Malware Analysis Report

2024-12-08 02:20

Sample ID 240516-s9naasbh6s
Target e734308101b7635e382127beacc5c85527cb08a7a96b68f38052e7d42b962695
SHA256 e734308101b7635e382127beacc5c85527cb08a7a96b68f38052e7d42b962695
Tags
glupteba discovery dropper evasion execution loader persistence rootkit upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

e734308101b7635e382127beacc5c85527cb08a7a96b68f38052e7d42b962695

Threat Level: Known bad

The file e734308101b7635e382127beacc5c85527cb08a7a96b68f38052e7d42b962695 was found to be: Known bad.

Malicious Activity Summary

glupteba discovery dropper evasion execution loader persistence rootkit upx

Glupteba

Glupteba payload

Modifies Windows Firewall

Executes dropped EXE

UPX packed file

Manipulates WinMonFS driver

Adds Run key to start application

Checks installed software on the system

Drops file in System32 directory

Launches sc.exe

Drops file in Windows directory

Checks for VirtualBox DLLs, possible anti-VM trick

Command and Scripting Interpreter: PowerShell

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Modifies data under HKEY_USERS

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-16 15:49

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-16 15:49

Reported

2024-05-16 15:52

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e734308101b7635e382127beacc5c85527cb08a7a96b68f38052e7d42b962695.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\e734308101b7635e382127beacc5c85527cb08a7a96b68f38052e7d42b962695.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\e734308101b7635e382127beacc5c85527cb08a7a96b68f38052e7d42b962695.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\e734308101b7635e382127beacc5c85527cb08a7a96b68f38052e7d42b962695.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\e734308101b7635e382127beacc5c85527cb08a7a96b68f38052e7d42b962695.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1912 = "Russia TZ 10 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1042 = "Ulaanbaatar Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2181 = "Astrakhan Daylight Time" C:\Users\Admin\AppData\Local\Temp\e734308101b7635e382127beacc5c85527cb08a7a96b68f38052e7d42b962695.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1022 = "Bangladesh Standard Time" C:\Users\Admin\AppData\Local\Temp\e734308101b7635e382127beacc5c85527cb08a7a96b68f38052e7d42b962695.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2001 = "Cabo Verde Daylight Time" C:\Users\Admin\AppData\Local\Temp\e734308101b7635e382127beacc5c85527cb08a7a96b68f38052e7d42b962695.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-512 = "Central Asia Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-112 = "Eastern Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1841 = "Russia TZ 4 Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1861 = "Russia TZ 6 Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-402 = "Arabic Standard Time" C:\Users\Admin\AppData\Local\Temp\e734308101b7635e382127beacc5c85527cb08a7a96b68f38052e7d42b962695.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-331 = "E. Europe Daylight Time" C:\Users\Admin\AppData\Local\Temp\e734308101b7635e382127beacc5c85527cb08a7a96b68f38052e7d42b962695.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\e734308101b7635e382127beacc5c85527cb08a7a96b68f38052e7d42b962695.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-441 = "Arabian Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-212 = "Pacific Standard Time" C:\Users\Admin\AppData\Local\Temp\e734308101b7635e382127beacc5c85527cb08a7a96b68f38052e7d42b962695.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-131 = "US Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\e734308101b7635e382127beacc5c85527cb08a7a96b68f38052e7d42b962695.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-391 = "Arab Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2002 = "Cabo Verde Standard Time" C:\Users\Admin\AppData\Local\Temp\e734308101b7635e382127beacc5c85527cb08a7a96b68f38052e7d42b962695.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-591 = "Malay Peninsula Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-931 = "Coordinated Universal Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-562 = "SE Asia Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-202 = "US Mountain Standard Time" C:\Users\Admin\AppData\Local\Temp\e734308101b7635e382127beacc5c85527cb08a7a96b68f38052e7d42b962695.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2372 = "Easter Island Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-832 = "SA Eastern Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1862 = "Russia TZ 6 Standard Time" C:\Users\Admin\AppData\Local\Temp\e734308101b7635e382127beacc5c85527cb08a7a96b68f38052e7d42b962695.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2411 = "Marquesas Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1831 = "Russia TZ 2 Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-122 = "SA Pacific Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-221 = "Alaskan Daylight Time" C:\Users\Admin\AppData\Local\Temp\e734308101b7635e382127beacc5c85527cb08a7a96b68f38052e7d42b962695.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1801 = "Line Islands Daylight Time" C:\Users\Admin\AppData\Local\Temp\e734308101b7635e382127beacc5c85527cb08a7a96b68f38052e7d42b962695.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-911 = "Mauritius Daylight Time" C:\Users\Admin\AppData\Local\Temp\e734308101b7635e382127beacc5c85527cb08a7a96b68f38052e7d42b962695.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1471 = "Magadan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-401 = "Arabic Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-72 = "Newfoundland Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1872 = "Russia TZ 7 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1802 = "Line Islands Standard Time" C:\Users\Admin\AppData\Local\Temp\e734308101b7635e382127beacc5c85527cb08a7a96b68f38052e7d42b962695.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1501 = "Turkey Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-592 = "Malay Peninsula Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-672 = "AUS Eastern Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-661 = "Cen. Australia Daylight Time" C:\Users\Admin\AppData\Local\Temp\e734308101b7635e382127beacc5c85527cb08a7a96b68f38052e7d42b962695.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1911 = "Russia TZ 10 Daylight Time" C:\Users\Admin\AppData\Local\Temp\e734308101b7635e382127beacc5c85527cb08a7a96b68f38052e7d42b962695.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e734308101b7635e382127beacc5c85527cb08a7a96b68f38052e7d42b962695.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e734308101b7635e382127beacc5c85527cb08a7a96b68f38052e7d42b962695.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e734308101b7635e382127beacc5c85527cb08a7a96b68f38052e7d42b962695.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e734308101b7635e382127beacc5c85527cb08a7a96b68f38052e7d42b962695.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e734308101b7635e382127beacc5c85527cb08a7a96b68f38052e7d42b962695.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e734308101b7635e382127beacc5c85527cb08a7a96b68f38052e7d42b962695.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e734308101b7635e382127beacc5c85527cb08a7a96b68f38052e7d42b962695.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e734308101b7635e382127beacc5c85527cb08a7a96b68f38052e7d42b962695.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e734308101b7635e382127beacc5c85527cb08a7a96b68f38052e7d42b962695.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e734308101b7635e382127beacc5c85527cb08a7a96b68f38052e7d42b962695.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e734308101b7635e382127beacc5c85527cb08a7a96b68f38052e7d42b962695.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e734308101b7635e382127beacc5c85527cb08a7a96b68f38052e7d42b962695.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e734308101b7635e382127beacc5c85527cb08a7a96b68f38052e7d42b962695.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\e734308101b7635e382127beacc5c85527cb08a7a96b68f38052e7d42b962695.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4732 wrote to memory of 1164 N/A C:\Users\Admin\AppData\Local\Temp\e734308101b7635e382127beacc5c85527cb08a7a96b68f38052e7d42b962695.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4732 wrote to memory of 1164 N/A C:\Users\Admin\AppData\Local\Temp\e734308101b7635e382127beacc5c85527cb08a7a96b68f38052e7d42b962695.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4732 wrote to memory of 1164 N/A C:\Users\Admin\AppData\Local\Temp\e734308101b7635e382127beacc5c85527cb08a7a96b68f38052e7d42b962695.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1160 wrote to memory of 1756 N/A C:\Users\Admin\AppData\Local\Temp\e734308101b7635e382127beacc5c85527cb08a7a96b68f38052e7d42b962695.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1160 wrote to memory of 1756 N/A C:\Users\Admin\AppData\Local\Temp\e734308101b7635e382127beacc5c85527cb08a7a96b68f38052e7d42b962695.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1160 wrote to memory of 1756 N/A C:\Users\Admin\AppData\Local\Temp\e734308101b7635e382127beacc5c85527cb08a7a96b68f38052e7d42b962695.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1160 wrote to memory of 4900 N/A C:\Users\Admin\AppData\Local\Temp\e734308101b7635e382127beacc5c85527cb08a7a96b68f38052e7d42b962695.exe C:\Windows\system32\cmd.exe
PID 1160 wrote to memory of 4900 N/A C:\Users\Admin\AppData\Local\Temp\e734308101b7635e382127beacc5c85527cb08a7a96b68f38052e7d42b962695.exe C:\Windows\system32\cmd.exe
PID 4900 wrote to memory of 1660 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4900 wrote to memory of 1660 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1160 wrote to memory of 1324 N/A C:\Users\Admin\AppData\Local\Temp\e734308101b7635e382127beacc5c85527cb08a7a96b68f38052e7d42b962695.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1160 wrote to memory of 1324 N/A C:\Users\Admin\AppData\Local\Temp\e734308101b7635e382127beacc5c85527cb08a7a96b68f38052e7d42b962695.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1160 wrote to memory of 1324 N/A C:\Users\Admin\AppData\Local\Temp\e734308101b7635e382127beacc5c85527cb08a7a96b68f38052e7d42b962695.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1160 wrote to memory of 1840 N/A C:\Users\Admin\AppData\Local\Temp\e734308101b7635e382127beacc5c85527cb08a7a96b68f38052e7d42b962695.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1160 wrote to memory of 1840 N/A C:\Users\Admin\AppData\Local\Temp\e734308101b7635e382127beacc5c85527cb08a7a96b68f38052e7d42b962695.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1160 wrote to memory of 1840 N/A C:\Users\Admin\AppData\Local\Temp\e734308101b7635e382127beacc5c85527cb08a7a96b68f38052e7d42b962695.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1160 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\e734308101b7635e382127beacc5c85527cb08a7a96b68f38052e7d42b962695.exe C:\Windows\rss\csrss.exe
PID 1160 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\e734308101b7635e382127beacc5c85527cb08a7a96b68f38052e7d42b962695.exe C:\Windows\rss\csrss.exe
PID 1160 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\e734308101b7635e382127beacc5c85527cb08a7a96b68f38052e7d42b962695.exe C:\Windows\rss\csrss.exe
PID 2996 wrote to memory of 2304 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2996 wrote to memory of 2304 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2996 wrote to memory of 2304 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2996 wrote to memory of 4480 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2996 wrote to memory of 4480 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2996 wrote to memory of 4480 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2996 wrote to memory of 4908 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2996 wrote to memory of 4908 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2996 wrote to memory of 4908 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2996 wrote to memory of 4504 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 2996 wrote to memory of 4504 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 1960 wrote to memory of 3092 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 1960 wrote to memory of 3092 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 1960 wrote to memory of 3092 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 3092 wrote to memory of 3256 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 3092 wrote to memory of 3256 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 3092 wrote to memory of 3256 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\e734308101b7635e382127beacc5c85527cb08a7a96b68f38052e7d42b962695.exe

"C:\Users\Admin\AppData\Local\Temp\e734308101b7635e382127beacc5c85527cb08a7a96b68f38052e7d42b962695.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\e734308101b7635e382127beacc5c85527cb08a7a96b68f38052e7d42b962695.exe

"C:\Users\Admin\AppData\Local\Temp\e734308101b7635e382127beacc5c85527cb08a7a96b68f38052e7d42b962695.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 21.53.126.40.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
NL 23.62.61.187:443 www.bing.com tcp
US 8.8.8.8:53 187.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 771fbaaf-2ad2-4977-92f5-f5d3fc197cdb.uuid.thestatsfiles.ru udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 stun3.l.google.com udp
US 8.8.8.8:53 server13.thestatsfiles.ru udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.133.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 139.53.16.96.in-addr.arpa udp
US 74.125.250.129:19302 stun3.l.google.com udp
BG 185.82.216.96:443 server13.thestatsfiles.ru tcp
US 8.8.8.8:53 carsalessystem.com udp
US 172.67.221.71:443 carsalessystem.com tcp
US 8.8.8.8:53 233.133.159.162.in-addr.arpa udp
US 8.8.8.8:53 129.250.125.74.in-addr.arpa udp
US 8.8.8.8:53 96.216.82.185.in-addr.arpa udp
US 8.8.8.8:53 71.221.67.172.in-addr.arpa udp
BG 185.82.216.96:443 server13.thestatsfiles.ru tcp
US 8.8.8.8:53 37.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 52.111.229.43:443 tcp
BG 185.82.216.96:443 server13.thestatsfiles.ru tcp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 14.179.89.13.in-addr.arpa udp

Files

memory/4732-1-0x0000000002960000-0x0000000002D66000-memory.dmp

memory/4732-2-0x0000000002D70000-0x000000000365B000-memory.dmp

memory/4732-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1164-4-0x000000007417E000-0x000000007417F000-memory.dmp

memory/1164-5-0x0000000000D60000-0x0000000000D96000-memory.dmp

memory/1164-6-0x0000000074170000-0x0000000074920000-memory.dmp

memory/1164-7-0x0000000004C70000-0x0000000005298000-memory.dmp

memory/1164-8-0x0000000074170000-0x0000000074920000-memory.dmp

memory/1164-9-0x0000000004B30000-0x0000000004B52000-memory.dmp

memory/1164-10-0x0000000005310000-0x0000000005376000-memory.dmp

memory/1164-11-0x0000000005380000-0x00000000053E6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bscug4yq.xkm.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1164-21-0x00000000055C0000-0x0000000005914000-memory.dmp

memory/1164-22-0x0000000005B00000-0x0000000005B1E000-memory.dmp

memory/1164-23-0x0000000005B40000-0x0000000005B8C000-memory.dmp

memory/1164-24-0x0000000006070000-0x00000000060B4000-memory.dmp

memory/1164-25-0x0000000006E40000-0x0000000006EB6000-memory.dmp

memory/1164-26-0x0000000007540000-0x0000000007BBA000-memory.dmp

memory/1164-27-0x0000000006EC0000-0x0000000006EDA000-memory.dmp

memory/1164-28-0x0000000007080000-0x00000000070B2000-memory.dmp

memory/1164-30-0x0000000070190000-0x00000000704E4000-memory.dmp

memory/1164-29-0x0000000070010000-0x000000007005C000-memory.dmp

memory/1164-41-0x0000000074170000-0x0000000074920000-memory.dmp

memory/1164-40-0x00000000070C0000-0x00000000070DE000-memory.dmp

memory/1164-42-0x00000000070E0000-0x0000000007183000-memory.dmp

memory/1164-43-0x00000000071D0000-0x00000000071DA000-memory.dmp

memory/1164-44-0x0000000007290000-0x0000000007326000-memory.dmp

memory/1164-45-0x0000000074170000-0x0000000074920000-memory.dmp

memory/1164-46-0x00000000071F0000-0x0000000007201000-memory.dmp

memory/1164-47-0x0000000007230000-0x000000000723E000-memory.dmp

memory/1164-48-0x0000000007240000-0x0000000007254000-memory.dmp

memory/1164-49-0x0000000007330000-0x000000000734A000-memory.dmp

memory/1164-50-0x0000000007280000-0x0000000007288000-memory.dmp

memory/1164-53-0x0000000074170000-0x0000000074920000-memory.dmp

memory/1160-55-0x0000000002960000-0x0000000002D5D000-memory.dmp

memory/1756-56-0x0000000006280000-0x00000000065D4000-memory.dmp

memory/1756-66-0x0000000070010000-0x000000007005C000-memory.dmp

memory/1756-67-0x0000000070790000-0x0000000070AE4000-memory.dmp

memory/1756-77-0x0000000007A70000-0x0000000007B13000-memory.dmp

memory/1756-78-0x0000000007D90000-0x0000000007DA1000-memory.dmp

memory/1756-79-0x0000000007DE0000-0x0000000007DF4000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

memory/4732-84-0x0000000002960000-0x0000000002D66000-memory.dmp

memory/4732-83-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4732-85-0x0000000002D70000-0x000000000365B000-memory.dmp

memory/1324-86-0x0000000006280000-0x00000000065D4000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 06bb2a2dc6a99337515f2fda2a42de94
SHA1 ef367b20f1b0cca14c700f21a4dbda318444f32e
SHA256 dc2926b5eb46e492a05c17d716986fbea4acee684348cd5b1941c0077d48237c
SHA512 469e021f794cfe622521b70c7e4c5db9dace64246a68e85e7bcd2e99e3dd94e5541c40218ce8799bfa9c0355e91cdb0969238a01f8dc835e1f1f371ed4920660

memory/1324-97-0x0000000070010000-0x000000007005C000-memory.dmp

memory/1324-98-0x00000000707B0000-0x0000000070B04000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 9d737a61cc6a0bddab55a13fd95feb6b
SHA1 0e848eeec000102d626dc81cdc029b222528b4a7
SHA256 0637b776c426d04cd0b92af3f99b54ed2e085902e258cf2d2ffabae821d3629e
SHA512 77a2d716901f3d47a5866507e803b448cc78da167c7e5a88139454e61fce67eb58e19c669955aaa6742ac078c8ced22ffe6e6b67a7e4c645978b3259280ca0dc

memory/1840-119-0x0000000070010000-0x000000007005C000-memory.dmp

memory/1840-120-0x0000000070790000-0x0000000070AE4000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 70438379455039ae71058944b99da5fb
SHA1 decfb0a2434bbab04d87667d8bb72ffa95e59340
SHA256 e734308101b7635e382127beacc5c85527cb08a7a96b68f38052e7d42b962695
SHA512 0adcfcbc143b52fda0de975dd8b0b9c30a4dbd44049f4c0c47d6c4ae734d63c01f7b344a5443ec09b519d9600b768a7c9ec774b4f660b79e0cc5207475365373

memory/1160-134-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 0a8611cb7c74ecdc75b94ead4a763b90
SHA1 4bd721dae5745d06b35560cb8cc06881d298972d
SHA256 d9e0d89b757134011efe740b100ba574522d05b45c2695b69a806bd198eda767
SHA512 3cafcfb685dc25c0d3ea2bb1d448410cd0c5b8b65c65689e2bd98a483f208c4da0db8272ea2ac8558db5bcd3175d35d10e651f4f121280adfc26328c1ab18ee7

memory/2304-148-0x0000000070190000-0x00000000704E4000-memory.dmp

memory/2304-147-0x0000000070010000-0x000000007005C000-memory.dmp

memory/4480-159-0x0000000005AC0000-0x0000000005E14000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 f64a3fffdf821fe5e83ae1cc9ea02cbe
SHA1 5c941f719ca95402fbd3ae242e0bde16e7b955d5
SHA256 2f6381af18c2be9411d519e29b701c0eddff16e9bbe2a5d7f12ff051b2a62ac5
SHA512 449944c540c47606e2e150fa5ed52197fa2b9a5c240ad018d88445a4f2d37ed1f75bcd408542654a5e5edb68fb27700cd42fb3d6448c12d4ada21b9818da672e

memory/4480-170-0x00000000061E0000-0x000000000622C000-memory.dmp

memory/4480-172-0x000000006FF30000-0x000000006FF7C000-memory.dmp

memory/4480-173-0x00000000706C0000-0x0000000070A14000-memory.dmp

memory/4480-183-0x00000000073A0000-0x0000000007443000-memory.dmp

memory/4480-184-0x00000000076C0000-0x00000000076D1000-memory.dmp

memory/4480-185-0x0000000005F60000-0x0000000005F74000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 c1494be11de2381b4b8c9bde018d80fe
SHA1 eabb7d1d189ac8e6870e96083fba5cf56303b5e7
SHA256 0c8a8082f571bf29455996135c36273c54ae3ac55ab70174c8922002737991ae
SHA512 8b4ca3faac436c450168660386e0faf69068654f5cb89b1fd20b3e7d257cd796a6a0ac51300b16643b7005be1d95e7e943e286a071296babac25dca0fbb5941c

memory/4908-197-0x000000006FF30000-0x000000006FF7C000-memory.dmp

memory/4908-198-0x00000000706C0000-0x0000000070A14000-memory.dmp

memory/2996-209-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/2996-219-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1960-220-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4132-223-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/1960-224-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2996-226-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4132-227-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2996-229-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4132-233-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2996-232-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2996-235-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2996-238-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2996-241-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4132-242-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2996-244-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2996-247-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2996-250-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2996-253-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2996-256-0x0000000000400000-0x0000000000D1C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-16 15:49

Reported

2024-05-16 15:52

Platform

win11-20240426-en

Max time kernel

149s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e734308101b7635e382127beacc5c85527cb08a7a96b68f38052e7d42b962695.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\e734308101b7635e382127beacc5c85527cb08a7a96b68f38052e7d42b962695.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\e734308101b7635e382127beacc5c85527cb08a7a96b68f38052e7d42b962695.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\e734308101b7635e382127beacc5c85527cb08a7a96b68f38052e7d42b962695.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\e734308101b7635e382127beacc5c85527cb08a7a96b68f38052e7d42b962695.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-512 = "Central Asia Standard Time" C:\Users\Admin\AppData\Local\Temp\e734308101b7635e382127beacc5c85527cb08a7a96b68f38052e7d42b962695.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-172 = "Central Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\e734308101b7635e382127beacc5c85527cb08a7a96b68f38052e7d42b962695.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-181 = "Mountain Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\e734308101b7635e382127beacc5c85527cb08a7a96b68f38052e7d42b962695.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-692 = "Tasmania Standard Time" C:\Users\Admin\AppData\Local\Temp\e734308101b7635e382127beacc5c85527cb08a7a96b68f38052e7d42b962695.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-292 = "Central European Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2002 = "Cabo Verde Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-251 = "Dateline Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2492 = "Aus Central W. Standard Time" C:\Users\Admin\AppData\Local\Temp\e734308101b7635e382127beacc5c85527cb08a7a96b68f38052e7d42b962695.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-722 = "Central Pacific Standard Time" C:\Users\Admin\AppData\Local\Temp\e734308101b7635e382127beacc5c85527cb08a7a96b68f38052e7d42b962695.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-571 = "China Daylight Time" C:\Users\Admin\AppData\Local\Temp\e734308101b7635e382127beacc5c85527cb08a7a96b68f38052e7d42b962695.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-261 = "GMT Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-382 = "South Africa Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-282 = "Central Europe Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-214 = "Pacific Daylight Time (Mexico)" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2391 = "Aleutian Daylight Time" C:\Users\Admin\AppData\Local\Temp\e734308101b7635e382127beacc5c85527cb08a7a96b68f38052e7d42b962695.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-392 = "Arab Standard Time" C:\Users\Admin\AppData\Local\Temp\e734308101b7635e382127beacc5c85527cb08a7a96b68f38052e7d42b962695.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-411 = "E. Africa Daylight Time" C:\Users\Admin\AppData\Local\Temp\e734308101b7635e382127beacc5c85527cb08a7a96b68f38052e7d42b962695.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2391 = "Aleutian Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-872 = "Pakistan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-721 = "Central Pacific Daylight Time" C:\Users\Admin\AppData\Local\Temp\e734308101b7635e382127beacc5c85527cb08a7a96b68f38052e7d42b962695.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2631 = "Norfolk Daylight Time" C:\Users\Admin\AppData\Local\Temp\e734308101b7635e382127beacc5c85527cb08a7a96b68f38052e7d42b962695.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-872 = "Pakistan Standard Time" C:\Users\Admin\AppData\Local\Temp\e734308101b7635e382127beacc5c85527cb08a7a96b68f38052e7d42b962695.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2511 = "Lord Howe Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-215 = "Pacific Standard Time (Mexico)" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time" C:\Users\Admin\AppData\Local\Temp\e734308101b7635e382127beacc5c85527cb08a7a96b68f38052e7d42b962695.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-601 = "Taipei Daylight Time" C:\Users\Admin\AppData\Local\Temp\e734308101b7635e382127beacc5c85527cb08a7a96b68f38052e7d42b962695.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-432 = "Iran Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-461 = "Afghanistan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-442 = "Arabian Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-672 = "AUS Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\e734308101b7635e382127beacc5c85527cb08a7a96b68f38052e7d42b962695.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-11 = "Azores Daylight Time" C:\Users\Admin\AppData\Local\Temp\e734308101b7635e382127beacc5c85527cb08a7a96b68f38052e7d42b962695.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-212 = "Pacific Standard Time" C:\Users\Admin\AppData\Local\Temp\e734308101b7635e382127beacc5c85527cb08a7a96b68f38052e7d42b962695.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-412 = "E. Africa Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-601 = "Taipei Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-381 = "South Africa Daylight Time" C:\Users\Admin\AppData\Local\Temp\e734308101b7635e382127beacc5c85527cb08a7a96b68f38052e7d42b962695.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-451 = "Caucasus Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-932 = "Coordinated Universal Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-221 = "Alaskan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2411 = "Marquesas Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-261 = "GMT Daylight Time" C:\Users\Admin\AppData\Local\Temp\e734308101b7635e382127beacc5c85527cb08a7a96b68f38052e7d42b962695.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1472 = "Magadan Standard Time" C:\Users\Admin\AppData\Local\Temp\e734308101b7635e382127beacc5c85527cb08a7a96b68f38052e7d42b962695.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1872 = "Russia TZ 7 Standard Time" C:\Users\Admin\AppData\Local\Temp\e734308101b7635e382127beacc5c85527cb08a7a96b68f38052e7d42b962695.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1911 = "Russia TZ 10 Daylight Time" C:\Users\Admin\AppData\Local\Temp\e734308101b7635e382127beacc5c85527cb08a7a96b68f38052e7d42b962695.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2162 = "Altai Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2001 = "Cabo Verde Daylight Time" C:\Users\Admin\AppData\Local\Temp\e734308101b7635e382127beacc5c85527cb08a7a96b68f38052e7d42b962695.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2772 = "Omsk Standard Time" C:\Users\Admin\AppData\Local\Temp\e734308101b7635e382127beacc5c85527cb08a7a96b68f38052e7d42b962695.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-181 = "Mountain Daylight Time (Mexico)" C:\Windows\windefender.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e734308101b7635e382127beacc5c85527cb08a7a96b68f38052e7d42b962695.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e734308101b7635e382127beacc5c85527cb08a7a96b68f38052e7d42b962695.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e734308101b7635e382127beacc5c85527cb08a7a96b68f38052e7d42b962695.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e734308101b7635e382127beacc5c85527cb08a7a96b68f38052e7d42b962695.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e734308101b7635e382127beacc5c85527cb08a7a96b68f38052e7d42b962695.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e734308101b7635e382127beacc5c85527cb08a7a96b68f38052e7d42b962695.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e734308101b7635e382127beacc5c85527cb08a7a96b68f38052e7d42b962695.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e734308101b7635e382127beacc5c85527cb08a7a96b68f38052e7d42b962695.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e734308101b7635e382127beacc5c85527cb08a7a96b68f38052e7d42b962695.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e734308101b7635e382127beacc5c85527cb08a7a96b68f38052e7d42b962695.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e734308101b7635e382127beacc5c85527cb08a7a96b68f38052e7d42b962695.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e734308101b7635e382127beacc5c85527cb08a7a96b68f38052e7d42b962695.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e734308101b7635e382127beacc5c85527cb08a7a96b68f38052e7d42b962695.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\e734308101b7635e382127beacc5c85527cb08a7a96b68f38052e7d42b962695.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4264 wrote to memory of 4464 N/A C:\Users\Admin\AppData\Local\Temp\e734308101b7635e382127beacc5c85527cb08a7a96b68f38052e7d42b962695.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2940 wrote to memory of 548 N/A C:\Users\Admin\AppData\Local\Temp\e734308101b7635e382127beacc5c85527cb08a7a96b68f38052e7d42b962695.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2940 wrote to memory of 3536 N/A C:\Users\Admin\AppData\Local\Temp\e734308101b7635e382127beacc5c85527cb08a7a96b68f38052e7d42b962695.exe C:\Windows\system32\cmd.exe
PID 3536 wrote to memory of 2476 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2940 wrote to memory of 1112 N/A C:\Users\Admin\AppData\Local\Temp\e734308101b7635e382127beacc5c85527cb08a7a96b68f38052e7d42b962695.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2940 wrote to memory of 232 N/A C:\Users\Admin\AppData\Local\Temp\e734308101b7635e382127beacc5c85527cb08a7a96b68f38052e7d42b962695.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2940 wrote to memory of 3744 N/A C:\Users\Admin\AppData\Local\Temp\e734308101b7635e382127beacc5c85527cb08a7a96b68f38052e7d42b962695.exe C:\Windows\rss\csrss.exe
PID 3744 wrote to memory of 5040 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3744 wrote to memory of 1812 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3744 wrote to memory of 3096 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3744 wrote to memory of 2988 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 5020 wrote to memory of 4952 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 4952 wrote to memory of 4008 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\e734308101b7635e382127beacc5c85527cb08a7a96b68f38052e7d42b962695.exe

"C:\Users\Admin\AppData\Local\Temp\e734308101b7635e382127beacc5c85527cb08a7a96b68f38052e7d42b962695.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\e734308101b7635e382127beacc5c85527cb08a7a96b68f38052e7d42b962695.exe

"C:\Users\Admin\AppData\Local\Temp\e734308101b7635e382127beacc5c85527cb08a7a96b68f38052e7d42b962695.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 1caa2310-9faa-4bea-9cdf-a93bb2ad3721.uuid.thestatsfiles.ru udp
US 8.8.8.8:53 server16.thestatsfiles.ru udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.133.233:443 cdn.discordapp.com tcp
US 74.125.250.129:19302 stun.l.google.com udp
BG 185.82.216.96:443 server16.thestatsfiles.ru tcp
US 104.21.94.82:443 carsalessystem.com tcp
US 8.8.8.8:53 82.94.21.104.in-addr.arpa udp
US 52.111.229.48:443 tcp
N/A 127.0.0.1:31465 tcp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tapu4ffa.qs1.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 d0c46cad6c0778401e21910bd6b56b70
SHA1 7be418951ea96326aca445b8dfe449b2bfa0dca6
SHA256 9600b3fdf0565ccb49e21656aa4b24d7c18f776bfd04d9ee984b134707550f02
SHA512 057531b468f7fbbb2175a696a8aab274dec0d17d9f71df309edcff35e064f3378050066a3df47ccd03048fac461594ec75e3d4fe64f9dd79949d129f51e02949

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 abf9a682144b32880ef450c0d79b97ae
SHA1 949588aecec5d50d7245bac70c6e09502ccac89c
SHA256 348466854c0b17be8fbfff6f2e245a9cf34f5367392bd468062c6e9916509a19
SHA512 f96f258fd9852827ef31bd2047287ed1343052687e7d139787bd4e792583816d0134b75889ef3cde26340a77a80bb3dc38bbe07a00faae2f8e23a94778485d15

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 357e596c9695bacbcc779bda629b4c9b
SHA1 e1a745d9b7dcd026481c9f60da2954789bfd6b8d
SHA256 b5d77ae6e7c9c14a303b4bdc3038b4483220fb77d15488c50a4aeadf0e68031c
SHA512 83920b3050895fcdef9029b0fad4edcfc3ced8a0c549ccf8b5227c69db7679a35f1227c6e9328fefd33fa4a8505167ffe328848647a70753beeabcb10070af16

C:\Windows\rss\csrss.exe

MD5 70438379455039ae71058944b99da5fb
SHA1 decfb0a2434bbab04d87667d8bb72ffa95e59340
SHA256 e734308101b7635e382127beacc5c85527cb08a7a96b68f38052e7d42b962695
SHA512 0adcfcbc143b52fda0de975dd8b0b9c30a4dbd44049f4c0c47d6c4ae734d63c01f7b344a5443ec09b519d9600b768a7c9ec774b4f660b79e0cc5207475365373

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 8528d2f1a3a3da11a47c0d4dcf25a769
SHA1 5011bb046c3bd2e945d8b13618ea28767f6deef3
SHA256 68083bbd5114f967a6c166b142d122313bf846b4aa4be2b875f84c0454541718
SHA512 0ecbfc68a94e2944854b322f2c7a35d2c96630dc0bac56d8c4fa4ba9d1b696560268cf0a92687fc276afddc44523c08770b2a501ed7a4c6daba226ce17affe6a

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 ae12ea84ad7262830de6178fefd8aacc
SHA1 4609634999916dec9049dc7e23f71bef54bffc0a
SHA256 bb11d292a9737fb0b96ba2cd5092bdb575f368b9feaba246ffad20536f0996cd
SHA512 1f90e7c7c2b5fe489fdbb28943b90d2bbe780c3b255a6f159e236b4f159281e2ef1ca54df03d86a3ca7f1d5aa2607e97477e2efdeb4867ff2d6a0edd3c7c4d96

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 8adaf65a1a68f139b5f984b7ec5e2d08
SHA1 e6949d8e86b16439dbe5e281ed93b31dc0d07534
SHA256 f30436530222a5d5abd600b136e59b357806bfdb3c2dca1385a6917f2f32a4b4
SHA512 ecf330c9fe67ed4d2abefd6434a9e37c4860de58d927712d72718fe57b1cb713fc840f07a412ced38c151f7e3fe131ba3556c84e00208fd47619f2ead251e0f0

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec
