Malware Analysis Report

2024-12-08 02:16

Sample ID 240516-pwkepsde68
Target 406c0dc1244ed53523af78cacbf311951c3dc31ca5f64d6beb7edb99e379e55b
SHA256 406c0dc1244ed53523af78cacbf311951c3dc31ca5f64d6beb7edb99e379e55b
Tags
glupteba discovery dropper evasion execution loader persistence rootkit upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

406c0dc1244ed53523af78cacbf311951c3dc31ca5f64d6beb7edb99e379e55b

Threat Level: Known bad

The file 406c0dc1244ed53523af78cacbf311951c3dc31ca5f64d6beb7edb99e379e55b was found to be: Known bad.

Malicious Activity Summary

glupteba discovery dropper evasion execution loader persistence rootkit upx

Glupteba payload

Glupteba

Modifies Windows Firewall

Executes dropped EXE

UPX packed file

Manipulates WinMonFS driver

Adds Run key to start application

Checks installed software on the system

Drops file in System32 directory

Checks for VirtualBox DLLs, possible anti-VM trick

Drops file in Windows directory

Launches sc.exe

Command and Scripting Interpreter: PowerShell

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Modifies data under HKEY_USERS

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-16 12:40

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-16 12:40

Reported

2024-05-16 12:43

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

132s

Command Line

"C:\Users\Admin\AppData\Local\Temp\406c0dc1244ed53523af78cacbf311951c3dc31ca5f64d6beb7edb99e379e55b.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
19 hits recorded; the sandbox captured no description, indicator, process or target for any of them

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\406c0dc1244ed53523af78cacbf311951c3dc31ca5f64d6beb7edb99e379e55b.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Note: C:\Windows\SysWOW64\config\systemprofile\AppData is the LocalSystem account's profile directory, and the files below are PowerShell's ordinary startup-profile cache and CLR usage log, so the PowerShell instance that wrote them was running as SYSTEM.
Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\406c0dc1244ed53523af78cacbf311951c3dc31ca5f64d6beb7edb99e379e55b.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\406c0dc1244ed53523af78cacbf311951c3dc31ca5f64d6beb7edb99e379e55b.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\406c0dc1244ed53523af78cacbf311951c3dc31ca5f64d6beb7edb99e379e55b.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Note: HKEY_USERS\.DEFAULT is the hive that LocalSystem sees as HKEY_CURRENT_USER, so the entries below indicate that the dropper, windefender.exe and the PowerShell instances were running in the SYSTEM context. The SystemCertificates and WinTrust keys are created by PowerShell's certificate-store and Authenticode initialisation; the MuiCache values are time-zone display names resolved from tzres.dll and carry no configuration of their own.
Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-621 = "Korea Daylight Time" C:\Users\Admin\AppData\Local\Temp\406c0dc1244ed53523af78cacbf311951c3dc31ca5f64d6beb7edb99e379e55b.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-211 = "Pacific Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-449 = "Azerbaijan Standard Time" C:\Users\Admin\AppData\Local\Temp\406c0dc1244ed53523af78cacbf311951c3dc31ca5f64d6beb7edb99e379e55b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-141 = "Canada Central Daylight Time" C:\Users\Admin\AppData\Local\Temp\406c0dc1244ed53523af78cacbf311951c3dc31ca5f64d6beb7edb99e379e55b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1911 = "Russia TZ 10 Daylight Time" C:\Users\Admin\AppData\Local\Temp\406c0dc1244ed53523af78cacbf311951c3dc31ca5f64d6beb7edb99e379e55b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-121 = "SA Pacific Daylight Time" C:\Users\Admin\AppData\Local\Temp\406c0dc1244ed53523af78cacbf311951c3dc31ca5f64d6beb7edb99e379e55b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time" C:\Users\Admin\AppData\Local\Temp\406c0dc1244ed53523af78cacbf311951c3dc31ca5f64d6beb7edb99e379e55b.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-672 = "AUS Eastern Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-532 = "Sri Lanka Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-831 = "SA Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\406c0dc1244ed53523af78cacbf311951c3dc31ca5f64d6beb7edb99e379e55b.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2042 = "Eastern Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\406c0dc1244ed53523af78cacbf311951c3dc31ca5f64d6beb7edb99e379e55b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2792 = "Novosibirsk Standard Time" C:\Users\Admin\AppData\Local\Temp\406c0dc1244ed53523af78cacbf311951c3dc31ca5f64d6beb7edb99e379e55b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2631 = "Norfolk Daylight Time" C:\Users\Admin\AppData\Local\Temp\406c0dc1244ed53523af78cacbf311951c3dc31ca5f64d6beb7edb99e379e55b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-592 = "Malay Peninsula Standard Time" C:\Users\Admin\AppData\Local\Temp\406c0dc1244ed53523af78cacbf311951c3dc31ca5f64d6beb7edb99e379e55b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-692 = "Tasmania Standard Time" C:\Users\Admin\AppData\Local\Temp\406c0dc1244ed53523af78cacbf311951c3dc31ca5f64d6beb7edb99e379e55b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1502 = "Turkey Standard Time" C:\Users\Admin\AppData\Local\Temp\406c0dc1244ed53523af78cacbf311951c3dc31ca5f64d6beb7edb99e379e55b.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1931 = "Russia TZ 11 Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1912 = "Russia TZ 10 Standard Time" C:\Users\Admin\AppData\Local\Temp\406c0dc1244ed53523af78cacbf311951c3dc31ca5f64d6beb7edb99e379e55b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-662 = "Cen. Australia Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-42 = "E. South America Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-731 = "Fiji Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-621 = "Korea Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1932 = "Russia TZ 11 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1842 = "Russia TZ 4 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2512 = "Lord Howe Standard Time" C:\Users\Admin\AppData\Local\Temp\406c0dc1244ed53523af78cacbf311951c3dc31ca5f64d6beb7edb99e379e55b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-182 = "Mountain Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\406c0dc1244ed53523af78cacbf311951c3dc31ca5f64d6beb7edb99e379e55b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2941 = "Sao Tome Daylight Time" C:\Users\Admin\AppData\Local\Temp\406c0dc1244ed53523af78cacbf311951c3dc31ca5f64d6beb7edb99e379e55b.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2371 = "Easter Island Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-842 = "Argentina Standard Time" C:\Users\Admin\AppData\Local\Temp\406c0dc1244ed53523af78cacbf311951c3dc31ca5f64d6beb7edb99e379e55b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-241 = "Samoa Daylight Time" C:\Users\Admin\AppData\Local\Temp\406c0dc1244ed53523af78cacbf311951c3dc31ca5f64d6beb7edb99e379e55b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-381 = "South Africa Daylight Time" C:\Users\Admin\AppData\Local\Temp\406c0dc1244ed53523af78cacbf311951c3dc31ca5f64d6beb7edb99e379e55b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2892 = "Sudan Standard Time" C:\Users\Admin\AppData\Local\Temp\406c0dc1244ed53523af78cacbf311951c3dc31ca5f64d6beb7edb99e379e55b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-11 = "Azores Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-212 = "Pacific Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2632 = "Norfolk Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-592 = "Malay Peninsula Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-661 = "Cen. Australia Daylight Time" C:\Users\Admin\AppData\Local\Temp\406c0dc1244ed53523af78cacbf311951c3dc31ca5f64d6beb7edb99e379e55b.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-434 = "Georgian Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-281 = "Central Europe Daylight Time" C:\Users\Admin\AppData\Local\Temp\406c0dc1244ed53523af78cacbf311951c3dc31ca5f64d6beb7edb99e379e55b.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\406c0dc1244ed53523af78cacbf311951c3dc31ca5f64d6beb7edb99e379e55b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\406c0dc1244ed53523af78cacbf311951c3dc31ca5f64d6beb7edb99e379e55b.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\406c0dc1244ed53523af78cacbf311951c3dc31ca5f64d6beb7edb99e379e55b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\406c0dc1244ed53523af78cacbf311951c3dc31ca5f64d6beb7edb99e379e55b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\406c0dc1244ed53523af78cacbf311951c3dc31ca5f64d6beb7edb99e379e55b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\406c0dc1244ed53523af78cacbf311951c3dc31ca5f64d6beb7edb99e379e55b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\406c0dc1244ed53523af78cacbf311951c3dc31ca5f64d6beb7edb99e379e55b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\406c0dc1244ed53523af78cacbf311951c3dc31ca5f64d6beb7edb99e379e55b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\406c0dc1244ed53523af78cacbf311951c3dc31ca5f64d6beb7edb99e379e55b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\406c0dc1244ed53523af78cacbf311951c3dc31ca5f64d6beb7edb99e379e55b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\406c0dc1244ed53523af78cacbf311951c3dc31ca5f64d6beb7edb99e379e55b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\406c0dc1244ed53523af78cacbf311951c3dc31ca5f64d6beb7edb99e379e55b.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\406c0dc1244ed53523af78cacbf311951c3dc31ca5f64d6beb7edb99e379e55b.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\406c0dc1244ed53523af78cacbf311951c3dc31ca5f64d6beb7edb99e379e55b.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4552 wrote to memory of 3496 N/A C:\Users\Admin\AppData\Local\Temp\406c0dc1244ed53523af78cacbf311951c3dc31ca5f64d6beb7edb99e379e55b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4552 wrote to memory of 3496 N/A C:\Users\Admin\AppData\Local\Temp\406c0dc1244ed53523af78cacbf311951c3dc31ca5f64d6beb7edb99e379e55b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4552 wrote to memory of 3496 N/A C:\Users\Admin\AppData\Local\Temp\406c0dc1244ed53523af78cacbf311951c3dc31ca5f64d6beb7edb99e379e55b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3364 wrote to memory of 4044 N/A C:\Users\Admin\AppData\Local\Temp\406c0dc1244ed53523af78cacbf311951c3dc31ca5f64d6beb7edb99e379e55b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3364 wrote to memory of 4044 N/A C:\Users\Admin\AppData\Local\Temp\406c0dc1244ed53523af78cacbf311951c3dc31ca5f64d6beb7edb99e379e55b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3364 wrote to memory of 4044 N/A C:\Users\Admin\AppData\Local\Temp\406c0dc1244ed53523af78cacbf311951c3dc31ca5f64d6beb7edb99e379e55b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3364 wrote to memory of 4176 N/A C:\Users\Admin\AppData\Local\Temp\406c0dc1244ed53523af78cacbf311951c3dc31ca5f64d6beb7edb99e379e55b.exe C:\Windows\system32\cmd.exe
PID 3364 wrote to memory of 4176 N/A C:\Users\Admin\AppData\Local\Temp\406c0dc1244ed53523af78cacbf311951c3dc31ca5f64d6beb7edb99e379e55b.exe C:\Windows\system32\cmd.exe
PID 4176 wrote to memory of 4524 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4176 wrote to memory of 4524 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3364 wrote to memory of 4964 N/A C:\Users\Admin\AppData\Local\Temp\406c0dc1244ed53523af78cacbf311951c3dc31ca5f64d6beb7edb99e379e55b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3364 wrote to memory of 4964 N/A C:\Users\Admin\AppData\Local\Temp\406c0dc1244ed53523af78cacbf311951c3dc31ca5f64d6beb7edb99e379e55b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3364 wrote to memory of 4964 N/A C:\Users\Admin\AppData\Local\Temp\406c0dc1244ed53523af78cacbf311951c3dc31ca5f64d6beb7edb99e379e55b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3364 wrote to memory of 8 N/A C:\Users\Admin\AppData\Local\Temp\406c0dc1244ed53523af78cacbf311951c3dc31ca5f64d6beb7edb99e379e55b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3364 wrote to memory of 8 N/A C:\Users\Admin\AppData\Local\Temp\406c0dc1244ed53523af78cacbf311951c3dc31ca5f64d6beb7edb99e379e55b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3364 wrote to memory of 8 N/A C:\Users\Admin\AppData\Local\Temp\406c0dc1244ed53523af78cacbf311951c3dc31ca5f64d6beb7edb99e379e55b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3364 wrote to memory of 4652 N/A C:\Users\Admin\AppData\Local\Temp\406c0dc1244ed53523af78cacbf311951c3dc31ca5f64d6beb7edb99e379e55b.exe C:\Windows\rss\csrss.exe
PID 3364 wrote to memory of 4652 N/A C:\Users\Admin\AppData\Local\Temp\406c0dc1244ed53523af78cacbf311951c3dc31ca5f64d6beb7edb99e379e55b.exe C:\Windows\rss\csrss.exe
PID 3364 wrote to memory of 4652 N/A C:\Users\Admin\AppData\Local\Temp\406c0dc1244ed53523af78cacbf311951c3dc31ca5f64d6beb7edb99e379e55b.exe C:\Windows\rss\csrss.exe
PID 4652 wrote to memory of 4060 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4652 wrote to memory of 4060 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4652 wrote to memory of 4060 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4652 wrote to memory of 3648 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4652 wrote to memory of 3648 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4652 wrote to memory of 3648 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4652 wrote to memory of 2688 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4652 wrote to memory of 2688 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4652 wrote to memory of 2688 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4652 wrote to memory of 1824 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 4652 wrote to memory of 1824 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 4396 wrote to memory of 3368 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 4396 wrote to memory of 3368 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 4396 wrote to memory of 3368 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 3368 wrote to memory of 1412 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 3368 wrote to memory of 1412 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 3368 wrote to memory of 1412 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
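The table above records one row per write, and the repeated parent-to-child rows are what ordinary process creation looks like from the sandbox's hook (the parent populates the new child's startup parameters), so the table is best read as a process-lineage record rather than as injection evidence. The following Python is an added example, not part of the report: it folds a constructed subset of these rows into a tree with one edge per distinct parent/child pair.

```python
"""Fold the WriteProcessMemory rows above into a parent/child process tree.

Added example, not part of the report. The sandbox logs one row per write,
and a parent writes into a freshly created child several times during
ordinary process creation (startup parameters), so repeated parent->child
rows are one spawn, not evidence of injection by themselves. ROWS is a
constructed subset of the report's table.
"""
import ntpath
import re
from collections import defaultdict

ROW_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)")
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\406c0dc1244ed53523af78cacbf311951c3dc31ca5f64d6beb7edb99e379e55b.exe"
PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
CSRSS = r"C:\Windows\rss\csrss.exe"
ROWS = "\n".join([
    rf"PID 4552 wrote to memory of 3496 N/A {DROPPER} {PS}",
    rf"PID 4552 wrote to memory of 3496 N/A {DROPPER} {PS}",
    rf"PID 3364 wrote to memory of 4044 N/A {DROPPER} {PS}",
    rf"PID 3364 wrote to memory of 4176 N/A {DROPPER} C:\Windows\system32\cmd.exe",
    rf"PID 3364 wrote to memory of 4176 N/A {DROPPER} C:\Windows\system32\cmd.exe",
    rf"PID 4176 wrote to memory of 4524 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe",
    rf"PID 3364 wrote to memory of 4964 N/A {DROPPER} {PS}",
    rf"PID 3364 wrote to memory of 8 N/A {DROPPER} {PS}",
    rf"PID 3364 wrote to memory of 4652 N/A {DROPPER} {CSRSS}",
    rf"PID 3364 wrote to memory of 4652 N/A {DROPPER} {CSRSS}",
    rf"PID 4652 wrote to memory of 4060 N/A {CSRSS} {PS}",
    rf"PID 4652 wrote to memory of 1824 N/A {CSRSS} C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe",
    rf"PID 4396 wrote to memory of 3368 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe",
    rf"PID 3368 wrote to memory of 1412 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe",
])


def build_tree(rows: str):
    """Return ({pid: image}, {ppid: [child pids]}); duplicate rows fold to one edge."""
    image, children, seen = {}, defaultdict(list), set()
    for line in rows.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        ppid, pid = int(m.group(1)), int(m.group(2))
        image.setdefault(ppid, m.group(3))
        image.setdefault(pid, m.group(4))
        if (ppid, pid) not in seen:  # second and third writes are the same spawn
            seen.add((ppid, pid))
            children[ppid].append(pid)
    return image, dict(children)


def roots(children: dict) -> list:
    """Parents that never appear as a child: the top of each lineage."""
    spawned = {c for kids in children.values() for c in kids}
    return [p for p in children if p not in spawned]


def render(image: dict, children: dict, pid: int, depth: int = 0) -> list:
    """Indented 'pid basename' lines for the subtree under pid."""
    lines = [f"{'  ' * depth}{pid} {ntpath.basename(image[pid])}"]
    for child in children.get(pid, []):
        lines += render(image, children, child, depth + 1)
    return lines


if __name__ == "__main__":
    image, children = build_tree(ROWS)
    for root in roots(children):
        print("\n".join(render(image, children, root)))
```

Running it prints three lineages: the first dropper instance (4552), the second instance (3364), which has no recorded parent in the table and therefore appears as its own root, and windefender.exe (4396). Writes that do not line up with a process start, for instance into a long-running pre-existing process, are the ones worth treating as injection.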

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\406c0dc1244ed53523af78cacbf311951c3dc31ca5f64d6beb7edb99e379e55b.exe

"C:\Users\Admin\AppData\Local\Temp\406c0dc1244ed53523af78cacbf311951c3dc31ca5f64d6beb7edb99e379e55b.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\406c0dc1244ed53523af78cacbf311951c3dc31ca5f64d6beb7edb99e379e55b.exe

"C:\Users\Admin\AppData\Local\Temp\406c0dc1244ed53523af78cacbf311951c3dc31ca5f64d6beb7edb99e379e55b.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

Sysnative is the WoW64 alias for the 64-bit System32 directory, so the 32-bit dropper deliberately launched the native cmd.exe and netsh.exe (hence the System32 process paths despite the SysWOW64 PowerShell elsewhere). The rule is an inbound allow for C:\Windows\rss\csrss.exe: the implant opens the host firewall to incoming connections for itself.

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

The task named csrss runs C:\Windows\rss\csrss.exe at every logon with the highest privileges available to the account (/RL HIGHEST), and /F silently replaces any existing task of that name; it duplicates the Run key persistence above and survives deletion of that key. The second command removes a task named ScheduledUpdate, whose creation is not captured in this run.

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
NL 23.62.61.57:443 www.bing.com tcp
US 8.8.8.8:53 57.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 3c6cc606-7c4f-46f8-bfdc-b1fc344686b0.uuid.localstats.org udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 stun.ipfire.org udp
US 8.8.8.8:53 server15.localstats.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
BG 185.82.216.111:443 server15.localstats.org tcp
US 162.159.135.233:443 cdn.discordapp.com tcp
DE 81.3.27.44:3478 stun.ipfire.org udp
US 8.8.8.8:53 carsalessystem.com udp
US 172.67.221.71:443 carsalessystem.com tcp
US 8.8.8.8:53 44.27.3.81.in-addr.arpa udp
US 8.8.8.8:53 233.135.159.162.in-addr.arpa udp
US 8.8.8.8:53 111.216.82.185.in-addr.arpa udp
US 8.8.8.8:53 71.221.67.172.in-addr.arpa udp
BG 185.82.216.111:443 server15.localstats.org tcp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
BG 185.82.216.111:443 server15.localstats.org tcp

Files

memory/4552-1-0x0000000002990000-0x0000000002D89000-memory.dmp

memory/4552-2-0x0000000002D90000-0x000000000367B000-memory.dmp

memory/4552-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3496-4-0x000000007403E000-0x000000007403F000-memory.dmp

memory/3496-5-0x0000000004840000-0x0000000004876000-memory.dmp

memory/3496-6-0x0000000004EB0000-0x00000000054D8000-memory.dmp

memory/3496-7-0x0000000074030000-0x00000000747E0000-memory.dmp

memory/3496-8-0x0000000074030000-0x00000000747E0000-memory.dmp

memory/3496-9-0x0000000004DD0000-0x0000000004DF2000-memory.dmp

memory/3496-10-0x0000000005650000-0x00000000056B6000-memory.dmp

memory/3496-11-0x0000000005770000-0x00000000057D6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ftxpddzp.v2v.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3496-21-0x00000000057E0000-0x0000000005B34000-memory.dmp

memory/3496-22-0x0000000005D90000-0x0000000005DAE000-memory.dmp

memory/3496-23-0x0000000005DD0000-0x0000000005E1C000-memory.dmp

memory/3496-24-0x0000000006300000-0x0000000006344000-memory.dmp

memory/3496-25-0x0000000006EC0000-0x0000000006F36000-memory.dmp

memory/3496-26-0x00000000075C0000-0x0000000007C3A000-memory.dmp

memory/3496-27-0x0000000006F60000-0x0000000006F7A000-memory.dmp

memory/3496-28-0x0000000007310000-0x0000000007342000-memory.dmp

memory/3496-30-0x0000000074030000-0x00000000747E0000-memory.dmp

memory/3496-31-0x0000000070480000-0x00000000707D4000-memory.dmp

memory/3496-29-0x000000006FED0000-0x000000006FF1C000-memory.dmp

memory/3496-41-0x0000000007350000-0x000000000736E000-memory.dmp

memory/3496-42-0x0000000007370000-0x0000000007413000-memory.dmp

memory/3496-43-0x0000000007460000-0x000000000746A000-memory.dmp

memory/3496-44-0x0000000074030000-0x00000000747E0000-memory.dmp

memory/3496-45-0x0000000007C40000-0x0000000007CD6000-memory.dmp

memory/3496-46-0x00000000074D0000-0x00000000074E1000-memory.dmp

memory/3496-47-0x00000000074B0000-0x00000000074BE000-memory.dmp

memory/3496-48-0x00000000074F0000-0x0000000007504000-memory.dmp

memory/3496-49-0x0000000007540000-0x000000000755A000-memory.dmp

memory/3496-50-0x0000000007530000-0x0000000007538000-memory.dmp

memory/3496-53-0x0000000074030000-0x00000000747E0000-memory.dmp

memory/4552-55-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3364-57-0x00000000029D0000-0x0000000002DD1000-memory.dmp

memory/4552-56-0x0000000002990000-0x0000000002D89000-memory.dmp

memory/3364-58-0x0000000002DE0000-0x00000000036CB000-memory.dmp

memory/4552-59-0x0000000002D90000-0x000000000367B000-memory.dmp

memory/4044-60-0x0000000005850000-0x0000000005BA4000-memory.dmp

memory/4044-70-0x000000006FED0000-0x000000006FF1C000-memory.dmp

memory/4044-71-0x0000000070650000-0x00000000709A4000-memory.dmp

memory/4044-81-0x0000000007110000-0x00000000071B3000-memory.dmp

memory/4044-82-0x00000000073C0000-0x00000000073D1000-memory.dmp

memory/4044-83-0x0000000007410000-0x0000000007424000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 ea20912dec2f072383837b6d6c78db21
SHA1 da35ef07a385e1905cf473832ac6acf108a1bce9
SHA256 0f37be87023b614ca08d1272d1bd57eb043506574966895bb1450af2bdabc9a4
SHA512 cbc703051b5c6505003d64f33b82a44a03d92f647639b45f3eeb1f4ea00ff5a60eda6b2e1bc6658cf50a118776c6af51c572e437adb0daf89d9307d8f659fe93

memory/4964-97-0x000000006FED0000-0x000000006FF1C000-memory.dmp

memory/4964-98-0x0000000070650000-0x00000000709A4000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 e8a135153cd119ac0c96afdcaf4f3d65
SHA1 cba77928adeb271858e530b0657c00aa6b4409c2
SHA256 742fd6de4e296c15c3adfdf744b0249401a6a072364ac217c16a6ae7cd88def1
SHA512 b526f797ecd65051b9962487dbf3c28edf7603ef8b1485d7bc4fcae75d15fa63f3f6c59336276040f6f74fcc3aec5b15d4d5cd6fec283a6cc669afa4d6885910

memory/8-119-0x000000006FED0000-0x000000006FF1C000-memory.dmp

memory/8-120-0x0000000070650000-0x00000000709A4000-memory.dmp

memory/3364-131-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3364-136-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 53cea1724c673ae863cc4c110878122a
SHA1 93194ec549be4cfc29e03f80a8bcf1542f16332b
SHA256 406c0dc1244ed53523af78cacbf311951c3dc31ca5f64d6beb7edb99e379e55b
SHA512 1efb02d0ded0155d60b23bfd3ec7d2e95fd6adf156eab202cbcb8d8f043fee262ee97dc587ca59791a99d47a7d00f1d1a020562cdbccdd16c42ee345b8535ba6

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 d631867c6b5f9db984c4edc5802af007
SHA1 1e8e7395dbaf5c4b516260ac7f4dc3a5d41a0566
SHA256 a408da740592d33a8e539bfdb4645e106b1024761dc9546ed9671ed910f26b8d
SHA512 b9451b9129270920da7f8cb21dcf37119618f460b0efeb76d30613c23b77089b355202e4b9b773a2beea0b7059a7146d6eb4b65f07ec73c1c4d0bcb1ddc27166

memory/4060-149-0x000000006FED0000-0x000000006FF1C000-memory.dmp

memory/4060-150-0x0000000070650000-0x00000000709A4000-memory.dmp

memory/3648-170-0x0000000005890000-0x0000000005BE4000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 ba2c54b68af16f97497e0d12f8cb562b
SHA1 482d4cd840570e45146d7be34cea75ec6e5f5483
SHA256 45ca66201960ba14a0a0f4f9451b59bf2fde96c07daf8cacacfe99bccbc674e8
SHA512 4c7eb2096ce1ba47fa492a8008c1f88dfcb21263f2b560a3bfaf685f49db6847ec3173e08d3093fe3d2c6cbfeeb14d40ef6c59bf56dc5a966a4c5f27a0dccb35

memory/3648-172-0x0000000005DC0000-0x0000000005E0C000-memory.dmp

memory/3648-173-0x000000006FDF0000-0x000000006FE3C000-memory.dmp

memory/3648-174-0x000000006FF70000-0x00000000702C4000-memory.dmp

memory/3648-184-0x0000000006FF0000-0x0000000007093000-memory.dmp

memory/3648-185-0x00000000072A0000-0x00000000072B1000-memory.dmp

memory/3648-186-0x0000000005770000-0x0000000005784000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 9753f29da0c67a0e7e6ffac588e46e7e
SHA1 12ad8e1aab32c0599cdf557af5a1542955693d6b
SHA256 d93e04fce58cd338f857e937231677b38f0c1db316de1bd1af7d0262a105cba4
SHA512 200904a41603194138c119cd14c8cfc37c43d4573687506bc5075b16823051a3946412e3c50a5281cb43c64c6f3c7ec414f9524deef97fdfa7055f4d52da144a

memory/2688-198-0x000000006FDF0000-0x000000006FE3C000-memory.dmp

memory/2688-199-0x000000006FF70000-0x00000000702C4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/4652-216-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/4396-222-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3796-224-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4396-226-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4652-227-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3796-230-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4652-229-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4652-232-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3796-236-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4652-235-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4652-238-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4652-242-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4652-244-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4652-247-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4652-250-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4652-254-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4652-256-0x0000000000400000-0x0000000000D1C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-16 12:40

Reported

2024-05-16 12:43

Platform

win11-20240508-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\406c0dc1244ed53523af78cacbf311951c3dc31ca5f64d6beb7edb99e379e55b.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\406c0dc1244ed53523af78cacbf311951c3dc31ca5f64d6beb7edb99e379e55b.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\406c0dc1244ed53523af78cacbf311951c3dc31ca5f64d6beb7edb99e379e55b.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\406c0dc1244ed53523af78cacbf311951c3dc31ca5f64d6beb7edb99e379e55b.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\406c0dc1244ed53523af78cacbf311951c3dc31ca5f64d6beb7edb99e379e55b.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2181 = "Astrakhan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1972 = "Belarus Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-571 = "China Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-122 = "SA Pacific Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2182 = "Astrakhan Standard Time" C:\Users\Admin\AppData\Local\Temp\406c0dc1244ed53523af78cacbf311951c3dc31ca5f64d6beb7edb99e379e55b.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-982 = "Kamchatka Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-91 = "Pacific SA Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2842 = "Saratov Standard Time" C:\Users\Admin\AppData\Local\Temp\406c0dc1244ed53523af78cacbf311951c3dc31ca5f64d6beb7edb99e379e55b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-912 = "Mauritius Standard Time" C:\Users\Admin\AppData\Local\Temp\406c0dc1244ed53523af78cacbf311951c3dc31ca5f64d6beb7edb99e379e55b.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-562 = "SE Asia Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1502 = "Turkey Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-291 = "Central European Daylight Time" C:\Users\Admin\AppData\Local\Temp\406c0dc1244ed53523af78cacbf311951c3dc31ca5f64d6beb7edb99e379e55b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-71 = "Newfoundland Daylight Time" C:\Users\Admin\AppData\Local\Temp\406c0dc1244ed53523af78cacbf311951c3dc31ca5f64d6beb7edb99e379e55b.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-981 = "Kamchatka Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-791 = "SA Western Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2142 = "Transbaikal Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time" C:\Users\Admin\AppData\Local\Temp\406c0dc1244ed53523af78cacbf311951c3dc31ca5f64d6beb7edb99e379e55b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-3142 = "South Sudan Standard Time" C:\Users\Admin\AppData\Local\Temp\406c0dc1244ed53523af78cacbf311951c3dc31ca5f64d6beb7edb99e379e55b.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-191 = "Mountain Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-435 = "Georgian Standard Time" C:\Users\Admin\AppData\Local\Temp\406c0dc1244ed53523af78cacbf311951c3dc31ca5f64d6beb7edb99e379e55b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2492 = "Aus Central W. Standard Time" C:\Users\Admin\AppData\Local\Temp\406c0dc1244ed53523af78cacbf311951c3dc31ca5f64d6beb7edb99e379e55b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-72 = "Newfoundland Standard Time" C:\Users\Admin\AppData\Local\Temp\406c0dc1244ed53523af78cacbf311951c3dc31ca5f64d6beb7edb99e379e55b.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1892 = "Russia TZ 3 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-531 = "Sri Lanka Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time" C:\Users\Admin\AppData\Local\Temp\406c0dc1244ed53523af78cacbf311951c3dc31ca5f64d6beb7edb99e379e55b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-432 = "Iran Standard Time" C:\Users\Admin\AppData\Local\Temp\406c0dc1244ed53523af78cacbf311951c3dc31ca5f64d6beb7edb99e379e55b.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1021 = "Bangladesh Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-242 = "Samoa Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2042 = "Eastern Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\406c0dc1244ed53523af78cacbf311951c3dc31ca5f64d6beb7edb99e379e55b.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1822 = "Russia TZ 1 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-142 = "Canada Central Standard Time" C:\Users\Admin\AppData\Local\Temp\406c0dc1244ed53523af78cacbf311951c3dc31ca5f64d6beb7edb99e379e55b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-141 = "Canada Central Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-3051 = "Qyzylorda Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-772 = "Montevideo Standard Time" C:\Users\Admin\AppData\Local\Temp\406c0dc1244ed53523af78cacbf311951c3dc31ca5f64d6beb7edb99e379e55b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-272 = "Greenwich Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1831 = "Russia TZ 2 Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1022 = "Bangladesh Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2492 = "Aus Central W. Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-142 = "Canada Central Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-41 = "E. South America Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1871 = "Russia TZ 7 Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-932 = "Coordinated Universal Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-222 = "Alaskan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-442 = "Arabian Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2612 = "Bougainville Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-892 = "Morocco Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-681 = "E. Australia Daylight Time" C:\Users\Admin\AppData\Local\Temp\406c0dc1244ed53523af78cacbf311951c3dc31ca5f64d6beb7edb99e379e55b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-182 = "Mountain Standard Time (Mexico)" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time" C:\Users\Admin\AppData\Local\Temp\406c0dc1244ed53523af78cacbf311951c3dc31ca5f64d6beb7edb99e379e55b.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\406c0dc1244ed53523af78cacbf311951c3dc31ca5f64d6beb7edb99e379e55b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\406c0dc1244ed53523af78cacbf311951c3dc31ca5f64d6beb7edb99e379e55b.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\406c0dc1244ed53523af78cacbf311951c3dc31ca5f64d6beb7edb99e379e55b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\406c0dc1244ed53523af78cacbf311951c3dc31ca5f64d6beb7edb99e379e55b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\406c0dc1244ed53523af78cacbf311951c3dc31ca5f64d6beb7edb99e379e55b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\406c0dc1244ed53523af78cacbf311951c3dc31ca5f64d6beb7edb99e379e55b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\406c0dc1244ed53523af78cacbf311951c3dc31ca5f64d6beb7edb99e379e55b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\406c0dc1244ed53523af78cacbf311951c3dc31ca5f64d6beb7edb99e379e55b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\406c0dc1244ed53523af78cacbf311951c3dc31ca5f64d6beb7edb99e379e55b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\406c0dc1244ed53523af78cacbf311951c3dc31ca5f64d6beb7edb99e379e55b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\406c0dc1244ed53523af78cacbf311951c3dc31ca5f64d6beb7edb99e379e55b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\406c0dc1244ed53523af78cacbf311951c3dc31ca5f64d6beb7edb99e379e55b.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A (10 identical rows)
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A (6 identical rows)
N/A N/A C:\Windows\rss\csrss.exe N/A (2 identical rows)
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A (6 identical rows)
N/A N/A C:\Windows\rss\csrss.exe N/A (2 identical rows)
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A (2 identical rows)
N/A N/A C:\Windows\rss\csrss.exe N/A (2 identical rows)
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A (18 identical rows)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A (7 identical rows)
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\406c0dc1244ed53523af78cacbf311951c3dc31ca5f64d6beb7edb99e379e55b.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\406c0dc1244ed53523af78cacbf311951c3dc31ca5f64d6beb7edb99e379e55b.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A (2 identical rows)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5004 wrote to memory of 4688 N/A C:\Users\Admin\AppData\Local\Temp\406c0dc1244ed53523af78cacbf311951c3dc31ca5f64d6beb7edb99e379e55b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (3 identical rows)
PID 4224 wrote to memory of 3216 N/A C:\Users\Admin\AppData\Local\Temp\406c0dc1244ed53523af78cacbf311951c3dc31ca5f64d6beb7edb99e379e55b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (3 identical rows)
PID 4224 wrote to memory of 3644 N/A C:\Users\Admin\AppData\Local\Temp\406c0dc1244ed53523af78cacbf311951c3dc31ca5f64d6beb7edb99e379e55b.exe C:\Windows\system32\cmd.exe (2 identical rows)
PID 3644 wrote to memory of 708 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe (2 identical rows)
PID 4224 wrote to memory of 4968 N/A C:\Users\Admin\AppData\Local\Temp\406c0dc1244ed53523af78cacbf311951c3dc31ca5f64d6beb7edb99e379e55b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (3 identical rows)
PID 4224 wrote to memory of 2160 N/A C:\Users\Admin\AppData\Local\Temp\406c0dc1244ed53523af78cacbf311951c3dc31ca5f64d6beb7edb99e379e55b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (3 identical rows)
PID 4224 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Local\Temp\406c0dc1244ed53523af78cacbf311951c3dc31ca5f64d6beb7edb99e379e55b.exe C:\Windows\rss\csrss.exe (3 identical rows)
PID 2364 wrote to memory of 4400 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (3 identical rows)
PID 2364 wrote to memory of 4596 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (3 identical rows)
PID 2364 wrote to memory of 2004 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (3 identical rows)
PID 2364 wrote to memory of 1580 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe (2 identical rows)
PID 1824 wrote to memory of 2908 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe (3 identical rows)
PID 2908 wrote to memory of 5052 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe (3 identical rows)

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\406c0dc1244ed53523af78cacbf311951c3dc31ca5f64d6beb7edb99e379e55b.exe

"C:\Users\Admin\AppData\Local\Temp\406c0dc1244ed53523af78cacbf311951c3dc31ca5f64d6beb7edb99e379e55b.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\406c0dc1244ed53523af78cacbf311951c3dc31ca5f64d6beb7edb99e379e55b.exe

"C:\Users\Admin\AppData\Local\Temp\406c0dc1244ed53523af78cacbf311951c3dc31ca5f64d6beb7edb99e379e55b.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 d9e621ea-63b9-444e-adc6-02fe156b347e.uuid.localstats.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 server10.localstats.org udp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 74.125.250.129:19302 stun.l.google.com udp
BG 185.82.216.111:443 server10.localstats.org tcp
US 104.21.94.82:443 carsalessystem.com tcp
US 8.8.8.8:53 82.94.21.104.in-addr.arpa udp
BG 185.82.216.111:443 server10.localstats.org tcp
BG 185.82.216.111:443 server10.localstats.org tcp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_q4fjaxcj.jst.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 d0c46cad6c0778401e21910bd6b56b70
SHA1 7be418951ea96326aca445b8dfe449b2bfa0dca6
SHA256 9600b3fdf0565ccb49e21656aa4b24d7c18f776bfd04d9ee984b134707550f02
SHA512 057531b468f7fbbb2175a696a8aab274dec0d17d9f71df309edcff35e064f3378050066a3df47ccd03048fac461594ec75e3d4fe64f9dd79949d129f51e02949

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 a3bbea0089657e7f0cd0104c378807df
SHA1 0d45b4071310ff75d66c6f319407ffa595b55e6b
SHA256 fff125123f68b7d3e0cf4dcd2f123223ed0214a9cb3a6b319d663fe122657dc8
SHA512 91da89f9dc95bd5f2558b70995fb2abe541aeeb80ba54357fa0cf8db2bfbe4026519950b8a5bf4394332329392d2ba5051f18a9140be5d03d763e6ac7f320be6

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 42dce509b1fac734e1e636fa01610af6
SHA1 03a5032a0a38dedfd34413486f1663ae7cc43234
SHA256 395a4845f48b518575660a59f9e078533148a38d8fdd32a9666d2c07e2f38e03
SHA512 e4ee7dfc172e6b787cadd47414405bd41ff17bbf483ce7f78b30cdd52e790dacdf8f327f0b0f62a34444f2176bd06cf52b9468236bdf8789fc78dd22b2c523ab

C:\Windows\rss\csrss.exe

MD5 53cea1724c673ae863cc4c110878122a
SHA1 93194ec549be4cfc29e03f80a8bcf1542f16332b
SHA256 406c0dc1244ed53523af78cacbf311951c3dc31ca5f64d6beb7edb99e379e55b
SHA512 1efb02d0ded0155d60b23bfd3ec7d2e95fd6adf156eab202cbcb8d8f043fee262ee97dc587ca59791a99d47a7d00f1d1a020562cdbccdd16c42ee345b8535ba6

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 431e6f77db5536ef6dcb7db7ae570dd8
SHA1 6350af39a1b4f1090bf9855677f199d796c0200e
SHA256 6c045973889143c596290c3abfd7f213851c40495b1c3ca04213a629032ec4e5
SHA512 2b5503476025debe33904ac6186e0fcde342eeb47098ef72b25f6d545b98fb9d275e1b5bb7fa02923c7528bc0451a56ed870ffb121577fc28db14d809e862aed

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 b4a204495a73337adf74f8e80b0d223d
SHA1 e158a1d2d4ae9ad0efa904b53385d6d5e78e138c
SHA256 3c935917e7bc563a5cb2c091c2880eb83f7749e19824155dab0f228596f4fbae
SHA512 f70abe058de224af0fb018379210f28a819253aa00502c99a46fe9d83ae1365cfe4c677a8b589c7b5991880ce012c25cdc6d1ef1ce52d6a2a29a1ee566865259

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 26f94fbe0f2ca12a2e4a9c852014a24f
SHA1 727da6c447ad9817f12cfc3562043218f9df83be
SHA256 18e0d12d83e11074e766c9043158c000c92f0e11de99bc11c98641660d9d1e6b
SHA512 bfae386df164abdd96056ce79b290b56bfa9a18abbe2d5e98a849feeedb881af58563c33145728263c5723eee609c194031122ccdfc0b26451c07691e05970e3

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec
