Malware Analysis Report

2024-12-08 02:20

Sample ID 240516-s8v9hsbh2z
Target 39b4aee988d51830f280b9494464ca407b165e30e64d1f1dbe18cd37ec01be77
SHA256 39b4aee988d51830f280b9494464ca407b165e30e64d1f1dbe18cd37ec01be77
Tags
glupteba discovery dropper evasion execution loader persistence rootkit upx
score
10/10

Analysis Overview

Threat Level: Known bad

The file 39b4aee988d51830f280b9494464ca407b165e30e64d1f1dbe18cd37ec01be77 was found to be: Known bad.

Malicious Activity Summary

Glupteba

Glupteba payload

Modifies Windows Firewall

Executes dropped EXE

UPX packed file

Adds Run key to start application

Checks installed software on the system

Manipulates WinMonFS driver.

Drops file in System32 directory

Drops file in Windows directory

Checks for VirtualBox DLLs, possible anti-VM trick

Launches sc.exe

Command and Scripting Interpreter: PowerShell

Creates scheduled task(s)

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Modifies data under HKEY_USERS

Analysis: static1

Detonation Overview

Reported

2024-05-16 15:48

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-16 15:48

Reported

2024-05-16 15:50

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\39b4aee988d51830f280b9494464ca407b165e30e64d1f1dbe18cd37ec01be77.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\39b4aee988d51830f280b9494464ca407b165e30e64d1f1dbe18cd37ec01be77.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\39b4aee988d51830f280b9494464ca407b165e30e64d1f1dbe18cd37ec01be77.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\39b4aee988d51830f280b9494464ca407b165e30e64d1f1dbe18cd37ec01be77.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\39b4aee988d51830f280b9494464ca407b165e30e64d1f1dbe18cd37ec01be77.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-12 = "Azores Standard Time" C:\Users\Admin\AppData\Local\Temp\39b4aee988d51830f280b9494464ca407b165e30e64d1f1dbe18cd37ec01be77.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1862 = "Russia TZ 6 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2432 = "Cuba Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2892 = "Sudan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\39b4aee988d51830f280b9494464ca407b165e30e64d1f1dbe18cd37ec01be77.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-91 = "Pacific SA Daylight Time" C:\Users\Admin\AppData\Local\Temp\39b4aee988d51830f280b9494464ca407b165e30e64d1f1dbe18cd37ec01be77.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2321 = "Sakhalin Daylight Time" C:\Users\Admin\AppData\Local\Temp\39b4aee988d51830f280b9494464ca407b165e30e64d1f1dbe18cd37ec01be77.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-171 = "Central Daylight Time (Mexico)" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1891 = "Russia TZ 3 Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-142 = "Canada Central Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-721 = "Central Pacific Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2632 = "Norfolk Standard Time" C:\Users\Admin\AppData\Local\Temp\39b4aee988d51830f280b9494464ca407b165e30e64d1f1dbe18cd37ec01be77.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-962 = "Paraguay Standard Time" C:\Users\Admin\AppData\Local\Temp\39b4aee988d51830f280b9494464ca407b165e30e64d1f1dbe18cd37ec01be77.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2941 = "Sao Tome Daylight Time" C:\Users\Admin\AppData\Local\Temp\39b4aee988d51830f280b9494464ca407b165e30e64d1f1dbe18cd37ec01be77.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-751 = "Tonga Daylight Time" C:\Users\Admin\AppData\Local\Temp\39b4aee988d51830f280b9494464ca407b165e30e64d1f1dbe18cd37ec01be77.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-132 = "US Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\39b4aee988d51830f280b9494464ca407b165e30e64d1f1dbe18cd37ec01be77.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-82 = "Atlantic Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-332 = "E. Europe Standard Time" C:\Users\Admin\AppData\Local\Temp\39b4aee988d51830f280b9494464ca407b165e30e64d1f1dbe18cd37ec01be77.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1841 = "Russia TZ 4 Daylight Time" C:\Users\Admin\AppData\Local\Temp\39b4aee988d51830f280b9494464ca407b165e30e64d1f1dbe18cd37ec01be77.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-791 = "SA Western Daylight Time" C:\Users\Admin\AppData\Local\Temp\39b4aee988d51830f280b9494464ca407b165e30e64d1f1dbe18cd37ec01be77.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-382 = "South Africa Standard Time" C:\Users\Admin\AppData\Local\Temp\39b4aee988d51830f280b9494464ca407b165e30e64d1f1dbe18cd37ec01be77.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-261 = "GMT Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-201 = "US Mountain Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-51 = "Greenland Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-932 = "Coordinated Universal Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-731 = "Fiji Daylight Time" C:\Users\Admin\AppData\Local\Temp\39b4aee988d51830f280b9494464ca407b165e30e64d1f1dbe18cd37ec01be77.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-392 = "Arab Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-435 = "Georgian Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2061 = "North Korea Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-732 = "Fiji Standard Time" C:\Users\Admin\AppData\Local\Temp\39b4aee988d51830f280b9494464ca407b165e30e64d1f1dbe18cd37ec01be77.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1412 = "Syria Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2572 = "Turks and Caicos Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-381 = "South Africa Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-982 = "Kamchatka Standard Time" C:\Users\Admin\AppData\Local\Temp\39b4aee988d51830f280b9494464ca407b165e30e64d1f1dbe18cd37ec01be77.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-242 = "Samoa Standard Time" C:\Users\Admin\AppData\Local\Temp\39b4aee988d51830f280b9494464ca407b165e30e64d1f1dbe18cd37ec01be77.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-162 = "Central Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-772 = "Montevideo Standard Time" C:\Users\Admin\AppData\Local\Temp\39b4aee988d51830f280b9494464ca407b165e30e64d1f1dbe18cd37ec01be77.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2142 = "Transbaikal Standard Time" C:\Users\Admin\AppData\Local\Temp\39b4aee988d51830f280b9494464ca407b165e30e64d1f1dbe18cd37ec01be77.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1861 = "Russia TZ 6 Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time" C:\Users\Admin\AppData\Local\Temp\39b4aee988d51830f280b9494464ca407b165e30e64d1f1dbe18cd37ec01be77.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2491 = "Aus Central W. Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2512 = "Lord Howe Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-791 = "SA Western Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-531 = "Sri Lanka Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1411 = "Syria Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2611 = "Bougainville Daylight Time" C:\Users\Admin\AppData\Local\Temp\39b4aee988d51830f280b9494464ca407b165e30e64d1f1dbe18cd37ec01be77.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\39b4aee988d51830f280b9494464ca407b165e30e64d1f1dbe18cd37ec01be77.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\39b4aee988d51830f280b9494464ca407b165e30e64d1f1dbe18cd37ec01be77.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\39b4aee988d51830f280b9494464ca407b165e30e64d1f1dbe18cd37ec01be77.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\39b4aee988d51830f280b9494464ca407b165e30e64d1f1dbe18cd37ec01be77.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\39b4aee988d51830f280b9494464ca407b165e30e64d1f1dbe18cd37ec01be77.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\39b4aee988d51830f280b9494464ca407b165e30e64d1f1dbe18cd37ec01be77.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\39b4aee988d51830f280b9494464ca407b165e30e64d1f1dbe18cd37ec01be77.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\39b4aee988d51830f280b9494464ca407b165e30e64d1f1dbe18cd37ec01be77.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\39b4aee988d51830f280b9494464ca407b165e30e64d1f1dbe18cd37ec01be77.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\39b4aee988d51830f280b9494464ca407b165e30e64d1f1dbe18cd37ec01be77.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\39b4aee988d51830f280b9494464ca407b165e30e64d1f1dbe18cd37ec01be77.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\39b4aee988d51830f280b9494464ca407b165e30e64d1f1dbe18cd37ec01be77.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\39b4aee988d51830f280b9494464ca407b165e30e64d1f1dbe18cd37ec01be77.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\39b4aee988d51830f280b9494464ca407b165e30e64d1f1dbe18cd37ec01be77.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2136 wrote to memory of 4640 N/A C:\Users\Admin\AppData\Local\Temp\39b4aee988d51830f280b9494464ca407b165e30e64d1f1dbe18cd37ec01be77.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2136 wrote to memory of 4640 N/A C:\Users\Admin\AppData\Local\Temp\39b4aee988d51830f280b9494464ca407b165e30e64d1f1dbe18cd37ec01be77.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2136 wrote to memory of 4640 N/A C:\Users\Admin\AppData\Local\Temp\39b4aee988d51830f280b9494464ca407b165e30e64d1f1dbe18cd37ec01be77.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3544 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\39b4aee988d51830f280b9494464ca407b165e30e64d1f1dbe18cd37ec01be77.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3544 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\39b4aee988d51830f280b9494464ca407b165e30e64d1f1dbe18cd37ec01be77.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3544 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\39b4aee988d51830f280b9494464ca407b165e30e64d1f1dbe18cd37ec01be77.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3544 wrote to memory of 3208 N/A C:\Users\Admin\AppData\Local\Temp\39b4aee988d51830f280b9494464ca407b165e30e64d1f1dbe18cd37ec01be77.exe C:\Windows\system32\cmd.exe
PID 3544 wrote to memory of 3208 N/A C:\Users\Admin\AppData\Local\Temp\39b4aee988d51830f280b9494464ca407b165e30e64d1f1dbe18cd37ec01be77.exe C:\Windows\system32\cmd.exe
PID 3208 wrote to memory of 3016 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3208 wrote to memory of 3016 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3544 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\39b4aee988d51830f280b9494464ca407b165e30e64d1f1dbe18cd37ec01be77.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3544 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\39b4aee988d51830f280b9494464ca407b165e30e64d1f1dbe18cd37ec01be77.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3544 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\39b4aee988d51830f280b9494464ca407b165e30e64d1f1dbe18cd37ec01be77.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3544 wrote to memory of 1032 N/A C:\Users\Admin\AppData\Local\Temp\39b4aee988d51830f280b9494464ca407b165e30e64d1f1dbe18cd37ec01be77.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3544 wrote to memory of 1032 N/A C:\Users\Admin\AppData\Local\Temp\39b4aee988d51830f280b9494464ca407b165e30e64d1f1dbe18cd37ec01be77.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3544 wrote to memory of 1032 N/A C:\Users\Admin\AppData\Local\Temp\39b4aee988d51830f280b9494464ca407b165e30e64d1f1dbe18cd37ec01be77.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3544 wrote to memory of 3684 N/A C:\Users\Admin\AppData\Local\Temp\39b4aee988d51830f280b9494464ca407b165e30e64d1f1dbe18cd37ec01be77.exe C:\Windows\rss\csrss.exe
PID 3544 wrote to memory of 3684 N/A C:\Users\Admin\AppData\Local\Temp\39b4aee988d51830f280b9494464ca407b165e30e64d1f1dbe18cd37ec01be77.exe C:\Windows\rss\csrss.exe
PID 3544 wrote to memory of 3684 N/A C:\Users\Admin\AppData\Local\Temp\39b4aee988d51830f280b9494464ca407b165e30e64d1f1dbe18cd37ec01be77.exe C:\Windows\rss\csrss.exe
PID 3684 wrote to memory of 4976 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3684 wrote to memory of 4976 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3684 wrote to memory of 4976 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3684 wrote to memory of 2888 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3684 wrote to memory of 2888 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3684 wrote to memory of 2888 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3684 wrote to memory of 4348 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3684 wrote to memory of 4348 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3684 wrote to memory of 4348 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3684 wrote to memory of 2140 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 3684 wrote to memory of 2140 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 4956 wrote to memory of 4384 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 4956 wrote to memory of 4384 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 4956 wrote to memory of 4384 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 4384 wrote to memory of 4988 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 4384 wrote to memory of 4988 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 4384 wrote to memory of 4988 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\39b4aee988d51830f280b9494464ca407b165e30e64d1f1dbe18cd37ec01be77.exe

"C:\Users\Admin\AppData\Local\Temp\39b4aee988d51830f280b9494464ca407b165e30e64d1f1dbe18cd37ec01be77.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\39b4aee988d51830f280b9494464ca407b165e30e64d1f1dbe18cd37ec01be77.exe

"C:\Users\Admin\AppData\Local\Temp\39b4aee988d51830f280b9494464ca407b165e30e64d1f1dbe18cd37ec01be77.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zffszqah.c4u.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 3d086a433708053f9bf9523e1d87a4e8
SHA1 b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA256 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 6dc4a9b5b632f205011a0e888cd2c627
SHA1 68ab68c15883d57072fd29a0003e5374ce92a3bc
SHA256 60b05edc368718150be0d1ee57aea08bad9a1b504ee3165ae9616ad3e417df93
SHA512 618645dcd187380b2b49a48813a0d0e825969253e04c6d9c71d5fc541de09c2ba364033e120fdd473b35b88bc2650e4a4137b61df5a06da7708bd4f40cec95aa

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 61efdfce06b1a082a0c317288823ff80
SHA1 2c33a29e9e435588486229dce173bb418f8ffd01
SHA256 60d37e8e7bda1ef6d36c676dffa273edc89dd98bdceb0969758af8c502e0a4a0
SHA512 fc86d18d705fcae21f1b2efa235d868cd58b4fbe87a996285ce34da05db902c046e3597ad189b7a6c8df842823886ee1492bfe7519a98120e9147aeebf1c4fe8

C:\Windows\rss\csrss.exe

MD5 eebd746a771e4a486df57e532c4ddbf3
SHA1 d2584aad8fb704611b07e909039f683ae9880de8
SHA256 39b4aee988d51830f280b9494464ca407b165e30e64d1f1dbe18cd37ec01be77
SHA512 75f21ff3ebcf17313c1053161b7325235ed00157d52076e020693e992bccf4e7966464d79a42d1eff3e9781ea442ba56835bbdcfa056852633e1e51563a3eb6d

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 21752837b6de0efb504aef7d892d5ab5
SHA1 6fb4a60a4514725dbae1f3a559c2f2cd8dd39c37
SHA256 2bea96a2f661f4a944a8824e350283f9988b93be7c966b79b2e46577ba3e40f7
SHA512 4eff1e9f6de3cffa2a2c20c364aa4aff7de1ca32a35f4d120a075ac15659f03d652bbfa053cf9182b1e202b5348a4cf17b7c9d22d456a8827cda43c242c28dcd

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 2dcab019bbe32e173bd220a6c1de5864
SHA1 8fbba2c9193968f471a60621769dd336cefa1fe6
SHA256 5034de742dbe16d0e74044ee3def0269b5fa25ba7b2fab172a2e824206a471c0
SHA512 6c0fbb85857753ebc564c1a315d0968c47130410224cd595a9e7ab9c04f6c0778f5c10d69cb073c1d8b67f3652c6622585fc4e0fbf35c28489fc677dd3edd4d2

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 a9d46b4d2aca1f2c4d9654d669572a04
SHA1 8ea3958d3d114ef63aa872027a540106879dea4a
SHA256 b2fc43b759a45a04b4b746ec10d5b85c63a179292c844ad567cfafdbee609fdc
SHA512 f19194c2b4be338241fd39c878fda98e373443f625774924ab2fa46fbf4b3a49ccfd57287530cdfd586d71d68a693cbd81838d8366b7e5cc41c3c6c337d7e89c

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-16 15:48

Reported

2024-05-16 15:50

Platform

win11-20240426-en

Max time kernel

149s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\39b4aee988d51830f280b9494464ca407b165e30e64d1f1dbe18cd37ec01be77.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\39b4aee988d51830f280b9494464ca407b165e30e64d1f1dbe18cd37ec01be77.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\39b4aee988d51830f280b9494464ca407b165e30e64d1f1dbe18cd37ec01be77.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\39b4aee988d51830f280b9494464ca407b165e30e64d1f1dbe18cd37ec01be77.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\39b4aee988d51830f280b9494464ca407b165e30e64d1f1dbe18cd37ec01be77.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2611 = "Bougainville Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2432 = "Cuba Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-771 = "Montevideo Daylight Time" C:\Users\Admin\AppData\Local\Temp\39b4aee988d51830f280b9494464ca407b165e30e64d1f1dbe18cd37ec01be77.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2792 = "Novosibirsk Standard Time" C:\Users\Admin\AppData\Local\Temp\39b4aee988d51830f280b9494464ca407b165e30e64d1f1dbe18cd37ec01be77.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-11 = "Azores Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1662 = "Bahia Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1471 = "Magadan Daylight Time" C:\Users\Admin\AppData\Local\Temp\39b4aee988d51830f280b9494464ca407b165e30e64d1f1dbe18cd37ec01be77.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2451 = "Saint Pierre Daylight Time" C:\Users\Admin\AppData\Local\Temp\39b4aee988d51830f280b9494464ca407b165e30e64d1f1dbe18cd37ec01be77.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1871 = "Russia TZ 7 Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2571 = "Turks and Caicos Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-271 = "Greenwich Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-334 = "Jordan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-632 = "Tokyo Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-191 = "Mountain Daylight Time" C:\Users\Admin\AppData\Local\Temp\39b4aee988d51830f280b9494464ca407b165e30e64d1f1dbe18cd37ec01be77.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\39b4aee988d51830f280b9494464ca407b165e30e64d1f1dbe18cd37ec01be77.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2491 = "Aus Central W. Daylight Time" C:\Users\Admin\AppData\Local\Temp\39b4aee988d51830f280b9494464ca407b165e30e64d1f1dbe18cd37ec01be77.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2372 = "Easter Island Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-448 = "Azerbaijan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-771 = "Montevideo Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-721 = "Central Pacific Daylight Time" C:\Users\Admin\AppData\Local\Temp\39b4aee988d51830f280b9494464ca407b165e30e64d1f1dbe18cd37ec01be77.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2511 = "Lord Howe Daylight Time" C:\Users\Admin\AppData\Local\Temp\39b4aee988d51830f280b9494464ca407b165e30e64d1f1dbe18cd37ec01be77.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2872 = "Magallanes Standard Time" C:\Users\Admin\AppData\Local\Temp\39b4aee988d51830f280b9494464ca407b165e30e64d1f1dbe18cd37ec01be77.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-791 = "SA Western Daylight Time" C:\Users\Admin\AppData\Local\Temp\39b4aee988d51830f280b9494464ca407b165e30e64d1f1dbe18cd37ec01be77.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1932 = "Russia TZ 11 Standard Time" C:\Users\Admin\AppData\Local\Temp\39b4aee988d51830f280b9494464ca407b165e30e64d1f1dbe18cd37ec01be77.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-431 = "Iran Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2632 = "Norfolk Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-732 = "Fiji Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-742 = "New Zealand Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2342 = "Haiti Standard Time" C:\Users\Admin\AppData\Local\Temp\39b4aee988d51830f280b9494464ca407b165e30e64d1f1dbe18cd37ec01be77.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-332 = "E. Europe Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2432 = "Cuba Standard Time" C:\Users\Admin\AppData\Local\Temp\39b4aee988d51830f280b9494464ca407b165e30e64d1f1dbe18cd37ec01be77.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-42 = "E. South America Standard Time" C:\Users\Admin\AppData\Local\Temp\39b4aee988d51830f280b9494464ca407b165e30e64d1f1dbe18cd37ec01be77.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1802 = "Line Islands Standard Time" C:\Users\Admin\AppData\Local\Temp\39b4aee988d51830f280b9494464ca407b165e30e64d1f1dbe18cd37ec01be77.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2571 = "Turks and Caicos Daylight Time" C:\Users\Admin\AppData\Local\Temp\39b4aee988d51830f280b9494464ca407b165e30e64d1f1dbe18cd37ec01be77.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1931 = "Russia TZ 11 Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2181 = "Astrakhan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-435 = "Georgian Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-181 = "Mountain Daylight Time (Mexico)" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-435 = "Georgian Standard Time" C:\Users\Admin\AppData\Local\Temp\39b4aee988d51830f280b9494464ca407b165e30e64d1f1dbe18cd37ec01be77.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1832 = "Russia TZ 2 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-462 = "Afghanistan Standard Time" C:\Users\Admin\AppData\Local\Temp\39b4aee988d51830f280b9494464ca407b165e30e64d1f1dbe18cd37ec01be77.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-461 = "Afghanistan Daylight Time" C:\Windows\windefender.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\39b4aee988d51830f280b9494464ca407b165e30e64d1f1dbe18cd37ec01be77.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\39b4aee988d51830f280b9494464ca407b165e30e64d1f1dbe18cd37ec01be77.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\39b4aee988d51830f280b9494464ca407b165e30e64d1f1dbe18cd37ec01be77.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\39b4aee988d51830f280b9494464ca407b165e30e64d1f1dbe18cd37ec01be77.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\39b4aee988d51830f280b9494464ca407b165e30e64d1f1dbe18cd37ec01be77.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\39b4aee988d51830f280b9494464ca407b165e30e64d1f1dbe18cd37ec01be77.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\39b4aee988d51830f280b9494464ca407b165e30e64d1f1dbe18cd37ec01be77.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\39b4aee988d51830f280b9494464ca407b165e30e64d1f1dbe18cd37ec01be77.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\39b4aee988d51830f280b9494464ca407b165e30e64d1f1dbe18cd37ec01be77.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\39b4aee988d51830f280b9494464ca407b165e30e64d1f1dbe18cd37ec01be77.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\39b4aee988d51830f280b9494464ca407b165e30e64d1f1dbe18cd37ec01be77.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\39b4aee988d51830f280b9494464ca407b165e30e64d1f1dbe18cd37ec01be77.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\39b4aee988d51830f280b9494464ca407b165e30e64d1f1dbe18cd37ec01be77.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\39b4aee988d51830f280b9494464ca407b165e30e64d1f1dbe18cd37ec01be77.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1684 wrote to memory of 996 N/A C:\Users\Admin\AppData\Local\Temp\39b4aee988d51830f280b9494464ca407b165e30e64d1f1dbe18cd37ec01be77.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1684 wrote to memory of 996 N/A C:\Users\Admin\AppData\Local\Temp\39b4aee988d51830f280b9494464ca407b165e30e64d1f1dbe18cd37ec01be77.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1684 wrote to memory of 996 N/A C:\Users\Admin\AppData\Local\Temp\39b4aee988d51830f280b9494464ca407b165e30e64d1f1dbe18cd37ec01be77.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2424 wrote to memory of 4880 N/A C:\Users\Admin\AppData\Local\Temp\39b4aee988d51830f280b9494464ca407b165e30e64d1f1dbe18cd37ec01be77.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2424 wrote to memory of 4880 N/A C:\Users\Admin\AppData\Local\Temp\39b4aee988d51830f280b9494464ca407b165e30e64d1f1dbe18cd37ec01be77.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2424 wrote to memory of 4880 N/A C:\Users\Admin\AppData\Local\Temp\39b4aee988d51830f280b9494464ca407b165e30e64d1f1dbe18cd37ec01be77.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2424 wrote to memory of 4320 N/A C:\Users\Admin\AppData\Local\Temp\39b4aee988d51830f280b9494464ca407b165e30e64d1f1dbe18cd37ec01be77.exe C:\Windows\system32\cmd.exe
PID 2424 wrote to memory of 4320 N/A C:\Users\Admin\AppData\Local\Temp\39b4aee988d51830f280b9494464ca407b165e30e64d1f1dbe18cd37ec01be77.exe C:\Windows\system32\cmd.exe
PID 4320 wrote to memory of 3996 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4320 wrote to memory of 3996 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2424 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\Temp\39b4aee988d51830f280b9494464ca407b165e30e64d1f1dbe18cd37ec01be77.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2424 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\Temp\39b4aee988d51830f280b9494464ca407b165e30e64d1f1dbe18cd37ec01be77.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2424 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\Temp\39b4aee988d51830f280b9494464ca407b165e30e64d1f1dbe18cd37ec01be77.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2424 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\39b4aee988d51830f280b9494464ca407b165e30e64d1f1dbe18cd37ec01be77.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2424 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\39b4aee988d51830f280b9494464ca407b165e30e64d1f1dbe18cd37ec01be77.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2424 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\39b4aee988d51830f280b9494464ca407b165e30e64d1f1dbe18cd37ec01be77.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2424 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\39b4aee988d51830f280b9494464ca407b165e30e64d1f1dbe18cd37ec01be77.exe C:\Windows\rss\csrss.exe
PID 2424 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\39b4aee988d51830f280b9494464ca407b165e30e64d1f1dbe18cd37ec01be77.exe C:\Windows\rss\csrss.exe
PID 2424 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\39b4aee988d51830f280b9494464ca407b165e30e64d1f1dbe18cd37ec01be77.exe C:\Windows\rss\csrss.exe
PID 2800 wrote to memory of 404 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2800 wrote to memory of 404 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2800 wrote to memory of 404 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2800 wrote to memory of 1520 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2800 wrote to memory of 1520 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2800 wrote to memory of 1520 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2800 wrote to memory of 1140 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2800 wrote to memory of 1140 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2800 wrote to memory of 1140 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2800 wrote to memory of 2472 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 2800 wrote to memory of 2472 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 3524 wrote to memory of 1036 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 3524 wrote to memory of 1036 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 3524 wrote to memory of 1036 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 1036 wrote to memory of 1936 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 1036 wrote to memory of 1936 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 1036 wrote to memory of 1936 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\39b4aee988d51830f280b9494464ca407b165e30e64d1f1dbe18cd37ec01be77.exe

"C:\Users\Admin\AppData\Local\Temp\39b4aee988d51830f280b9494464ca407b165e30e64d1f1dbe18cd37ec01be77.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\39b4aee988d51830f280b9494464ca407b165e30e64d1f1dbe18cd37ec01be77.exe

"C:\Users\Admin\AppData\Local\Temp\39b4aee988d51830f280b9494464ca407b165e30e64d1f1dbe18cd37ec01be77.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 7ce78c48-93d2-49cb-a3ef-ac4df68f6847.uuid.localstats.org udp
US 8.8.8.8:53 server5.localstats.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.130.233:443 cdn.discordapp.com tcp
BG 185.82.216.111:443 server5.localstats.org tcp
US 104.21.94.82:443 carsalessystem.com tcp
N/A 127.0.0.1:3478 udp
BG 185.82.216.111:443 server5.localstats.org tcp
DE 81.3.27.44:3478 stun.ipfire.org udp
BG 185.82.216.111:443 server5.localstats.org tcp
BG 185.82.216.111:443 server5.localstats.org tcp
BG 185.82.216.111:443 server5.localstats.org tcp
N/A 127.0.0.1:31465 tcp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_sgdl3heh.rr2.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 ac4917a885cf6050b1a483e4bc4d2ea5
SHA1 b1c0a9f27bd21c6bbb8e9be70db8777b4a2a640f
SHA256 e39062a62c3c7617feeeff95ea8a0be51104a0d36f46e44eea22556fda74d8d9
SHA512 092c67a3ecae1d187cad72a8ea1ea37cb78a0cf79c2cd7fb88953e5990669a2e871267015762fd46d274badb88ac0c1d73b00f1df7394d89bed48a3a45c2ba3d

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 d8b5b8d5d97b8f0980b20b76b3a6a689
SHA1 ad6e6a32815e4fa7e07e02a1967dff3ee89db125
SHA256 a269c6338d338a2eaff57f1467a81997094a4d872ea4967dc1fb72662e333271
SHA512 4c6002e831ee51f14da69e4d86a8121a8d302d13063f19fda94d68c328039c045c0504b1f691a40e1f7e79cc117884fdb9711a164bc90e069d894b6a6d9b2e72

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 4df6afae1277ebe2ddb69430714ad58f
SHA1 967873b4738fa4aaa99ebfbba2ce2484411c36d2
SHA256 8477bc7d5b168f31f7cd768b5469524c8f2a6420a4d14c417bd8d175540d89a6
SHA512 ba220708fcc99243031d1103dd24e56ab7d9a534139c9e4e65206b9ddd0aa1850d4e089976e3bf835134133f336b8c5fdbc5716d0e698ba0fc3579c88eba3edf

C:\Windows\rss\csrss.exe

MD5 eebd746a771e4a486df57e532c4ddbf3
SHA1 d2584aad8fb704611b07e909039f683ae9880de8
SHA256 39b4aee988d51830f280b9494464ca407b165e30e64d1f1dbe18cd37ec01be77
SHA512 75f21ff3ebcf17313c1053161b7325235ed00157d52076e020693e992bccf4e7966464d79a42d1eff3e9781ea442ba56835bbdcfa056852633e1e51563a3eb6d

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 d10983f3d2d93cc5c4b88b634e943d7f
SHA1 2bde179efb7566867024905aab620ed4c78b4c0e
SHA256 2fbf96c770e3a6914e26461fcf6c660877c840d5136bf13cbf33a529f659fc6e
SHA512 df0cd525cde3bd03bb9f91559c786989e86c6d95d1eb51b7fdb78a2552999e873fd9d9e7f6439f64acb4aa76f2563bafdaf0ed016b41a7ea0d79561978947407

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 cce405d20aeace16df4fbb416a302194
SHA1 49e33e8c97132d1a5b39872e581698b6445d7d14
SHA256 579e450d81e2d43d060e4e7d766422968abae09a74cd08f353d0c6ae46da4044
SHA512 ac076bb66871fc604f674590dd6acfa43a8b23ec9bfb49df678610c4a5ddfc9a93cd707e967966db2bc3489fc10acc501e47e732e6bc0b5d7781415cf534ac7b

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 54505a77a56e41a6ca3a88cd53b59c72
SHA1 3891bb49362a6e8f4498b8586229ce7d746825fc
SHA256 15f1d37c5e0bbbe05de76ce21dc137400114a781507f8059b1cdda24f34fef7a
SHA512 1c952b93d8a00e435a1772ad020b6439b923536ff824e65bc4069d82a5185aa0782d44e0fa69972c169e7dc9c9d3e921ca8ad53530d9c2dc542fcb48f4103cdd

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec
