Malware Analysis Report

2024-12-08 02:17

Sample ID 240516-py2rrsdb61
Target efc73c9797822a16ff47d51a398a0dad583fe49e7326ee54c5af199032bed47e
SHA256 efc73c9797822a16ff47d51a398a0dad583fe49e7326ee54c5af199032bed47e
Tags: glupteba discovery dropper evasion execution loader persistence rootkit upx
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: efc73c9797822a16ff47d51a398a0dad583fe49e7326ee54c5af199032bed47e

Threat Level: Known bad

The file efc73c9797822a16ff47d51a398a0dad583fe49e7326ee54c5af199032bed47e was found to be: Known bad.

Malicious Activity Summary

glupteba discovery dropper evasion execution loader persistence rootkit upx

Glupteba

Glupteba payload

Modifies Windows Firewall

UPX packed file

Executes dropped EXE

Manipulates WinMonFS driver.

Adds Run key to start application

Checks installed software on the system

Drops file in System32 directory

Drops file in Windows directory

Launches sc.exe

Checks for VirtualBox DLLs, possible anti-VM trick

Command and Scripting Interpreter: PowerShell

Modifies data under HKEY_USERS

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-05-16 12:45

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-05-16 12:45
Reported: 2024-05-16 12:47
Platform: win10v2004-20240508-en
Max time kernel: 150s
Max time network: 137s

Command Line

"C:\Users\Admin\AppData\Local\Temp\efc73c9797822a16ff47d51a398a0dad583fe49e7326ee54c5af199032bed47e.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description | Indicator | Process | Target
18 matches recorded; the sandbox reported no description, indicator, process or target for any of them (all fields N/A).

Modifies Windows Firewall

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\netsh.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\rss\csrss.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Windows\windefender.exe | N/A
N/A | N/A | C:\Windows\windefender.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
6 matches recorded; the sandbox reported no description, indicator, process or target for any of them (all fields N/A).

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Windows\rss\csrss.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Users\Admin\AppData\Local\Temp\efc73c9797822a16ff47d51a398a0dad583fe49e7326ee54c5af199032bed47e.exe | N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description | Indicator | Process | Target
File opened for modification | \??\WinMonFS | C:\Windows\rss\csrss.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description | Indicator | Process | Target
File opened (read-only) | \??\VBoxMiniRdrDN | C:\Users\Admin\AppData\Local\Temp\efc73c9797822a16ff47d51a398a0dad583fe49e7326ee54c5af199032bed47e.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\windefender.exe | C:\Windows\rss\csrss.exe | N/A
File opened for modification | C:\Windows\windefender.exe | C:\Windows\rss\csrss.exe | N/A
File opened for modification | C:\Windows\rss | C:\Users\Admin\AppData\Local\Temp\efc73c9797822a16ff47d51a398a0dad583fe49e7326ee54c5af199032bed47e.exe | N/A
File created | C:\Windows\rss\csrss.exe | C:\Users\Admin\AppData\Local\Temp\efc73c9797822a16ff47d51a398a0dad583fe49e7326ee54c5af199032bed47e.exe | N/A

Launches sc.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A
N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A

Modifies data under HKEY_USERS

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-432 = "Iran Standard Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-431 = "Iran Daylight Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2451 = "Saint Pierre Daylight Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2412 = "Marquesas Standard Time" | C:\Users\Admin\AppData\Local\Temp\efc73c9797822a16ff47d51a398a0dad583fe49e7326ee54c5af199032bed47e.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2001 = "Cabo Verde Daylight Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-382 = "South Africa Standard Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-742 = "New Zealand Standard Time" | C:\Users\Admin\AppData\Local\Temp\efc73c9797822a16ff47d51a398a0dad583fe49e7326ee54c5af199032bed47e.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1891 = "Russia TZ 3 Daylight Time" | C:\Users\Admin\AppData\Local\Temp\efc73c9797822a16ff47d51a398a0dad583fe49e7326ee54c5af199032bed47e.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-291 = "Central European Daylight Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-52 = "Greenland Standard Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2631 = "Norfolk Daylight Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-911 = "Mauritius Daylight Time" | C:\Users\Admin\AppData\Local\Temp\efc73c9797822a16ff47d51a398a0dad583fe49e7326ee54c5af199032bed47e.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-31 = "Mid-Atlantic Daylight Time" | C:\Users\Admin\AppData\Local\Temp\efc73c9797822a16ff47d51a398a0dad583fe49e7326ee54c5af199032bed47e.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-461 = "Afghanistan Daylight Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-842 = "Argentina Standard Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1472 = "Magadan Standard Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-331 = "E. Europe Daylight Time" | C:\Users\Admin\AppData\Local\Temp\efc73c9797822a16ff47d51a398a0dad583fe49e7326ee54c5af199032bed47e.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2452 = "Saint Pierre Standard Time" | C:\Users\Admin\AppData\Local\Temp\efc73c9797822a16ff47d51a398a0dad583fe49e7326ee54c5af199032bed47e.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2511 = "Lord Howe Daylight Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-192 = "Mountain Standard Time" | C:\Users\Admin\AppData\Local\Temp\efc73c9797822a16ff47d51a398a0dad583fe49e7326ee54c5af199032bed47e.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time" | C:\Users\Admin\AppData\Local\Temp\efc73c9797822a16ff47d51a398a0dad583fe49e7326ee54c5af199032bed47e.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2391 = "Aleutian Daylight Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-672 = "AUS Eastern Standard Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-131 = "US Eastern Daylight Time" | C:\Users\Admin\AppData\Local\Temp\efc73c9797822a16ff47d51a398a0dad583fe49e7326ee54c5af199032bed47e.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-391 = "Arab Daylight Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1971 = "Belarus Daylight Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-411 = "E. Africa Daylight Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-334 = "Jordan Daylight Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1022 = "Bangladesh Standard Time" | C:\Users\Admin\AppData\Local\Temp\efc73c9797822a16ff47d51a398a0dad583fe49e7326ee54c5af199032bed47e.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-662 = "Cen. Australia Standard Time" | C:\Users\Admin\AppData\Local\Temp\efc73c9797822a16ff47d51a398a0dad583fe49e7326ee54c5af199032bed47e.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2142 = "Transbaikal Standard Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1662 = "Bahia Standard Time" | C:\Users\Admin\AppData\Local\Temp\efc73c9797822a16ff47d51a398a0dad583fe49e7326ee54c5af199032bed47e.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-791 = "SA Western Daylight Time" | C:\Users\Admin\AppData\Local\Temp\efc73c9797822a16ff47d51a398a0dad583fe49e7326ee54c5af199032bed47e.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1041 = "Ulaanbaatar Daylight Time" | C:\Users\Admin\AppData\Local\Temp\efc73c9797822a16ff47d51a398a0dad583fe49e7326ee54c5af199032bed47e.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-301 = "Romance Daylight Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2612 = "Bougainville Standard Time" | C:\Users\Admin\AppData\Local\Temp\efc73c9797822a16ff47d51a398a0dad583fe49e7326ee54c5af199032bed47e.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-214 = "Pacific Daylight Time (Mexico)" | C:\Users\Admin\AppData\Local\Temp\efc73c9797822a16ff47d51a398a0dad583fe49e7326ee54c5af199032bed47e.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-12 = "Azores Standard Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2431 = "Cuba Daylight Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)" | C:\Users\Admin\AppData\Local\Temp\efc73c9797822a16ff47d51a398a0dad583fe49e7326ee54c5af199032bed47e.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time" | C:\Users\Admin\AppData\Local\Temp\efc73c9797822a16ff47d51a398a0dad583fe49e7326ee54c5af199032bed47e.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1932 = "Russia TZ 11 Standard Time" | C:\Windows\windefender.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description, indicator and target were N/A for every event; 64 events in total, summarised per process:

Process | Events
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | 14
C:\Users\Admin\AppData\Local\Temp\efc73c9797822a16ff47d51a398a0dad583fe49e7326ee54c5af199032bed47e.exe | 12
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | 32
C:\Windows\rss\csrss.exe | 6

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\efc73c9797822a16ff47d51a398a0dad583fe49e7326ee54c5af199032bed47e.exe | N/A
Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\efc73c9797822a16ff47d51a398a0dad583fe49e7326ee54c5af199032bed47e.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\rss\csrss.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\sc.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\sc.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4532 wrote to memory of 1028 | N/A | C:\Users\Admin\AppData\Local\Temp\efc73c9797822a16ff47d51a398a0dad583fe49e7326ee54c5af199032bed47e.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4532 wrote to memory of 1028 | N/A | C:\Users\Admin\AppData\Local\Temp\efc73c9797822a16ff47d51a398a0dad583fe49e7326ee54c5af199032bed47e.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4532 wrote to memory of 1028 | N/A | C:\Users\Admin\AppData\Local\Temp\efc73c9797822a16ff47d51a398a0dad583fe49e7326ee54c5af199032bed47e.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5044 wrote to memory of 4044 | N/A | C:\Users\Admin\AppData\Local\Temp\efc73c9797822a16ff47d51a398a0dad583fe49e7326ee54c5af199032bed47e.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5044 wrote to memory of 4044 | N/A | C:\Users\Admin\AppData\Local\Temp\efc73c9797822a16ff47d51a398a0dad583fe49e7326ee54c5af199032bed47e.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5044 wrote to memory of 4044 | N/A | C:\Users\Admin\AppData\Local\Temp\efc73c9797822a16ff47d51a398a0dad583fe49e7326ee54c5af199032bed47e.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5044 wrote to memory of 3992 | N/A | C:\Users\Admin\AppData\Local\Temp\efc73c9797822a16ff47d51a398a0dad583fe49e7326ee54c5af199032bed47e.exe | C:\Windows\system32\cmd.exe
PID 5044 wrote to memory of 3992 | N/A | C:\Users\Admin\AppData\Local\Temp\efc73c9797822a16ff47d51a398a0dad583fe49e7326ee54c5af199032bed47e.exe | C:\Windows\system32\cmd.exe
PID 3992 wrote to memory of 5048 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\netsh.exe
PID 3992 wrote to memory of 5048 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\netsh.exe
PID 5044 wrote to memory of 2300 | N/A | C:\Users\Admin\AppData\Local\Temp\efc73c9797822a16ff47d51a398a0dad583fe49e7326ee54c5af199032bed47e.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5044 wrote to memory of 2300 | N/A | C:\Users\Admin\AppData\Local\Temp\efc73c9797822a16ff47d51a398a0dad583fe49e7326ee54c5af199032bed47e.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5044 wrote to memory of 2300 | N/A | C:\Users\Admin\AppData\Local\Temp\efc73c9797822a16ff47d51a398a0dad583fe49e7326ee54c5af199032bed47e.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5044 wrote to memory of 1336 | N/A | C:\Users\Admin\AppData\Local\Temp\efc73c9797822a16ff47d51a398a0dad583fe49e7326ee54c5af199032bed47e.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5044 wrote to memory of 1336 | N/A | C:\Users\Admin\AppData\Local\Temp\efc73c9797822a16ff47d51a398a0dad583fe49e7326ee54c5af199032bed47e.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5044 wrote to memory of 1336 | N/A | C:\Users\Admin\AppData\Local\Temp\efc73c9797822a16ff47d51a398a0dad583fe49e7326ee54c5af199032bed47e.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5044 wrote to memory of 3400 | N/A | C:\Users\Admin\AppData\Local\Temp\efc73c9797822a16ff47d51a398a0dad583fe49e7326ee54c5af199032bed47e.exe | C:\Windows\rss\csrss.exe
PID 5044 wrote to memory of 3400 | N/A | C:\Users\Admin\AppData\Local\Temp\efc73c9797822a16ff47d51a398a0dad583fe49e7326ee54c5af199032bed47e.exe | C:\Windows\rss\csrss.exe
PID 5044 wrote to memory of 3400 | N/A | C:\Users\Admin\AppData\Local\Temp\efc73c9797822a16ff47d51a398a0dad583fe49e7326ee54c5af199032bed47e.exe | C:\Windows\rss\csrss.exe
PID 3400 wrote to memory of 2424 | N/A | C:\Windows\rss\csrss.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3400 wrote to memory of 2424 | N/A | C:\Windows\rss\csrss.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3400 wrote to memory of 2424 | N/A | C:\Windows\rss\csrss.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3400 wrote to memory of 5092 | N/A | C:\Windows\rss\csrss.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3400 wrote to memory of 5092 | N/A | C:\Windows\rss\csrss.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3400 wrote to memory of 5092 | N/A | C:\Windows\rss\csrss.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3400 wrote to memory of 3476 | N/A | C:\Windows\rss\csrss.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3400 wrote to memory of 3476 | N/A | C:\Windows\rss\csrss.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3400 wrote to memory of 3476 | N/A | C:\Windows\rss\csrss.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3400 wrote to memory of 1112 | N/A | C:\Windows\rss\csrss.exe | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 3400 wrote to memory of 1112 | N/A | C:\Windows\rss\csrss.exe | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 4580 wrote to memory of 2472 | N/A | C:\Windows\windefender.exe | C:\Windows\SysWOW64\cmd.exe
PID 4580 wrote to memory of 2472 | N/A | C:\Windows\windefender.exe | C:\Windows\SysWOW64\cmd.exe
PID 4580 wrote to memory of 2472 | N/A | C:\Windows\windefender.exe | C:\Windows\SysWOW64\cmd.exe
PID 2472 wrote to memory of 1088 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\sc.exe
PID 2472 wrote to memory of 1088 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\sc.exe
PID 2472 wrote to memory of 1088 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\efc73c9797822a16ff47d51a398a0dad583fe49e7326ee54c5af199032bed47e.exe

"C:\Users\Admin\AppData\Local\Temp\efc73c9797822a16ff47d51a398a0dad583fe49e7326ee54c5af199032bed47e.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\efc73c9797822a16ff47d51a398a0dad583fe49e7326ee54c5af199032bed47e.exe

"C:\Users\Admin\AppData\Local\Temp\efc73c9797822a16ff47d51a398a0dad583fe49e7326ee54c5af199032bed47e.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 fe9b20ec-7919-49ef-a9b4-b83835c360ba.uuid.statsexplorer.org udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 stun.sipgate.net udp
US 8.8.8.8:53 server9.statsexplorer.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 15.197.250.192:3478 stun.sipgate.net udp
BG 185.82.216.108:443 server9.statsexplorer.org tcp
US 8.8.8.8:53 carsalessystem.com udp
US 172.67.221.71:443 carsalessystem.com tcp
US 8.8.8.8:53 192.250.197.15.in-addr.arpa udp
US 8.8.8.8:53 233.129.159.162.in-addr.arpa udp
US 8.8.8.8:53 108.216.82.185.in-addr.arpa udp
US 8.8.8.8:53 71.221.67.172.in-addr.arpa udp
BG 185.82.216.108:443 server9.statsexplorer.org tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
BG 185.82.216.108:443 server9.statsexplorer.org tcp

Files

memory/4532-1-0x0000000002940000-0x0000000002D44000-memory.dmp

memory/4532-2-0x0000000002D50000-0x000000000363B000-memory.dmp

memory/4532-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1028-4-0x000000007432E000-0x000000007432F000-memory.dmp

memory/1028-5-0x0000000002F30000-0x0000000002F66000-memory.dmp

memory/1028-6-0x0000000074320000-0x0000000074AD0000-memory.dmp

memory/1028-7-0x00000000057E0000-0x0000000005E08000-memory.dmp

memory/1028-8-0x0000000074320000-0x0000000074AD0000-memory.dmp

memory/1028-9-0x0000000005750000-0x0000000005772000-memory.dmp

memory/1028-10-0x0000000005E80000-0x0000000005EE6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bfmqarbj.oxi.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1028-16-0x0000000005EF0000-0x0000000005F56000-memory.dmp

memory/1028-21-0x00000000060A0000-0x00000000063F4000-memory.dmp

memory/1028-22-0x00000000065A0000-0x00000000065BE000-memory.dmp

memory/1028-23-0x00000000065F0000-0x000000000663C000-memory.dmp

memory/1028-24-0x0000000006AF0000-0x0000000006B34000-memory.dmp

memory/1028-25-0x00000000078C0000-0x0000000007936000-memory.dmp

memory/1028-26-0x0000000007FC0000-0x000000000863A000-memory.dmp

memory/1028-27-0x0000000007960000-0x000000000797A000-memory.dmp

memory/1028-28-0x0000000007B20000-0x0000000007B52000-memory.dmp

memory/1028-29-0x00000000701C0000-0x000000007020C000-memory.dmp

memory/1028-30-0x0000000074320000-0x0000000074AD0000-memory.dmp

memory/1028-41-0x0000000007B60000-0x0000000007B7E000-memory.dmp

memory/1028-42-0x0000000007B80000-0x0000000007C23000-memory.dmp

memory/1028-43-0x0000000074320000-0x0000000074AD0000-memory.dmp

memory/1028-31-0x0000000070340000-0x0000000070694000-memory.dmp

memory/1028-44-0x0000000007C70000-0x0000000007C7A000-memory.dmp

memory/1028-45-0x0000000007D50000-0x0000000007DE6000-memory.dmp

memory/1028-46-0x0000000007CB0000-0x0000000007CC1000-memory.dmp

memory/1028-47-0x0000000007CF0000-0x0000000007CFE000-memory.dmp

memory/1028-48-0x0000000007D00000-0x0000000007D14000-memory.dmp

memory/1028-49-0x0000000007DF0000-0x0000000007E0A000-memory.dmp

memory/1028-50-0x0000000007D40000-0x0000000007D48000-memory.dmp

memory/1028-53-0x0000000074320000-0x0000000074AD0000-memory.dmp

memory/4532-55-0x0000000002940000-0x0000000002D44000-memory.dmp

memory/5044-56-0x00000000029D0000-0x0000000002DD4000-memory.dmp

memory/4532-57-0x0000000002D50000-0x000000000363B000-memory.dmp

memory/4532-58-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4044-64-0x0000000005650000-0x00000000059A4000-memory.dmp

memory/4044-69-0x00000000701C0000-0x000000007020C000-memory.dmp

memory/4044-70-0x0000000070940000-0x0000000070C94000-memory.dmp

memory/4044-80-0x0000000006CC0000-0x0000000006D63000-memory.dmp

memory/4044-81-0x00000000071C0000-0x00000000071D1000-memory.dmp

memory/4044-82-0x0000000007210000-0x0000000007224000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 3d086a433708053f9bf9523e1d87a4e8
SHA1 b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA256 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 f19d69faa289af7f35ee0f2789a0132b
SHA1 6d94f2ed8f30e6f655842e1375366f870a13fd71
SHA256 03dd947f4ec11e08492402e85c296ea11167c9a10d47bb39574a326168229052
SHA512 0a778a3689e0ceb42991ddaf5dd9ff8333153012e9ce771c2a1d8f7bede6be31b37f22670c705f33e6243a43d025c2065bc1970d210e4718b6d43ce4336c3ef8

memory/2300-96-0x00000000701C0000-0x000000007020C000-memory.dmp

memory/2300-97-0x0000000070340000-0x0000000070694000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 443212af60632bb117aac5c181c8feb5
SHA1 d9bc913e8560563ea0f7722c04e8549ac186fd80
SHA256 2d011e45d68fd4f16f9b264fb751cce3e51b08cede27b354fa72d8328d465ba6
SHA512 e93b861af22edf54c0b19af86cb1acbda490e88146d0bf38973b57a5aa6d44c6c61d3a0a13cfe122fa2ac8a554d20f29b39afe5cdb589885223dfd84f1f9d131

memory/1336-118-0x00000000701C0000-0x000000007020C000-memory.dmp

memory/1336-119-0x0000000070940000-0x0000000070C94000-memory.dmp

memory/5044-130-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 4c3e68699d947fc838d86fb65ae61c62
SHA1 9ebfa2b4b2d50e2fd2844edaf55b665fd8734de0
SHA256 efc73c9797822a16ff47d51a398a0dad583fe49e7326ee54c5af199032bed47e
SHA512 4bef7f426df1b8b4895cee594594049f158772cb11834786cbfe623db0a0201f83a972c620931f5b7e8dd57e80b7813eee2ffea51071dc27b7164d6b800cd133

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 22ec42a59901843883cbe6be2525eb06
SHA1 d0222c906ac6967fcc6520c7b5732ee2306a2d4a
SHA256 df988559f0ce45cfc4d8051a71cf51a740f0dfff5e680a10030b9ead4fa7b704
SHA512 355e842bf60c2e8387db649d1e9737398ed9733764321e7cdf74a7f7e6efcbb41bd9604f58155124134aa7f05899deedb47ecdb2eb16827223242e75361feb0f

memory/2424-147-0x00000000701C0000-0x000000007020C000-memory.dmp

memory/2424-148-0x0000000070340000-0x0000000070694000-memory.dmp

memory/5092-159-0x00000000057E0000-0x0000000005B34000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 09157836352a30fb08a99446856ffe60
SHA1 72a3f9b49be13a8020bc06ed432a87d9847882ae
SHA256 c7d131729ffcdafd20cbab0a089bad571389cc349ecd82f769172dee702e6b11
SHA512 563d068c648d0138a5c96d1b7b1fcac23c71a35c949091bacedf85a0572da1b0fc9b773e41c9cedb3330cfec646160a9b5840eb64206097090f382f1e33560a5

memory/5092-170-0x00000000063F0000-0x000000000643C000-memory.dmp

memory/5092-171-0x00000000700E0000-0x000000007012C000-memory.dmp

memory/5092-172-0x0000000070870000-0x0000000070BC4000-memory.dmp

memory/5092-182-0x00000000070F0000-0x0000000007193000-memory.dmp

memory/5092-183-0x00000000072D0000-0x00000000072E1000-memory.dmp

memory/5092-184-0x0000000005CB0000-0x0000000005CC4000-memory.dmp

memory/3476-195-0x00000000055B0000-0x0000000005904000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 4ef4f10a9921c00b545fb5e09a2507cd
SHA1 13eed630a81370fbd4e97d15564d0e2407697582
SHA256 5c15483b8777c71c7e2cc67ca71e328c5096d61056efc43ae67ddb3b10e5b428
SHA512 15a22b89a60df145b7b4cb1367c5fa28adf4e6d1a50bb6392af5f5b81e1f1401608932c9b6ba0f64948f444977eaafe2dbfa20e2907621279f4029cb4bdf8132

memory/5044-197-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3476-198-0x00000000700E0000-0x000000007012C000-memory.dmp

memory/3476-199-0x0000000070260000-0x00000000705B4000-memory.dmp

memory/3400-211-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/5044-217-0x00000000029D0000-0x0000000002DD4000-memory.dmp

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/4580-223-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4580-227-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3400-228-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3460-232-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3400-231-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3400-235-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3400-239-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3460-240-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3400-243-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3400-247-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3460-252-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3400-251-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3400-255-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3400-259-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3400-264-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3400-267-0x0000000000400000-0x0000000000D1C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-16 12:45

Reported

2024-05-16 12:47

Platform

win11-20240419-en

Max time kernel

149s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\efc73c9797822a16ff47d51a398a0dad583fe49e7326ee54c5af199032bed47e.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\efc73c9797822a16ff47d51a398a0dad583fe49e7326ee54c5af199032bed47e.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\efc73c9797822a16ff47d51a398a0dad583fe49e7326ee54c5af199032bed47e.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\efc73c9797822a16ff47d51a398a0dad583fe49e7326ee54c5af199032bed47e.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\efc73c9797822a16ff47d51a398a0dad583fe49e7326ee54c5af199032bed47e.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1822 = "Russia TZ 1 Standard Time" C:\Users\Admin\AppData\Local\Temp\efc73c9797822a16ff47d51a398a0dad583fe49e7326ee54c5af199032bed47e.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-891 = "Morocco Daylight Time" C:\Users\Admin\AppData\Local\Temp\efc73c9797822a16ff47d51a398a0dad583fe49e7326ee54c5af199032bed47e.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2061 = "North Korea Daylight Time" C:\Users\Admin\AppData\Local\Temp\efc73c9797822a16ff47d51a398a0dad583fe49e7326ee54c5af199032bed47e.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-962 = "Paraguay Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-3141 = "South Sudan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2632 = "Norfolk Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time" C:\Users\Admin\AppData\Local\Temp\efc73c9797822a16ff47d51a398a0dad583fe49e7326ee54c5af199032bed47e.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2322 = "Sakhalin Standard Time" C:\Users\Admin\AppData\Local\Temp\efc73c9797822a16ff47d51a398a0dad583fe49e7326ee54c5af199032bed47e.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-692 = "Tasmania Standard Time" C:\Users\Admin\AppData\Local\Temp\efc73c9797822a16ff47d51a398a0dad583fe49e7326ee54c5af199032bed47e.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-111 = "Eastern Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2042 = "Eastern Standard Time (Mexico)" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-631 = "Tokyo Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2162 = "Altai Standard Time" C:\Users\Admin\AppData\Local\Temp\efc73c9797822a16ff47d51a398a0dad583fe49e7326ee54c5af199032bed47e.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-32 = "Mid-Atlantic Standard Time" C:\Users\Admin\AppData\Local\Temp\efc73c9797822a16ff47d51a398a0dad583fe49e7326ee54c5af199032bed47e.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-682 = "E. Australia Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-211 = "Pacific Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2892 = "Sudan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2431 = "Cuba Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-462 = "Afghanistan Standard Time" C:\Users\Admin\AppData\Local\Temp\efc73c9797822a16ff47d51a398a0dad583fe49e7326ee54c5af199032bed47e.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2411 = "Marquesas Daylight Time" C:\Users\Admin\AppData\Local\Temp\efc73c9797822a16ff47d51a398a0dad583fe49e7326ee54c5af199032bed47e.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2392 = "Aleutian Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2161 = "Altai Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-162 = "Central Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-741 = "New Zealand Daylight Time" C:\Users\Admin\AppData\Local\Temp\efc73c9797822a16ff47d51a398a0dad583fe49e7326ee54c5af199032bed47e.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-132 = "US Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\efc73c9797822a16ff47d51a398a0dad583fe49e7326ee54c5af199032bed47e.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-331 = "E. Europe Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-262 = "GMT Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-911 = "Mauritius Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-932 = "Coordinated Universal Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-271 = "Greenwich Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time" C:\Users\Admin\AppData\Local\Temp\efc73c9797822a16ff47d51a398a0dad583fe49e7326ee54c5af199032bed47e.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-831 = "SA Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\efc73c9797822a16ff47d51a398a0dad583fe49e7326ee54c5af199032bed47e.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2752 = "Tomsk Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2751 = "Tomsk Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2142 = "Transbaikal Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-334 = "Jordan Daylight Time" C:\Users\Admin\AppData\Local\Temp\efc73c9797822a16ff47d51a398a0dad583fe49e7326ee54c5af199032bed47e.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1801 = "Line Islands Daylight Time" C:\Users\Admin\AppData\Local\Temp\efc73c9797822a16ff47d51a398a0dad583fe49e7326ee54c5af199032bed47e.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-161 = "Central Daylight Time" C:\Users\Admin\AppData\Local\Temp\efc73c9797822a16ff47d51a398a0dad583fe49e7326ee54c5af199032bed47e.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-981 = "Kamchatka Daylight Time" C:\Users\Admin\AppData\Local\Temp\efc73c9797822a16ff47d51a398a0dad583fe49e7326ee54c5af199032bed47e.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2451 = "Saint Pierre Daylight Time" C:\Users\Admin\AppData\Local\Temp\efc73c9797822a16ff47d51a398a0dad583fe49e7326ee54c5af199032bed47e.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-152 = "Central America Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-151 = "Central America Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-122 = "SA Pacific Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-772 = "Montevideo Standard Time" C:\Users\Admin\AppData\Local\Temp\efc73c9797822a16ff47d51a398a0dad583fe49e7326ee54c5af199032bed47e.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-792 = "SA Western Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-692 = "Tasmania Standard Time" C:\Windows\windefender.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\efc73c9797822a16ff47d51a398a0dad583fe49e7326ee54c5af199032bed47e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\efc73c9797822a16ff47d51a398a0dad583fe49e7326ee54c5af199032bed47e.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\efc73c9797822a16ff47d51a398a0dad583fe49e7326ee54c5af199032bed47e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\efc73c9797822a16ff47d51a398a0dad583fe49e7326ee54c5af199032bed47e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\efc73c9797822a16ff47d51a398a0dad583fe49e7326ee54c5af199032bed47e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\efc73c9797822a16ff47d51a398a0dad583fe49e7326ee54c5af199032bed47e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\efc73c9797822a16ff47d51a398a0dad583fe49e7326ee54c5af199032bed47e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\efc73c9797822a16ff47d51a398a0dad583fe49e7326ee54c5af199032bed47e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\efc73c9797822a16ff47d51a398a0dad583fe49e7326ee54c5af199032bed47e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\efc73c9797822a16ff47d51a398a0dad583fe49e7326ee54c5af199032bed47e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\efc73c9797822a16ff47d51a398a0dad583fe49e7326ee54c5af199032bed47e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\efc73c9797822a16ff47d51a398a0dad583fe49e7326ee54c5af199032bed47e.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\efc73c9797822a16ff47d51a398a0dad583fe49e7326ee54c5af199032bed47e.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\efc73c9797822a16ff47d51a398a0dad583fe49e7326ee54c5af199032bed47e.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2820 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\efc73c9797822a16ff47d51a398a0dad583fe49e7326ee54c5af199032bed47e.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4296 wrote to memory of 3948 N/A C:\Users\Admin\AppData\Local\Temp\efc73c9797822a16ff47d51a398a0dad583fe49e7326ee54c5af199032bed47e.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4296 wrote to memory of 1380 N/A C:\Users\Admin\AppData\Local\Temp\efc73c9797822a16ff47d51a398a0dad583fe49e7326ee54c5af199032bed47e.exe C:\Windows\system32\cmd.exe
PID 1380 wrote to memory of 1964 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4296 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\Temp\efc73c9797822a16ff47d51a398a0dad583fe49e7326ee54c5af199032bed47e.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4296 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\efc73c9797822a16ff47d51a398a0dad583fe49e7326ee54c5af199032bed47e.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4296 wrote to memory of 1604 N/A C:\Users\Admin\AppData\Local\Temp\efc73c9797822a16ff47d51a398a0dad583fe49e7326ee54c5af199032bed47e.exe C:\Windows\rss\csrss.exe
PID 1604 wrote to memory of 2152 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1604 wrote to memory of 408 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1604 wrote to memory of 5024 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1604 wrote to memory of 2040 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 4620 wrote to memory of 388 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 388 wrote to memory of 2644 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\efc73c9797822a16ff47d51a398a0dad583fe49e7326ee54c5af199032bed47e.exe

"C:\Users\Admin\AppData\Local\Temp\efc73c9797822a16ff47d51a398a0dad583fe49e7326ee54c5af199032bed47e.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\efc73c9797822a16ff47d51a398a0dad583fe49e7326ee54c5af199032bed47e.exe

"C:\Users\Admin\AppData\Local\Temp\efc73c9797822a16ff47d51a398a0dad583fe49e7326ee54c5af199032bed47e.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 b204f1a0-3ba1-472d-9aaa-342ad8f8e4d4.uuid.statsexplorer.org udp
US 8.8.8.8:53 server8.statsexplorer.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 74.125.250.129:19302 stun4.l.google.com udp
BG 185.82.216.108:443 server8.statsexplorer.org tcp
US 104.21.94.82:443 carsalessystem.com tcp
US 8.8.8.8:53 82.94.21.104.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1nyvpldx.erb.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 d0c46cad6c0778401e21910bd6b56b70
SHA1 7be418951ea96326aca445b8dfe449b2bfa0dca6
SHA256 9600b3fdf0565ccb49e21656aa4b24d7c18f776bfd04d9ee984b134707550f02
SHA512 057531b468f7fbbb2175a696a8aab274dec0d17d9f71df309edcff35e064f3378050066a3df47ccd03048fac461594ec75e3d4fe64f9dd79949d129f51e02949

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 80e1a915451a7b226f1bf515e35dbb5c
SHA1 22b2789b5a0d5e6881a0bce143935f86ad67e2d5
SHA256 0c346b8777f91ca1cdf6f9ede10b908960a42455621dd6788413dee749465321
SHA512 f25be1cda4d3dcbe18b84007969a3929923110f7358501662262fb4deabfd705056bd22018eee951761ed93d61f8796327a7d00b5f45c14e2a053e12fde30db2

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 007ef75c2d387c2c7d67609af46773d0
SHA1 b9893d58fdfc620027e577e4e1b2ade7c11b5930
SHA256 f4544fa5ce5c1b45bdf4910a2d417b307743aea6cf1c01e2318b5578cd87151f
SHA512 b2cf8721a7cebde2e5d03c07afaee14d1f5969a4e44c7bc72b0f8a375010391723bb4e4a010e1abee80c6d8a856cc4d33837ec1f4c79b6c5afd97f030df7bb49

C:\Windows\rss\csrss.exe

MD5 4c3e68699d947fc838d86fb65ae61c62
SHA1 9ebfa2b4b2d50e2fd2844edaf55b665fd8734de0
SHA256 efc73c9797822a16ff47d51a398a0dad583fe49e7326ee54c5af199032bed47e
SHA512 4bef7f426df1b8b4895cee594594049f158772cb11834786cbfe623db0a0201f83a972c620931f5b7e8dd57e80b7813eee2ffea51071dc27b7164d6b800cd133

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 fd0d594cb88d6a0c83031c532affe808
SHA1 0d83891dfbec4744c6919b3673c6f15355ff87f6
SHA256 d8cf92ee5aed2f8c606014e1de95c9ed3bdd88f3d4f1be2267c1189de0289ab8
SHA512 96fbcaadb82c774d5a533752ee6c65b0f18ba3a64f8181dafd0bcaa5b57abf7ecb50ed079f4293106e83b02b9cc87aab464a6b19f62d29d66129adb6cebc6289

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 9964a12d9999613f3d4d196ce3dafe6b
SHA1 791df7c2b192af2b1c7f38d5d52c708a3b79b261
SHA256 3c8e2f1667d7426be12cb8de36e9e0f0ff1a391e07cc3fbf91e3b4d4a5026def
SHA512 8319fbcac05fc61d78c4f6b6f913eb762d208671b3dd9e0ca348955f1c3a59f5a7a1ffc7e67081be98c26f9e5ad69de8113b4f8ec8492e241422c5bf98182b73

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 bf2cd4e2449bf46a69e890e0fd66ecd2
SHA1 47403ac91525581a55799ac0905bee30282ef050
SHA256 406879b4ca08c2db6e66ed4c7c958177bdec7d5c8784ffcd9ad81466167d0eb6
SHA512 569e4debbd0bf3acf15f939d14fb93d93f8907af923bd2527a3e24efc4f878a1c6c32a90fd2cd05258bad501156953d7b96e81176eb87c397ebb1a3990fba083

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec
