Malware Analysis Report

2024-12-08 02:18

Sample ID: 240516-ssgq7aba79
Target: 9558655449759ce8fdda6b972b0c1480d4ef33f80aef24194c4f8ce79e53f245
SHA256: 9558655449759ce8fdda6b972b0c1480d4ef33f80aef24194c4f8ce79e53f245
Tags: glupteba discovery dropper evasion execution loader persistence rootkit upx
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: 9558655449759ce8fdda6b972b0c1480d4ef33f80aef24194c4f8ce79e53f245

Threat Level: Known bad

The file 9558655449759ce8fdda6b972b0c1480d4ef33f80aef24194c4f8ce79e53f245 was found to be: Known bad.

Malicious Activity Summary

glupteba discovery dropper evasion execution loader persistence rootkit upx

Glupteba

Glupteba payload

Modifies Windows Firewall

Executes dropped EXE

UPX packed file

Checks installed software on the system

Manipulates WinMonFS driver.

Adds Run key to start application

Drops file in System32 directory

Drops file in Windows directory

Launches sc.exe

Checks for VirtualBox DLLs, possible anti-VM trick

Command and Scripting Interpreter: PowerShell

Suspicious use of AdjustPrivilegeToken

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Modifies data under HKEY_USERS

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-05-16 15:23

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-05-16 15:23

Reported: 2024-05-16 15:25

Platform: win10v2004-20240508-en

Max time kernel: 149s

Max time network: 155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9558655449759ce8fdda6b972b0c1480d4ef33f80aef24194c4f8ce79e53f245.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\9558655449759ce8fdda6b972b0c1480d4ef33f80aef24194c4f8ce79e53f245.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\9558655449759ce8fdda6b972b0c1480d4ef33f80aef24194c4f8ce79e53f245.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\9558655449759ce8fdda6b972b0c1480d4ef33f80aef24194c4f8ce79e53f245.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\9558655449759ce8fdda6b972b0c1480d4ef33f80aef24194c4f8ce79e53f245.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2432 = "Cuba Standard Time" C:\Users\Admin\AppData\Local\Temp\9558655449759ce8fdda6b972b0c1480d4ef33f80aef24194c4f8ce79e53f245.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2392 = "Aleutian Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time" C:\Users\Admin\AppData\Local\Temp\9558655449759ce8fdda6b972b0c1480d4ef33f80aef24194c4f8ce79e53f245.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time" C:\Users\Admin\AppData\Local\Temp\9558655449759ce8fdda6b972b0c1480d4ef33f80aef24194c4f8ce79e53f245.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-892 = "Morocco Standard Time" C:\Users\Admin\AppData\Local\Temp\9558655449759ce8fdda6b972b0c1480d4ef33f80aef24194c4f8ce79e53f245.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2512 = "Lord Howe Standard Time" C:\Users\Admin\AppData\Local\Temp\9558655449759ce8fdda6b972b0c1480d4ef33f80aef24194c4f8ce79e53f245.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-381 = "South Africa Daylight Time" C:\Users\Admin\AppData\Local\Temp\9558655449759ce8fdda6b972b0c1480d4ef33f80aef24194c4f8ce79e53f245.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2391 = "Aleutian Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-281 = "Central Europe Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-262 = "GMT Standard Time" C:\Users\Admin\AppData\Local\Temp\9558655449759ce8fdda6b972b0c1480d4ef33f80aef24194c4f8ce79e53f245.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-261 = "GMT Daylight Time" C:\Users\Admin\AppData\Local\Temp\9558655449759ce8fdda6b972b0c1480d4ef33f80aef24194c4f8ce79e53f245.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-672 = "AUS Eastern Standard Time" C:\Windows\windefender.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2612 = "Bougainville Standard Time" C:\Users\Admin\AppData\Local\Temp\9558655449759ce8fdda6b972b0c1480d4ef33f80aef24194c4f8ce79e53f245.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-142 = "Canada Central Standard Time" C:\Users\Admin\AppData\Local\Temp\9558655449759ce8fdda6b972b0c1480d4ef33f80aef24194c4f8ce79e53f245.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2942 = "Sao Tome Standard Time" C:\Users\Admin\AppData\Local\Temp\9558655449759ce8fdda6b972b0c1480d4ef33f80aef24194c4f8ce79e53f245.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-741 = "New Zealand Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-232 = "Hawaiian Standard Time" C:\Users\Admin\AppData\Local\Temp\9558655449759ce8fdda6b972b0c1480d4ef33f80aef24194c4f8ce79e53f245.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2041 = "Eastern Daylight Time (Mexico)" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2572 = "Turks and Caicos Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-131 = "US Eastern Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-131 = "US Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\9558655449759ce8fdda6b972b0c1480d4ef33f80aef24194c4f8ce79e53f245.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1662 = "Bahia Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-3142 = "South Sudan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-282 = "Central Europe Standard Time" C:\Users\Admin\AppData\Local\Temp\9558655449759ce8fdda6b972b0c1480d4ef33f80aef24194c4f8ce79e53f245.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-912 = "Mauritius Standard Time" C:\Users\Admin\AppData\Local\Temp\9558655449759ce8fdda6b972b0c1480d4ef33f80aef24194c4f8ce79e53f245.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-591 = "Malay Peninsula Daylight Time" C:\Users\Admin\AppData\Local\Temp\9558655449759ce8fdda6b972b0c1480d4ef33f80aef24194c4f8ce79e53f245.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-181 = "Mountain Daylight Time (Mexico)" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2941 = "Sao Tome Daylight Time" C:\Users\Admin\AppData\Local\Temp\9558655449759ce8fdda6b972b0c1480d4ef33f80aef24194c4f8ce79e53f245.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-302 = "Romance Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-571 = "China Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2042 = "Eastern Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\9558655449759ce8fdda6b972b0c1480d4ef33f80aef24194c4f8ce79e53f245.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-292 = "Central European Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-722 = "Central Pacific Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-742 = "New Zealand Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2751 = "Tomsk Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-931 = "Coordinated Universal Time" C:\Windows\windefender.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9558655449759ce8fdda6b972b0c1480d4ef33f80aef24194c4f8ce79e53f245.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9558655449759ce8fdda6b972b0c1480d4ef33f80aef24194c4f8ce79e53f245.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9558655449759ce8fdda6b972b0c1480d4ef33f80aef24194c4f8ce79e53f245.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9558655449759ce8fdda6b972b0c1480d4ef33f80aef24194c4f8ce79e53f245.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9558655449759ce8fdda6b972b0c1480d4ef33f80aef24194c4f8ce79e53f245.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9558655449759ce8fdda6b972b0c1480d4ef33f80aef24194c4f8ce79e53f245.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9558655449759ce8fdda6b972b0c1480d4ef33f80aef24194c4f8ce79e53f245.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9558655449759ce8fdda6b972b0c1480d4ef33f80aef24194c4f8ce79e53f245.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9558655449759ce8fdda6b972b0c1480d4ef33f80aef24194c4f8ce79e53f245.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9558655449759ce8fdda6b972b0c1480d4ef33f80aef24194c4f8ce79e53f245.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9558655449759ce8fdda6b972b0c1480d4ef33f80aef24194c4f8ce79e53f245.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9558655449759ce8fdda6b972b0c1480d4ef33f80aef24194c4f8ce79e53f245.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9558655449759ce8fdda6b972b0c1480d4ef33f80aef24194c4f8ce79e53f245.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\9558655449759ce8fdda6b972b0c1480d4ef33f80aef24194c4f8ce79e53f245.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4900 wrote to memory of 1220 N/A C:\Users\Admin\AppData\Local\Temp\9558655449759ce8fdda6b972b0c1480d4ef33f80aef24194c4f8ce79e53f245.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4900 wrote to memory of 1220 N/A C:\Users\Admin\AppData\Local\Temp\9558655449759ce8fdda6b972b0c1480d4ef33f80aef24194c4f8ce79e53f245.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4900 wrote to memory of 1220 N/A C:\Users\Admin\AppData\Local\Temp\9558655449759ce8fdda6b972b0c1480d4ef33f80aef24194c4f8ce79e53f245.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2984 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\9558655449759ce8fdda6b972b0c1480d4ef33f80aef24194c4f8ce79e53f245.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2984 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\9558655449759ce8fdda6b972b0c1480d4ef33f80aef24194c4f8ce79e53f245.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2984 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\9558655449759ce8fdda6b972b0c1480d4ef33f80aef24194c4f8ce79e53f245.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2984 wrote to memory of 456 N/A C:\Users\Admin\AppData\Local\Temp\9558655449759ce8fdda6b972b0c1480d4ef33f80aef24194c4f8ce79e53f245.exe C:\Windows\system32\cmd.exe
PID 2984 wrote to memory of 456 N/A C:\Users\Admin\AppData\Local\Temp\9558655449759ce8fdda6b972b0c1480d4ef33f80aef24194c4f8ce79e53f245.exe C:\Windows\system32\cmd.exe
PID 456 wrote to memory of 832 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 456 wrote to memory of 832 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2984 wrote to memory of 4568 N/A C:\Users\Admin\AppData\Local\Temp\9558655449759ce8fdda6b972b0c1480d4ef33f80aef24194c4f8ce79e53f245.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2984 wrote to memory of 4568 N/A C:\Users\Admin\AppData\Local\Temp\9558655449759ce8fdda6b972b0c1480d4ef33f80aef24194c4f8ce79e53f245.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2984 wrote to memory of 4568 N/A C:\Users\Admin\AppData\Local\Temp\9558655449759ce8fdda6b972b0c1480d4ef33f80aef24194c4f8ce79e53f245.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2984 wrote to memory of 3884 N/A C:\Users\Admin\AppData\Local\Temp\9558655449759ce8fdda6b972b0c1480d4ef33f80aef24194c4f8ce79e53f245.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2984 wrote to memory of 3884 N/A C:\Users\Admin\AppData\Local\Temp\9558655449759ce8fdda6b972b0c1480d4ef33f80aef24194c4f8ce79e53f245.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2984 wrote to memory of 3884 N/A C:\Users\Admin\AppData\Local\Temp\9558655449759ce8fdda6b972b0c1480d4ef33f80aef24194c4f8ce79e53f245.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2984 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\9558655449759ce8fdda6b972b0c1480d4ef33f80aef24194c4f8ce79e53f245.exe C:\Windows\rss\csrss.exe
PID 2984 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\9558655449759ce8fdda6b972b0c1480d4ef33f80aef24194c4f8ce79e53f245.exe C:\Windows\rss\csrss.exe
PID 2984 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\9558655449759ce8fdda6b972b0c1480d4ef33f80aef24194c4f8ce79e53f245.exe C:\Windows\rss\csrss.exe
PID 2752 wrote to memory of 2028 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2752 wrote to memory of 2028 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2752 wrote to memory of 2028 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2752 wrote to memory of 1764 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2752 wrote to memory of 1764 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2752 wrote to memory of 1764 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2752 wrote to memory of 2468 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2752 wrote to memory of 2468 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2752 wrote to memory of 2468 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2752 wrote to memory of 3480 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 2752 wrote to memory of 3480 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 3756 wrote to memory of 4396 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 3756 wrote to memory of 4396 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 3756 wrote to memory of 4396 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 4396 wrote to memory of 1948 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 4396 wrote to memory of 1948 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 4396 wrote to memory of 1948 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\9558655449759ce8fdda6b972b0c1480d4ef33f80aef24194c4f8ce79e53f245.exe

"C:\Users\Admin\AppData\Local\Temp\9558655449759ce8fdda6b972b0c1480d4ef33f80aef24194c4f8ce79e53f245.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\9558655449759ce8fdda6b972b0c1480d4ef33f80aef24194c4f8ce79e53f245.exe

"C:\Users\Admin\AppData\Local\Temp\9558655449759ce8fdda6b972b0c1480d4ef33f80aef24194c4f8ce79e53f245.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network


Files


Analysis: behavioral2

Detonation Overview

Submitted

2024-05-16 15:23

Reported

2024-05-16 15:25

Platform

win11-20240426-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9558655449759ce8fdda6b972b0c1480d4ef33f80aef24194c4f8ce79e53f245.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload


Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2994005945-4089876968-1367784197-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\9558655449759ce8fdda6b972b0c1480d4ef33f80aef24194c4f8ce79e53f245.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2994005945-4089876968-1367784197-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\9558655449759ce8fdda6b972b0c1480d4ef33f80aef24194c4f8ce79e53f245.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\9558655449759ce8fdda6b972b0c1480d4ef33f80aef24194c4f8ce79e53f245.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\9558655449759ce8fdda6b972b0c1480d4ef33f80aef24194c4f8ce79e53f245.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-651 = "AUS Central Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-741 = "New Zealand Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2771 = "Omsk Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1971 = "Belarus Daylight Time" C:\Users\Admin\AppData\Local\Temp\9558655449759ce8fdda6b972b0c1480d4ef33f80aef24194c4f8ce79e53f245.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-381 = "South Africa Daylight Time" C:\Users\Admin\AppData\Local\Temp\9558655449759ce8fdda6b972b0c1480d4ef33f80aef24194c4f8ce79e53f245.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-372 = "Jerusalem Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1822 = "Russia TZ 1 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-121 = "SA Pacific Daylight Time" C:\Users\Admin\AppData\Local\Temp\9558655449759ce8fdda6b972b0c1480d4ef33f80aef24194c4f8ce79e53f245.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2452 = "Saint Pierre Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-601 = "Taipei Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1472 = "Magadan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1661 = "Bahia Daylight Time" C:\Users\Admin\AppData\Local\Temp\9558655449759ce8fdda6b972b0c1480d4ef33f80aef24194c4f8ce79e53f245.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\9558655449759ce8fdda6b972b0c1480d4ef33f80aef24194c4f8ce79e53f245.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1931 = "Russia TZ 11 Daylight Time" C:\Users\Admin\AppData\Local\Temp\9558655449759ce8fdda6b972b0c1480d4ef33f80aef24194c4f8ce79e53f245.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-365 = "Middle East Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-841 = "Argentina Daylight Time" C:\Users\Admin\AppData\Local\Temp\9558655449759ce8fdda6b972b0c1480d4ef33f80aef24194c4f8ce79e53f245.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-51 = "Greenland Daylight Time" C:\Users\Admin\AppData\Local\Temp\9558655449759ce8fdda6b972b0c1480d4ef33f80aef24194c4f8ce79e53f245.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2061 = "North Korea Daylight Time" C:\Users\Admin\AppData\Local\Temp\9558655449759ce8fdda6b972b0c1480d4ef33f80aef24194c4f8ce79e53f245.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-371 = "Jerusalem Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-351 = "FLE Daylight Time" C:\Users\Admin\AppData\Local\Temp\9558655449759ce8fdda6b972b0c1480d4ef33f80aef24194c4f8ce79e53f245.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-141 = "Canada Central Daylight Time" C:\Users\Admin\AppData\Local\Temp\9558655449759ce8fdda6b972b0c1480d4ef33f80aef24194c4f8ce79e53f245.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-251 = "Dateline Daylight Time" C:\Users\Admin\AppData\Local\Temp\9558655449759ce8fdda6b972b0c1480d4ef33f80aef24194c4f8ce79e53f245.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-371 = "Jerusalem Daylight Time" C:\Users\Admin\AppData\Local\Temp\9558655449759ce8fdda6b972b0c1480d4ef33f80aef24194c4f8ce79e53f245.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time" C:\Users\Admin\AppData\Local\Temp\9558655449759ce8fdda6b972b0c1480d4ef33f80aef24194c4f8ce79e53f245.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2452 = "Saint Pierre Standard Time" C:\Users\Admin\AppData\Local\Temp\9558655449759ce8fdda6b972b0c1480d4ef33f80aef24194c4f8ce79e53f245.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-462 = "Afghanistan Standard Time" C:\Users\Admin\AppData\Local\Temp\9558655449759ce8fdda6b972b0c1480d4ef33f80aef24194c4f8ce79e53f245.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2751 = "Tomsk Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1892 = "Russia TZ 3 Standard Time" C:\Users\Admin\AppData\Local\Temp\9558655449759ce8fdda6b972b0c1480d4ef33f80aef24194c4f8ce79e53f245.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2842 = "Saratov Standard Time" C:\Users\Admin\AppData\Local\Temp\9558655449759ce8fdda6b972b0c1480d4ef33f80aef24194c4f8ce79e53f245.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2002 = "Cabo Verde Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-381 = "South Africa Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-222 = "Alaskan Standard Time" C:\Users\Admin\AppData\Local\Temp\9558655449759ce8fdda6b972b0c1480d4ef33f80aef24194c4f8ce79e53f245.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-691 = "Tasmania Daylight Time" C:\Users\Admin\AppData\Local\Temp\9558655449759ce8fdda6b972b0c1480d4ef33f80aef24194c4f8ce79e53f245.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2941 = "Sao Tome Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-342 = "Egypt Standard Time" C:\Users\Admin\AppData\Local\Temp\9558655449759ce8fdda6b972b0c1480d4ef33f80aef24194c4f8ce79e53f245.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-341 = "Egypt Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-742 = "New Zealand Standard Time" C:\Users\Admin\AppData\Local\Temp\9558655449759ce8fdda6b972b0c1480d4ef33f80aef24194c4f8ce79e53f245.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1871 = "Russia TZ 7 Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2451 = "Saint Pierre Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2322 = "Sakhalin Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-132 = "US Eastern Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-364 = "Middle East Daylight Time" C:\Users\Admin\AppData\Local\Temp\9558655449759ce8fdda6b972b0c1480d4ef33f80aef24194c4f8ce79e53f245.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-261 = "GMT Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9558655449759ce8fdda6b972b0c1480d4ef33f80aef24194c4f8ce79e53f245.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9558655449759ce8fdda6b972b0c1480d4ef33f80aef24194c4f8ce79e53f245.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\9558655449759ce8fdda6b972b0c1480d4ef33f80aef24194c4f8ce79e53f245.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1728 wrote to memory of 1388 N/A C:\Users\Admin\AppData\Local\Temp\9558655449759ce8fdda6b972b0c1480d4ef33f80aef24194c4f8ce79e53f245.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1728 wrote to memory of 1388 N/A C:\Users\Admin\AppData\Local\Temp\9558655449759ce8fdda6b972b0c1480d4ef33f80aef24194c4f8ce79e53f245.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1728 wrote to memory of 1388 N/A C:\Users\Admin\AppData\Local\Temp\9558655449759ce8fdda6b972b0c1480d4ef33f80aef24194c4f8ce79e53f245.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1344 wrote to memory of 4116 N/A C:\Users\Admin\AppData\Local\Temp\9558655449759ce8fdda6b972b0c1480d4ef33f80aef24194c4f8ce79e53f245.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1344 wrote to memory of 4116 N/A C:\Users\Admin\AppData\Local\Temp\9558655449759ce8fdda6b972b0c1480d4ef33f80aef24194c4f8ce79e53f245.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1344 wrote to memory of 4116 N/A C:\Users\Admin\AppData\Local\Temp\9558655449759ce8fdda6b972b0c1480d4ef33f80aef24194c4f8ce79e53f245.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1344 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\9558655449759ce8fdda6b972b0c1480d4ef33f80aef24194c4f8ce79e53f245.exe C:\Windows\system32\cmd.exe
PID 1344 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\9558655449759ce8fdda6b972b0c1480d4ef33f80aef24194c4f8ce79e53f245.exe C:\Windows\system32\cmd.exe
PID 2152 wrote to memory of 3932 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2152 wrote to memory of 3932 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1344 wrote to memory of 1984 N/A C:\Users\Admin\AppData\Local\Temp\9558655449759ce8fdda6b972b0c1480d4ef33f80aef24194c4f8ce79e53f245.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1344 wrote to memory of 1984 N/A C:\Users\Admin\AppData\Local\Temp\9558655449759ce8fdda6b972b0c1480d4ef33f80aef24194c4f8ce79e53f245.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1344 wrote to memory of 1984 N/A C:\Users\Admin\AppData\Local\Temp\9558655449759ce8fdda6b972b0c1480d4ef33f80aef24194c4f8ce79e53f245.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1344 wrote to memory of 1536 N/A C:\Users\Admin\AppData\Local\Temp\9558655449759ce8fdda6b972b0c1480d4ef33f80aef24194c4f8ce79e53f245.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1344 wrote to memory of 1536 N/A C:\Users\Admin\AppData\Local\Temp\9558655449759ce8fdda6b972b0c1480d4ef33f80aef24194c4f8ce79e53f245.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1344 wrote to memory of 1536 N/A C:\Users\Admin\AppData\Local\Temp\9558655449759ce8fdda6b972b0c1480d4ef33f80aef24194c4f8ce79e53f245.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1344 wrote to memory of 4824 N/A C:\Users\Admin\AppData\Local\Temp\9558655449759ce8fdda6b972b0c1480d4ef33f80aef24194c4f8ce79e53f245.exe C:\Windows\rss\csrss.exe
PID 1344 wrote to memory of 4824 N/A C:\Users\Admin\AppData\Local\Temp\9558655449759ce8fdda6b972b0c1480d4ef33f80aef24194c4f8ce79e53f245.exe C:\Windows\rss\csrss.exe
PID 1344 wrote to memory of 4824 N/A C:\Users\Admin\AppData\Local\Temp\9558655449759ce8fdda6b972b0c1480d4ef33f80aef24194c4f8ce79e53f245.exe C:\Windows\rss\csrss.exe
PID 4824 wrote to memory of 2404 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4824 wrote to memory of 2404 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4824 wrote to memory of 2404 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4824 wrote to memory of 4084 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4824 wrote to memory of 4084 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4824 wrote to memory of 4084 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4824 wrote to memory of 5028 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4824 wrote to memory of 5028 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4824 wrote to memory of 5028 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4824 wrote to memory of 5088 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 4824 wrote to memory of 5088 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 776 wrote to memory of 3296 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 776 wrote to memory of 3296 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 776 wrote to memory of 3296 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 3296 wrote to memory of 3148 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 3296 wrote to memory of 3148 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 3296 wrote to memory of 3148 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\9558655449759ce8fdda6b972b0c1480d4ef33f80aef24194c4f8ce79e53f245.exe

"C:\Users\Admin\AppData\Local\Temp\9558655449759ce8fdda6b972b0c1480d4ef33f80aef24194c4f8ce79e53f245.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\9558655449759ce8fdda6b972b0c1480d4ef33f80aef24194c4f8ce79e53f245.exe

"C:\Users\Admin\AppData\Local\Temp\9558655449759ce8fdda6b972b0c1480d4ef33f80aef24194c4f8ce79e53f245.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 5383bcaa-3dd2-49f0-ae1d-ebb68b5bf79c.uuid.localstats.org udp
US 8.8.8.8:53 stun2.l.google.com udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 74.125.250.129:19302 stun2.l.google.com udp
BG 185.82.216.111:443 server3.localstats.org tcp
US 172.67.221.71:443 carsalessystem.com tcp
BG 185.82.216.111:443 server3.localstats.org tcp
BG 185.82.216.111:443 server3.localstats.org tcp
BG 185.82.216.111:443 server3.localstats.org tcp
N/A 127.0.0.1:31465 tcp

Files

memory/1728-1-0x0000000002A20000-0x0000000002E26000-memory.dmp

memory/1728-2-0x0000000002E30000-0x000000000371B000-memory.dmp

memory/1728-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1388-4-0x000000007401E000-0x000000007401F000-memory.dmp

memory/1388-5-0x0000000002CA0000-0x0000000002CD6000-memory.dmp

memory/1388-6-0x00000000057E0000-0x0000000005E0A000-memory.dmp

memory/1388-7-0x0000000074010000-0x00000000747C1000-memory.dmp

memory/1388-8-0x0000000074010000-0x00000000747C1000-memory.dmp

memory/1388-9-0x0000000005700000-0x0000000005722000-memory.dmp

memory/1388-10-0x0000000005EC0000-0x0000000005F26000-memory.dmp

memory/1388-11-0x0000000005F30000-0x0000000005F96000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hodfwndw.5l1.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1388-20-0x0000000005FA0000-0x00000000062F7000-memory.dmp

memory/1388-21-0x0000000006480000-0x000000000649E000-memory.dmp

memory/1388-22-0x00000000064E0000-0x000000000652C000-memory.dmp

memory/1388-23-0x0000000006A10000-0x0000000006A56000-memory.dmp

memory/1388-27-0x0000000070470000-0x00000000707C7000-memory.dmp

memory/1388-37-0x0000000007920000-0x00000000079C4000-memory.dmp

memory/1388-38-0x0000000074010000-0x00000000747C1000-memory.dmp

memory/1388-36-0x0000000007900000-0x000000000791E000-memory.dmp

memory/1388-26-0x0000000074010000-0x00000000747C1000-memory.dmp

memory/1388-25-0x0000000070280000-0x00000000702CC000-memory.dmp

memory/1388-24-0x00000000078A0000-0x00000000078D4000-memory.dmp

memory/1388-40-0x0000000007A50000-0x0000000007A6A000-memory.dmp

memory/1388-39-0x0000000008090000-0x000000000870A000-memory.dmp

memory/1388-41-0x0000000007A90000-0x0000000007A9A000-memory.dmp

memory/1388-42-0x0000000007BA0000-0x0000000007C36000-memory.dmp

memory/1388-43-0x0000000007AB0000-0x0000000007AC1000-memory.dmp

memory/1388-44-0x0000000007B00000-0x0000000007B0E000-memory.dmp

memory/1388-45-0x0000000007B10000-0x0000000007B25000-memory.dmp

memory/1388-46-0x0000000007B60000-0x0000000007B7A000-memory.dmp

memory/1388-47-0x0000000007B80000-0x0000000007B88000-memory.dmp

memory/1388-50-0x0000000074010000-0x00000000747C1000-memory.dmp

memory/1728-52-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1728-53-0x0000000002E30000-0x000000000371B000-memory.dmp

memory/1344-55-0x0000000002A60000-0x0000000002E66000-memory.dmp

memory/4116-61-0x00000000057F0000-0x0000000005B47000-memory.dmp

memory/4116-65-0x0000000006200000-0x000000000624C000-memory.dmp

memory/4116-67-0x00000000705A0000-0x00000000708F7000-memory.dmp

memory/4116-76-0x0000000006EC0000-0x0000000006F64000-memory.dmp

memory/4116-66-0x0000000070390000-0x00000000703DC000-memory.dmp

memory/4116-77-0x0000000007200000-0x0000000007211000-memory.dmp

memory/4116-78-0x0000000007250000-0x0000000007265000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 d0c46cad6c0778401e21910bd6b56b70
SHA1 7be418951ea96326aca445b8dfe449b2bfa0dca6
SHA256 9600b3fdf0565ccb49e21656aa4b24d7c18f776bfd04d9ee984b134707550f02
SHA512 057531b468f7fbbb2175a696a8aab274dec0d17d9f71df309edcff35e064f3378050066a3df47ccd03048fac461594ec75e3d4fe64f9dd79949d129f51e02949

memory/1984-82-0x00000000056C0000-0x0000000005A17000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 18d4cf957613b6fe53e8b1f712bfa3b8
SHA1 1ef1d3ae2e310f98ed26c94482a93f18b07ece04
SHA256 b219d952108bd1fed8f09866b9cdf2c29c0e89062a9d23857b78d63db0b84448
SHA512 f28520b8288fea5c87a4628c2f9ab6629d2bd18236fec3511d53d5403c948a2dba8113aaebd6a9f8767e569c3ba4ac1a663f25b579421ec2b333cfc9f38132ce

memory/1984-93-0x00000000705E0000-0x0000000070937000-memory.dmp

memory/1984-92-0x0000000070390000-0x00000000703DC000-memory.dmp

memory/1536-111-0x0000000005FD0000-0x0000000006327000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 510fd3d0037f9251739505c8e67e70af
SHA1 2843f487fd347318e54103769ee1fa800a0a90d6
SHA256 ac0d5548581d2563c83ec951173a49ce912ab2f537fc752f58435646a34685bf
SHA512 90231f0bc1828bd5ea88aaa00cc312e07ec3268c83b7dd195cfc4e047eba861f5d05383b0416ba75ccd256b9409d7e1cc3e26e43ed04f17e97064d44f5922150

memory/1536-114-0x0000000070540000-0x0000000070897000-memory.dmp

memory/1536-113-0x0000000070390000-0x00000000703DC000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 1d4a38c5fc3b5fc187e8e96b13f4159d
SHA1 5211d1fc734606b3061f5f4b3cd687436bb477a3
SHA256 9558655449759ce8fdda6b972b0c1480d4ef33f80aef24194c4f8ce79e53f245
SHA512 8919203a3c8f7bc161a80fc6897aab90026fa95f0734467939c026edbc16b246067de7e3dc00df7c42af6064940da67f70fdfac19f153a7e28e45b753377321e

memory/2404-137-0x00000000061F0000-0x0000000006547000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 7c1f3fcd7e6161225d748b81bd0ee814
SHA1 a2883ba24f37def333ec104a8bcd8c68dcdc1dff
SHA256 0d0d952017abbe167b9ec70d7c4ce7b4cfe94066c0cc9e6bd21e3d0b838f341e
SHA512 3f4bba58d8a1b0897d5a790fc0ab4864e25c8b26981c1a8665cea2142e87786795abced0c3b7cbc823ea3949e996effa3f037ddd8f8bf3090d0e6615947ab2d9

memory/2404-139-0x0000000006D20000-0x0000000006D6C000-memory.dmp

memory/2404-150-0x0000000007A30000-0x0000000007AD4000-memory.dmp

memory/2404-141-0x0000000070490000-0x00000000707E7000-memory.dmp

memory/2404-140-0x00000000702F0000-0x000000007033C000-memory.dmp

memory/2404-151-0x0000000007D60000-0x0000000007D71000-memory.dmp

memory/2404-152-0x00000000065D0000-0x00000000065E5000-memory.dmp

memory/4084-162-0x0000000006260000-0x00000000065B7000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 d9baa1fbba50cd62ceab1699eed2ba97
SHA1 ca65e6b68cae8008a97c6132ad09ece2a3d678a6
SHA256 798b5846617d8e610a605ede062456e73c876df109413c4348e4bbc0f7f168b9
SHA512 4c08f37e7fe64d3e029354ea8e738567488c01b94e7a899cc7b36350e17775ca8daad57cfff691b33bdb8010cc7c9a400e3a4304d86108fe89df233fd6d2bc15

memory/4084-164-0x0000000006750000-0x000000000679C000-memory.dmp

memory/4084-166-0x0000000070390000-0x00000000706E7000-memory.dmp

memory/4084-175-0x00000000079A0000-0x0000000007A44000-memory.dmp

memory/4084-165-0x0000000070210000-0x000000007025C000-memory.dmp

memory/4084-176-0x0000000007B70000-0x0000000007B81000-memory.dmp

memory/4084-177-0x0000000006150000-0x0000000006165000-memory.dmp

memory/5028-181-0x00000000060E0000-0x0000000006437000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 d2fc6644ea658d25235f1f2b643fefa0
SHA1 0a3cbd5a9d88d275f6a9582740e4cb22a7edbcee
SHA256 d43972d86433192897aa7844077569588205f3cfa624848b74f712a92c3cfd45
SHA512 8a2379dc1ff9b3ae85f7cd1ef56d053317cb66c30399faab4c5cb9909b13cb079d5516e5c57d572d6620ec5479cff3e09695eb772f0b056e12ae32b62d4e2b27

memory/1344-189-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/5028-190-0x0000000070210000-0x000000007025C000-memory.dmp

memory/5028-191-0x0000000070460000-0x00000000707B7000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/4824-206-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/776-211-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/1344-214-0x0000000002A60000-0x0000000002E66000-memory.dmp

memory/2532-215-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/776-217-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4824-218-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2532-220-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4824-221-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4824-224-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2532-226-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4824-227-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4824-230-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4824-233-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4824-236-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4824-239-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4824-242-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4824-245-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4824-248-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4824-251-0x0000000000400000-0x0000000000D1C000-memory.dmp