Malware Analysis Report

2024-12-08 02:16

Sample ID 240516-pykhgsdb4w
Target 52dcbfeeda2cf24e263bc50e6e426ecca5c13bef512c09dc4eb015f61b970167
SHA256 52dcbfeeda2cf24e263bc50e6e426ecca5c13bef512c09dc4eb015f61b970167
Tags
glupteba discovery dropper evasion execution loader persistence upx rootkit
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

52dcbfeeda2cf24e263bc50e6e426ecca5c13bef512c09dc4eb015f61b970167

Threat Level: Known bad

The file 52dcbfeeda2cf24e263bc50e6e426ecca5c13bef512c09dc4eb015f61b970167 was found to be: Known bad.

Malicious Activity Summary

glupteba discovery dropper evasion execution loader persistence upx rootkit

Glupteba

Glupteba payload

Modifies Windows Firewall

Executes dropped EXE

UPX packed file

Manipulates WinMonFS driver

Adds Run key to start application

Checks installed software on the system

Drops file in System32 directory

Drops file in Windows directory

Launches sc.exe

Checks for VirtualBox DLLs, possible anti-VM trick

Command and Scripting Interpreter: PowerShell

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

Modifies data under HKEY_USERS

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-16 12:44

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-16 12:44

Reported

2024-05-16 12:46

Platform

win11-20240426-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\52dcbfeeda2cf24e263bc50e6e426ecca5c13bef512c09dc4eb015f61b970167.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\52dcbfeeda2cf24e263bc50e6e426ecca5c13bef512c09dc4eb015f61b970167.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\52dcbfeeda2cf24e263bc50e6e426ecca5c13bef512c09dc4eb015f61b970167.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\52dcbfeeda2cf24e263bc50e6e426ecca5c13bef512c09dc4eb015f61b970167.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\52dcbfeeda2cf24e263bc50e6e426ecca5c13bef512c09dc4eb015f61b970167.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-242 = "Samoa Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1912 = "Russia TZ 10 Standard Time" C:\Users\Admin\AppData\Local\Temp\52dcbfeeda2cf24e263bc50e6e426ecca5c13bef512c09dc4eb015f61b970167.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2001 = "Cabo Verde Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1412 = "Syria Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-332 = "E. Europe Standard Time" C:\Users\Admin\AppData\Local\Temp\52dcbfeeda2cf24e263bc50e6e426ecca5c13bef512c09dc4eb015f61b970167.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-41 = "E. South America Daylight Time" C:\Users\Admin\AppData\Local\Temp\52dcbfeeda2cf24e263bc50e6e426ecca5c13bef512c09dc4eb015f61b970167.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-31 = "Mid-Atlantic Daylight Time" C:\Users\Admin\AppData\Local\Temp\52dcbfeeda2cf24e263bc50e6e426ecca5c13bef512c09dc4eb015f61b970167.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2161 = "Altai Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1661 = "Bahia Daylight Time" C:\Users\Admin\AppData\Local\Temp\52dcbfeeda2cf24e263bc50e6e426ecca5c13bef512c09dc4eb015f61b970167.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time" C:\Users\Admin\AppData\Local\Temp\52dcbfeeda2cf24e263bc50e6e426ecca5c13bef512c09dc4eb015f61b970167.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-302 = "Romance Standard Time" C:\Users\Admin\AppData\Local\Temp\52dcbfeeda2cf24e263bc50e6e426ecca5c13bef512c09dc4eb015f61b970167.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1662 = "Bahia Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-191 = "Mountain Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2841 = "Saratov Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-222 = "Alaskan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-832 = "SA Eastern Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-392 = "Arab Standard Time" C:\Users\Admin\AppData\Local\Temp\52dcbfeeda2cf24e263bc50e6e426ecca5c13bef512c09dc4eb015f61b970167.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-105 = "Central Brazilian Standard Time" C:\Users\Admin\AppData\Local\Temp\52dcbfeeda2cf24e263bc50e6e426ecca5c13bef512c09dc4eb015f61b970167.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-72 = "Newfoundland Standard Time" C:\Users\Admin\AppData\Local\Temp\52dcbfeeda2cf24e263bc50e6e426ecca5c13bef512c09dc4eb015f61b970167.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-382 = "South Africa Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1662 = "Bahia Standard Time" C:\Users\Admin\AppData\Local\Temp\52dcbfeeda2cf24e263bc50e6e426ecca5c13bef512c09dc4eb015f61b970167.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-51 = "Greenland Daylight Time" C:\Users\Admin\AppData\Local\Temp\52dcbfeeda2cf24e263bc50e6e426ecca5c13bef512c09dc4eb015f61b970167.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-271 = "Greenwich Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-432 = "Iran Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-842 = "Argentina Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-342 = "Egypt Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-912 = "Mauritius Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2791 = "Novosibirsk Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-341 = "Egypt Daylight Time" C:\Users\Admin\AppData\Local\Temp\52dcbfeeda2cf24e263bc50e6e426ecca5c13bef512c09dc4eb015f61b970167.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-3052 = "Qyzylorda Standard Time" C:\Users\Admin\AppData\Local\Temp\52dcbfeeda2cf24e263bc50e6e426ecca5c13bef512c09dc4eb015f61b970167.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-3141 = "South Sudan Daylight Time" C:\Users\Admin\AppData\Local\Temp\52dcbfeeda2cf24e263bc50e6e426ecca5c13bef512c09dc4eb015f61b970167.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2631 = "Norfolk Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-392 = "Arab Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2002 = "Cabo Verde Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-262 = "GMT Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-622 = "Korea Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2371 = "Easter Island Daylight Time" C:\Users\Admin\AppData\Local\Temp\52dcbfeeda2cf24e263bc50e6e426ecca5c13bef512c09dc4eb015f61b970167.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-541 = "Myanmar Daylight Time" C:\Users\Admin\AppData\Local\Temp\52dcbfeeda2cf24e263bc50e6e426ecca5c13bef512c09dc4eb015f61b970167.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1411 = "Syria Daylight Time" C:\Users\Admin\AppData\Local\Temp\52dcbfeeda2cf24e263bc50e6e426ecca5c13bef512c09dc4eb015f61b970167.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-202 = "US Mountain Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\52dcbfeeda2cf24e263bc50e6e426ecca5c13bef512c09dc4eb015f61b970167.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-442 = "Arabian Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1042 = "Ulaanbaatar Standard Time" C:\Windows\windefender.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\52dcbfeeda2cf24e263bc50e6e426ecca5c13bef512c09dc4eb015f61b970167.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4468 wrote to memory of 1148 N/A C:\Users\Admin\AppData\Local\Temp\52dcbfeeda2cf24e263bc50e6e426ecca5c13bef512c09dc4eb015f61b970167.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2432 wrote to memory of 1792 N/A C:\Users\Admin\AppData\Local\Temp\52dcbfeeda2cf24e263bc50e6e426ecca5c13bef512c09dc4eb015f61b970167.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2432 wrote to memory of 648 N/A C:\Users\Admin\AppData\Local\Temp\52dcbfeeda2cf24e263bc50e6e426ecca5c13bef512c09dc4eb015f61b970167.exe C:\Windows\system32\cmd.exe
PID 648 wrote to memory of 3916 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2432 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Local\Temp\52dcbfeeda2cf24e263bc50e6e426ecca5c13bef512c09dc4eb015f61b970167.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2432 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\Temp\52dcbfeeda2cf24e263bc50e6e426ecca5c13bef512c09dc4eb015f61b970167.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2432 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\52dcbfeeda2cf24e263bc50e6e426ecca5c13bef512c09dc4eb015f61b970167.exe C:\Windows\rss\csrss.exe
PID 1792 wrote to memory of 788 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 788 wrote to memory of 2928 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\52dcbfeeda2cf24e263bc50e6e426ecca5c13bef512c09dc4eb015f61b970167.exe

"C:\Users\Admin\AppData\Local\Temp\52dcbfeeda2cf24e263bc50e6e426ecca5c13bef512c09dc4eb015f61b970167.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\52dcbfeeda2cf24e263bc50e6e426ecca5c13bef512c09dc4eb015f61b970167.exe

"C:\Users\Admin\AppData\Local\Temp\52dcbfeeda2cf24e263bc50e6e426ecca5c13bef512c09dc4eb015f61b970167.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 5b080d26-f396-4ba5-9744-e6f41f327d37.uuid.localstats.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 server3.localstats.org udp
BG 185.82.216.111:443 server3.localstats.org tcp
US 74.125.250.129:19302 stun2.l.google.com udp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 104.21.94.82:443 carsalessystem.com tcp

Files

memory/4468-1-0x0000000002A20000-0x0000000002E1E000-memory.dmp

memory/4468-2-0x0000000002E20000-0x000000000370B000-memory.dmp

memory/4468-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1148-4-0x0000000073E7E000-0x0000000073E7F000-memory.dmp

memory/1148-5-0x00000000025F0000-0x0000000002626000-memory.dmp

memory/1148-6-0x0000000004DA0000-0x00000000053CA000-memory.dmp

memory/1148-7-0x0000000073E70000-0x0000000074621000-memory.dmp

memory/1148-8-0x0000000073E70000-0x0000000074621000-memory.dmp

memory/1148-9-0x0000000004BD0000-0x0000000004BF2000-memory.dmp

memory/1148-10-0x00000000054D0000-0x0000000005536000-memory.dmp

memory/1148-11-0x0000000005540000-0x00000000055A6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3mgypodr.au3.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 d0c46cad6c0778401e21910bd6b56b70
SHA1 7be418951ea96326aca445b8dfe449b2bfa0dca6
SHA256 9600b3fdf0565ccb49e21656aa4b24d7c18f776bfd04d9ee984b134707550f02
SHA512 057531b468f7fbbb2175a696a8aab274dec0d17d9f71df309edcff35e064f3378050066a3df47ccd03048fac461594ec75e3d4fe64f9dd79949d129f51e02949

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 0a1c03735cb6db6a619c8f69a1e04c4d
SHA1 e2af6e53fbb8bd447eeab1377fc8119f77384e43
SHA256 38cc11a8bef5b223a2bad45566f434ec7699c58dc03b45e91e0f941a9deb6a7a
SHA512 a806d2a636421bbb9b39e8d6c7b43da9640774872ea4efd8f9da6af5e3522d81e845d0ecee147767451184c3b5c2e2ffce83dc4c54101ab4f268b13e1d604b23

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 824f7780c3e3a0f0ccdff1c80f060a84
SHA1 e24d3c7da6ad17e8aa8e07c17fb0d6a77e73a8fb
SHA256 3cd7897db6155abaf2396b7cca7e13595a56c6452edf6f3063593bbc1f8da98e
SHA512 ac1d54c08d047ee0dea49db3e0215ec6a12d788f74fc676ff705172bc4aa8be5c680e200f0eb234cf07646f4df741a3beb310a380c4db41dabae19ad248cbe98

C:\Windows\rss\csrss.exe

MD5 7004fc2e943d77641b824abcc8fbda73
SHA1 40ed6b5c1967de4a824ef0865f2037228129cd3f
SHA256 52dcbfeeda2cf24e263bc50e6e426ecca5c13bef512c09dc4eb015f61b970167
SHA512 26ed8ee8fe7209faa8a42291e3286884899bf91a885a6ebf1d529e6db16de8ce23f680499875969dfab5bc28baf1cbe1fd3c08395fabb364956d7ea7a5e5835d

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 f4769325abf606a48e6a7a4753b24e7e
SHA1 dc45a170e4f3a03cbb93d8f9722ad82b2c33c4a0
SHA256 414001d14f1b8d08e15ae25b74107b058370bcbf449a5e598a99ef0e276cad1e
SHA512 b64a11b3f212926e48b54478f3ea39dbf371461a406af4cac04a5982d4a0614b40505f0d9961ae1d29e98fb4f2d3b6f07f1501b8788818951d4afaaa6d5de139

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 c661aaf2668f8116cbb3f28f780e2321
SHA1 9ff4b83382dfaf26b271c7e48a8aea7ccc5fe909
SHA256 c5accc3006bc7e8e2f28711881e570d2c05ca1988fa2bb633394872c3ca0481f
SHA512 f9e5688df81276fff0cec4d662397480fe5d4211f861c64d8db85be77effe0924d1b2a5247f44c38e7133d8e7a80f4460964fcd5bd4dea5cb5869a3d92ffa8a7

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 e177f6df30b51cb131cf2fed28ecbd46
SHA1 f8fab368ed9a4ca127701d25a44bd36acd4f1bbd
SHA256 313cd2f81f867caff6138cbf3cf7fbfa792d89a7c478b6a0da5ddaa0af8a5e33
SHA512 8c40905063303201e7186540b4b7b730134166655b5af6117c3d28ca16d95f96bc73c007d05c1e96f4febefd89b7c8028a8bd077dff075c1d54024269baf35fc

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-16 12:44

Reported

2024-05-16 12:46

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\52dcbfeeda2cf24e263bc50e6e426ecca5c13bef512c09dc4eb015f61b970167.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\52dcbfeeda2cf24e263bc50e6e426ecca5c13bef512c09dc4eb015f61b970167.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\52dcbfeeda2cf24e263bc50e6e426ecca5c13bef512c09dc4eb015f61b970167.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\52dcbfeeda2cf24e263bc50e6e426ecca5c13bef512c09dc4eb015f61b970167.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\52dcbfeeda2cf24e263bc50e6e426ecca5c13bef512c09dc4eb015f61b970167.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-271 = "Greenwich Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-732 = "Fiji Standard Time" C:\Users\Admin\AppData\Local\Temp\52dcbfeeda2cf24e263bc50e6e426ecca5c13bef512c09dc4eb015f61b970167.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-431 = "Iran Daylight Time" C:\Users\Admin\AppData\Local\Temp\52dcbfeeda2cf24e263bc50e6e426ecca5c13bef512c09dc4eb015f61b970167.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2062 = "North Korea Standard Time" C:\Users\Admin\AppData\Local\Temp\52dcbfeeda2cf24e263bc50e6e426ecca5c13bef512c09dc4eb015f61b970167.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-211 = "Pacific Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2432 = "Cuba Standard Time" C:\Users\Admin\AppData\Local\Temp\52dcbfeeda2cf24e263bc50e6e426ecca5c13bef512c09dc4eb015f61b970167.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2791 = "Novosibirsk Daylight Time" C:\Users\Admin\AppData\Local\Temp\52dcbfeeda2cf24e263bc50e6e426ecca5c13bef512c09dc4eb015f61b970167.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-441 = "Arabian Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-251 = "Dateline Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-192 = "Mountain Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-132 = "US Eastern Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-562 = "SE Asia Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-261 = "GMT Daylight Time" C:\Users\Admin\AppData\Local\Temp\52dcbfeeda2cf24e263bc50e6e426ecca5c13bef512c09dc4eb015f61b970167.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2892 = "Sudan Standard Time" C:\Users\Admin\AppData\Local\Temp\52dcbfeeda2cf24e263bc50e6e426ecca5c13bef512c09dc4eb015f61b970167.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-291 = "Central European Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2451 = "Saint Pierre Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-222 = "Alaskan Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-512 = "Central Asia Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-981 = "Kamchatka Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-392 = "Arab Standard Time" C:\Users\Admin\AppData\Local\Temp\52dcbfeeda2cf24e263bc50e6e426ecca5c13bef512c09dc4eb015f61b970167.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2001 = "Cabo Verde Daylight Time" C:\Users\Admin\AppData\Local\Temp\52dcbfeeda2cf24e263bc50e6e426ecca5c13bef512c09dc4eb015f61b970167.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-872 = "Pakistan Standard Time" C:\Users\Admin\AppData\Local\Temp\52dcbfeeda2cf24e263bc50e6e426ecca5c13bef512c09dc4eb015f61b970167.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1501 = "Turkey Daylight Time" C:\Users\Admin\AppData\Local\Temp\52dcbfeeda2cf24e263bc50e6e426ecca5c13bef512c09dc4eb015f61b970167.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-891 = "Morocco Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-371 = "Jerusalem Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-432 = "Iran Standard Time" C:\Users\Admin\AppData\Local\Temp\52dcbfeeda2cf24e263bc50e6e426ecca5c13bef512c09dc4eb015f61b970167.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-352 = "FLE Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-385 = "Namibia Standard Time" C:\Users\Admin\AppData\Local\Temp\52dcbfeeda2cf24e263bc50e6e426ecca5c13bef512c09dc4eb015f61b970167.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-981 = "Kamchatka Daylight Time" C:\Users\Admin\AppData\Local\Temp\52dcbfeeda2cf24e263bc50e6e426ecca5c13bef512c09dc4eb015f61b970167.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-282 = "Central Europe Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2411 = "Marquesas Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-141 = "Canada Central Daylight Time" C:\Users\Admin\AppData\Local\Temp\52dcbfeeda2cf24e263bc50e6e426ecca5c13bef512c09dc4eb015f61b970167.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-451 = "Caucasus Daylight Time" C:\Users\Admin\AppData\Local\Temp\52dcbfeeda2cf24e263bc50e6e426ecca5c13bef512c09dc4eb015f61b970167.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1862 = "Russia TZ 6 Standard Time" C:\Users\Admin\AppData\Local\Temp\52dcbfeeda2cf24e263bc50e6e426ecca5c13bef512c09dc4eb015f61b970167.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-592 = "Malay Peninsula Standard Time" C:\Users\Admin\AppData\Local\Temp\52dcbfeeda2cf24e263bc50e6e426ecca5c13bef512c09dc4eb015f61b970167.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2751 = "Tomsk Daylight Time" C:\Users\Admin\AppData\Local\Temp\52dcbfeeda2cf24e263bc50e6e426ecca5c13bef512c09dc4eb015f61b970167.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-841 = "Argentina Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-222 = "Alaskan Standard Time" C:\Users\Admin\AppData\Local\Temp\52dcbfeeda2cf24e263bc50e6e426ecca5c13bef512c09dc4eb015f61b970167.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2512 = "Lord Howe Standard Time" C:\Users\Admin\AppData\Local\Temp\52dcbfeeda2cf24e263bc50e6e426ecca5c13bef512c09dc4eb015f61b970167.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2511 = "Lord Howe Daylight Time" C:\Users\Admin\AppData\Local\Temp\52dcbfeeda2cf24e263bc50e6e426ecca5c13bef512c09dc4eb015f61b970167.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\52dcbfeeda2cf24e263bc50e6e426ecca5c13bef512c09dc4eb015f61b970167.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\52dcbfeeda2cf24e263bc50e6e426ecca5c13bef512c09dc4eb015f61b970167.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\52dcbfeeda2cf24e263bc50e6e426ecca5c13bef512c09dc4eb015f61b970167.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\52dcbfeeda2cf24e263bc50e6e426ecca5c13bef512c09dc4eb015f61b970167.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\52dcbfeeda2cf24e263bc50e6e426ecca5c13bef512c09dc4eb015f61b970167.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\52dcbfeeda2cf24e263bc50e6e426ecca5c13bef512c09dc4eb015f61b970167.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\52dcbfeeda2cf24e263bc50e6e426ecca5c13bef512c09dc4eb015f61b970167.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\52dcbfeeda2cf24e263bc50e6e426ecca5c13bef512c09dc4eb015f61b970167.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\52dcbfeeda2cf24e263bc50e6e426ecca5c13bef512c09dc4eb015f61b970167.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\52dcbfeeda2cf24e263bc50e6e426ecca5c13bef512c09dc4eb015f61b970167.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\52dcbfeeda2cf24e263bc50e6e426ecca5c13bef512c09dc4eb015f61b970167.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\52dcbfeeda2cf24e263bc50e6e426ecca5c13bef512c09dc4eb015f61b970167.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\52dcbfeeda2cf24e263bc50e6e426ecca5c13bef512c09dc4eb015f61b970167.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\52dcbfeeda2cf24e263bc50e6e426ecca5c13bef512c09dc4eb015f61b970167.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2284 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\52dcbfeeda2cf24e263bc50e6e426ecca5c13bef512c09dc4eb015f61b970167.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2284 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\52dcbfeeda2cf24e263bc50e6e426ecca5c13bef512c09dc4eb015f61b970167.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2284 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\52dcbfeeda2cf24e263bc50e6e426ecca5c13bef512c09dc4eb015f61b970167.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3332 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\52dcbfeeda2cf24e263bc50e6e426ecca5c13bef512c09dc4eb015f61b970167.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3332 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\52dcbfeeda2cf24e263bc50e6e426ecca5c13bef512c09dc4eb015f61b970167.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3332 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\52dcbfeeda2cf24e263bc50e6e426ecca5c13bef512c09dc4eb015f61b970167.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3332 wrote to memory of 4328 N/A C:\Users\Admin\AppData\Local\Temp\52dcbfeeda2cf24e263bc50e6e426ecca5c13bef512c09dc4eb015f61b970167.exe C:\Windows\system32\cmd.exe
PID 3332 wrote to memory of 4328 N/A C:\Users\Admin\AppData\Local\Temp\52dcbfeeda2cf24e263bc50e6e426ecca5c13bef512c09dc4eb015f61b970167.exe C:\Windows\system32\cmd.exe
PID 4328 wrote to memory of 4884 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4328 wrote to memory of 4884 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3332 wrote to memory of 4360 N/A C:\Users\Admin\AppData\Local\Temp\52dcbfeeda2cf24e263bc50e6e426ecca5c13bef512c09dc4eb015f61b970167.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3332 wrote to memory of 4360 N/A C:\Users\Admin\AppData\Local\Temp\52dcbfeeda2cf24e263bc50e6e426ecca5c13bef512c09dc4eb015f61b970167.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3332 wrote to memory of 4360 N/A C:\Users\Admin\AppData\Local\Temp\52dcbfeeda2cf24e263bc50e6e426ecca5c13bef512c09dc4eb015f61b970167.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3332 wrote to memory of 4348 N/A C:\Users\Admin\AppData\Local\Temp\52dcbfeeda2cf24e263bc50e6e426ecca5c13bef512c09dc4eb015f61b970167.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3332 wrote to memory of 4348 N/A C:\Users\Admin\AppData\Local\Temp\52dcbfeeda2cf24e263bc50e6e426ecca5c13bef512c09dc4eb015f61b970167.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3332 wrote to memory of 4348 N/A C:\Users\Admin\AppData\Local\Temp\52dcbfeeda2cf24e263bc50e6e426ecca5c13bef512c09dc4eb015f61b970167.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3332 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\52dcbfeeda2cf24e263bc50e6e426ecca5c13bef512c09dc4eb015f61b970167.exe C:\Windows\rss\csrss.exe
PID 3332 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\52dcbfeeda2cf24e263bc50e6e426ecca5c13bef512c09dc4eb015f61b970167.exe C:\Windows\rss\csrss.exe
PID 3332 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\52dcbfeeda2cf24e263bc50e6e426ecca5c13bef512c09dc4eb015f61b970167.exe C:\Windows\rss\csrss.exe
PID 2772 wrote to memory of 3316 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2772 wrote to memory of 3316 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2772 wrote to memory of 3316 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2772 wrote to memory of 4908 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2772 wrote to memory of 4908 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2772 wrote to memory of 4908 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2772 wrote to memory of 2708 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2772 wrote to memory of 2708 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2772 wrote to memory of 2708 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2772 wrote to memory of 3656 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 2772 wrote to memory of 3656 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 1572 wrote to memory of 3228 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 1572 wrote to memory of 3228 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 1572 wrote to memory of 3228 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 3228 wrote to memory of 4388 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 3228 wrote to memory of 4388 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 3228 wrote to memory of 4388 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\52dcbfeeda2cf24e263bc50e6e426ecca5c13bef512c09dc4eb015f61b970167.exe

"C:\Users\Admin\AppData\Local\Temp\52dcbfeeda2cf24e263bc50e6e426ecca5c13bef512c09dc4eb015f61b970167.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\52dcbfeeda2cf24e263bc50e6e426ecca5c13bef512c09dc4eb015f61b970167.exe

"C:\Users\Admin\AppData\Local\Temp\52dcbfeeda2cf24e263bc50e6e426ecca5c13bef512c09dc4eb015f61b970167.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe
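The `sc sdset WinDefender ...` command above rewrites the service's security descriptor. Read in SDDL, the Administrators (BA) allow ACE has had the WP (SERVICE_STOP) and DT (SERVICE_PAUSE_CONTINUE) rights removed and an explicit deny ACE `(D;;WPDT;;;BA)` added, so a local administrator can no longer stop or pause the service while Local System (SY) still can. The decoder below is an added example, not code from the report, that parses the string from the command line above into named service rights, computes each trustee's effective rights, and compares against a typical default service DACL that is constructed here as a baseline assumption.

```python
"""Decode the SDDL string given to `sc sdset` and report who can stop the service
(added example)."""
import re

# Generic ACE right letters as the Service Control Manager interprets them.
RIGHTS = {
    "CC": (0x00001, "SERVICE_QUERY_CONFIG"),
    "DC": (0x00002, "SERVICE_CHANGE_CONFIG"),
    "LC": (0x00004, "SERVICE_QUERY_STATUS"),
    "SW": (0x00008, "SERVICE_ENUMERATE_DEPENDENTS"),
    "RP": (0x00010, "SERVICE_START"),
    "WP": (0x00020, "SERVICE_STOP"),
    "DT": (0x00040, "SERVICE_PAUSE_CONTINUE"),
    "LO": (0x00080, "SERVICE_INTERROGATE"),
    "CR": (0x00100, "SERVICE_USER_DEFINED_CONTROL"),
    "SD": (0x10000, "DELETE"),
    "RC": (0x20000, "READ_CONTROL"),
    "WD": (0x40000, "WRITE_DAC"),
    "WO": (0x80000, "WRITE_OWNER"),
}
TRUSTEES = {"SY": "Local System", "BA": "Administrators", "IU": "Interactive users",
            "SU": "Service logon users", "WD": "Everyone"}
ACE_TYPES = {"A": "allow", "D": "deny", "AU": "audit"}

# The string from the report's sc.exe command line.
GLUPTEBA_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)"
                 "(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
                 "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
# Constructed baseline: the descriptor a freshly created service usually carries.
DEFAULT_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
                "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
                "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")

SECTION_RE = re.compile(r"(D|S):((?:\([^)]*\))*)")
ACE_RE = re.compile(r"\((\w+);(\w*);(\w*);(\w*);(\w*);(\w+)\)")


def parse_sddl(sddl):
    """Return {'D': [ace, ...], 'S': [ace, ...]} with rights split into 2-letter names."""
    out = {"D": [], "S": []}
    for section, body in SECTION_RE.findall(sddl):
        for ace_type, flags, rights, _obj, _inh, sid in ACE_RE.findall(body):
            names = [rights[i:i + 2] for i in range(0, len(rights), 2)]
            unknown = [n for n in names if n not in RIGHTS]
            if unknown:
                raise ValueError(f"unknown right(s) {unknown} in {rights!r}")
            out[section].append({
                "type": ACE_TYPES.get(ace_type, ace_type), "flags": flags,
                "rights": set(names), "mask": sum(RIGHTS[n][0] for n in names),
                "trustee": TRUSTEES.get(sid, sid)})
    return out


def effective_rights(dacl):
    """Per trustee: allowed rights minus denied rights (a deny ACE always wins)."""
    allowed, denied = {}, {}
    for ace in dacl:
        bucket = {"allow": allowed, "deny": denied}.get(ace["type"])
        if bucket is not None:
            bucket.setdefault(ace["trustee"], set()).update(ace["rights"])
    return {t: allowed.get(t, set()) - denied.get(t, set())
            for t in set(allowed) | set(denied)}


def can_stop(sddl, trustee="Administrators"):
    """True if the trustee ends up with SERVICE_STOP on the service."""
    return "WP" in effective_rights(parse_sddl(sddl)["D"]).get(trustee, set())


def explain(sddl):
    """One readable line per DACL ACE: type, trustee, mask, named rights."""
    lines = []
    for ace in parse_sddl(sddl)["D"]:
        named = ", ".join(RIGHTS[r][1] for r in sorted(ace["rights"], key=lambda r: RIGHTS[r][0]))
        lines.append(f"{ace['type']:5} {ace['trustee']:20} 0x{ace['mask']:05X} {named}")
    return lines


if __name__ == "__main__":
    print("\n".join(explain(GLUPTEBA_SDDL)))
    print("Administrators can stop:", can_stop(GLUPTEBA_SDDL))
    print("Local System can stop:  ", can_stop(GLUPTEBA_SDDL, "Local System"))
```

Worth noting for response: the rewritten DACL still grants Administrators WRITE_DAC (WD) and SERVICE_CHANGE_CONFIG (DC), so an elevated responder can reset the descriptor with `sc sdset` (or change the start type) before stopping the service; the deny only blocks the stop and pause controls themselves.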

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 ffea5e1b-59ba-43d9-b9dc-6e8301244761.uuid.localstats.org udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 stun1.l.google.com udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 server16.localstats.org udp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 74.125.250.129:19302 stun1.l.google.com udp
BG 185.82.216.111:443 server16.localstats.org tcp
US 8.8.8.8:53 carsalessystem.com udp
US 104.21.94.82:443 carsalessystem.com tcp
US 8.8.8.8:53 129.250.125.74.in-addr.arpa udp
US 8.8.8.8:53 233.135.159.162.in-addr.arpa udp
US 8.8.8.8:53 111.216.82.185.in-addr.arpa udp
US 8.8.8.8:53 82.94.21.104.in-addr.arpa udp
BG 185.82.216.111:443 server16.localstats.org tcp
BG 185.82.216.111:443 server16.localstats.org tcp
US 52.111.229.43:443 tcp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
BG 185.82.216.111:443 server16.localstats.org tcp

Files

memory/2284-1-0x0000000002980000-0x0000000002D81000-memory.dmp

memory/2284-2-0x0000000002D90000-0x000000000367B000-memory.dmp

memory/2284-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2488-4-0x0000000074AEE000-0x0000000074AEF000-memory.dmp

memory/2488-5-0x0000000004EF0000-0x0000000004F26000-memory.dmp

memory/2488-6-0x0000000074AE0000-0x0000000075290000-memory.dmp

memory/2488-7-0x0000000005640000-0x0000000005C68000-memory.dmp

memory/2488-8-0x0000000005520000-0x0000000005542000-memory.dmp

memory/2488-9-0x0000000005E20000-0x0000000005E86000-memory.dmp

memory/2488-10-0x0000000005E90000-0x0000000005EF6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0lvfz3vo.1gy.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2488-20-0x0000000005F00000-0x0000000006254000-memory.dmp

memory/2488-21-0x00000000064D0000-0x00000000064EE000-memory.dmp

memory/2488-22-0x0000000006520000-0x000000000656C000-memory.dmp

memory/2488-23-0x0000000006A40000-0x0000000006A84000-memory.dmp

memory/2488-24-0x0000000007810000-0x0000000007886000-memory.dmp

memory/2488-25-0x0000000007F10000-0x000000000858A000-memory.dmp

memory/2488-26-0x0000000007890000-0x00000000078AA000-memory.dmp

memory/2488-28-0x0000000070980000-0x00000000709CC000-memory.dmp

memory/2488-29-0x0000000074AE0000-0x0000000075290000-memory.dmp

memory/2488-27-0x0000000007A50000-0x0000000007A82000-memory.dmp

memory/2488-30-0x0000000071100000-0x0000000071454000-memory.dmp

memory/2488-41-0x0000000007AB0000-0x0000000007B53000-memory.dmp

memory/2488-40-0x0000000007A90000-0x0000000007AAE000-memory.dmp

memory/2488-42-0x0000000074AE0000-0x0000000075290000-memory.dmp

memory/2488-43-0x0000000007BA0000-0x0000000007BAA000-memory.dmp

memory/2488-44-0x0000000007C60000-0x0000000007CF6000-memory.dmp

memory/2488-45-0x0000000007BC0000-0x0000000007BD1000-memory.dmp

memory/2488-46-0x0000000007C00000-0x0000000007C0E000-memory.dmp

memory/2488-47-0x0000000007C10000-0x0000000007C24000-memory.dmp

memory/2488-48-0x0000000007D00000-0x0000000007D1A000-memory.dmp

memory/2488-49-0x0000000007C50000-0x0000000007C58000-memory.dmp

memory/2488-52-0x0000000074AE0000-0x0000000075290000-memory.dmp

memory/3332-54-0x0000000002950000-0x0000000002D4B000-memory.dmp

memory/3332-55-0x0000000002D50000-0x000000000363B000-memory.dmp

memory/1956-65-0x0000000070980000-0x00000000709CC000-memory.dmp

memory/1956-66-0x0000000071100000-0x0000000071454000-memory.dmp

memory/1956-76-0x00000000072B0000-0x0000000007353000-memory.dmp

memory/2284-78-0x0000000002980000-0x0000000002D81000-memory.dmp

memory/2284-79-0x0000000002D90000-0x000000000367B000-memory.dmp

memory/2284-77-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1956-80-0x00000000077A0000-0x00000000077B1000-memory.dmp

memory/1956-81-0x00000000077F0000-0x0000000007804000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 3d086a433708053f9bf9523e1d87a4e8
SHA1 b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA256 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 7ccd965c0e6381a969a836a11664b847
SHA1 4d2471f4dabff925667c71601188f219695f10b9
SHA256 1635df41da814c2ca2056b437d682079d044d7eae422d6bd62e7ed2a084cd3cc
SHA512 5791b976bd58be6ff11ec633263087cabf5ea42f9295dada4a237e485e4f6253498dbf04c623fce970f7667a857a4118b7c0ed490438e6005581c95e4877c2ca

memory/4360-95-0x0000000070980000-0x00000000709CC000-memory.dmp

memory/4360-96-0x0000000071100000-0x0000000071454000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 8e52c2cf3718b5f9306702ffa1a6fd5f
SHA1 45927e3f401803b2baaf18b7710049fba3bd08d2
SHA256 498302fda3bb51cc974fdfec33832b84d833cf13bd1532edff54ddd319b498f8
SHA512 13224c4a8c4677dcbcc02d830e92748b81a8cef7b2d503a4ad4b88782e4f81ccb913f65c7206987a8a3a73dba10558926c7e928ed772a84f930dff3764f03234

memory/4348-117-0x0000000070980000-0x00000000709CC000-memory.dmp

memory/4348-118-0x0000000071100000-0x0000000071454000-memory.dmp

memory/3332-128-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 7004fc2e943d77641b824abcc8fbda73
SHA1 40ed6b5c1967de4a824ef0865f2037228129cd3f
SHA256 52dcbfeeda2cf24e263bc50e6e426ecca5c13bef512c09dc4eb015f61b970167
SHA512 26ed8ee8fe7209faa8a42291e3286884899bf91a885a6ebf1d529e6db16de8ce23f680499875969dfab5bc28baf1cbe1fd3c08395fabb364956d7ea7a5e5835d

memory/3316-144-0x0000000006190000-0x00000000064E4000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 3e1ed4a39a2797f4c8584f600f7e86e8
SHA1 50ad887ff6bf46213e2207ad0047568f14cf4203
SHA256 26a5fbeb91cfac5dd1b2ad04c987a5c2cf3aeca8edf0221f1bd39d65b4257910
SHA512 3dce73548c6ef03bba48e1766a450c730ba60a7f6ff1eb409568a3fef6bc43d04a2f4e8148cd6d42e842125e617c819a85c5ae3f6b8e1500b2024400c4ae2a44

memory/3316-147-0x0000000070980000-0x00000000709CC000-memory.dmp

memory/3316-148-0x00000000710E0000-0x0000000071434000-memory.dmp

memory/4908-168-0x0000000006090000-0x00000000063E4000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 eb5373ed3858cc335d68ae7c8a84a7c5
SHA1 35aeee5d6a827fefd531fa7805c40395406ad842
SHA256 955a228bed0805932ed55b109a6e11d151c0b326868bc5600e8b01355397dca8
SHA512 1671ebf3bfbc08484c5efa2769d3cb05e621037e57de4a6aa78a268b4f473da068ee24d604a959c0e27f9dfa0584d14777f968e6d654d74a8905e9d0668923a3

memory/4908-170-0x00000000065B0000-0x00000000065FC000-memory.dmp

memory/4908-171-0x00000000708A0000-0x00000000708EC000-memory.dmp

memory/4908-172-0x0000000070A20000-0x0000000070D74000-memory.dmp

memory/4908-182-0x0000000007790000-0x0000000007833000-memory.dmp

memory/4908-183-0x0000000005F30000-0x0000000005F41000-memory.dmp

memory/4908-184-0x0000000005F70000-0x0000000005F84000-memory.dmp

memory/2708-191-0x0000000005450000-0x00000000057A4000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 61f313a0c0c3974255c1a84c5de28166
SHA1 d660a3501f781d7c5fa6f106c72bb69ca32a89cd
SHA256 1164c92c3845c0e0a7dbaea454963b684532d024a8f2ad074da87012866234f3
SHA512 f11ebc79967e1973c625834c86efd159c98ec2a16965752c260c0b733dc2f52da7c48ee1565f62533e689c8e1922804d10d81ac91866b5b9058f32cef950682a

memory/3332-197-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2708-198-0x00000000708A0000-0x00000000708EC000-memory.dmp

memory/2708-199-0x0000000071030000-0x0000000071384000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/2772-213-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3332-217-0x0000000002950000-0x0000000002D4B000-memory.dmp

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/1572-224-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2772-223-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/972-227-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/1572-229-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2772-232-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/972-233-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2772-236-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/972-241-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2772-240-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2772-244-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2772-248-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2772-252-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2772-256-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2772-260-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2772-264-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2772-268-0x0000000000400000-0x0000000000D1C000-memory.dmp