Malware Analysis Report

2024-12-08 02:09

Sample ID 240516-pv5dgsch8w
Target 62b7f9719e9833c886468e1066c5cd78731942c51915dda411e42d6010be683f
SHA256 62b7f9719e9833c886468e1066c5cd78731942c51915dda411e42d6010be683f
Tags
glupteba discovery dropper evasion execution loader persistence rootkit upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

62b7f9719e9833c886468e1066c5cd78731942c51915dda411e42d6010be683f

Threat Level: Known bad

The file 62b7f9719e9833c886468e1066c5cd78731942c51915dda411e42d6010be683f was found to be: Known bad.

Malicious Activity Summary

glupteba discovery dropper evasion execution loader persistence rootkit upx

Glupteba payload

Glupteba

Modifies Windows Firewall

Executes dropped EXE

UPX packed file

Manipulates WinMonFS driver.

Adds Run key to start application

Checks installed software on the system

Drops file in System32 directory

Drops file in Windows directory

Checks for VirtualBox DLLs, possible anti-VM trick

Launches sc.exe

Command and Scripting Interpreter: PowerShell

Suspicious use of WriteProcessMemory

Modifies data under HKEY_USERS

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-16 12:39

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-16 12:39

Reported

2024-05-16 12:42

Platform

win10v2004-20240426-en

Max time kernel

150s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\62b7f9719e9833c886468e1066c5cd78731942c51915dda411e42d6010be683f.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\62b7f9719e9833c886468e1066c5cd78731942c51915dda411e42d6010be683f.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\62b7f9719e9833c886468e1066c5cd78731942c51915dda411e42d6010be683f.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\62b7f9719e9833c886468e1066c5cd78731942c51915dda411e42d6010be683f.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\62b7f9719e9833c886468e1066c5cd78731942c51915dda411e42d6010be683f.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2941 = "Sao Tome Daylight Time" C:\Users\Admin\AppData\Local\Temp\62b7f9719e9833c886468e1066c5cd78731942c51915dda411e42d6010be683f.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2341 = "Haiti Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2452 = "Saint Pierre Standard Time" C:\Users\Admin\AppData\Local\Temp\62b7f9719e9833c886468e1066c5cd78731942c51915dda411e42d6010be683f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-214 = "Pacific Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\62b7f9719e9833c886468e1066c5cd78731942c51915dda411e42d6010be683f.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-462 = "Afghanistan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-492 = "India Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-432 = "Iran Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-182 = "Mountain Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\62b7f9719e9833c886468e1066c5cd78731942c51915dda411e42d6010be683f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-542 = "Myanmar Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1721 = "Libya Daylight Time" C:\Users\Admin\AppData\Local\Temp\62b7f9719e9833c886468e1066c5cd78731942c51915dda411e42d6010be683f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-752 = "Tonga Standard Time" C:\Users\Admin\AppData\Local\Temp\62b7f9719e9833c886468e1066c5cd78731942c51915dda411e42d6010be683f.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2142 = "Transbaikal Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time" C:\Users\Admin\AppData\Local\Temp\62b7f9719e9833c886468e1066c5cd78731942c51915dda411e42d6010be683f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1862 = "Russia TZ 6 Standard Time" C:\Users\Admin\AppData\Local\Temp\62b7f9719e9833c886468e1066c5cd78731942c51915dda411e42d6010be683f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2061 = "North Korea Daylight Time" C:\Users\Admin\AppData\Local\Temp\62b7f9719e9833c886468e1066c5cd78731942c51915dda411e42d6010be683f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2512 = "Lord Howe Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1022 = "Bangladesh Standard Time" C:\Users\Admin\AppData\Local\Temp\62b7f9719e9833c886468e1066c5cd78731942c51915dda411e42d6010be683f.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-772 = "Montevideo Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-142 = "Canada Central Standard Time" C:\Users\Admin\AppData\Local\Temp\62b7f9719e9833c886468e1066c5cd78731942c51915dda411e42d6010be683f.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-141 = "Canada Central Daylight Time" C:\Users\Admin\AppData\Local\Temp\62b7f9719e9833c886468e1066c5cd78731942c51915dda411e42d6010be683f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-532 = "Sri Lanka Standard Time" C:\Users\Admin\AppData\Local\Temp\62b7f9719e9833c886468e1066c5cd78731942c51915dda411e42d6010be683f.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2042 = "Eastern Standard Time (Mexico)" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1831 = "Russia TZ 2 Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2162 = "Altai Standard Time" C:\Users\Admin\AppData\Local\Temp\62b7f9719e9833c886468e1066c5cd78731942c51915dda411e42d6010be683f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-982 = "Kamchatka Standard Time" C:\Users\Admin\AppData\Local\Temp\62b7f9719e9833c886468e1066c5cd78731942c51915dda411e42d6010be683f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1722 = "Libya Standard Time" C:\Users\Admin\AppData\Local\Temp\62b7f9719e9833c886468e1066c5cd78731942c51915dda411e42d6010be683f.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2391 = "Aleutian Daylight Time" C:\Users\Admin\AppData\Local\Temp\62b7f9719e9833c886468e1066c5cd78731942c51915dda411e42d6010be683f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-872 = "Pakistan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-622 = "Korea Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-82 = "Atlantic Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2631 = "Norfolk Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2892 = "Sudan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-272 = "Greenwich Standard Time" C:\Users\Admin\AppData\Local\Temp\62b7f9719e9833c886468e1066c5cd78731942c51915dda411e42d6010be683f.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-371 = "Jerusalem Daylight Time" C:\Users\Admin\AppData\Local\Temp\62b7f9719e9833c886468e1066c5cd78731942c51915dda411e42d6010be683f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-661 = "Cen. Australia Daylight Time" C:\Users\Admin\AppData\Local\Temp\62b7f9719e9833c886468e1066c5cd78731942c51915dda411e42d6010be683f.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-832 = "SA Eastern Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2572 = "Turks and Caicos Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-841 = "Argentina Daylight Time" C:\Users\Admin\AppData\Local\Temp\62b7f9719e9833c886468e1066c5cd78731942c51915dda411e42d6010be683f.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\62b7f9719e9833c886468e1066c5cd78731942c51915dda411e42d6010be683f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\62b7f9719e9833c886468e1066c5cd78731942c51915dda411e42d6010be683f.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\62b7f9719e9833c886468e1066c5cd78731942c51915dda411e42d6010be683f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\62b7f9719e9833c886468e1066c5cd78731942c51915dda411e42d6010be683f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\62b7f9719e9833c886468e1066c5cd78731942c51915dda411e42d6010be683f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\62b7f9719e9833c886468e1066c5cd78731942c51915dda411e42d6010be683f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\62b7f9719e9833c886468e1066c5cd78731942c51915dda411e42d6010be683f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\62b7f9719e9833c886468e1066c5cd78731942c51915dda411e42d6010be683f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\62b7f9719e9833c886468e1066c5cd78731942c51915dda411e42d6010be683f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\62b7f9719e9833c886468e1066c5cd78731942c51915dda411e42d6010be683f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\62b7f9719e9833c886468e1066c5cd78731942c51915dda411e42d6010be683f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\62b7f9719e9833c886468e1066c5cd78731942c51915dda411e42d6010be683f.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\62b7f9719e9833c886468e1066c5cd78731942c51915dda411e42d6010be683f.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\62b7f9719e9833c886468e1066c5cd78731942c51915dda411e42d6010be683f.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1388 wrote to memory of 372 N/A C:\Users\Admin\AppData\Local\Temp\62b7f9719e9833c886468e1066c5cd78731942c51915dda411e42d6010be683f.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1388 wrote to memory of 372 N/A C:\Users\Admin\AppData\Local\Temp\62b7f9719e9833c886468e1066c5cd78731942c51915dda411e42d6010be683f.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1388 wrote to memory of 372 N/A C:\Users\Admin\AppData\Local\Temp\62b7f9719e9833c886468e1066c5cd78731942c51915dda411e42d6010be683f.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1664 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\62b7f9719e9833c886468e1066c5cd78731942c51915dda411e42d6010be683f.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1664 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\62b7f9719e9833c886468e1066c5cd78731942c51915dda411e42d6010be683f.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1664 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\62b7f9719e9833c886468e1066c5cd78731942c51915dda411e42d6010be683f.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1664 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Local\Temp\62b7f9719e9833c886468e1066c5cd78731942c51915dda411e42d6010be683f.exe C:\Windows\system32\cmd.exe
PID 1664 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Local\Temp\62b7f9719e9833c886468e1066c5cd78731942c51915dda411e42d6010be683f.exe C:\Windows\system32\cmd.exe
PID 1608 wrote to memory of 3224 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1608 wrote to memory of 3224 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1664 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Local\Temp\62b7f9719e9833c886468e1066c5cd78731942c51915dda411e42d6010be683f.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1664 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Local\Temp\62b7f9719e9833c886468e1066c5cd78731942c51915dda411e42d6010be683f.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1664 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Local\Temp\62b7f9719e9833c886468e1066c5cd78731942c51915dda411e42d6010be683f.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1664 wrote to memory of 4552 N/A C:\Users\Admin\AppData\Local\Temp\62b7f9719e9833c886468e1066c5cd78731942c51915dda411e42d6010be683f.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1664 wrote to memory of 4552 N/A C:\Users\Admin\AppData\Local\Temp\62b7f9719e9833c886468e1066c5cd78731942c51915dda411e42d6010be683f.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1664 wrote to memory of 4552 N/A C:\Users\Admin\AppData\Local\Temp\62b7f9719e9833c886468e1066c5cd78731942c51915dda411e42d6010be683f.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1664 wrote to memory of 4440 N/A C:\Users\Admin\AppData\Local\Temp\62b7f9719e9833c886468e1066c5cd78731942c51915dda411e42d6010be683f.exe C:\Windows\rss\csrss.exe
PID 1664 wrote to memory of 4440 N/A C:\Users\Admin\AppData\Local\Temp\62b7f9719e9833c886468e1066c5cd78731942c51915dda411e42d6010be683f.exe C:\Windows\rss\csrss.exe
PID 1664 wrote to memory of 4440 N/A C:\Users\Admin\AppData\Local\Temp\62b7f9719e9833c886468e1066c5cd78731942c51915dda411e42d6010be683f.exe C:\Windows\rss\csrss.exe
PID 4440 wrote to memory of 2056 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4440 wrote to memory of 2056 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4440 wrote to memory of 2056 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4440 wrote to memory of 2636 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4440 wrote to memory of 2636 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4440 wrote to memory of 2636 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4440 wrote to memory of 1056 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4440 wrote to memory of 1056 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4440 wrote to memory of 1056 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4440 wrote to memory of 1228 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 4440 wrote to memory of 1228 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 3880 wrote to memory of 1224 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 3880 wrote to memory of 1224 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 3880 wrote to memory of 1224 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 1224 wrote to memory of 1452 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 1224 wrote to memory of 1452 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 1224 wrote to memory of 1452 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\62b7f9719e9833c886468e1066c5cd78731942c51915dda411e42d6010be683f.exe

"C:\Users\Admin\AppData\Local\Temp\62b7f9719e9833c886468e1066c5cd78731942c51915dda411e42d6010be683f.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\62b7f9719e9833c886468e1066c5cd78731942c51915dda411e42d6010be683f.exe

"C:\Users\Admin\AppData\Local\Temp\62b7f9719e9833c886468e1066c5cd78731942c51915dda411e42d6010be683f.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
NL 23.62.61.90:443 www.bing.com tcp
US 8.8.8.8:53 90.61.62.23.in-addr.arpa udp
NL 23.62.61.90:443 www.bing.com tcp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 e22cfe3c-6013-4f6b-9d2a-d57ab1c67ec5.uuid.statscreate.org udp
US 8.8.8.8:53 stun.sipgate.net udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 server2.statscreate.org udp
US 15.197.250.192:3478 stun.sipgate.net udp
US 162.159.135.233:443 cdn.discordapp.com tcp
BG 185.82.216.96:443 server2.statscreate.org tcp
US 8.8.8.8:53 carsalessystem.com udp
US 172.67.221.71:443 carsalessystem.com tcp
US 8.8.8.8:53 192.250.197.15.in-addr.arpa udp
US 8.8.8.8:53 233.135.159.162.in-addr.arpa udp
US 8.8.8.8:53 96.216.82.185.in-addr.arpa udp
US 8.8.8.8:53 71.221.67.172.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 31.251.17.2.in-addr.arpa udp
BG 185.82.216.96:443 server2.statscreate.org tcp
BG 185.82.216.96:443 server2.statscreate.org tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
BG 185.82.216.96:443 server2.statscreate.org tcp
N/A 127.0.0.1:31465 tcp

Files

memory/1388-1-0x0000000002920000-0x0000000002D23000-memory.dmp

memory/1388-2-0x0000000002D30000-0x000000000361B000-memory.dmp

memory/1388-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/372-4-0x00000000746BE000-0x00000000746BF000-memory.dmp

memory/372-5-0x00000000023D0000-0x0000000002406000-memory.dmp

memory/372-7-0x00000000746B0000-0x0000000074E60000-memory.dmp

memory/372-6-0x0000000005110000-0x0000000005738000-memory.dmp

memory/372-8-0x00000000746B0000-0x0000000074E60000-memory.dmp

memory/372-9-0x0000000004E50000-0x0000000004E72000-memory.dmp

memory/372-11-0x0000000005090000-0x00000000050F6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dkpqgh30.j5h.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/372-10-0x0000000004F70000-0x0000000004FD6000-memory.dmp

memory/372-17-0x0000000005740000-0x0000000005A94000-memory.dmp

memory/372-22-0x0000000005D20000-0x0000000005D3E000-memory.dmp

memory/372-23-0x0000000005D50000-0x0000000005D9C000-memory.dmp

memory/372-24-0x0000000006280000-0x00000000062C4000-memory.dmp

memory/372-25-0x0000000006E40000-0x0000000006EB6000-memory.dmp

memory/372-27-0x00000000070E0000-0x00000000070FA000-memory.dmp

memory/372-26-0x0000000007740000-0x0000000007DBA000-memory.dmp

memory/372-28-0x0000000007290000-0x00000000072C2000-memory.dmp

memory/372-29-0x0000000070550000-0x000000007059C000-memory.dmp

memory/372-41-0x00000000072D0000-0x00000000072EE000-memory.dmp

memory/372-42-0x00000000072F0000-0x0000000007393000-memory.dmp

memory/372-43-0x00000000073E0000-0x00000000073EA000-memory.dmp

memory/372-44-0x00000000746B0000-0x0000000074E60000-memory.dmp

memory/372-31-0x00000000746B0000-0x0000000074E60000-memory.dmp

memory/372-30-0x0000000070CD0000-0x0000000071024000-memory.dmp

memory/372-45-0x00000000074F0000-0x0000000007586000-memory.dmp

memory/372-46-0x00000000073F0000-0x0000000007401000-memory.dmp

memory/372-48-0x0000000007450000-0x0000000007464000-memory.dmp

memory/372-49-0x0000000007490000-0x00000000074AA000-memory.dmp

memory/372-50-0x0000000007480000-0x0000000007488000-memory.dmp

memory/372-47-0x0000000007430000-0x000000000743E000-memory.dmp

memory/372-53-0x00000000746B0000-0x0000000074E60000-memory.dmp

memory/1388-55-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1388-56-0x0000000002D30000-0x000000000361B000-memory.dmp

memory/1664-58-0x0000000002920000-0x0000000002D1B000-memory.dmp

memory/2332-68-0x00000000057A0000-0x0000000005AF4000-memory.dmp

memory/2332-69-0x0000000005EC0000-0x0000000005F0C000-memory.dmp

memory/2332-70-0x0000000070650000-0x000000007069C000-memory.dmp

memory/2332-81-0x0000000006F30000-0x0000000006FD3000-memory.dmp

memory/2332-71-0x00000000707F0000-0x0000000070B44000-memory.dmp

memory/2332-82-0x0000000007250000-0x0000000007261000-memory.dmp

memory/2332-83-0x00000000072A0000-0x00000000072B4000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

memory/1620-87-0x00000000053E0000-0x0000000005734000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 e1f854f8713f8f1e98024641dd5a5563
SHA1 0346c1192dd38b2dd762e3f3944db59480d13f40
SHA256 d5a98b08e08934be211c91057593d557eb619096b7f7f2bb94d14abe9319a85d
SHA512 b651f415f38def2de131ca70b53896379bf744f789d6c10f8b3429f2ac28b2c11b91bb675282d9bc8dcc0ce31b2f99e794843649f1eeff5ad1be61c1a0d02dfe

memory/1620-99-0x0000000070E10000-0x0000000071164000-memory.dmp

memory/1620-98-0x0000000070650000-0x000000007069C000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 315f80424379fa9fa972884c9dc3240f
SHA1 6ea0923c032bcb1cbd6bc6ffeaf510eb63123012
SHA256 e70b65aa4be20b0e2f4fa4cf8747cec7d049911c35d6fcfb61a9cebe484c60ea
SHA512 7f609802cbff12b926ac7f251faa47f13111f766baa22fff57c52106c5ba469d281e10ddc058ade8cd1caa3f0d85f127a5aae62d594e0205237a3020013bce79

memory/4552-120-0x0000000070650000-0x000000007069C000-memory.dmp

memory/4552-121-0x0000000070E10000-0x0000000071164000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 8f66157297e86c7ac5093624d6725f2e
SHA1 0e4557927ab4e552abdcd09cd00f416cd11e4344
SHA256 62b7f9719e9833c886468e1066c5cd78731942c51915dda411e42d6010be683f
SHA512 d0cd8969efc646051eb7fa5b3728ea5c7d4a3747f753ca909877a780171b6d738cbea1e51f434af79cdb02e5de7d728876764bb72418d9966849882bbf15e9e7

memory/2056-142-0x0000000005A70000-0x0000000005DC4000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 02ee9c6d4676f3f65e652af93dc08b22
SHA1 43eca459e52418ed4defdcffe5d4bd83e7fe0e8f
SHA256 1435629fc7b2c9852add1cd0a3dc7ca0025c6ef65d399c1400d2493f82920af9
SHA512 2c3e5284dd8b9c1b1c7b77955664aae5881727f1f35df39bc12f4022b880a53247be84ec5641abc6d8cd54a77b4cf48d70de41587332def996b38298af224fcc

memory/2056-148-0x0000000006120000-0x000000000616C000-memory.dmp

memory/2056-149-0x00000000705B0000-0x00000000705FC000-memory.dmp

memory/2056-160-0x0000000007360000-0x0000000007403000-memory.dmp

memory/2056-150-0x0000000070D50000-0x00000000710A4000-memory.dmp

memory/2056-161-0x0000000007500000-0x0000000007511000-memory.dmp

memory/2056-162-0x0000000005EF0000-0x0000000005F04000-memory.dmp

memory/2636-164-0x0000000005B30000-0x0000000005E84000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 c4637928cb5db1c2f5b4553c746a5638
SHA1 0e640198671778998402d0a3b54617dac5057b3a
SHA256 02cf1b5fa67f5154d14f361f66912222a4a8882debbf77ec8d238fb90c02364e
SHA512 c2dabf7907310e8e737355f31086f4ab1c99ece5b631f79693bfa85da4230686cf955d1e5a8836b93d6e18d25fdfb2ec050f0f221a1b3fe4aded0df8882ca1b9

memory/2636-175-0x0000000006200000-0x000000000624C000-memory.dmp

memory/2636-177-0x0000000070C90000-0x0000000070FE4000-memory.dmp

memory/2636-187-0x00000000073F0000-0x0000000007493000-memory.dmp

memory/2636-176-0x00000000704D0000-0x000000007051C000-memory.dmp

memory/2636-188-0x0000000007720000-0x0000000007731000-memory.dmp

memory/2636-189-0x0000000005FC0000-0x0000000005FD4000-memory.dmp

memory/1056-200-0x0000000005560000-0x00000000058B4000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 873c04b0b66aeb54c38be56d905863bc
SHA1 014aa9dfcab656863fa5e80402b5209b68f002ee
SHA256 ef22b9eabe16d1f9d82cbc876ce4f7d7e1e8ce1f0ca06a0d3a09a5d84642c3a3
SHA512 030048b0beab608a25030cea95d9c0ab3908b1f6eab03f0142c7c784a8038a8021225b8b1ed684a7e6b53246d798e4438e2310ecd4936cb77b988f862d28e14e

memory/1056-203-0x0000000070680000-0x00000000709D4000-memory.dmp

memory/1056-202-0x00000000704D0000-0x000000007051C000-memory.dmp

memory/1664-213-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/4440-220-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1664-226-0x0000000002920000-0x0000000002D1B000-memory.dmp

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/3464-230-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3880-229-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3880-227-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4440-231-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3464-233-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4440-234-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4440-237-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3464-239-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4440-240-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4440-243-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4440-246-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4440-249-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4440-252-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4440-255-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4440-258-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4440-261-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4440-264-0x0000000000400000-0x0000000000D1C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-16 12:39

Reported

2024-05-16 12:42

Platform

win11-20240419-en

Max time kernel

150s

Max time network

137s

Command Line

"C:\Users\Admin\AppData\Local\Temp\62b7f9719e9833c886468e1066c5cd78731942c51915dda411e42d6010be683f.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\62b7f9719e9833c886468e1066c5cd78731942c51915dda411e42d6010be683f.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\62b7f9719e9833c886468e1066c5cd78731942c51915dda411e42d6010be683f.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\62b7f9719e9833c886468e1066c5cd78731942c51915dda411e42d6010be683f.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\62b7f9719e9833c886468e1066c5cd78731942c51915dda411e42d6010be683f.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2612 = "Bougainville Standard Time" C:\Windows\windefender.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-601 = "Taipei Daylight Time" C:\Users\Admin\AppData\Local\Temp\62b7f9719e9833c886468e1066c5cd78731942c51915dda411e42d6010be683f.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2451 = "Saint Pierre Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-3141 = "South Sudan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-721 = "Central Pacific Daylight Time" C:\Users\Admin\AppData\Local\Temp\62b7f9719e9833c886468e1066c5cd78731942c51915dda411e42d6010be683f.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-105 = "Central Brazilian Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-301 = "Romance Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-752 = "Tonga Standard Time" C:\Users\Admin\AppData\Local\Temp\62b7f9719e9833c886468e1066c5cd78731942c51915dda411e42d6010be683f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-831 = "SA Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\62b7f9719e9833c886468e1066c5cd78731942c51915dda411e42d6010be683f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-201 = "US Mountain Daylight Time" C:\Users\Admin\AppData\Local\Temp\62b7f9719e9833c886468e1066c5cd78731942c51915dda411e42d6010be683f.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-449 = "Azerbaijan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-511 = "Central Asia Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2062 = "North Korea Standard Time" C:\Users\Admin\AppData\Local\Temp\62b7f9719e9833c886468e1066c5cd78731942c51915dda411e42d6010be683f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2752 = "Tomsk Standard Time" C:\Users\Admin\AppData\Local\Temp\62b7f9719e9833c886468e1066c5cd78731942c51915dda411e42d6010be683f.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-171 = "Central Daylight Time (Mexico)" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-372 = "Jerusalem Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-192 = "Mountain Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1862 = "Russia TZ 6 Standard Time" C:\Users\Admin\AppData\Local\Temp\62b7f9719e9833c886468e1066c5cd78731942c51915dda411e42d6010be683f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-435 = "Georgian Standard Time" C:\Users\Admin\AppData\Local\Temp\62b7f9719e9833c886468e1066c5cd78731942c51915dda411e42d6010be683f.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-51 = "Greenland Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-334 = "Jordan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-281 = "Central Europe Daylight Time" C:\Users\Admin\AppData\Local\Temp\62b7f9719e9833c886468e1066c5cd78731942c51915dda411e42d6010be683f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-232 = "Hawaiian Standard Time" C:\Users\Admin\AppData\Local\Temp\62b7f9719e9833c886468e1066c5cd78731942c51915dda411e42d6010be683f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2771 = "Omsk Daylight Time" C:\Users\Admin\AppData\Local\Temp\62b7f9719e9833c886468e1066c5cd78731942c51915dda411e42d6010be683f.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1831 = "Russia TZ 2 Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2161 = "Altai Daylight Time" C:\Users\Admin\AppData\Local\Temp\62b7f9719e9833c886468e1066c5cd78731942c51915dda411e42d6010be683f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-82 = "Atlantic Standard Time" C:\Users\Admin\AppData\Local\Temp\62b7f9719e9833c886468e1066c5cd78731942c51915dda411e42d6010be683f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-341 = "Egypt Daylight Time" C:\Users\Admin\AppData\Local\Temp\62b7f9719e9833c886468e1066c5cd78731942c51915dda411e42d6010be683f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-791 = "SA Western Daylight Time" C:\Users\Admin\AppData\Local\Temp\62b7f9719e9833c886468e1066c5cd78731942c51915dda411e42d6010be683f.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-502 = "Nepal Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-222 = "Alaskan Standard Time" C:\Users\Admin\AppData\Local\Temp\62b7f9719e9833c886468e1066c5cd78731942c51915dda411e42d6010be683f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-542 = "Myanmar Standard Time" C:\Users\Admin\AppData\Local\Temp\62b7f9719e9833c886468e1066c5cd78731942c51915dda411e42d6010be683f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-3141 = "South Sudan Daylight Time" C:\Users\Admin\AppData\Local\Temp\62b7f9719e9833c886468e1066c5cd78731942c51915dda411e42d6010be683f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2141 = "Transbaikal Daylight Time" C:\Users\Admin\AppData\Local\Temp\62b7f9719e9833c886468e1066c5cd78731942c51915dda411e42d6010be683f.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2161 = "Altai Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2432 = "Cuba Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-491 = "India Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-572 = "China Standard Time" C:\Users\Admin\AppData\Local\Temp\62b7f9719e9833c886468e1066c5cd78731942c51915dda411e42d6010be683f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-71 = "Newfoundland Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1821 = "Russia TZ 1 Daylight Time" C:\Users\Admin\AppData\Local\Temp\62b7f9719e9833c886468e1066c5cd78731942c51915dda411e42d6010be683f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-92 = "Pacific SA Standard Time" C:\Users\Admin\AppData\Local\Temp\62b7f9719e9833c886468e1066c5cd78731942c51915dda411e42d6010be683f.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-402 = "Arabic Standard Time" C:\Users\Admin\AppData\Local\Temp\62b7f9719e9833c886468e1066c5cd78731942c51915dda411e42d6010be683f.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-452 = "Caucasus Standard Time" C:\Windows\windefender.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\62b7f9719e9833c886468e1066c5cd78731942c51915dda411e42d6010be683f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\62b7f9719e9833c886468e1066c5cd78731942c51915dda411e42d6010be683f.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\62b7f9719e9833c886468e1066c5cd78731942c51915dda411e42d6010be683f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\62b7f9719e9833c886468e1066c5cd78731942c51915dda411e42d6010be683f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\62b7f9719e9833c886468e1066c5cd78731942c51915dda411e42d6010be683f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\62b7f9719e9833c886468e1066c5cd78731942c51915dda411e42d6010be683f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\62b7f9719e9833c886468e1066c5cd78731942c51915dda411e42d6010be683f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\62b7f9719e9833c886468e1066c5cd78731942c51915dda411e42d6010be683f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\62b7f9719e9833c886468e1066c5cd78731942c51915dda411e42d6010be683f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\62b7f9719e9833c886468e1066c5cd78731942c51915dda411e42d6010be683f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\62b7f9719e9833c886468e1066c5cd78731942c51915dda411e42d6010be683f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\62b7f9719e9833c886468e1066c5cd78731942c51915dda411e42d6010be683f.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\62b7f9719e9833c886468e1066c5cd78731942c51915dda411e42d6010be683f.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\62b7f9719e9833c886468e1066c5cd78731942c51915dda411e42d6010be683f.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 656 wrote to memory of 5104 N/A C:\Users\Admin\AppData\Local\Temp\62b7f9719e9833c886468e1066c5cd78731942c51915dda411e42d6010be683f.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 656 wrote to memory of 5104 N/A C:\Users\Admin\AppData\Local\Temp\62b7f9719e9833c886468e1066c5cd78731942c51915dda411e42d6010be683f.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 656 wrote to memory of 5104 N/A C:\Users\Admin\AppData\Local\Temp\62b7f9719e9833c886468e1066c5cd78731942c51915dda411e42d6010be683f.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3684 wrote to memory of 4444 N/A C:\Users\Admin\AppData\Local\Temp\62b7f9719e9833c886468e1066c5cd78731942c51915dda411e42d6010be683f.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3684 wrote to memory of 4444 N/A C:\Users\Admin\AppData\Local\Temp\62b7f9719e9833c886468e1066c5cd78731942c51915dda411e42d6010be683f.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3684 wrote to memory of 4444 N/A C:\Users\Admin\AppData\Local\Temp\62b7f9719e9833c886468e1066c5cd78731942c51915dda411e42d6010be683f.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3684 wrote to memory of 4156 N/A C:\Users\Admin\AppData\Local\Temp\62b7f9719e9833c886468e1066c5cd78731942c51915dda411e42d6010be683f.exe C:\Windows\system32\cmd.exe
PID 3684 wrote to memory of 4156 N/A C:\Users\Admin\AppData\Local\Temp\62b7f9719e9833c886468e1066c5cd78731942c51915dda411e42d6010be683f.exe C:\Windows\system32\cmd.exe
PID 4156 wrote to memory of 5024 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4156 wrote to memory of 5024 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3684 wrote to memory of 4516 N/A C:\Users\Admin\AppData\Local\Temp\62b7f9719e9833c886468e1066c5cd78731942c51915dda411e42d6010be683f.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3684 wrote to memory of 4516 N/A C:\Users\Admin\AppData\Local\Temp\62b7f9719e9833c886468e1066c5cd78731942c51915dda411e42d6010be683f.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3684 wrote to memory of 4516 N/A C:\Users\Admin\AppData\Local\Temp\62b7f9719e9833c886468e1066c5cd78731942c51915dda411e42d6010be683f.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3684 wrote to memory of 3276 N/A C:\Users\Admin\AppData\Local\Temp\62b7f9719e9833c886468e1066c5cd78731942c51915dda411e42d6010be683f.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3684 wrote to memory of 3276 N/A C:\Users\Admin\AppData\Local\Temp\62b7f9719e9833c886468e1066c5cd78731942c51915dda411e42d6010be683f.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3684 wrote to memory of 3276 N/A C:\Users\Admin\AppData\Local\Temp\62b7f9719e9833c886468e1066c5cd78731942c51915dda411e42d6010be683f.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3684 wrote to memory of 4940 N/A C:\Users\Admin\AppData\Local\Temp\62b7f9719e9833c886468e1066c5cd78731942c51915dda411e42d6010be683f.exe C:\Windows\rss\csrss.exe
PID 3684 wrote to memory of 4940 N/A C:\Users\Admin\AppData\Local\Temp\62b7f9719e9833c886468e1066c5cd78731942c51915dda411e42d6010be683f.exe C:\Windows\rss\csrss.exe
PID 3684 wrote to memory of 4940 N/A C:\Users\Admin\AppData\Local\Temp\62b7f9719e9833c886468e1066c5cd78731942c51915dda411e42d6010be683f.exe C:\Windows\rss\csrss.exe
PID 4940 wrote to memory of 860 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4940 wrote to memory of 860 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4940 wrote to memory of 860 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4940 wrote to memory of 400 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4940 wrote to memory of 400 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4940 wrote to memory of 400 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4940 wrote to memory of 4204 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4940 wrote to memory of 4204 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4940 wrote to memory of 4204 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4940 wrote to memory of 3596 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 4940 wrote to memory of 3596 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 4496 wrote to memory of 3552 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 4496 wrote to memory of 3552 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 4496 wrote to memory of 3552 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 3552 wrote to memory of 5108 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 3552 wrote to memory of 5108 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 3552 wrote to memory of 5108 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\62b7f9719e9833c886468e1066c5cd78731942c51915dda411e42d6010be683f.exe

"C:\Users\Admin\AppData\Local\Temp\62b7f9719e9833c886468e1066c5cd78731942c51915dda411e42d6010be683f.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\62b7f9719e9833c886468e1066c5cd78731942c51915dda411e42d6010be683f.exe

"C:\Users\Admin\AppData\Local\Temp\62b7f9719e9833c886468e1066c5cd78731942c51915dda411e42d6010be683f.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 7ba3157b-77bb-4d31-ad39-7922c1a973a1.uuid.statscreate.org udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 server16.statscreate.org udp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 74.125.250.129:19302 stun2.l.google.com udp
BG 185.82.216.96:443 server16.statscreate.org tcp
US 104.21.94.82:443 carsalessystem.com tcp
US 8.8.8.8:53 82.94.21.104.in-addr.arpa udp
BG 185.82.216.96:443 server16.statscreate.org tcp
BG 185.82.216.96:443 server16.statscreate.org tcp

Files

memory/656-1-0x0000000002A40000-0x0000000002E43000-memory.dmp

memory/656-2-0x0000000002E50000-0x000000000373B000-memory.dmp

memory/656-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/5104-4-0x00000000746DE000-0x00000000746DF000-memory.dmp

memory/5104-5-0x0000000002FF0000-0x0000000003026000-memory.dmp

memory/5104-6-0x0000000005890000-0x0000000005EBA000-memory.dmp

memory/5104-7-0x00000000746D0000-0x0000000074E81000-memory.dmp

memory/5104-8-0x0000000005600000-0x0000000005622000-memory.dmp

memory/5104-9-0x0000000005F30000-0x0000000005F96000-memory.dmp

memory/5104-11-0x00000000746D0000-0x0000000074E81000-memory.dmp

memory/5104-10-0x0000000005FA0000-0x0000000006006000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_a325xocg.qdm.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/5104-20-0x0000000006010000-0x0000000006367000-memory.dmp

memory/5104-21-0x00000000064B0000-0x00000000064CE000-memory.dmp

memory/5104-22-0x0000000006500000-0x000000000654C000-memory.dmp

memory/5104-23-0x0000000006A40000-0x0000000006A86000-memory.dmp

memory/5104-25-0x0000000070940000-0x000000007098C000-memory.dmp

memory/5104-24-0x00000000078F0000-0x0000000007924000-memory.dmp

memory/5104-37-0x00000000746D0000-0x0000000074E81000-memory.dmp

memory/5104-36-0x0000000007950000-0x00000000079F4000-memory.dmp

memory/5104-35-0x0000000007930000-0x000000000794E000-memory.dmp

memory/5104-26-0x0000000070B50000-0x0000000070EA7000-memory.dmp

memory/5104-39-0x00000000080C0000-0x000000000873A000-memory.dmp

memory/5104-40-0x0000000007A80000-0x0000000007A9A000-memory.dmp

memory/5104-38-0x00000000746D0000-0x0000000074E81000-memory.dmp

memory/5104-41-0x0000000007AC0000-0x0000000007ACA000-memory.dmp

memory/5104-42-0x0000000007BD0000-0x0000000007C66000-memory.dmp

memory/5104-43-0x0000000007AE0000-0x0000000007AF1000-memory.dmp

memory/5104-44-0x0000000007B30000-0x0000000007B3E000-memory.dmp

memory/5104-45-0x0000000007B40000-0x0000000007B55000-memory.dmp

memory/5104-46-0x0000000007B90000-0x0000000007BAA000-memory.dmp

memory/5104-47-0x0000000007BB0000-0x0000000007BB8000-memory.dmp

memory/5104-50-0x00000000746D0000-0x0000000074E81000-memory.dmp

memory/3684-52-0x0000000002A40000-0x0000000002E3A000-memory.dmp

memory/4444-61-0x0000000005920000-0x0000000005C77000-memory.dmp

memory/4444-62-0x0000000070940000-0x000000007098C000-memory.dmp

memory/4444-63-0x0000000070AC0000-0x0000000070E17000-memory.dmp

memory/4444-72-0x0000000006F00000-0x0000000006FA4000-memory.dmp

memory/656-74-0x0000000002A40000-0x0000000002E43000-memory.dmp

memory/656-75-0x0000000002E50000-0x000000000373B000-memory.dmp

memory/656-73-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4444-76-0x0000000007220000-0x0000000007231000-memory.dmp

memory/4444-77-0x0000000007270000-0x0000000007285000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 d0c46cad6c0778401e21910bd6b56b70
SHA1 7be418951ea96326aca445b8dfe449b2bfa0dca6
SHA256 9600b3fdf0565ccb49e21656aa4b24d7c18f776bfd04d9ee984b134707550f02
SHA512 057531b468f7fbbb2175a696a8aab274dec0d17d9f71df309edcff35e064f3378050066a3df47ccd03048fac461594ec75e3d4fe64f9dd79949d129f51e02949

memory/4516-82-0x0000000006390000-0x00000000066E7000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 5127d19ad8e809ab8c52cf7e2012635b
SHA1 9914e7583b8fa19601df5725e189d69048316c5e
SHA256 b95bbd86126ac5f04083d7e046d25d7739ff08cdc6c0ef4ae368f0b932c0c593
SHA512 1387a7f5e850f4d04f873fef6d2a9822b3ecf70ff4f5d366ced285ae8ce15110ff434fe8275649b5350ba0cf84c4b662c21917de0e99cf0774d01f137426a9e7

memory/4516-91-0x0000000070940000-0x000000007098C000-memory.dmp

memory/4516-92-0x0000000070B90000-0x0000000070EE7000-memory.dmp

memory/3276-110-0x0000000006400000-0x0000000006757000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 178dbbe3d636982b4b9f4ba8b557ac0b
SHA1 eb6540697c71f1b99e03decf5e45b48069dab865
SHA256 a352a67ae9aa4c9d7160e84f3e394556f37cde5a936b425b146e88dfe44214a2
SHA512 26c9805347fe20fdc487daadfb03df5b2e2611b23056970c6b2e194914e5ccc40f5f83e60567d5828a692ad4ddc3e1de9688e7ac2d135584182c98b849e619f3

memory/3276-112-0x0000000070940000-0x000000007098C000-memory.dmp

memory/3276-113-0x0000000070B10000-0x0000000070E67000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 8f66157297e86c7ac5093624d6725f2e
SHA1 0e4557927ab4e552abdcd09cd00f416cd11e4344
SHA256 62b7f9719e9833c886468e1066c5cd78731942c51915dda411e42d6010be683f
SHA512 d0cd8969efc646051eb7fa5b3728ea5c7d4a3747f753ca909877a780171b6d738cbea1e51f434af79cdb02e5de7d728876764bb72418d9966849882bbf15e9e7

memory/3684-136-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 4d3ba26c448d71c2e3e87b306feb2fe8
SHA1 0e65abf61ea55b8bef512e9d9de9f0f5cd7e774f
SHA256 b69e1eb8a16b1ca4f17adee4c5978c8233f0271ec2d3dd2b9f2b011837a3cb88
SHA512 f3795e0be765789b679f8b64f2cce7c19a46b1f74a001085e3cc8a661fc5119e0dabcf6e5d87f1910d9a4700f62976216f04e175fa32c9b2fd8f1c3d2f21dac6

memory/860-138-0x0000000070940000-0x000000007098C000-memory.dmp

memory/860-139-0x0000000070AC0000-0x0000000070E17000-memory.dmp

memory/400-158-0x0000000005D90000-0x00000000060E7000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 807dbb56606a7221967d776df53af2fd
SHA1 193b296fafa9b35ccbd52386a949b1e7db40551a
SHA256 76b436f6d7503b5e9d42ac8eaf556b72cc40e16f8cd4f2ccc3ed6dc5705195af
SHA512 fb089b6bf0beaa2f4c68865e1e7ec6b51693a1bd0974e6ff23034864a0bf9903f3d029cc36d24cdb6cb7e1a4e5ffe730318402d9ac6f6cbc4510a9c0cfa84589

memory/400-160-0x00000000062F0000-0x000000000633C000-memory.dmp

memory/400-162-0x00000000709E0000-0x0000000070D37000-memory.dmp

memory/400-161-0x0000000070860000-0x00000000708AC000-memory.dmp

memory/400-171-0x0000000007510000-0x00000000075B4000-memory.dmp

memory/400-172-0x0000000007850000-0x0000000007861000-memory.dmp

memory/400-173-0x0000000006110000-0x0000000006125000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 5ec9efd4f16e8a3a6734e70a506ac57b
SHA1 4ba2b5844397d185920a58e83dd4100606439d5b
SHA256 1168eaadb686d497387f5eed3eec1309b317af66062b117b4b00133f9fe746ee
SHA512 5732cda765ffa038e9084dc5eb7ae20c5f66ebe6c6bdf1aa17fd17963043c327e09b9b96e0c7941628e513da9c4cf9b8a81bb325566e26b5487798915cdfc351

memory/4204-184-0x0000000070860000-0x00000000708AC000-memory.dmp

memory/4204-185-0x00000000709E0000-0x0000000070D37000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/4940-202-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3684-203-0x0000000002A40000-0x0000000002E3A000-memory.dmp

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/4496-208-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3440-211-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4496-213-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4940-215-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3440-217-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4940-219-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4940-222-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4940-225-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3440-226-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4940-229-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4940-233-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4940-238-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4940-241-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4940-245-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4940-249-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4940-254-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4940-257-0x0000000000400000-0x0000000000D1C000-memory.dmp