Malware Analysis Report

2024-12-08 02:04

Sample ID 240516-tb34jacd23
Target 63e581028daa1d13b8dd365c7864c84b655f9f886713a3f7772901d70583f64b
SHA256 63e581028daa1d13b8dd365c7864c84b655f9f886713a3f7772901d70583f64b
Tags
glupteba discovery dropper evasion execution loader persistence rootkit upx
score
10/10

Analysis Overview

score
10/10

SHA256

63e581028daa1d13b8dd365c7864c84b655f9f886713a3f7772901d70583f64b

Threat Level: Known bad

The file 63e581028daa1d13b8dd365c7864c84b655f9f886713a3f7772901d70583f64b was found to be: Known bad.

Malicious Activity Summary

glupteba discovery dropper evasion execution loader persistence rootkit upx

Glupteba

Glupteba payload

Modifies Windows Firewall

UPX packed file

Executes dropped EXE

Manipulates WinMonFS driver

Adds Run key to start application

Checks installed software on the system

Drops file in System32 directory

Drops file in Windows directory

Checks for VirtualBox DLLs, possible anti-VM trick

Launches sc.exe

Command and Scripting Interpreter: PowerShell

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Modifies data under HKEY_USERS

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-16 15:53

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-16 15:53

Reported

2024-05-16 15:56

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\63e581028daa1d13b8dd365c7864c84b655f9f886713a3f7772901d70583f64b.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\63e581028daa1d13b8dd365c7864c84b655f9f886713a3f7772901d70583f64b.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\63e581028daa1d13b8dd365c7864c84b655f9f886713a3f7772901d70583f64b.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\63e581028daa1d13b8dd365c7864c84b655f9f886713a3f7772901d70583f64b.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\63e581028daa1d13b8dd365c7864c84b655f9f886713a3f7772901d70583f64b.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-391 = "Arab Daylight Time" C:\Users\Admin\AppData\Local\Temp\63e581028daa1d13b8dd365c7864c84b655f9f886713a3f7772901d70583f64b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-622 = "Korea Standard Time" C:\Users\Admin\AppData\Local\Temp\63e581028daa1d13b8dd365c7864c84b655f9f886713a3f7772901d70583f64b.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-661 = "Cen. Australia Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-381 = "South Africa Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-181 = "Mountain Daylight Time (Mexico)" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1662 = "Bahia Standard Time" C:\Users\Admin\AppData\Local\Temp\63e581028daa1d13b8dd365c7864c84b655f9f886713a3f7772901d70583f64b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-721 = "Central Pacific Daylight Time" C:\Users\Admin\AppData\Local\Temp\63e581028daa1d13b8dd365c7864c84b655f9f886713a3f7772901d70583f64b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-112 = "Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\63e581028daa1d13b8dd365c7864c84b655f9f886713a3f7772901d70583f64b.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2342 = "Haiti Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-132 = "US Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\63e581028daa1d13b8dd365c7864c84b655f9f886713a3f7772901d70583f64b.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2512 = "Lord Howe Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2632 = "Norfolk Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2611 = "Bougainville Daylight Time" C:\Users\Admin\AppData\Local\Temp\63e581028daa1d13b8dd365c7864c84b655f9f886713a3f7772901d70583f64b.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-111 = "Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\63e581028daa1d13b8dd365c7864c84b655f9f886713a3f7772901d70583f64b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2872 = "Magallanes Standard Time" C:\Users\Admin\AppData\Local\Temp\63e581028daa1d13b8dd365c7864c84b655f9f886713a3f7772901d70583f64b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2792 = "Novosibirsk Standard Time" C:\Users\Admin\AppData\Local\Temp\63e581028daa1d13b8dd365c7864c84b655f9f886713a3f7772901d70583f64b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2142 = "Transbaikal Standard Time" C:\Users\Admin\AppData\Local\Temp\63e581028daa1d13b8dd365c7864c84b655f9f886713a3f7772901d70583f64b.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1831 = "Russia TZ 2 Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-161 = "Central Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-342 = "Egypt Standard Time" C:\Users\Admin\AppData\Local\Temp\63e581028daa1d13b8dd365c7864c84b655f9f886713a3f7772901d70583f64b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time" C:\Users\Admin\AppData\Local\Temp\63e581028daa1d13b8dd365c7864c84b655f9f886713a3f7772901d70583f64b.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-511 = "Central Asia Daylight Time" C:\Users\Admin\AppData\Local\Temp\63e581028daa1d13b8dd365c7864c84b655f9f886713a3f7772901d70583f64b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-451 = "Caucasus Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-511 = "Central Asia Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-232 = "Hawaiian Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-371 = "Jerusalem Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-365 = "Middle East Standard Time" C:\Users\Admin\AppData\Local\Temp\63e581028daa1d13b8dd365c7864c84b655f9f886713a3f7772901d70583f64b.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-12 = "Azores Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1912 = "Russia TZ 10 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2141 = "Transbaikal Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2791 = "Novosibirsk Daylight Time" C:\Users\Admin\AppData\Local\Temp\63e581028daa1d13b8dd365c7864c84b655f9f886713a3f7772901d70583f64b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-3142 = "South Sudan Standard Time" C:\Users\Admin\AppData\Local\Temp\63e581028daa1d13b8dd365c7864c84b655f9f886713a3f7772901d70583f64b.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-542 = "Myanmar Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-181 = "Mountain Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\63e581028daa1d13b8dd365c7864c84b655f9f886713a3f7772901d70583f64b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-242 = "Samoa Standard Time" C:\Users\Admin\AppData\Local\Temp\63e581028daa1d13b8dd365c7864c84b655f9f886713a3f7772901d70583f64b.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1022 = "Bangladesh Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2942 = "Sao Tome Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2142 = "Transbaikal Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2161 = "Altai Daylight Time" C:\Users\Admin\AppData\Local\Temp\63e581028daa1d13b8dd365c7864c84b655f9f886713a3f7772901d70583f64b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-12 = "Azores Standard Time" C:\Users\Admin\AppData\Local\Temp\63e581028daa1d13b8dd365c7864c84b655f9f886713a3f7772901d70583f64b.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\63e581028daa1d13b8dd365c7864c84b655f9f886713a3f7772901d70583f64b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\63e581028daa1d13b8dd365c7864c84b655f9f886713a3f7772901d70583f64b.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\63e581028daa1d13b8dd365c7864c84b655f9f886713a3f7772901d70583f64b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\63e581028daa1d13b8dd365c7864c84b655f9f886713a3f7772901d70583f64b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\63e581028daa1d13b8dd365c7864c84b655f9f886713a3f7772901d70583f64b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\63e581028daa1d13b8dd365c7864c84b655f9f886713a3f7772901d70583f64b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\63e581028daa1d13b8dd365c7864c84b655f9f886713a3f7772901d70583f64b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\63e581028daa1d13b8dd365c7864c84b655f9f886713a3f7772901d70583f64b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\63e581028daa1d13b8dd365c7864c84b655f9f886713a3f7772901d70583f64b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\63e581028daa1d13b8dd365c7864c84b655f9f886713a3f7772901d70583f64b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\63e581028daa1d13b8dd365c7864c84b655f9f886713a3f7772901d70583f64b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\63e581028daa1d13b8dd365c7864c84b655f9f886713a3f7772901d70583f64b.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\63e581028daa1d13b8dd365c7864c84b655f9f886713a3f7772901d70583f64b.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\63e581028daa1d13b8dd365c7864c84b655f9f886713a3f7772901d70583f64b.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1900 wrote to memory of 4448 N/A C:\Users\Admin\AppData\Local\Temp\63e581028daa1d13b8dd365c7864c84b655f9f886713a3f7772901d70583f64b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1900 wrote to memory of 4448 N/A C:\Users\Admin\AppData\Local\Temp\63e581028daa1d13b8dd365c7864c84b655f9f886713a3f7772901d70583f64b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1900 wrote to memory of 4448 N/A C:\Users\Admin\AppData\Local\Temp\63e581028daa1d13b8dd365c7864c84b655f9f886713a3f7772901d70583f64b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4920 wrote to memory of 1268 N/A C:\Users\Admin\AppData\Local\Temp\63e581028daa1d13b8dd365c7864c84b655f9f886713a3f7772901d70583f64b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4920 wrote to memory of 1268 N/A C:\Users\Admin\AppData\Local\Temp\63e581028daa1d13b8dd365c7864c84b655f9f886713a3f7772901d70583f64b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4920 wrote to memory of 1268 N/A C:\Users\Admin\AppData\Local\Temp\63e581028daa1d13b8dd365c7864c84b655f9f886713a3f7772901d70583f64b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4920 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Local\Temp\63e581028daa1d13b8dd365c7864c84b655f9f886713a3f7772901d70583f64b.exe C:\Windows\system32\cmd.exe
PID 4920 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Local\Temp\63e581028daa1d13b8dd365c7864c84b655f9f886713a3f7772901d70583f64b.exe C:\Windows\system32\cmd.exe
PID 2304 wrote to memory of 3324 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2304 wrote to memory of 3324 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4920 wrote to memory of 3968 N/A C:\Users\Admin\AppData\Local\Temp\63e581028daa1d13b8dd365c7864c84b655f9f886713a3f7772901d70583f64b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4920 wrote to memory of 3968 N/A C:\Users\Admin\AppData\Local\Temp\63e581028daa1d13b8dd365c7864c84b655f9f886713a3f7772901d70583f64b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4920 wrote to memory of 3968 N/A C:\Users\Admin\AppData\Local\Temp\63e581028daa1d13b8dd365c7864c84b655f9f886713a3f7772901d70583f64b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4920 wrote to memory of 4940 N/A C:\Users\Admin\AppData\Local\Temp\63e581028daa1d13b8dd365c7864c84b655f9f886713a3f7772901d70583f64b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4920 wrote to memory of 4940 N/A C:\Users\Admin\AppData\Local\Temp\63e581028daa1d13b8dd365c7864c84b655f9f886713a3f7772901d70583f64b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4920 wrote to memory of 4940 N/A C:\Users\Admin\AppData\Local\Temp\63e581028daa1d13b8dd365c7864c84b655f9f886713a3f7772901d70583f64b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4920 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\63e581028daa1d13b8dd365c7864c84b655f9f886713a3f7772901d70583f64b.exe C:\Windows\rss\csrss.exe
PID 4920 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\63e581028daa1d13b8dd365c7864c84b655f9f886713a3f7772901d70583f64b.exe C:\Windows\rss\csrss.exe
PID 4920 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\63e581028daa1d13b8dd365c7864c84b655f9f886713a3f7772901d70583f64b.exe C:\Windows\rss\csrss.exe
PID 2592 wrote to memory of 2316 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2592 wrote to memory of 2316 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2592 wrote to memory of 2316 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2592 wrote to memory of 3908 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2592 wrote to memory of 3908 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2592 wrote to memory of 3908 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2592 wrote to memory of 3696 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2592 wrote to memory of 3696 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2592 wrote to memory of 3696 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2592 wrote to memory of 2948 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 2592 wrote to memory of 2948 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 2408 wrote to memory of 2104 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 2408 wrote to memory of 2104 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 2408 wrote to memory of 2104 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 2104 wrote to memory of 408 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 2104 wrote to memory of 408 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 2104 wrote to memory of 408 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\63e581028daa1d13b8dd365c7864c84b655f9f886713a3f7772901d70583f64b.exe

"C:\Users\Admin\AppData\Local\Temp\63e581028daa1d13b8dd365c7864c84b655f9f886713a3f7772901d70583f64b.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\63e581028daa1d13b8dd365c7864c84b655f9f886713a3f7772901d70583f64b.exe

"C:\Users\Admin\AppData\Local\Temp\63e581028daa1d13b8dd365c7864c84b655f9f886713a3f7772901d70583f64b.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe
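
The `sc sdset WinDefender ...` command in the process list above replaces the security descriptor of a service called WinDefender (the report does not show the service being created, but the dropped C:\Windows\windefender.exe runs immediately before and after the call). The descriptor is easier to judge decoded than as raw SDDL. The Python below is added here as an illustration and is not part of the sandbox report or of the sample: it parses the string copied from the sc.exe command line and compares it with what I take to be the default descriptor Windows assigns to a newly created service (that baseline is my assumption, not something the report records).

```python
"""Decode the service security descriptor the sample applies with
`sc sdset WinDefender D:(A;;...)`. Added illustration; not code from the
sandbox or the sample. Rights tokens use the generic-to-service mapping
Windows applies to service objects (SERVICE_STOP is 'WP', and so on)."""
import re

SERVICE_RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS", "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START", "WP": "SERVICE_STOP",
    "DT": "SERVICE_PAUSE_CONTINUE", "LO": "SERVICE_INTERROGATE",
    "CR": "SERVICE_USER_DEFINED_CONTROL", "SD": "DELETE",
    "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}
SID_ALIASES = {"SY": "LOCAL SYSTEM", "BA": "BUILTIN\\Administrators",
               "IU": "INTERACTIVE", "SU": "SERVICE", "WD": "Everyone"}

# Copied from the sc.exe command line in the process list.
SAMPLE_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)"
               "(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
               "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
# Assumed baseline: what Windows assigns a freshly created service.
# This is my reference value, not something the report records.
DEFAULT_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
                "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
                "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
ACE_RE = re.compile(r"\(([^)]*)\)")


def _split_rights(token):
    """'CCLCSWRP' -> ['CC', 'LC', 'SW', 'RP']; hex masks are not supported."""
    if len(token) % 2 or token.startswith("0x"):
        raise ValueError(f"unsupported rights token: {token!r}")
    return [token[i:i + 2] for i in range(0, len(token), 2)]


def parse_sddl(sddl):
    """{'dacl': [...], 'sacl': [...]}, one dict per plain (non-conditional) ACE.
    Owner/group (O:/G:) parts, if present, are ignored."""
    out = {"dacl": [], "sacl": []}
    for key, prefix in (("dacl", "D:"), ("sacl", "S:")):
        m = re.search(re.escape(prefix) + r"[A-Z]*((?:\([^)]*\))+)", sddl)
        if not m:
            continue
        for body in ACE_RE.findall(m.group(1)):
            ace_type, flags, rights, _obj, _inherit_obj, sid = body.split(";")
            out[key].append({"type": ace_type, "flags": flags,
                             "rights": _split_rights(rights), "sid": sid})
    return out


def effective_rights(aces, sid):
    """Allow bits minus deny bits for one trustee. Windows walks ACEs in order,
    so a deny placed after a matching allow would not fire; treating deny as
    absolute is safe for the sample because its BA allow ACE already omits WP/DT."""
    allowed, denied = set(), set()
    for ace in aces:
        if ace["sid"] == sid and ace["type"] == "A":
            allowed.update(ace["rights"])
        elif ace["sid"] == sid and ace["type"] == "D":
            denied.update(ace["rights"])
    return allowed - denied


def rights_lost(sample, baseline, sid):
    """Rights `sid` holds under `baseline` but not under `sample`, by name."""
    have = effective_rights(parse_sddl(sample)["dacl"], sid)
    ref = effective_rights(parse_sddl(baseline)["dacl"], sid)
    return sorted(SERVICE_RIGHTS[r] for r in ref - have)


def describe(sddl):
    """One readable line per DACL entry."""
    lines = []
    for ace in parse_sddl(sddl)["dacl"]:
        verb = {"A": "allow", "D": "DENY "}.get(ace["type"], ace["type"])
        who = SID_ALIASES.get(ace["sid"], ace["sid"])
        lines.append(f"{verb} {who:24} " +
                     ", ".join(SERVICE_RIGHTS.get(r, r) for r in ace["rights"]))
    return lines


if __name__ == "__main__":
    print("\n".join(describe(SAMPLE_SDDL)))
    print("Administrators lose:", rights_lost(SAMPLE_SDDL, DEFAULT_SDDL, "BA"))
```

Decoded, the DACL still lets LOCAL SYSTEM stop the service and still grants BUILTIN\Administrators SERVICE_CHANGE_CONFIG, DELETE and WRITE_DAC; the only rights taken from Administrators are SERVICE_STOP and SERVICE_PAUSE_CONTINUE, removed once by omission from their allow ACE and again by the explicit deny ACE. In practice `sc stop WinDefender` from an elevated prompt is refused, while `sc delete WinDefender` (a running service is only marked for deletion until it stops), rewriting the descriptor with `sc sdset`, or stopping it from a SYSTEM context are not blocked by this DACL.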

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 c7c4ddf4-f2ce-4965-a6af-9d84ebc8360d.uuid.createupdate.org udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 142.53.16.96.in-addr.arpa udp
US 8.8.8.8:53 stun.l.google.com udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 server2.createupdate.org udp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 74.125.250.129:19302 stun.l.google.com udp
BG 185.82.216.104:443 server2.createupdate.org tcp
US 8.8.8.8:53 carsalessystem.com udp
US 172.67.221.71:443 carsalessystem.com tcp
US 8.8.8.8:53 129.250.125.74.in-addr.arpa udp
US 8.8.8.8:53 233.135.159.162.in-addr.arpa udp
US 8.8.8.8:53 104.216.82.185.in-addr.arpa udp
US 8.8.8.8:53 71.221.67.172.in-addr.arpa udp
BG 185.82.216.104:443 server2.createupdate.org tcp
BG 185.82.216.104:443 server2.createupdate.org tcp
US 8.8.8.8:53 42.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
NL 23.62.61.171:443 www.bing.com tcp
US 8.8.8.8:53 171.61.62.23.in-addr.arpa udp
BG 185.82.216.104:443 server2.createupdate.org tcp
US 8.8.8.8:53 2.173.189.20.in-addr.arpa udp
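
Most of the network table is reverse (in-addr.arpa) lookups that the sandbox performs on its own peers, plus traffic a stock Windows image generates by itself; the indicators worth keeping are the names the sample queried and then connected to. The Python below is an added example, not part of the report: it parses a subset of the rows above copied verbatim, drops PTR lookups, and marks the Bing and Google STUN names as noise, which is my assumption about the analysis image rather than a verdict from the sandbox. cdn.discordapp.com is left in the review set because a CDN can host a payload as easily as it serves legitimate content.

```python
"""Triage the network table above into a watch-list with sandbox noise removed.
Added illustration, not part of the sandbox report. NETWORK_ROWS is a subset
of the behavioral1 rows copied verbatim; SANDBOX_NOISE is my assumption about
what the analysis image contacts on its own, not a verdict from the report."""
import re
from collections import defaultdict

NETWORK_ROWS = """\
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 c7c4ddf4-f2ce-4965-a6af-9d84ebc8360d.uuid.createupdate.org udp
US 8.8.8.8:53 stun.l.google.com udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 server2.createupdate.org udp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 74.125.250.129:19302 stun.l.google.com udp
BG 185.82.216.104:443 server2.createupdate.org tcp
US 8.8.8.8:53 carsalessystem.com udp
US 172.67.221.71:443 carsalessystem.com tcp
BG 185.82.216.104:443 server2.createupdate.org tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
NL 23.62.61.171:443 www.bing.com tcp
"""

ROW_RE = re.compile(
    r"^(?P<cc>[A-Z]{2}) (?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+) "
    r"(?P<domain>\S+) (?P<proto>tcp|udp)$")
UUID_RE = re.compile(r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}")

RESOLVER = ("8.8.8.8", 53)   # the sandbox's DNS forwarder
SANDBOX_NOISE = {"www.bing.com", "tse1.mm.bing.net", "stun.l.google.com"}  # assumed


def parse_rows(text):
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparsed row: {line!r}")
        row = m.groupdict()
        row["port"] = int(row["port"])
        rows.append(row)
    return rows


def triage(rows):
    """Group rows per domain. PTR lookups are dropped: they are the sandbox
    resolving its own peers, not names the sample asked for."""
    out = defaultdict(lambda: {"queries": 0, "endpoints": set(),
                               "countries": set(), "class": "review"})
    for r in rows:
        dom = r["domain"]
        if dom.endswith(".in-addr.arpa"):
            continue
        entry = out[dom]
        if (r["ip"], r["port"]) == RESOLVER:
            entry["queries"] += 1     # a DNS query for the name
        else:
            entry["endpoints"].add(f"{r['ip']}:{r['port']}/{r['proto']}")
            entry["countries"].add(r["cc"])
        if dom in SANDBOX_NOISE:
            entry["class"] = "sandbox-noise"
    return dict(out)


def candidate_iocs(rows):
    """Domains still classed 'review' and the endpoints they resolved to."""
    return {dom: sorted(v["endpoints"])
            for dom, v in triage(rows).items() if v["class"] == "review"}


def hunt_patterns(rows):
    """Watch-list names; a UUID-labelled host is widened to its parent domain
    because the label looks per-victim and will differ on every infected host."""
    patterns = set()
    for dom in candidate_iocs(rows):
        labels = dom.split(".")
        if UUID_RE.fullmatch(labels[0]):
            patterns.add("*." + ".".join(labels[1:]))
        else:
            patterns.add(dom)
    return sorted(patterns)


if __name__ == "__main__":
    for dom, eps in candidate_iocs(parse_rows(NETWORK_ROWS)).items():
        print(f"{dom:60} {', '.join(eps) or '(DNS only)'}")
    print(hunt_patterns(parse_rows(NETWORK_ROWS)))
```

The query for the UUID-labelled host under uuid.createupdate.org is widened to `*.uuid.createupdate.org`: if that label is a per-victim identifier, an exact-name indicator would never match another infected host. Rows to the 8.8.8.8 resolver are counted as queries rather than endpoints, since the useful fact is the name asked for, not the forwarder.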

Files

memory/1900-1-0x00000000029C0000-0x0000000002DBD000-memory.dmp

memory/1900-2-0x0000000002DC0000-0x00000000036AB000-memory.dmp

memory/1900-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4448-4-0x0000000074B4E000-0x0000000074B4F000-memory.dmp

memory/4448-5-0x0000000004730000-0x0000000004766000-memory.dmp

memory/4448-6-0x0000000004E80000-0x00000000054A8000-memory.dmp

memory/4448-7-0x0000000074B40000-0x00000000752F0000-memory.dmp

memory/4448-8-0x0000000074B40000-0x00000000752F0000-memory.dmp

memory/4448-9-0x0000000004C50000-0x0000000004C72000-memory.dmp

memory/4448-10-0x0000000005620000-0x0000000005686000-memory.dmp

memory/4448-11-0x0000000005690000-0x00000000056F6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dm3zro35.nvn.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4448-21-0x0000000005700000-0x0000000005A54000-memory.dmp

memory/4448-22-0x0000000005D10000-0x0000000005D2E000-memory.dmp

memory/4448-23-0x0000000005D30000-0x0000000005D7C000-memory.dmp

memory/4448-24-0x0000000006280000-0x00000000062C4000-memory.dmp

memory/4448-25-0x0000000007030000-0x00000000070A6000-memory.dmp

memory/4448-26-0x0000000007730000-0x0000000007DAA000-memory.dmp

memory/4448-27-0x00000000070D0000-0x00000000070EA000-memory.dmp

memory/4448-28-0x0000000007290000-0x00000000072C2000-memory.dmp

memory/4448-30-0x0000000074B40000-0x00000000752F0000-memory.dmp

memory/4448-29-0x00000000709E0000-0x0000000070A2C000-memory.dmp

memory/4448-31-0x0000000070BD0000-0x0000000070F24000-memory.dmp

memory/4448-41-0x00000000072D0000-0x00000000072EE000-memory.dmp

memory/4448-42-0x0000000074B40000-0x00000000752F0000-memory.dmp

memory/4448-43-0x00000000072F0000-0x0000000007393000-memory.dmp

memory/4448-44-0x00000000073E0000-0x00000000073EA000-memory.dmp

memory/4448-45-0x00000000074F0000-0x0000000007586000-memory.dmp

memory/4448-46-0x00000000073F0000-0x0000000007401000-memory.dmp

memory/4448-47-0x0000000007430000-0x000000000743E000-memory.dmp

memory/4448-48-0x0000000007450000-0x0000000007464000-memory.dmp

memory/4448-49-0x0000000007490000-0x00000000074AA000-memory.dmp

memory/4448-50-0x0000000007480000-0x0000000007488000-memory.dmp

memory/4448-53-0x0000000074B40000-0x00000000752F0000-memory.dmp

memory/1900-55-0x0000000002DC0000-0x00000000036AB000-memory.dmp

memory/1900-54-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4920-57-0x0000000002960000-0x0000000002D67000-memory.dmp

memory/1268-67-0x0000000005F70000-0x00000000062C4000-memory.dmp

memory/1268-68-0x0000000006350000-0x000000000639C000-memory.dmp

memory/1268-69-0x0000000070AE0000-0x0000000070B2C000-memory.dmp

memory/1268-70-0x0000000070C60000-0x0000000070FB4000-memory.dmp

memory/1268-80-0x0000000007550000-0x00000000075F3000-memory.dmp

memory/1268-81-0x0000000007880000-0x0000000007891000-memory.dmp

memory/1268-82-0x00000000078D0000-0x00000000078E4000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 3d086a433708053f9bf9523e1d87a4e8
SHA1 b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA256 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

memory/3968-92-0x0000000006240000-0x0000000006594000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 5f8741d3f0b81bf55a37131ecc0bac7f
SHA1 b65fb9825c90a55301415a0b4b9a1f68d5a2df6f
SHA256 aed82cb50129c5fe9862d510439c0318a4b7db9e5d1cf3aa71110132389a3ae1
SHA512 b37455bd6e62070d7efab222dfe5f17fdf12b44fd5cf9a5cb963088dcd810efec55066353cb761f80148275beb599eedd47d96ea1135ba4101b669b4572d4f10

memory/3968-97-0x0000000070AE0000-0x0000000070B2C000-memory.dmp

memory/3968-98-0x0000000071280000-0x00000000715D4000-memory.dmp

memory/4940-118-0x0000000005DB0000-0x0000000006104000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 0dc552f5f7e94c5cc373bfc35ec507ad
SHA1 510c47eb3869f104e2c12af42c8242383b52a286
SHA256 e9ac26c6465086deb2f94cf12c41847f5d09e55452df77337d0ac539610a40f3
SHA512 2cfecc8915c060c9dd48683665a118cce7d730c0d1ff6891d10f35c20333dcae52e155007af230c2f77be0f8392dd91e799dfb7157c573571b6df0e9dd156a21

memory/4940-121-0x00000000712A0000-0x00000000715F4000-memory.dmp

memory/4940-120-0x0000000070AE0000-0x0000000070B2C000-memory.dmp

memory/4920-132-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 6dbb990ca269475bf07203047beb9ee4
SHA1 79e6540fed974eb27c8c7127442ddfb6df70b7a5
SHA256 63e581028daa1d13b8dd365c7864c84b655f9f886713a3f7772901d70583f64b
SHA512 9fcc063bc70dfddbcd27be2911e38212e05d73a6e3181729e11b2946469963fddf6bd3507e3270da22f9930e35c8e65e06e86fb634841f0c2de01a049cff4032

memory/2316-147-0x0000000005E00000-0x0000000006154000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 4e1bda3456618e4d9164ac24c3a2887b
SHA1 d5c88e2029b8c0f951c7ce1c52f6231b98d32842
SHA256 37232be55054d8ce7043385165e8b4e6a9e286c1beff74f777870e8fe1b0b057
SHA512 0deb263bb81859056caa86a2bdc5e479527b6ec5893aad8f1184ba6238aa0c306ad92496579cceeb1cfc32f6ecea1fdb737c65f5bab6845e5bce35932bb46aa9

memory/2316-149-0x00000000064E0000-0x000000000652C000-memory.dmp

memory/2316-150-0x0000000070A40000-0x0000000070A8C000-memory.dmp

memory/2316-151-0x00000000711E0000-0x0000000071534000-memory.dmp

memory/2316-161-0x00000000076B0000-0x0000000007753000-memory.dmp

memory/2316-162-0x00000000079B0000-0x00000000079C1000-memory.dmp

memory/2316-163-0x0000000005D40000-0x0000000005D54000-memory.dmp

memory/3908-174-0x0000000005740000-0x0000000005A94000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 6a413bad4a523c75f4d6c40104feb1b3
SHA1 7218c2fefb81f881e409a31fe7df45d1c11bbc34
SHA256 c0471a4af758590cacb49975274afeddf1a86e6f5aa5228dfc9d5226cbf8c7a8
SHA512 bcf5f4fea76a51a01c8f65258f17309d5d83ed58761a0b45214f860a67e9777dd30827b796a7cf7c684f683b45d220a97e395ee242458c8f248f6c7d7fcd9980

memory/3908-176-0x0000000005C30000-0x0000000005C7C000-memory.dmp

memory/3908-177-0x0000000070960000-0x00000000709AC000-memory.dmp

memory/3908-178-0x0000000070AE0000-0x0000000070E34000-memory.dmp

memory/3908-188-0x0000000006E20000-0x0000000006EC3000-memory.dmp

memory/3908-189-0x0000000005450000-0x0000000005461000-memory.dmp

memory/3908-190-0x0000000005670000-0x0000000005684000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 68ceb89da7e4443817867f5a31bb445e
SHA1 fcb85afde3ad2b3b15413f3e92b9450d1a766276
SHA256 715d5c3e4804077365c096d80d58f85e57386242024becdc31f49fb183593a3d
SHA512 fdb6a560c588a39c4b221f10c14bbbc06059e8de221ef1ab8f3de9c5744a234fde17a36070f9498c6b93f6a090353c117ccf6482227fbcc2b33840d3c98b5ff1

memory/3696-202-0x0000000070960000-0x00000000709AC000-memory.dmp

memory/3696-203-0x0000000070AE0000-0x0000000070E34000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/4920-219-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2592-220-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4920-221-0x0000000002960000-0x0000000002D67000-memory.dmp

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/2408-226-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2408-228-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2592-230-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2592-232-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3688-233-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2592-235-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2592-238-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3688-239-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2592-242-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2592-244-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2592-247-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2592-250-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2592-253-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2592-257-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2592-259-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2592-262-0x0000000000400000-0x0000000000D1C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-16 15:53

Reported

2024-05-16 15:56

Platform

win11-20240508-en

Max time kernel

149s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\63e581028daa1d13b8dd365c7864c84b655f9f886713a3f7772901d70583f64b.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
(19 rule hits recorded; the sandbox reports no description, indicator, process or target for any of them)

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Description Indicator Process Target
(6 rule hits recorded; the sandbox reports no description, indicator, process or target for any of them)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\63e581028daa1d13b8dd365c7864c84b655f9f886713a3f7772901d70583f64b.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\63e581028daa1d13b8dd365c7864c84b655f9f886713a3f7772901d70583f64b.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\63e581028daa1d13b8dd365c7864c84b655f9f886713a3f7772901d70583f64b.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\63e581028daa1d13b8dd365c7864c84b655f9f886713a3f7772901d70583f64b.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
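
The signatures above are the sandbox's own labels; what a detection engineer needs is logic that fires on these command lines in production telemetry and stays quiet on ordinary administration. The Python below is an added example, not part of the report. It runs five rules over Sysmon-style process-creation records constructed from the behavioral1 process list (the csrss.exe copy under C:\Windows\rss, the ONLOGON task, the netsh allow rule, the sc sdset call and the taskmgr.exe injector) plus two benign control events I made up; the trusted-directory list and the rule names are my choices and will need tuning for a real estate. The file hashes above also show that C:\Windows\rss\csrss.exe is a byte-for-byte copy of the submitted sample, so a hash rule would catch this build, but none of the behaviours below depend on it.

```python
"""Process-creation detections for the persistence and evasion commands in
this report, run over Sysmon-style Event ID 1 records (Image, CommandLine).
Added illustration; the rules are mine, not sandbox signatures. SAMPLE_EVENTS
is built from the behavioral1 process list plus two made-up benign controls."""
import re

# Directories whose contents the rules treat as trusted; tune for your estate.
TRUSTED_PREFIXES = ("c:\\program files", "c:\\windows\\system32\\",
                    "c:\\windows\\syswow64\\")
SYSTEM_CSRSS = "c:\\windows\\system32\\csrss.exe"

def _norm(path):
    return path.strip('"').replace("/", "\\").lower()

def _trusted(path):
    return _norm(path).startswith(TRUSTED_PREFIXES)

def rule_masquerading_csrss(ev):
    """csrss.exe running from anywhere but System32 (here C:\\Windows\\rss)."""
    img = _norm(ev["Image"])
    return img.endswith("\\csrss.exe") and img != SYSTEM_CSRSS

def rule_schtasks_onlogon_highest(ev):
    """Logon task at highest run level whose target lies outside trusted dirs."""
    cl = ev["CommandLine"]
    if not (_norm(ev["Image"]).endswith("\\schtasks.exe")
            and re.search(r"/create\b", cl, re.I)
            and re.search(r"/sc\s+onlogon\b", cl, re.I)
            and re.search(r"/rl\s+highest\b", cl, re.I)):
        return False
    m = re.search(r'/tr\s+(?:"([^"]+)"|(\S+))', cl, re.I)
    return bool(m) and not _trusted(m.group(1) or m.group(2))

def rule_firewall_allow_untrusted_program(ev):
    """netsh inbound allow rule for a program outside trusted dirs."""
    cl = ev["CommandLine"]
    if not (_norm(ev["Image"]).endswith("\\netsh.exe")
            and re.search(r"advfirewall\s+firewall\s+add\s+rule\b", cl, re.I)
            and re.search(r"\bdir=in\b", cl, re.I)
            and re.search(r"\baction=allow\b", cl, re.I)):
        return False
    m = re.search(r'program=(?:"([^"]+)"|(\S+))', cl, re.I)
    return bool(m) and not _trusted(m.group(1) or m.group(2))

def rule_service_dacl_deny(ev):
    """sc sdset writing a DACL that carries a deny ACE or drops SERVICE_STOP (WP)
    from Administrators. Matches on the command line, so it also fires on a
    cmd.exe wrapper such as the one in the report."""
    cl = ev["CommandLine"]
    if not re.search(r"\bsc(?:\.exe)?\s+sdset\b", cl, re.I):
        return False
    ba_allow = re.search(r"\(A;[^;]*;([A-Z]*);[^;]*;[^;]*;BA\)", cl)
    return "(D;" in cl or (ba_allow is not None and "WP" not in ba_allow.group(1))

def rule_dll_injector_taskmgr(ev):
    """Untrusted binary given a target process and a DLL on its command line;
    the report's DLL is named for the API Task Manager's process list relies on."""
    if _trusted(ev["Image"]):
        return False
    return re.search(r"\S+\.exe\s+\S+\.dll\b", ev["CommandLine"], re.I) is not None

RULES = {
    "masquerading_csrss": rule_masquerading_csrss,
    "schtasks_onlogon_highest": rule_schtasks_onlogon_highest,
    "firewall_allow_untrusted_program": rule_firewall_allow_untrusted_program,
    "service_dacl_deny": rule_service_dacl_deny,
    "dll_injector_taskmgr": rule_dll_injector_taskmgr,
}

def fired_rules(ev):
    return sorted(name for name, fn in RULES.items() if fn(ev))

def evaluate(events):
    """[(rule, CommandLine)] for every rule that fires on every event."""
    return [(n, ev["CommandLine"]) for ev in events for n in fired_rules(ev)]

SAMPLE_EVENTS = [  # first six copied from the report, last two constructed benign controls
    {"Image": r"C:\Windows\rss\csrss.exe", "CommandLine": r"C:\Windows\rss\csrss.exe"},
    {"Image": r"C:\Windows\SYSTEM32\schtasks.exe", "CommandLine":
     r'schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F'},
    {"Image": r"C:\Windows\SYSTEM32\schtasks.exe", "CommandLine": r"schtasks /delete /tn ScheduledUpdate /f"},
    {"Image": r"C:\Windows\system32\netsh.exe", "CommandLine":
     r'netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes'},
    {"Image": r"C:\Windows\SysWOW64\sc.exe", "CommandLine":
     "sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)"
     "(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"},
    {"Image": r"C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe", "CommandLine":
     r"C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe "
     r"C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll"},
    {"Image": r"C:\Windows\System32\csrss.exe", "CommandLine": r"C:\Windows\System32\csrss.exe"},
    {"Image": r"C:\Windows\System32\schtasks.exe", "CommandLine":
     r'schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Program Files\Vendor\agent.exe" /TN Agent /F'},
]

if __name__ == "__main__":
    for name, cl in evaluate(SAMPLE_EVENTS):
        print(f"[{name}] {cl}")
```

The masquerading rule is the cheapest and most durable of the five: the genuine csrss.exe only runs from System32, so an image of that name anywhere else is worth an alert on its own. The sc sdset rule matches the command line rather than the image, so in the report's trace it would fire on the cmd.exe wrapper as well as on sc.exe; deduplicate on the parent process if that volume matters.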

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-141 = "Canada Central Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-331 = "E. Europe Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-334 = "Jordan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1862 = "Russia TZ 6 Standard Time" C:\Users\Admin\AppData\Local\Temp\63e581028daa1d13b8dd365c7864c84b655f9f886713a3f7772901d70583f64b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-131 = "US Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\63e581028daa1d13b8dd365c7864c84b655f9f886713a3f7772901d70583f64b.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-171 = "Central Daylight Time (Mexico)" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-162 = "Central Standard Time" C:\Users\Admin\AppData\Local\Temp\63e581028daa1d13b8dd365c7864c84b655f9f886713a3f7772901d70583f64b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-172 = "Central Standard Time (Mexico)" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-251 = "Dateline Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-371 = "Jerusalem Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-542 = "Myanmar Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-391 = "Arab Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-112 = "Eastern Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2871 = "Magallanes Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2512 = "Lord Howe Standard Time" C:\Users\Admin\AppData\Local\Temp\63e581028daa1d13b8dd365c7864c84b655f9f886713a3f7772901d70583f64b.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-352 = "FLE Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-332 = "E. Europe Standard Time" C:\Users\Admin\AppData\Local\Temp\63e581028daa1d13b8dd365c7864c84b655f9f886713a3f7772901d70583f64b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-141 = "Canada Central Daylight Time" C:\Users\Admin\AppData\Local\Temp\63e581028daa1d13b8dd365c7864c84b655f9f886713a3f7772901d70583f64b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-962 = "Paraguay Standard Time" C:\Users\Admin\AppData\Local\Temp\63e581028daa1d13b8dd365c7864c84b655f9f886713a3f7772901d70583f64b.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-381 = "South Africa Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1972 = "Belarus Standard Time" C:\Users\Admin\AppData\Local\Temp\63e581028daa1d13b8dd365c7864c84b655f9f886713a3f7772901d70583f64b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-334 = "Jordan Daylight Time" C:\Users\Admin\AppData\Local\Temp\63e581028daa1d13b8dd365c7864c84b655f9f886713a3f7772901d70583f64b.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1932 = "Russia TZ 11 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-452 = "Caucasus Standard Time" C:\Users\Admin\AppData\Local\Temp\63e581028daa1d13b8dd365c7864c84b655f9f886713a3f7772901d70583f64b.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-32 = "Mid-Atlantic Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-365 = "Middle East Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1801 = "Line Islands Daylight Time" C:\Users\Admin\AppData\Local\Temp\63e581028daa1d13b8dd365c7864c84b655f9f886713a3f7772901d70583f64b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-981 = "Kamchatka Daylight Time" C:\Users\Admin\AppData\Local\Temp\63e581028daa1d13b8dd365c7864c84b655f9f886713a3f7772901d70583f64b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2061 = "North Korea Daylight Time" C:\Users\Admin\AppData\Local\Temp\63e581028daa1d13b8dd365c7864c84b655f9f886713a3f7772901d70583f64b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-201 = "US Mountain Daylight Time" C:\Users\Admin\AppData\Local\Temp\63e581028daa1d13b8dd365c7864c84b655f9f886713a3f7772901d70583f64b.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1022 = "Bangladesh Standard Time" C:\Users\Admin\AppData\Local\Temp\63e581028daa1d13b8dd365c7864c84b655f9f886713a3f7772901d70583f64b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-661 = "Cen. Australia Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-362 = "GTB Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2631 = "Norfolk Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2452 = "Saint Pierre Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-891 = "Morocco Daylight Time" C:\Users\Admin\AppData\Local\Temp\63e581028daa1d13b8dd365c7864c84b655f9f886713a3f7772901d70583f64b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-452 = "Caucasus Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-871 = "Pakistan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2571 = "Turks and Caicos Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-911 = "Mauritius Daylight Time" C:\Users\Admin\AppData\Local\Temp\63e581028daa1d13b8dd365c7864c84b655f9f886713a3f7772901d70583f64b.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\63e581028daa1d13b8dd365c7864c84b655f9f886713a3f7772901d70583f64b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\63e581028daa1d13b8dd365c7864c84b655f9f886713a3f7772901d70583f64b.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\63e581028daa1d13b8dd365c7864c84b655f9f886713a3f7772901d70583f64b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\63e581028daa1d13b8dd365c7864c84b655f9f886713a3f7772901d70583f64b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\63e581028daa1d13b8dd365c7864c84b655f9f886713a3f7772901d70583f64b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\63e581028daa1d13b8dd365c7864c84b655f9f886713a3f7772901d70583f64b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\63e581028daa1d13b8dd365c7864c84b655f9f886713a3f7772901d70583f64b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\63e581028daa1d13b8dd365c7864c84b655f9f886713a3f7772901d70583f64b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\63e581028daa1d13b8dd365c7864c84b655f9f886713a3f7772901d70583f64b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\63e581028daa1d13b8dd365c7864c84b655f9f886713a3f7772901d70583f64b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\63e581028daa1d13b8dd365c7864c84b655f9f886713a3f7772901d70583f64b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\63e581028daa1d13b8dd365c7864c84b655f9f886713a3f7772901d70583f64b.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\63e581028daa1d13b8dd365c7864c84b655f9f886713a3f7772901d70583f64b.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\63e581028daa1d13b8dd365c7864c84b655f9f886713a3f7772901d70583f64b.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4280 wrote to memory of 4684 N/A C:\Users\Admin\AppData\Local\Temp\63e581028daa1d13b8dd365c7864c84b655f9f886713a3f7772901d70583f64b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4280 wrote to memory of 4684 N/A C:\Users\Admin\AppData\Local\Temp\63e581028daa1d13b8dd365c7864c84b655f9f886713a3f7772901d70583f64b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4280 wrote to memory of 4684 N/A C:\Users\Admin\AppData\Local\Temp\63e581028daa1d13b8dd365c7864c84b655f9f886713a3f7772901d70583f64b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2612 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\63e581028daa1d13b8dd365c7864c84b655f9f886713a3f7772901d70583f64b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2612 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\63e581028daa1d13b8dd365c7864c84b655f9f886713a3f7772901d70583f64b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2612 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\63e581028daa1d13b8dd365c7864c84b655f9f886713a3f7772901d70583f64b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2612 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Local\Temp\63e581028daa1d13b8dd365c7864c84b655f9f886713a3f7772901d70583f64b.exe C:\Windows\system32\cmd.exe
PID 2612 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Local\Temp\63e581028daa1d13b8dd365c7864c84b655f9f886713a3f7772901d70583f64b.exe C:\Windows\system32\cmd.exe
PID 1796 wrote to memory of 2408 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1796 wrote to memory of 2408 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2612 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\63e581028daa1d13b8dd365c7864c84b655f9f886713a3f7772901d70583f64b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2612 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\63e581028daa1d13b8dd365c7864c84b655f9f886713a3f7772901d70583f64b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2612 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\63e581028daa1d13b8dd365c7864c84b655f9f886713a3f7772901d70583f64b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2612 wrote to memory of 1384 N/A C:\Users\Admin\AppData\Local\Temp\63e581028daa1d13b8dd365c7864c84b655f9f886713a3f7772901d70583f64b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2612 wrote to memory of 1384 N/A C:\Users\Admin\AppData\Local\Temp\63e581028daa1d13b8dd365c7864c84b655f9f886713a3f7772901d70583f64b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2612 wrote to memory of 1384 N/A C:\Users\Admin\AppData\Local\Temp\63e581028daa1d13b8dd365c7864c84b655f9f886713a3f7772901d70583f64b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2612 wrote to memory of 436 N/A C:\Users\Admin\AppData\Local\Temp\63e581028daa1d13b8dd365c7864c84b655f9f886713a3f7772901d70583f64b.exe C:\Windows\rss\csrss.exe
PID 2612 wrote to memory of 436 N/A C:\Users\Admin\AppData\Local\Temp\63e581028daa1d13b8dd365c7864c84b655f9f886713a3f7772901d70583f64b.exe C:\Windows\rss\csrss.exe
PID 2612 wrote to memory of 436 N/A C:\Users\Admin\AppData\Local\Temp\63e581028daa1d13b8dd365c7864c84b655f9f886713a3f7772901d70583f64b.exe C:\Windows\rss\csrss.exe
PID 436 wrote to memory of 2104 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 436 wrote to memory of 2104 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 436 wrote to memory of 2104 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 436 wrote to memory of 1252 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 436 wrote to memory of 1252 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 436 wrote to memory of 1252 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 436 wrote to memory of 3624 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 436 wrote to memory of 3624 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 436 wrote to memory of 3624 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 436 wrote to memory of 3052 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 436 wrote to memory of 3052 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 3536 wrote to memory of 2080 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 3536 wrote to memory of 2080 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 3536 wrote to memory of 2080 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 2080 wrote to memory of 3332 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 2080 wrote to memory of 3332 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 2080 wrote to memory of 3332 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\63e581028daa1d13b8dd365c7864c84b655f9f886713a3f7772901d70583f64b.exe

"C:\Users\Admin\AppData\Local\Temp\63e581028daa1d13b8dd365c7864c84b655f9f886713a3f7772901d70583f64b.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\63e581028daa1d13b8dd365c7864c84b655f9f886713a3f7772901d70583f64b.exe

"C:\Users\Admin\AppData\Local\Temp\63e581028daa1d13b8dd365c7864c84b655f9f886713a3f7772901d70583f64b.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 162.159.135.233:443 cdn.discordapp.com tcp
BG 185.82.216.104:443 server4.createupdate.org tcp
US 74.125.250.129:19302 stun2.l.google.com udp
US 104.21.94.82:443 carsalessystem.com tcp
US 8.8.8.8:53 104.216.82.185.in-addr.arpa udp
BG 185.82.216.104:443 server4.createupdate.org tcp
BG 185.82.216.104:443 server4.createupdate.org tcp
BG 185.82.216.104:443 server4.createupdate.org tcp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zzfhcydc.4jo.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 ac4917a885cf6050b1a483e4bc4d2ea5
SHA1 b1c0a9f27bd21c6bbb8e9be70db8777b4a2a640f
SHA256 e39062a62c3c7617feeeff95ea8a0be51104a0d36f46e44eea22556fda74d8d9
SHA512 092c67a3ecae1d187cad72a8ea1ea37cb78a0cf79c2cd7fb88953e5990669a2e871267015762fd46d274badb88ac0c1d73b00f1df7394d89bed48a3a45c2ba3d

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 60dcff6232b45e77cdc71ca2dd7d0cef
SHA1 909989a25aaa9f539f66b748fc8d8b9e4f591be0
SHA256 6cfaa72d5dd173fda3035334c1bb3491ac0da32c9e5149597cb2d017c6e1c856
SHA512 3668aa13d0d34db63315719db2548f2edfab4b536ccf6a1cd707f3cdac9eac8487788996cbac016f73905c54db80a3fd7a948a9ab3b68755ec86143d08286913

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 a2fbfba7d2247153b3e1a1f3be357a4e
SHA1 a1293979fe577377bcef8ade68105059666ac2ec
SHA256 d10c86c7e90f7ebc5e91028627f8a34052359f44335bf1bbebdfeae2f1002a38
SHA512 afcd21fb13b6bf997dc53365b3184b977fd68d57efc66822bc7f8678aeaa3ffb3781fbaf331106fe2a54e6348df301311221c6a290788c05b26b24c5db171958

C:\Windows\rss\csrss.exe

MD5 6dbb990ca269475bf07203047beb9ee4
SHA1 79e6540fed974eb27c8c7127442ddfb6df70b7a5
SHA256 63e581028daa1d13b8dd365c7864c84b655f9f886713a3f7772901d70583f64b
SHA512 9fcc063bc70dfddbcd27be2911e38212e05d73a6e3181729e11b2946469963fddf6bd3507e3270da22f9930e35c8e65e06e86fb634841f0c2de01a049cff4032

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 d5b40abb899750179bd7c7460878267f
SHA1 fce704b4213966ccfc53bb3bc8c601424c5224dc
SHA256 c30a0b511528e6f838bf8b78952451c1c6e3ac23375adcea3b2d8193760ea926
SHA512 ac134c2c16ceae8c2436d647f2904d120e30f5c9606d4c2314ea44d1e67585046a4ced462db91d748b2af5157be8461b93621f3246ead4a745ac1ecc070fa8d9

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 94acdaac0921cf0cf97ff88bafcdcfd4
SHA1 82af5310c8f2c8010f0683f6431396999495878e
SHA256 556de26602f3e42ff7b524c77973957e4b8609e8bb3994d4147f9a26e7ee39d3
SHA512 a992be8f051a6d92b420edf9fd191ba18d0d95d5387fc576c2e0699a5b37b038d4530dddee5264de663102be6edfd096bba936aae0927205641aa962ab5e1b73

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 a85f8926686cf8b53f3ae358f67e0962
SHA1 39ace1523ee162494eff91be22193b155919f4d3
SHA256 5216df99a63c6c6b8ab73b767703c69bf24cc15fc495dae5d898e0d98abe2b3a
SHA512 9b849814c1a000002dad70d70e239d2c69b36ea5ed55dc7c358a00a782e2bb15a639e4b7e5fc7e1b88147ae1c3f34e618ee488fd019d9aef3002aa360ff63710

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec
