Malware Analysis Report

2024-12-08 02:09

Sample ID 240516-pyy1wadf99
Target e696d8b3afdc0cb47f204ff8cf259b32127b9389e99740fd4c6fa08e4664b889
SHA256 e696d8b3afdc0cb47f204ff8cf259b32127b9389e99740fd4c6fa08e4664b889
Tags
glupteba discovery dropper evasion execution loader persistence rootkit upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

e696d8b3afdc0cb47f204ff8cf259b32127b9389e99740fd4c6fa08e4664b889

Threat Level: Known bad

The file e696d8b3afdc0cb47f204ff8cf259b32127b9389e99740fd4c6fa08e4664b889 was found to be: Known bad.

Malicious Activity Summary

glupteba discovery dropper evasion execution loader persistence rootkit upx

Glupteba

Glupteba payload

Modifies Windows Firewall

UPX packed file

Executes dropped EXE

Adds Run key to start application

Checks installed software on the system

Manipulates WinMonFS driver

Drops file in System32 directory

Drops file in Windows directory

Checks for VirtualBox DLLs, possible anti-VM trick

Launches sc.exe

Command and Scripting Interpreter: PowerShell

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Modifies data under HKEY_USERS

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-16 12:44

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-16 12:44

Reported

2024-05-16 12:47

Platform

win11-20240508-en

Max time kernel

150s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e696d8b3afdc0cb47f204ff8cf259b32127b9389e99740fd4c6fa08e4664b889.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload


Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\e696d8b3afdc0cb47f204ff8cf259b32127b9389e99740fd4c6fa08e4664b889.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\e696d8b3afdc0cb47f204ff8cf259b32127b9389e99740fd4c6fa08e4664b889.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\e696d8b3afdc0cb47f204ff8cf259b32127b9389e99740fd4c6fa08e4664b889.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\e696d8b3afdc0cb47f204ff8cf259b32127b9389e99740fd4c6fa08e4664b889.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-831 = "SA Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\e696d8b3afdc0cb47f204ff8cf259b32127b9389e99740fd4c6fa08e4664b889.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-892 = "Morocco Standard Time" C:\Users\Admin\AppData\Local\Temp\e696d8b3afdc0cb47f204ff8cf259b32127b9389e99740fd4c6fa08e4664b889.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-3142 = "South Sudan Standard Time" C:\Users\Admin\AppData\Local\Temp\e696d8b3afdc0cb47f204ff8cf259b32127b9389e99740fd4c6fa08e4664b889.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-791 = "SA Western Daylight Time" C:\Users\Admin\AppData\Local\Temp\e696d8b3afdc0cb47f204ff8cf259b32127b9389e99740fd4c6fa08e4664b889.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2371 = "Easter Island Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2042 = "Eastern Standard Time (Mexico)" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-731 = "Fiji Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1932 = "Russia TZ 11 Standard Time" C:\Users\Admin\AppData\Local\Temp\e696d8b3afdc0cb47f204ff8cf259b32127b9389e99740fd4c6fa08e4664b889.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\e696d8b3afdc0cb47f204ff8cf259b32127b9389e99740fd4c6fa08e4664b889.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-601 = "Taipei Daylight Time" C:\Users\Admin\AppData\Local\Temp\e696d8b3afdc0cb47f204ff8cf259b32127b9389e99740fd4c6fa08e4664b889.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-341 = "Egypt Daylight Time" C:\Users\Admin\AppData\Local\Temp\e696d8b3afdc0cb47f204ff8cf259b32127b9389e99740fd4c6fa08e4664b889.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-335 = "Jordan Standard Time" C:\Users\Admin\AppData\Local\Temp\e696d8b3afdc0cb47f204ff8cf259b32127b9389e99740fd4c6fa08e4664b889.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2591 = "Tocantins Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-932 = "Coordinated Universal Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-572 = "China Standard Time" C:\Users\Admin\AppData\Local\Temp\e696d8b3afdc0cb47f204ff8cf259b32127b9389e99740fd4c6fa08e4664b889.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2492 = "Aus Central W. Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-572 = "China Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-411 = "E. Africa Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-32 = "Mid-Atlantic Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1021 = "Bangladesh Daylight Time" C:\Users\Admin\AppData\Local\Temp\e696d8b3afdc0cb47f204ff8cf259b32127b9389e99740fd4c6fa08e4664b889.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2511 = "Lord Howe Daylight Time" C:\Users\Admin\AppData\Local\Temp\e696d8b3afdc0cb47f204ff8cf259b32127b9389e99740fd4c6fa08e4664b889.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1502 = "Turkey Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-621 = "Korea Daylight Time" C:\Users\Admin\AppData\Local\Temp\e696d8b3afdc0cb47f204ff8cf259b32127b9389e99740fd4c6fa08e4664b889.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-214 = "Pacific Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\e696d8b3afdc0cb47f204ff8cf259b32127b9389e99740fd4c6fa08e4664b889.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-442 = "Arabian Standard Time" C:\Users\Admin\AppData\Local\Temp\e696d8b3afdc0cb47f204ff8cf259b32127b9389e99740fd4c6fa08e4664b889.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1502 = "Turkey Standard Time" C:\Users\Admin\AppData\Local\Temp\e696d8b3afdc0cb47f204ff8cf259b32127b9389e99740fd4c6fa08e4664b889.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2491 = "Aus Central W. Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1841 = "Russia TZ 4 Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time" C:\Users\Admin\AppData\Local\Temp\e696d8b3afdc0cb47f204ff8cf259b32127b9389e99740fd4c6fa08e4664b889.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-392 = "Arab Standard Time" C:\Users\Admin\AppData\Local\Temp\e696d8b3afdc0cb47f204ff8cf259b32127b9389e99740fd4c6fa08e4664b889.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2391 = "Aleutian Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2531 = "Chatham Islands Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-371 = "Jerusalem Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-3142 = "South Sudan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-142 = "Canada Central Standard Time" C:\Users\Admin\AppData\Local\Temp\e696d8b3afdc0cb47f204ff8cf259b32127b9389e99740fd4c6fa08e4664b889.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1931 = "Russia TZ 11 Daylight Time" C:\Users\Admin\AppData\Local\Temp\e696d8b3afdc0cb47f204ff8cf259b32127b9389e99740fd4c6fa08e4664b889.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-452 = "Caucasus Standard Time" C:\Users\Admin\AppData\Local\Temp\e696d8b3afdc0cb47f204ff8cf259b32127b9389e99740fd4c6fa08e4664b889.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-11 = "Azores Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2632 = "Norfolk Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-872 = "Pakistan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1892 = "Russia TZ 3 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-252 = "Dateline Standard Time" C:\Users\Admin\AppData\Local\Temp\e696d8b3afdc0cb47f204ff8cf259b32127b9389e99740fd4c6fa08e4664b889.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1041 = "Ulaanbaatar Daylight Time" C:\Users\Admin\AppData\Local\Temp\e696d8b3afdc0cb47f204ff8cf259b32127b9389e99740fd4c6fa08e4664b889.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e696d8b3afdc0cb47f204ff8cf259b32127b9389e99740fd4c6fa08e4664b889.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e696d8b3afdc0cb47f204ff8cf259b32127b9389e99740fd4c6fa08e4664b889.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e696d8b3afdc0cb47f204ff8cf259b32127b9389e99740fd4c6fa08e4664b889.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e696d8b3afdc0cb47f204ff8cf259b32127b9389e99740fd4c6fa08e4664b889.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e696d8b3afdc0cb47f204ff8cf259b32127b9389e99740fd4c6fa08e4664b889.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e696d8b3afdc0cb47f204ff8cf259b32127b9389e99740fd4c6fa08e4664b889.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e696d8b3afdc0cb47f204ff8cf259b32127b9389e99740fd4c6fa08e4664b889.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e696d8b3afdc0cb47f204ff8cf259b32127b9389e99740fd4c6fa08e4664b889.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e696d8b3afdc0cb47f204ff8cf259b32127b9389e99740fd4c6fa08e4664b889.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e696d8b3afdc0cb47f204ff8cf259b32127b9389e99740fd4c6fa08e4664b889.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e696d8b3afdc0cb47f204ff8cf259b32127b9389e99740fd4c6fa08e4664b889.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e696d8b3afdc0cb47f204ff8cf259b32127b9389e99740fd4c6fa08e4664b889.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e696d8b3afdc0cb47f204ff8cf259b32127b9389e99740fd4c6fa08e4664b889.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\e696d8b3afdc0cb47f204ff8cf259b32127b9389e99740fd4c6fa08e4664b889.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3244 wrote to memory of 3264 N/A C:\Users\Admin\AppData\Local\Temp\e696d8b3afdc0cb47f204ff8cf259b32127b9389e99740fd4c6fa08e4664b889.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3244 wrote to memory of 3264 N/A C:\Users\Admin\AppData\Local\Temp\e696d8b3afdc0cb47f204ff8cf259b32127b9389e99740fd4c6fa08e4664b889.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3244 wrote to memory of 3264 N/A C:\Users\Admin\AppData\Local\Temp\e696d8b3afdc0cb47f204ff8cf259b32127b9389e99740fd4c6fa08e4664b889.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 752 wrote to memory of 336 N/A C:\Users\Admin\AppData\Local\Temp\e696d8b3afdc0cb47f204ff8cf259b32127b9389e99740fd4c6fa08e4664b889.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 752 wrote to memory of 336 N/A C:\Users\Admin\AppData\Local\Temp\e696d8b3afdc0cb47f204ff8cf259b32127b9389e99740fd4c6fa08e4664b889.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 752 wrote to memory of 336 N/A C:\Users\Admin\AppData\Local\Temp\e696d8b3afdc0cb47f204ff8cf259b32127b9389e99740fd4c6fa08e4664b889.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 752 wrote to memory of 1180 N/A C:\Users\Admin\AppData\Local\Temp\e696d8b3afdc0cb47f204ff8cf259b32127b9389e99740fd4c6fa08e4664b889.exe C:\Windows\system32\cmd.exe
PID 752 wrote to memory of 1180 N/A C:\Users\Admin\AppData\Local\Temp\e696d8b3afdc0cb47f204ff8cf259b32127b9389e99740fd4c6fa08e4664b889.exe C:\Windows\system32\cmd.exe
PID 1180 wrote to memory of 2444 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1180 wrote to memory of 2444 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 752 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\e696d8b3afdc0cb47f204ff8cf259b32127b9389e99740fd4c6fa08e4664b889.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 752 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\e696d8b3afdc0cb47f204ff8cf259b32127b9389e99740fd4c6fa08e4664b889.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 752 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\e696d8b3afdc0cb47f204ff8cf259b32127b9389e99740fd4c6fa08e4664b889.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 752 wrote to memory of 3992 N/A C:\Users\Admin\AppData\Local\Temp\e696d8b3afdc0cb47f204ff8cf259b32127b9389e99740fd4c6fa08e4664b889.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 752 wrote to memory of 3992 N/A C:\Users\Admin\AppData\Local\Temp\e696d8b3afdc0cb47f204ff8cf259b32127b9389e99740fd4c6fa08e4664b889.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 752 wrote to memory of 3992 N/A C:\Users\Admin\AppData\Local\Temp\e696d8b3afdc0cb47f204ff8cf259b32127b9389e99740fd4c6fa08e4664b889.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 752 wrote to memory of 1408 N/A C:\Users\Admin\AppData\Local\Temp\e696d8b3afdc0cb47f204ff8cf259b32127b9389e99740fd4c6fa08e4664b889.exe C:\Windows\rss\csrss.exe
PID 752 wrote to memory of 1408 N/A C:\Users\Admin\AppData\Local\Temp\e696d8b3afdc0cb47f204ff8cf259b32127b9389e99740fd4c6fa08e4664b889.exe C:\Windows\rss\csrss.exe
PID 752 wrote to memory of 1408 N/A C:\Users\Admin\AppData\Local\Temp\e696d8b3afdc0cb47f204ff8cf259b32127b9389e99740fd4c6fa08e4664b889.exe C:\Windows\rss\csrss.exe
PID 1408 wrote to memory of 2464 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1408 wrote to memory of 2464 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1408 wrote to memory of 2464 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1408 wrote to memory of 3316 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1408 wrote to memory of 3316 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1408 wrote to memory of 3316 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1408 wrote to memory of 792 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1408 wrote to memory of 792 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1408 wrote to memory of 792 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1408 wrote to memory of 1744 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 1408 wrote to memory of 1744 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 1104 wrote to memory of 1928 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 1104 wrote to memory of 1928 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 1104 wrote to memory of 1928 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 1928 wrote to memory of 4248 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 1928 wrote to memory of 4248 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 1928 wrote to memory of 4248 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\e696d8b3afdc0cb47f204ff8cf259b32127b9389e99740fd4c6fa08e4664b889.exe

"C:\Users\Admin\AppData\Local\Temp\e696d8b3afdc0cb47f204ff8cf259b32127b9389e99740fd4c6fa08e4664b889.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\e696d8b3afdc0cb47f204ff8cf259b32127b9389e99740fd4c6fa08e4664b889.exe

"C:\Users\Admin\AppData\Local\Temp\e696d8b3afdc0cb47f204ff8cf259b32127b9389e99740fd4c6fa08e4664b889.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 server16.localstats.org udp
DE 81.3.27.44:3478 stun.ipfire.org udp
BG 185.82.216.111:443 server16.localstats.org tcp
US 162.159.133.233:443 cdn.discordapp.com tcp
US 104.21.94.82:443 carsalessystem.com tcp
US 8.8.8.8:53 111.216.82.185.in-addr.arpa udp
BG 185.82.216.111:443 server16.localstats.org tcp
BG 185.82.216.111:443 server16.localstats.org tcp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nrxjs0wh.jkr.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 d0c46cad6c0778401e21910bd6b56b70
SHA1 7be418951ea96326aca445b8dfe449b2bfa0dca6
SHA256 9600b3fdf0565ccb49e21656aa4b24d7c18f776bfd04d9ee984b134707550f02
SHA512 057531b468f7fbbb2175a696a8aab274dec0d17d9f71df309edcff35e064f3378050066a3df47ccd03048fac461594ec75e3d4fe64f9dd79949d129f51e02949

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 6fcff5e72a248ac6f7d396380ff4df8c
SHA1 c85405e03a8441e6bcb363fb562b44fd59e2ce34
SHA256 aeceee01f13879ed9e100291c31bec3aee96cd160654ffa29c5407b032075ca4
SHA512 ae110151c82c5169b4124994868ad4662835ed8266bd1abd0fe654eb34dc341666314c2158d6260b0078e595325b0c6d22456fbd8822efff53f70d6ac48c8627

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 09d14279e80d9cf32e703a50ae94449b
SHA1 bec5853ad11adcd93b4d6d9f9e0a676a6ac0f88b
SHA256 5d8aacf076799bd85551b6b4c58c1e69ff8624c40cf8235582946f622c7c6ba0
SHA512 a1c7ea2997e193ce25d3a833d79144bb0bb3ae331e0c2e5d0022de0e064b38ffe7ba6652e762baca63143f7fe8571c86142338c22eb030c4cd5a9dd560c843db

C:\Windows\rss\csrss.exe

MD5 82f516461e7545486763518f7dbb6214
SHA1 18d75fa4a95ea8cd9d2db5aa79588d86ed26f912
SHA256 e696d8b3afdc0cb47f204ff8cf259b32127b9389e99740fd4c6fa08e4664b889
SHA512 96b9a6781902f6b0ad3b357d92317938d77550448ce9afb0fc58e806a411c017f2c8173dd5ec795df74d668affde0d06f83bfee008381d5f9a73349ce6e5caed

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 46ea66cf02c0e3b2e39dfb1f04b36eb7
SHA1 8c2b229136c9677cec3681a5938b807a9bb85707
SHA256 42be8ef0b8e3c72983a69606f65c4b9fbb9a22c2bed8608394c50234db16d180
SHA512 cc746ccd0c289324b83cfb57efec4bbc4f5cdb6415d8ada830cc0c53941a4eaf70b9a98d52eaa395ce84f81c365613ee4eac385520dd9b57b237e7a51a876905

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 6669f31df48ba5b46e733c3b8feabf9d
SHA1 66baa073db073e4388871a6ee2b8422141ddeec9
SHA256 33cee928ef43a84a8d5c3e914f99dce85fa2cac093010c49a8017388c9a0b8db
SHA512 309c1c52df501d1f0a2b4554066111798b43bb12183d662a9866b9f0ee885898ef58ca9b472778ba191ab0b294ef7c2cc4b6f44e086b5cfba2334c71959eb67d

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 5c1128ef3ffd564dfc84549308fd20a7
SHA1 e89c9bfeb1135b15171a058be66425a97410bffb
SHA256 c03f426db9889bae418ffa4aabc32ad5a823efea73bfd91423692baf7f8759c3
SHA512 da9ea75bd72d1314c0ca29d112cb389aae66dfc114835eb80a990685f9d953334dee4255ab735cc215ea4f53bc07f4b4976ae33429ffd6076d3d732f739a1b4e

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-16 12:44

Reported

2024-05-16 12:47

Platform

win10v2004-20240426-en

Max time kernel

150s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e696d8b3afdc0cb47f204ff8cf259b32127b9389e99740fd4c6fa08e4664b889.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\e696d8b3afdc0cb47f204ff8cf259b32127b9389e99740fd4c6fa08e4664b889.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\e696d8b3afdc0cb47f204ff8cf259b32127b9389e99740fd4c6fa08e4664b889.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\e696d8b3afdc0cb47f204ff8cf259b32127b9389e99740fd4c6fa08e4664b889.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\e696d8b3afdc0cb47f204ff8cf259b32127b9389e99740fd4c6fa08e4664b889.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-651 = "AUS Central Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-171 = "Central Daylight Time (Mexico)" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-872 = "Pakistan Standard Time" C:\Users\Admin\AppData\Local\Temp\e696d8b3afdc0cb47f204ff8cf259b32127b9389e99740fd4c6fa08e4664b889.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1722 = "Libya Standard Time" C:\Users\Admin\AppData\Local\Temp\e696d8b3afdc0cb47f204ff8cf259b32127b9389e99740fd4c6fa08e4664b889.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2751 = "Tomsk Daylight Time" C:\Users\Admin\AppData\Local\Temp\e696d8b3afdc0cb47f204ff8cf259b32127b9389e99740fd4c6fa08e4664b889.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-281 = "Central Europe Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2431 = "Cuba Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2611 = "Bougainville Daylight Time" C:\Users\Admin\AppData\Local\Temp\e696d8b3afdc0cb47f204ff8cf259b32127b9389e99740fd4c6fa08e4664b889.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2322 = "Sakhalin Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-672 = "AUS Eastern Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-372 = "Jerusalem Standard Time" C:\Users\Admin\AppData\Local\Temp\e696d8b3afdc0cb47f204ff8cf259b32127b9389e99740fd4c6fa08e4664b889.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1971 = "Belarus Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-191 = "Mountain Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2452 = "Saint Pierre Standard Time" C:\Users\Admin\AppData\Local\Temp\e696d8b3afdc0cb47f204ff8cf259b32127b9389e99740fd4c6fa08e4664b889.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-81 = "Atlantic Daylight Time" C:\Users\Admin\AppData\Local\Temp\e696d8b3afdc0cb47f204ff8cf259b32127b9389e99740fd4c6fa08e4664b889.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-662 = "Cen. Australia Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-431 = "Iran Daylight Time" C:\Users\Admin\AppData\Local\Temp\e696d8b3afdc0cb47f204ff8cf259b32127b9389e99740fd4c6fa08e4664b889.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1802 = "Line Islands Standard Time" C:\Users\Admin\AppData\Local\Temp\e696d8b3afdc0cb47f204ff8cf259b32127b9389e99740fd4c6fa08e4664b889.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1972 = "Belarus Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-341 = "Egypt Daylight Time" C:\Users\Admin\AppData\Local\Temp\e696d8b3afdc0cb47f204ff8cf259b32127b9389e99740fd4c6fa08e4664b889.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1501 = "Turkey Daylight Time" C:\Users\Admin\AppData\Local\Temp\e696d8b3afdc0cb47f204ff8cf259b32127b9389e99740fd4c6fa08e4664b889.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2161 = "Altai Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-351 = "FLE Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1822 = "Russia TZ 1 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-911 = "Mauritius Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-121 = "SA Pacific Daylight Time" C:\Users\Admin\AppData\Local\Temp\e696d8b3afdc0cb47f204ff8cf259b32127b9389e99740fd4c6fa08e4664b889.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2872 = "Magallanes Standard Time" C:\Users\Admin\AppData\Local\Temp\e696d8b3afdc0cb47f204ff8cf259b32127b9389e99740fd4c6fa08e4664b889.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1872 = "Russia TZ 7 Standard Time" C:\Users\Admin\AppData\Local\Temp\e696d8b3afdc0cb47f204ff8cf259b32127b9389e99740fd4c6fa08e4664b889.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-3051 = "Qyzylorda Daylight Time" C:\Users\Admin\AppData\Local\Temp\e696d8b3afdc0cb47f204ff8cf259b32127b9389e99740fd4c6fa08e4664b889.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2941 = "Sao Tome Daylight Time" C:\Users\Admin\AppData\Local\Temp\e696d8b3afdc0cb47f204ff8cf259b32127b9389e99740fd4c6fa08e4664b889.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-931 = "Coordinated Universal Time" C:\Users\Admin\AppData\Local\Temp\e696d8b3afdc0cb47f204ff8cf259b32127b9389e99740fd4c6fa08e4664b889.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-362 = "GTB Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-661 = "Cen. Australia Daylight Time" C:\Users\Admin\AppData\Local\Temp\e696d8b3afdc0cb47f204ff8cf259b32127b9389e99740fd4c6fa08e4664b889.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-331 = "E. Europe Daylight Time" C:\Users\Admin\AppData\Local\Temp\e696d8b3afdc0cb47f204ff8cf259b32127b9389e99740fd4c6fa08e4664b889.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-301 = "Romance Daylight Time" C:\Users\Admin\AppData\Local\Temp\e696d8b3afdc0cb47f204ff8cf259b32127b9389e99740fd4c6fa08e4664b889.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2041 = "Eastern Daylight Time (Mexico)" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-662 = "Cen. Australia Standard Time" C:\Users\Admin\AppData\Local\Temp\e696d8b3afdc0cb47f204ff8cf259b32127b9389e99740fd4c6fa08e4664b889.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-871 = "Pakistan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-962 = "Paraguay Standard Time" C:\Users\Admin\AppData\Local\Temp\e696d8b3afdc0cb47f204ff8cf259b32127b9389e99740fd4c6fa08e4664b889.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-692 = "Tasmania Standard Time" C:\Users\Admin\AppData\Local\Temp\e696d8b3afdc0cb47f204ff8cf259b32127b9389e99740fd4c6fa08e4664b889.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e696d8b3afdc0cb47f204ff8cf259b32127b9389e99740fd4c6fa08e4664b889.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e696d8b3afdc0cb47f204ff8cf259b32127b9389e99740fd4c6fa08e4664b889.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e696d8b3afdc0cb47f204ff8cf259b32127b9389e99740fd4c6fa08e4664b889.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e696d8b3afdc0cb47f204ff8cf259b32127b9389e99740fd4c6fa08e4664b889.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e696d8b3afdc0cb47f204ff8cf259b32127b9389e99740fd4c6fa08e4664b889.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e696d8b3afdc0cb47f204ff8cf259b32127b9389e99740fd4c6fa08e4664b889.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e696d8b3afdc0cb47f204ff8cf259b32127b9389e99740fd4c6fa08e4664b889.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e696d8b3afdc0cb47f204ff8cf259b32127b9389e99740fd4c6fa08e4664b889.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e696d8b3afdc0cb47f204ff8cf259b32127b9389e99740fd4c6fa08e4664b889.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e696d8b3afdc0cb47f204ff8cf259b32127b9389e99740fd4c6fa08e4664b889.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e696d8b3afdc0cb47f204ff8cf259b32127b9389e99740fd4c6fa08e4664b889.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e696d8b3afdc0cb47f204ff8cf259b32127b9389e99740fd4c6fa08e4664b889.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e696d8b3afdc0cb47f204ff8cf259b32127b9389e99740fd4c6fa08e4664b889.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\e696d8b3afdc0cb47f204ff8cf259b32127b9389e99740fd4c6fa08e4664b889.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 728 wrote to memory of 3340 N/A C:\Users\Admin\AppData\Local\Temp\e696d8b3afdc0cb47f204ff8cf259b32127b9389e99740fd4c6fa08e4664b889.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 728 wrote to memory of 3340 N/A C:\Users\Admin\AppData\Local\Temp\e696d8b3afdc0cb47f204ff8cf259b32127b9389e99740fd4c6fa08e4664b889.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 728 wrote to memory of 3340 N/A C:\Users\Admin\AppData\Local\Temp\e696d8b3afdc0cb47f204ff8cf259b32127b9389e99740fd4c6fa08e4664b889.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4236 wrote to memory of 4088 N/A C:\Users\Admin\AppData\Local\Temp\e696d8b3afdc0cb47f204ff8cf259b32127b9389e99740fd4c6fa08e4664b889.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4236 wrote to memory of 4088 N/A C:\Users\Admin\AppData\Local\Temp\e696d8b3afdc0cb47f204ff8cf259b32127b9389e99740fd4c6fa08e4664b889.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4236 wrote to memory of 4088 N/A C:\Users\Admin\AppData\Local\Temp\e696d8b3afdc0cb47f204ff8cf259b32127b9389e99740fd4c6fa08e4664b889.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4236 wrote to memory of 4348 N/A C:\Users\Admin\AppData\Local\Temp\e696d8b3afdc0cb47f204ff8cf259b32127b9389e99740fd4c6fa08e4664b889.exe C:\Windows\system32\cmd.exe
PID 4236 wrote to memory of 4348 N/A C:\Users\Admin\AppData\Local\Temp\e696d8b3afdc0cb47f204ff8cf259b32127b9389e99740fd4c6fa08e4664b889.exe C:\Windows\system32\cmd.exe
PID 4348 wrote to memory of 1312 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4348 wrote to memory of 1312 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4236 wrote to memory of 1576 N/A C:\Users\Admin\AppData\Local\Temp\e696d8b3afdc0cb47f204ff8cf259b32127b9389e99740fd4c6fa08e4664b889.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4236 wrote to memory of 1576 N/A C:\Users\Admin\AppData\Local\Temp\e696d8b3afdc0cb47f204ff8cf259b32127b9389e99740fd4c6fa08e4664b889.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4236 wrote to memory of 1576 N/A C:\Users\Admin\AppData\Local\Temp\e696d8b3afdc0cb47f204ff8cf259b32127b9389e99740fd4c6fa08e4664b889.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4236 wrote to memory of 4300 N/A C:\Users\Admin\AppData\Local\Temp\e696d8b3afdc0cb47f204ff8cf259b32127b9389e99740fd4c6fa08e4664b889.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4236 wrote to memory of 4300 N/A C:\Users\Admin\AppData\Local\Temp\e696d8b3afdc0cb47f204ff8cf259b32127b9389e99740fd4c6fa08e4664b889.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4236 wrote to memory of 4300 N/A C:\Users\Admin\AppData\Local\Temp\e696d8b3afdc0cb47f204ff8cf259b32127b9389e99740fd4c6fa08e4664b889.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4236 wrote to memory of 428 N/A C:\Users\Admin\AppData\Local\Temp\e696d8b3afdc0cb47f204ff8cf259b32127b9389e99740fd4c6fa08e4664b889.exe C:\Windows\rss\csrss.exe
PID 4236 wrote to memory of 428 N/A C:\Users\Admin\AppData\Local\Temp\e696d8b3afdc0cb47f204ff8cf259b32127b9389e99740fd4c6fa08e4664b889.exe C:\Windows\rss\csrss.exe
PID 4236 wrote to memory of 428 N/A C:\Users\Admin\AppData\Local\Temp\e696d8b3afdc0cb47f204ff8cf259b32127b9389e99740fd4c6fa08e4664b889.exe C:\Windows\rss\csrss.exe
PID 428 wrote to memory of 4920 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 428 wrote to memory of 4920 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 428 wrote to memory of 4920 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 428 wrote to memory of 4024 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 428 wrote to memory of 4024 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 428 wrote to memory of 4024 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 428 wrote to memory of 2452 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 428 wrote to memory of 2452 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 428 wrote to memory of 2452 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 428 wrote to memory of 3232 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 428 wrote to memory of 3232 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 2880 wrote to memory of 648 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 2880 wrote to memory of 648 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 2880 wrote to memory of 648 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 648 wrote to memory of 1440 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 648 wrote to memory of 1440 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 648 wrote to memory of 1440 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\e696d8b3afdc0cb47f204ff8cf259b32127b9389e99740fd4c6fa08e4664b889.exe

"C:\Users\Admin\AppData\Local\Temp\e696d8b3afdc0cb47f204ff8cf259b32127b9389e99740fd4c6fa08e4664b889.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\e696d8b3afdc0cb47f204ff8cf259b32127b9389e99740fd4c6fa08e4664b889.exe

"C:\Users\Admin\AppData\Local\Temp\e696d8b3afdc0cb47f204ff8cf259b32127b9389e99740fd4c6fa08e4664b889.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe
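The process list above is the part of this run a detection engineer can turn into hunts: a logon task named after a system binary that runs C:\Windows\rss\csrss.exe at the highest privilege level, a netsh rule that opens the host firewall for that same binary, a copy of the sample dropped into C:\Windows\rss (its SHA256 in the Files section is the submitted sample's own hash, so the dropped copy is the sample itself), an unknown windefender.exe placed directly in C:\Windows, and a Temp-resident injector.exe handing taskmgr.exe a hook DLL. The Python below is an added example for this report, not sandbox output or Glupteba code. It applies one rule per pattern to the command lines copied from the Processes section plus one constructed benign control; the trusted-directory list and the C:\Windows root allowlist are illustrative assumptions, not complete data.

```python
"""Hunt recorded command lines for the persistence and evasion patterns in this run.
Added example for this report, not sandbox output or Glupteba code. Lines in
REPORT_COMMAND_LINES are copied from the Processes section above; the benign
control line, the trusted-directory list and the C:\\Windows root allowlist are
constructed assumptions, not exhaustive data."""
from __future__ import annotations
import re
from dataclasses import dataclass

TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                "c:\\windows\\sysnative\\", "c:\\program files\\", "c:\\program files (x86)\\")
SYSTEM_BINARY_NAMES = {"csrss.exe", "smss.exe", "lsass.exe", "services.exe", "winlogon.exe", "svchost.exe"}
WINDOWS_ROOT_ALLOWLIST = {"explorer.exe", "notepad.exe", "regedit.exe", "hh.exe", "write.exe",
                          "splwow64.exe", "bfsvc.exe", "winhlp32.exe"}  # illustrative, not complete

@dataclass(frozen=True)
class Finding:
    rule: str
    detail: str

def _trusted(path: str) -> bool:
    return path.lower().startswith(TRUSTED_DIRS)

def triage(cmdline: str) -> list[Finding]:
    """Findings for one process command line; empty list when nothing fires."""
    img_m = re.match(r'\s*("[^"]*"|\S+)', cmdline)
    if not img_m:
        return []
    findings: list[Finding] = []
    low = cmdline.lower()
    image = img_m.group(1).strip('"')
    args = low[img_m.end():]
    image_dir, _, image_name = image.lower().rpartition("\\")

    # Rule 1: schtasks /CREATE with an untrusted action path, HIGHEST run level,
    # or a task name borrowed from a system binary (all three hold for csrss here).
    if "schtasks" in low and "/create" in low:
        tr = re.search(r'/tr\s+("[^"]*"|\S+)', cmdline, re.I)
        tn = re.search(r'/tn\s+("[^"]*"|\S+)', cmdline, re.I)
        rl = re.search(r'/rl\s+(\S+)', cmdline, re.I)
        action = tr.group(1).strip('"') if tr else ""
        name = tn.group(1).strip('"').lower() if tn else ""
        reasons = []
        if action and not _trusted(action):
            reasons.append(f"action outside trusted dirs: {action}")
        if rl and rl.group(1).upper() == "HIGHEST":
            reasons.append("run level HIGHEST")
        if name in SYSTEM_BINARY_NAMES or name + ".exe" in SYSTEM_BINARY_NAMES:
            reasons.append(f"task name mimics a system binary: {name}")
        if reasons:
            findings.append(Finding("scheduled_task_persistence", "; ".join(reasons)))

    # Rule 2: netsh opens the host firewall for a binary outside trusted dirs.
    if "netsh" in low and "advfirewall" in low and "add rule" in low:
        kv = {k.lower(): v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', cmdline)}
        prog = kv.get("program", "")
        if kv.get("action", "").lower() == "allow" and prog and not _trusted(prog):
            findings.append(Finding("firewall_allow_untrusted_binary",
                                    f"rule {kv.get('name')} dir={kv.get('dir')} program={prog}"))

    # Rule 3: any rewrite of a service security descriptor.
    m = re.search(r"\bsc(?:\.exe)?\s+sdset\s+(\S+)\s+\S+", cmdline, re.I)
    if m:
        findings.append(Finding("service_sd_rewritten", f"service {m.group(1)}"))

    # Rule 4: a system-component file name running from an unexpected directory.
    if image_name in SYSTEM_BINARY_NAMES and not _trusted(image):
        findings.append(Finding("system_binary_name_outside_system32", image))

    # Rule 5: an executable dropped directly into C:\Windows.
    if image_dir == "c:\\windows" and image_name not in WINDOWS_ROOT_ALLOWLIST:
        findings.append(Finding("unexpected_binary_in_windows_root", image))

    # Rule 6: a temp-resident binary handed a DLL path (user-mode injector pattern).
    if "\\appdata\\local\\temp\\" in image.lower() and re.search(r"\S+\.dll\b", args):
        findings.append(Finding("temp_binary_with_dll_argument", cmdline))
    return findings

REPORT_COMMAND_LINES = [  # copied from the Processes section of this report
    'schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\\Windows\\rss\\csrss.exe" /TN csrss /F',
    "schtasks /delete /tn ScheduledUpdate /f",
    'netsh advfirewall firewall add rule name="csrss" dir=in action=allow '
    'program="C:\\Windows\\rss\\csrss.exe" enable=yes',
    "C:\\Windows\\rss\\csrss.exe",
    '"C:\\Windows\\windefender.exe"',
    "cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)"
    "(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)",
    "C:\\Users\\Admin\\AppData\\Local\\Temp\\csrss\\injector\\injector.exe taskmgr.exe "
    "C:\\Users\\Admin\\AppData\\Local\\Temp\\csrss\\injector\\NtQuerySystemInformationHook.dll",
    "powershell -nologo -noprofile",
]
# Constructed benign control: a vendor updater task that no rule should flag.
BENIGN_CONTROL = 'schtasks /CREATE /SC DAILY /TR "C:\\Program Files\\Vendor\\updater.exe" /TN VendorUpdate /F'

def triage_all(cmdlines: list[str]) -> dict[str, list[str]]:
    """Map each flagged command line to its sorted rule names; clean lines are omitted."""
    return {line: rules for line in cmdlines if (rules := sorted(f.rule for f in triage(line)))}

if __name__ == "__main__":
    for line, rules in triage_all(REPORT_COMMAND_LINES + [BENIGN_CONTROL]).items():
        print(", ".join(rules), "<-", line[:80])
```

Run as-is it flags six of the eight recorded lines and leaves the `schtasks /delete`, the bare `powershell -nologo -noprofile` and the constructed control untouched. The rules are deliberately keyed on behaviour (task action path, run level, firewall target, image location) rather than on the string "csrss", so a renamed task or a different drop directory still trips them; the string-based pieces (the masquerade name set and the root allowlist) are the parts to tune for a given estate.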
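The `sc sdset WinDefender ...` command recorded above is worth decoding, because the SDDL string is what keeps the dropped service running once an administrator notices it. The Python below is an added example for this report, not sandbox output or Glupteba code: it parses the descriptor exactly as recorded on the sc.exe command line, resolves the generic two-letter SDDL rights to their service-specific meaning under the Service Control Manager, and evaluates what an Administrators-only trustee can still do. DEFAULT_SDDL is a typical descriptor for a freshly created service, supplied here only for contrast and labelled as constructed. The access check is simplified to a single trustee; a real check walks every group SID in the caller's token, and hex access masks in ACE strings are not handled.

```python
"""Decode the service security descriptor that windefender.exe pushed with
`sc sdset WinDefender ...` (Processes section above) and show what it takes
away from Administrators.
Added example for this report, not part of the sandbox output. MALWARE_SDDL is
copied from the sc.exe command line above; DEFAULT_SDDL is a constructed contrast
(the usual descriptor of a newly created service). Generic SDDL right codes are
resolved to their service-specific meaning; hex access masks are not handled."""
from __future__ import annotations
import re

RIGHTS = {  # two-letter SDDL right -> service-specific right
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS", "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START", "WP": "SERVICE_STOP", "DT": "SERVICE_PAUSE_CONTINUE",
    "LO": "SERVICE_INTERROGATE", "CR": "SERVICE_USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}
TRUSTEES = {"SY": "Local System", "BA": "Administrators", "IU": "Interactive users",
            "SU": "Service logon", "AU": "Authenticated Users", "WD": "Everyone"}
ACE_TYPES = {"A": "allow", "D": "deny", "AU": "audit"}

MALWARE_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)"
                "(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
                "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
# Constructed contrast: the descriptor a freshly created service normally gets.
DEFAULT_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
                "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)")

def parse_sddl(sddl: str) -> dict[str, list[dict]]:
    """Split an SDDL string into its DACL and SACL ACE lists, decoding each ACE."""
    acls: dict[str, list[dict]] = {"dacl": [], "sacl": []}
    for key, body in re.findall(r"([DS]):((?:\([^)]*\))+)", sddl):
        for ace in re.findall(r"\(([^)]*)\)", body):
            parts = ace.split(";")
            if len(parts) < 6:
                continue  # malformed ACE string; a strict parser would raise here
            ace_type, flags, rights, _obj_guid, _inherit_guid, trustee = parts[:6]
            acls["dacl" if key == "D" else "sacl"].append({
                "type": ACE_TYPES.get(ace_type, ace_type),
                "flags": flags,
                "rights": [RIGHTS.get(rights[i:i + 2], rights[i:i + 2])
                           for i in range(0, len(rights), 2)],
                "trustee": TRUSTEES.get(trustee, trustee),
            })
    return acls

def is_granted(dacl: list[dict], trustee: str, right: str) -> bool:
    """The first ACE in order that names this trustee and this right decides;
    no matching ACE means implicit deny. Simplification: one trustee only,
    whereas Windows checks every group SID present in the caller's token."""
    for ace in dacl:
        if ace["trustee"] == trustee and right in ace["rights"]:
            return ace["type"] == "allow"
    return False

def rights_lost(before: str, after: str, trustee: str) -> list[str]:
    """Rights the trustee held under `before` that `after` no longer grants."""
    old, new = parse_sddl(before)["dacl"], parse_sddl(after)["dacl"]
    return sorted(r for r in RIGHTS.values()
                  if is_granted(old, trustee, r) and not is_granted(new, trustee, r))

if __name__ == "__main__":
    dacl = parse_sddl(MALWARE_SDDL)["dacl"]
    for ace in dacl:
        print(f'{ace["type"]:5} {ace["trustee"]:18} {" ".join(ace["rights"])}')
    print("Administrators lost:", rights_lost(DEFAULT_SDDL, MALWARE_SDDL, "Administrators"))
    print("Administrators keep WRITE_DAC:", is_granted(dacl, "Administrators", "WRITE_DAC"))
```

Decoded, the third ACE `(D;;WPDT;;;BA)` explicitly denies Administrators SERVICE_STOP and SERVICE_PAUSE_CONTROL, and the Administrators allow ACE has had those same two rights removed, so `sc stop WinDefender` from an elevated prompt fails with access denied while Local System keeps full control. The allow ACE still carries WRITE_DAC (and DELETE), which is the practical lever for remediation: an administrator can first rewrite the descriptor with `sc sdset` to a normal one, then stop and delete the service, rather than fighting the stop request directly.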

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
BE 88.221.83.219:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 219.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
BE 88.221.83.219:443 www.bing.com tcp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 a8f6e8d1-8a0e-4e40-a4fa-90228468c940.uuid.localstats.org udp
US 8.8.8.8:53 stun.stunprotocol.org udp
US 8.8.8.8:53 server10.localstats.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.134.233:443 cdn.discordapp.com tcp
BG 185.82.216.111:443 server10.localstats.org tcp
US 8.8.8.8:53 carsalessystem.com udp
US 172.67.221.71:443 carsalessystem.com tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 233.134.159.162.in-addr.arpa udp
US 8.8.8.8:53 111.216.82.185.in-addr.arpa udp
N/A 127.0.0.1:3478 udp
US 8.8.8.8:53 71.221.67.172.in-addr.arpa udp
BG 185.82.216.111:443 server10.localstats.org tcp
US 8.8.8.8:53 stun3.l.google.com udp
US 74.125.250.129:19302 stun3.l.google.com udp
US 8.8.8.8:53 129.250.125.74.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
BG 185.82.216.111:443 server10.localstats.org tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
BG 185.82.216.111:443 server10.localstats.org tcp

Files

memory/728-1-0x00000000029F0000-0x0000000002DED000-memory.dmp

memory/728-2-0x0000000002DF0000-0x00000000036DB000-memory.dmp

memory/728-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3340-4-0x00000000743EE000-0x00000000743EF000-memory.dmp

memory/3340-5-0x0000000002A80000-0x0000000002AB6000-memory.dmp

memory/3340-7-0x00000000053C0000-0x00000000059E8000-memory.dmp

memory/3340-6-0x00000000743E0000-0x0000000074B90000-memory.dmp

memory/3340-8-0x00000000743E0000-0x0000000074B90000-memory.dmp

memory/3340-9-0x00000000050A0000-0x00000000050C2000-memory.dmp

memory/3340-10-0x0000000005340000-0x00000000053A6000-memory.dmp

memory/3340-11-0x00000000059F0000-0x0000000005A56000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vlhbwpva.svz.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3340-21-0x0000000005A60000-0x0000000005DB4000-memory.dmp

memory/3340-22-0x0000000006060000-0x000000000607E000-memory.dmp

memory/3340-23-0x0000000006120000-0x000000000616C000-memory.dmp

memory/3340-24-0x0000000006F90000-0x0000000006FD4000-memory.dmp

memory/3340-25-0x00000000071B0000-0x0000000007226000-memory.dmp

memory/3340-27-0x0000000007430000-0x000000000744A000-memory.dmp

memory/3340-26-0x0000000007AB0000-0x000000000812A000-memory.dmp

memory/3340-31-0x0000000070680000-0x00000000709D4000-memory.dmp

memory/3340-30-0x00000000743E0000-0x0000000074B90000-memory.dmp

memory/3340-29-0x0000000070280000-0x00000000702CC000-memory.dmp

memory/3340-41-0x0000000007630000-0x000000000764E000-memory.dmp

memory/3340-28-0x00000000075F0000-0x0000000007622000-memory.dmp

memory/3340-42-0x0000000007650000-0x00000000076F3000-memory.dmp

memory/3340-43-0x0000000007740000-0x000000000774A000-memory.dmp

memory/3340-44-0x0000000007850000-0x00000000078E6000-memory.dmp

memory/3340-45-0x0000000007750000-0x0000000007761000-memory.dmp

memory/3340-46-0x00000000743E0000-0x0000000074B90000-memory.dmp

memory/3340-47-0x0000000007790000-0x000000000779E000-memory.dmp

memory/3340-48-0x00000000077B0000-0x00000000077C4000-memory.dmp

memory/3340-49-0x0000000007800000-0x000000000781A000-memory.dmp

memory/3340-50-0x00000000077F0000-0x00000000077F8000-memory.dmp

memory/3340-53-0x00000000743E0000-0x0000000074B90000-memory.dmp

memory/728-54-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/728-55-0x0000000002DF0000-0x00000000036DB000-memory.dmp

memory/4236-57-0x0000000002950000-0x0000000002D49000-memory.dmp

memory/4088-58-0x0000000005A40000-0x0000000005D94000-memory.dmp

memory/4088-68-0x0000000006110000-0x000000000615C000-memory.dmp

memory/4088-70-0x0000000070B20000-0x0000000070E74000-memory.dmp

memory/4088-69-0x0000000070380000-0x00000000703CC000-memory.dmp

memory/4088-80-0x00000000072A0000-0x0000000007343000-memory.dmp

memory/4088-81-0x00000000075D0000-0x00000000075E1000-memory.dmp

memory/4088-82-0x0000000007620000-0x0000000007634000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

memory/1576-95-0x0000000005E50000-0x00000000061A4000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 2643d945766cadaa1c056284d547c921
SHA1 fa7ced3fa6a13bf966ad0a20ca847664d4179c33
SHA256 e981630e46eedfeb5938f0bce762e48d7539c742839fdaf75112da36e522c444
SHA512 b1bb881f29371f4909686f3b4540e70ac2269ff05bc4a55499a9c67035a1f5a31b78119a5114c0d2fd091b5d6acb9ae01f703aba21125916fb71194753229c2a

memory/1576-97-0x0000000070380000-0x00000000703CC000-memory.dmp

memory/1576-98-0x0000000070500000-0x0000000070854000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 e4cab5667265894bfe7d9c19909a52e2
SHA1 0b748c6d4db7377f61dace9fe649d329a7e7f351
SHA256 a6f1cfdc73879f48944c36f5dd5e5b8b78fa4d24c3a959f327e9d6a033d14957
SHA512 c35da17a7be281509b12182f8c586ac4078120b74353544f3240db62bf4a025012b38c82bf61c934d4846dbd21cbc3047bed8343cb5f543525e1e7438a55fd92

memory/4300-119-0x0000000070380000-0x00000000703CC000-memory.dmp

memory/4300-120-0x0000000070B20000-0x0000000070E74000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 82f516461e7545486763518f7dbb6214
SHA1 18d75fa4a95ea8cd9d2db5aa79588d86ed26f912
SHA256 e696d8b3afdc0cb47f204ff8cf259b32127b9389e99740fd4c6fa08e4664b889
SHA512 96b9a6781902f6b0ad3b357d92317938d77550448ce9afb0fc58e806a411c017f2c8173dd5ec795df74d668affde0d06f83bfee008381d5f9a73349ce6e5caed

memory/4920-145-0x0000000005F80000-0x00000000062D4000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 41e31587f6e834a9e633d2eee74cd7aa
SHA1 d88742fb6dcf3a9bad7dd6aae377ce27de38d5ae
SHA256 4ed34a48486786f8b10fe9ff1decf430c6977b737b28704411d7be51c726035b
SHA512 a206eb6e8ac4527ce053e9be4ec70dfd5f6d3f45182dfb3e5076bb25b93b67364d0bf84ee1f37e85fdd6051b3ac18725f95d6332622830f9495714384fed74a9

memory/4920-147-0x0000000006930000-0x000000000697C000-memory.dmp

memory/4920-149-0x0000000070460000-0x00000000707B4000-memory.dmp

memory/4920-148-0x00000000702E0000-0x000000007032C000-memory.dmp

memory/4920-159-0x0000000007600000-0x00000000076A3000-memory.dmp

memory/4920-160-0x0000000007990000-0x00000000079A1000-memory.dmp

memory/4920-161-0x0000000005E10000-0x0000000005E24000-memory.dmp

memory/4024-172-0x0000000005C50000-0x0000000005FA4000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 b9fe6bcf28b08304a0664112fa80110e
SHA1 329f01c711831ca8e5ae336c657871bd9e17ab3f
SHA256 c9f74123bcb0e69d3d1ecb53976c80bb7268dc2caa2ca33693dc0bda62e2dd9f
SHA512 a74e7fdfa609bccfbf3d5cc13f894dcf027bc6656489b04891cc4ce9361dc5ac3a7264f303a6bde6319a562d1bcca6d5e485657c6f3640a08aea9cb31e82afbb

memory/4236-174-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4024-175-0x00000000062E0000-0x000000000632C000-memory.dmp

memory/4024-176-0x0000000070200000-0x000000007024C000-memory.dmp

memory/4024-177-0x0000000070380000-0x00000000706D4000-memory.dmp

memory/4024-187-0x00000000073F0000-0x0000000007493000-memory.dmp

memory/4024-188-0x0000000007730000-0x0000000007741000-memory.dmp

memory/4024-189-0x0000000005AA0000-0x0000000005AB4000-memory.dmp

memory/2452-196-0x00000000060A0000-0x00000000063F4000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 774952406405ed25973e4acdfb21ec17
SHA1 dafc498e7b0dde900734aa048ddab2224fde9334
SHA256 de46d9148edba24fd2ca77398a1cd73ca6f0c1fdefbd331f8e77931a1e7cf800
SHA512 2b0d3866806351ccffcbdcd85e99b0498a79ff09b690b4964d3093f1eef0e7c775f1128ba814e4ecffaa32dd42078c467a280c85f4c5bb614ae04c36ed3adb9a

memory/2452-202-0x0000000070200000-0x000000007024C000-memory.dmp

memory/2452-203-0x00000000709A0000-0x0000000070CF4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/428-219-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4236-221-0x0000000002950000-0x0000000002D49000-memory.dmp

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/2880-226-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/380-228-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2880-229-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/428-230-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/380-233-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/428-232-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/428-237-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/380-238-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/428-239-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/428-241-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/428-244-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/428-247-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/428-251-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/428-254-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/428-256-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/428-259-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/428-264-0x0000000000400000-0x0000000000D1C000-memory.dmp