086676503ef842045aa014b52cc86549e5629781839500a5da88c36ad7201.exe

"C:\Users\Admin\AppData\Local\Temp\869086676503ef842045aa014b52cc86549e5629781839500a5da88c36ad7201.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 e5902eeb-3263-4315-b234-8269c2b59cad.uuid.createupdate.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 server2.createupdate.org udp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 74.125.250.129:19302 stun.l.google.com udp
BG 185.82.216.104:443 server2.createupdate.org tcp
US 104.21.94.82:443 carsalessystem.com tcp
US 8.8.8.8:53 82.94.21.104.in-addr.arpa udp
BG 185.82.216.104:443 server2.createupdate.org tcp
IE 52.111.236.21:443 tcp
BG 185.82.216.104:443 server2.createupdate.org tcp
N/A 127.0.0.1:31465 tcp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_r4juyxvb.1nw.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 ac4917a885cf6050b1a483e4bc4d2ea5
SHA1 b1c0a9f27bd21c6bbb8e9be70db8777b4a2a640f
SHA256 e39062a62c3c7617feeeff95ea8a0be51104a0d36f46e44eea22556fda74d8d9
SHA512 092c67a3ecae1d187cad72a8ea1ea37cb78a0cf79c2cd7fb88953e5990669a2e871267015762fd46d274badb88ac0c1d73b00f1df7394d89bed48a3a45c2ba3d

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 1cbd5ac9446656d94b95eee9f02b0fad
SHA1 17e174e80a2acc89693d5b18c585d3029a05adec
SHA256 a09f002cf0e4f48b6d132b7e86cd0aeed90092b4237a1aaecb8d82367d3a6fd1
SHA512 6d04c3644ba8a9a566573ff7522eb38c0841cd8f1b0da4ed1d73160b804202d8ef3bdf8236d033e72c504d89d5b9a76dc6506fcd3d69acec35915214d34a22d5

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 f0ce06501a0760704bcb4e6996e9bfc4
SHA1 39807d5538fa61de3d9ffcab49b2a84f38769aff
SHA256 6f1604ea13f584de3f9b8846d2e2138f8fe414b53f558fb45f2e50ec874d4b4c
SHA512 cccdd8dba24741e79b00e86651e935ac2199057ed559f26de2e5454f08a17651cc70885c6bf75fdec5e175e91bf127f79ccfe8facb82e9e3a0839bf5e299fd61

C:\Windows\rss\csrss.exe

MD5 e4829369d712c9f3ea9e47bbafdab7d8
SHA1 af1a5f98bf6a9e9c41c409019432357ad07641e3
SHA256 869086676503ef842045aa014b52cc86549e5629781839500a5da88c36ad7201
SHA512 fc80bb17cd7c8f0def79d7481a60e2ff40b4f3372c50cde0a16ed4c4b4140fa4c374f9d3d309ce1abb809d2414a58deecf27b63eb21e415ae0801d51b8694e56

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 919e43b71deabea4e757a34d714600ec
SHA1 1efe404d9949c065b24d646a6fa80725600576e2
SHA256 f4daaaf2213e4811a2e7ad4d52159980ccf704c0042fe4347ce1f459678b9e31
SHA512 59190bb829d65d9a428af4d98056fd4a6f2ccc44f73ecd500c0c9457cf3c1453ec7f216bd71da7685401e21124da3f61d5a5a9cf3a37ec3447def9b24cbfeb61

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 2b832dd921ce13ffbd8964e375cc85eb
SHA1 100d40ad2913182e0b59fb16b4392362835a2f0e
SHA256 22c54e05a426d5103e42cb7687dcc387b0b92d76fcf119d50e8ce4802568909d
SHA512 8f5fb67c3379c22ace2ebc08779b0e9b12160d6e28482c5f705628bb6180b7e2a53d1ca2496584d23cdcd632a487888bd1d485aad6d81a2a22837bf079b567b9

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 431484e73f060d153bda2515663c8ea0
SHA1 ff2aacaa8e10218e5a48df874cf76d207c3fefd2
SHA256 93767955debe302a01b083101e322e2a88effdd60fc59106a2a7d57962e5ba36
SHA512 745d9d1dd422f4f189113fdebadd08fd2cae177f2b8db00777a9d54cf79e89f883f7b4188806090d35b82c85396332ff78f90d208a5dac0943565923803d3117

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec
