Malware Analysis Report

2024-12-08 02:20

Sample ID: 240516-wfeylsgf27
Target: 42d0796fe4b578ce895a6c275177d751454534ca6fffe5756a646a6a345beabf
SHA256: 42d0796fe4b578ce895a6c275177d751454534ca6fffe5756a646a6a345beabf
Tags: glupteba discovery dropper evasion execution loader persistence rootkit upx
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: 42d0796fe4b578ce895a6c275177d751454534ca6fffe5756a646a6a345beabf

Threat Level: Known bad

The file 42d0796fe4b578ce895a6c275177d751454534ca6fffe5756a646a6a345beabf was found to be: Known bad.

Malicious Activity Summary

glupteba discovery dropper evasion execution loader persistence rootkit upx

Glupteba payload

Glupteba

Modifies Windows Firewall

UPX packed file

Executes dropped EXE

Checks installed software on the system

Manipulates WinMonFS driver

Adds Run key to start application

Drops file in System32 directory

Drops file in Windows directory

Launches sc.exe

Checks for VirtualBox DLLs, possible anti-VM trick

Command and Scripting Interpreter: PowerShell

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Modifies data under HKEY_USERS

Creates scheduled task(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-05-16 17:51

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-05-16 17:51

Reported: 2024-05-16 17:54

Platform: win10v2004-20240508-en

Max time kernel: 149s

Max time network: 148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\42d0796fe4b578ce895a6c275177d751454534ca6fffe5756a646a6a345beabf.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Modifies Windows Firewall

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\netsh.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\rss\csrss.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Windows\windefender.exe | N/A
N/A | N/A | C:\Windows\windefender.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Users\Admin\AppData\Local\Temp\42d0796fe4b578ce895a6c275177d751454534ca6fffe5756a646a6a345beabf.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Windows\rss\csrss.exe | N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver

rootkit evasion
Description | Indicator | Process | Target
File opened for modification | \??\WinMonFS | C:\Windows\rss\csrss.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description | Indicator | Process | Target
File opened (read-only) | \??\VBoxMiniRdrDN | C:\Users\Admin\AppData\Local\Temp\42d0796fe4b578ce895a6c275177d751454534ca6fffe5756a646a6a345beabf.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\windefender.exe | C:\Windows\rss\csrss.exe | N/A
File opened for modification | C:\Windows\windefender.exe | C:\Windows\rss\csrss.exe | N/A
File opened for modification | C:\Windows\rss | C:\Users\Admin\AppData\Local\Temp\42d0796fe4b578ce895a6c275177d751454534ca6fffe5756a646a6a345beabf.exe | N/A
File created | C:\Windows\rss\csrss.exe | C:\Users\Admin\AppData\Local\Temp\42d0796fe4b578ce895a6c275177d751454534ca6fffe5756a646a6a345beabf.exe | N/A

Launches sc.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A
N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A

Modifies data under HKEY_USERS

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-752 = "Tonga Standard Time" | C:\Windows\windefender.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2341 = "Haiti Daylight Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1912 = "Russia TZ 10 Standard Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-871 = "Pakistan Daylight Time" | C:\Users\Admin\AppData\Local\Temp\42d0796fe4b578ce895a6c275177d751454534ca6fffe5756a646a6a345beabf.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-111 = "Eastern Daylight Time" | C:\Users\Admin\AppData\Local\Temp\42d0796fe4b578ce895a6c275177d751454534ca6fffe5756a646a6a345beabf.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2511 = "Lord Howe Daylight Time" | C:\Users\Admin\AppData\Local\Temp\42d0796fe4b578ce895a6c275177d751454534ca6fffe5756a646a6a345beabf.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-961 = "Paraguay Daylight Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2752 = "Tomsk Standard Time" | C:\Users\Admin\AppData\Local\Temp\42d0796fe4b578ce895a6c275177d751454534ca6fffe5756a646a6a345beabf.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-3051 = "Qyzylorda Daylight Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1022 = "Bangladesh Standard Time" | C:\Users\Admin\AppData\Local\Temp\42d0796fe4b578ce895a6c275177d751454534ca6fffe5756a646a6a345beabf.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2751 = "Tomsk Daylight Time" | C:\Windows\windefender.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2451 = "Saint Pierre Daylight Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-214 = "Pacific Daylight Time (Mexico)" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-3052 = "Qyzylorda Standard Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-105 = "Central Brazilian Standard Time" | C:\Users\Admin\AppData\Local\Temp\42d0796fe4b578ce895a6c275177d751454534ca6fffe5756a646a6a345beabf.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-542 = "Myanmar Standard Time" | C:\Users\Admin\AppData\Local\Temp\42d0796fe4b578ce895a6c275177d751454534ca6fffe5756a646a6a345beabf.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-171 = "Central Daylight Time (Mexico)" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2431 = "Cuba Daylight Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-261 = "GMT Daylight Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1862 = "Russia TZ 6 Standard Time" | C:\Users\Admin\AppData\Local\Temp\42d0796fe4b578ce895a6c275177d751454534ca6fffe5756a646a6a345beabf.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-691 = "Tasmania Daylight Time" | C:\Users\Admin\AppData\Local\Temp\42d0796fe4b578ce895a6c275177d751454534ca6fffe5756a646a6a345beabf.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2891 = "Sudan Daylight Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-602 = "Taipei Standard Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-681 = "E. Australia Daylight Time" | C:\Users\Admin\AppData\Local\Temp\42d0796fe4b578ce895a6c275177d751454534ca6fffe5756a646a6a345beabf.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-335 = "Jordan Standard Time" | C:\Users\Admin\AppData\Local\Temp\42d0796fe4b578ce895a6c275177d751454534ca6fffe5756a646a6a345beabf.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1872 = "Russia TZ 7 Standard Time" | C:\Users\Admin\AppData\Local\Temp\42d0796fe4b578ce895a6c275177d751454534ca6fffe5756a646a6a345beabf.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-151 = "Central America Daylight Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-572 = "China Standard Time" | C:\Users\Admin\AppData\Local\Temp\42d0796fe4b578ce895a6c275177d751454534ca6fffe5756a646a6a345beabf.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-932 = "Coordinated Universal Time" | C:\Users\Admin\AppData\Local\Temp\42d0796fe4b578ce895a6c275177d751454534ca6fffe5756a646a6a345beabf.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2632 = "Norfolk Standard Time" | C:\Windows\windefender.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-461 = "Afghanistan Daylight Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-511 = "Central Asia Daylight Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-251 = "Dateline Daylight Time" | C:\Users\Admin\AppData\Local\Temp\42d0796fe4b578ce895a6c275177d751454534ca6fffe5756a646a6a345beabf.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-961 = "Paraguay Daylight Time" | C:\Users\Admin\AppData\Local\Temp\42d0796fe4b578ce895a6c275177d751454534ca6fffe5756a646a6a345beabf.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2451 = "Saint Pierre Daylight Time" | C:\Users\Admin\AppData\Local\Temp\42d0796fe4b578ce895a6c275177d751454534ca6fffe5756a646a6a345beabf.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1412 = "Syria Standard Time" | C:\Users\Admin\AppData\Local\Temp\42d0796fe4b578ce895a6c275177d751454534ca6fffe5756a646a6a345beabf.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-42 = "E. South America Standard Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2391 = "Aleutian Daylight Time" | C:\Users\Admin\AppData\Local\Temp\42d0796fe4b578ce895a6c275177d751454534ca6fffe5756a646a6a345beabf.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2941 = "Sao Tome Daylight Time" | C:\Users\Admin\AppData\Local\Temp\42d0796fe4b578ce895a6c275177d751454534ca6fffe5756a646a6a345beabf.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1041 = "Ulaanbaatar Daylight Time" | C:\Users\Admin\AppData\Local\Temp\42d0796fe4b578ce895a6c275177d751454534ca6fffe5756a646a6a345beabf.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\42d0796fe4b578ce895a6c275177d751454534ca6fffe5756a646a6a345beabf.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\42d0796fe4b578ce895a6c275177d751454534ca6fffe5756a646a6a345beabf.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\42d0796fe4b578ce895a6c275177d751454534ca6fffe5756a646a6a345beabf.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\42d0796fe4b578ce895a6c275177d751454534ca6fffe5756a646a6a345beabf.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\42d0796fe4b578ce895a6c275177d751454534ca6fffe5756a646a6a345beabf.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\42d0796fe4b578ce895a6c275177d751454534ca6fffe5756a646a6a345beabf.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\42d0796fe4b578ce895a6c275177d751454534ca6fffe5756a646a6a345beabf.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\42d0796fe4b578ce895a6c275177d751454534ca6fffe5756a646a6a345beabf.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\42d0796fe4b578ce895a6c275177d751454534ca6fffe5756a646a6a345beabf.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\42d0796fe4b578ce895a6c275177d751454534ca6fffe5756a646a6a345beabf.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\42d0796fe4b578ce895a6c275177d751454534ca6fffe5756a646a6a345beabf.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\42d0796fe4b578ce895a6c275177d751454534ca6fffe5756a646a6a345beabf.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Windows\rss\csrss.exe | N/A
N/A | N/A | C:\Windows\rss\csrss.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Windows\rss\csrss.exe | N/A
N/A | N/A | C:\Windows\rss\csrss.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Windows\rss\csrss.exe | N/A
N/A | N/A | C:\Windows\rss\csrss.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\42d0796fe4b578ce895a6c275177d751454534ca6fffe5756a646a6a345beabf.exe | N/A
Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\42d0796fe4b578ce895a6c275177d751454534ca6fffe5756a646a6a345beabf.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\rss\csrss.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\sc.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\sc.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 400 wrote to memory of 412 | N/A | C:\Users\Admin\AppData\Local\Temp\42d0796fe4b578ce895a6c275177d751454534ca6fffe5756a646a6a345beabf.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 400 wrote to memory of 412 | N/A | C:\Users\Admin\AppData\Local\Temp\42d0796fe4b578ce895a6c275177d751454534ca6fffe5756a646a6a345beabf.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 400 wrote to memory of 412 | N/A | C:\Users\Admin\AppData\Local\Temp\42d0796fe4b578ce895a6c275177d751454534ca6fffe5756a646a6a345beabf.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1776 wrote to memory of 2884 | N/A | C:\Users\Admin\AppData\Local\Temp\42d0796fe4b578ce895a6c275177d751454534ca6fffe5756a646a6a345beabf.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1776 wrote to memory of 2884 | N/A | C:\Users\Admin\AppData\Local\Temp\42d0796fe4b578ce895a6c275177d751454534ca6fffe5756a646a6a345beabf.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1776 wrote to memory of 2884 | N/A | C:\Users\Admin\AppData\Local\Temp\42d0796fe4b578ce895a6c275177d751454534ca6fffe5756a646a6a345beabf.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1776 wrote to memory of 2476 | N/A | C:\Users\Admin\AppData\Local\Temp\42d0796fe4b578ce895a6c275177d751454534ca6fffe5756a646a6a345beabf.exe | C:\Windows\system32\cmd.exe
PID 1776 wrote to memory of 2476 | N/A | C:\Users\Admin\AppData\Local\Temp\42d0796fe4b578ce895a6c275177d751454534ca6fffe5756a646a6a345beabf.exe | C:\Windows\system32\cmd.exe
PID 2476 wrote to memory of 4520 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\netsh.exe
PID 2476 wrote to memory of 4520 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\netsh.exe
PID 1776 wrote to memory of 1940 | N/A | C:\Users\Admin\AppData\Local\Temp\42d0796fe4b578ce895a6c275177d751454534ca6fffe5756a646a6a345beabf.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1776 wrote to memory of 1940 | N/A | C:\Users\Admin\AppData\Local\Temp\42d0796fe4b578ce895a6c275177d751454534ca6fffe5756a646a6a345beabf.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1776 wrote to memory of 1940 | N/A | C:\Users\Admin\AppData\Local\Temp\42d0796fe4b578ce895a6c275177d751454534ca6fffe5756a646a6a345beabf.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1776 wrote to memory of 4632 | N/A | C:\Users\Admin\AppData\Local\Temp\42d0796fe4b578ce895a6c275177d751454534ca6fffe5756a646a6a345beabf.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1776 wrote to memory of 4632 | N/A | C:\Users\Admin\AppData\Local\Temp\42d0796fe4b578ce895a6c275177d751454534ca6fffe5756a646a6a345beabf.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1776 wrote to memory of 4632 | N/A | C:\Users\Admin\AppData\Local\Temp\42d0796fe4b578ce895a6c275177d751454534ca6fffe5756a646a6a345beabf.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1776 wrote to memory of 932 | N/A | C:\Users\Admin\AppData\Local\Temp\42d0796fe4b578ce895a6c275177d751454534ca6fffe5756a646a6a345beabf.exe | C:\Windows\rss\csrss.exe
PID 1776 wrote to memory of 932 | N/A | C:\Users\Admin\AppData\Local\Temp\42d0796fe4b578ce895a6c275177d751454534ca6fffe5756a646a6a345beabf.exe | C:\Windows\rss\csrss.exe
PID 1776 wrote to memory of 932 | N/A | C:\Users\Admin\AppData\Local\Temp\42d0796fe4b578ce895a6c275177d751454534ca6fffe5756a646a6a345beabf.exe | C:\Windows\rss\csrss.exe
PID 932 wrote to memory of 2460 | N/A | C:\Windows\rss\csrss.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 932 wrote to memory of 2460 | N/A | C:\Windows\rss\csrss.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 932 wrote to memory of 2460 | N/A | C:\Windows\rss\csrss.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 932 wrote to memory of 4684 | N/A | C:\Windows\rss\csrss.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 932 wrote to memory of 4684 | N/A | C:\Windows\rss\csrss.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 932 wrote to memory of 4684 | N/A | C:\Windows\rss\csrss.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 932 wrote to memory of 4248 | N/A | C:\Windows\rss\csrss.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 932 wrote to memory of 4248 | N/A | C:\Windows\rss\csrss.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 932 wrote to memory of 4248 | N/A | C:\Windows\rss\csrss.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 932 wrote to memory of 4908 | N/A | C:\Windows\rss\csrss.exe | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 932 wrote to memory of 4908 | N/A | C:\Windows\rss\csrss.exe | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 3260 wrote to memory of 4616 | N/A | C:\Windows\windefender.exe | C:\Windows\SysWOW64\cmd.exe
PID 3260 wrote to memory of 4616 | N/A | C:\Windows\windefender.exe | C:\Windows\SysWOW64\cmd.exe
PID 3260 wrote to memory of 4616 | N/A | C:\Windows\windefender.exe | C:\Windows\SysWOW64\cmd.exe
PID 4616 wrote to memory of 4124 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\sc.exe
PID 4616 wrote to memory of 4124 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\sc.exe
PID 4616 wrote to memory of 4124 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\42d0796fe4b578ce895a6c275177d751454534ca6fffe5756a646a6a345beabf.exe

"C:\Users\Admin\AppData\Local\Temp\42d0796fe4b578ce895a6c275177d751454534ca6fffe5756a646a6a345beabf.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\42d0796fe4b578ce895a6c275177d751454534ca6fffe5756a646a6a345beabf.exe

"C:\Users\Admin\AppData\Local\Temp\42d0796fe4b578ce895a6c275177d751454534ca6fffe5756a646a6a345beabf.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 80.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
NL 23.62.61.160:443 www.bing.com tcp
US 8.8.8.8:53 160.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
NL 23.62.61.160:443 www.bing.com tcp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 6ccc43e4-0abd-466f-bf3b-60da436f3486.uuid.createupdate.org udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 server5.createupdate.org udp
US 8.8.8.8:53 stun.l.google.com udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.129.233:443 cdn.discordapp.com tcp
BG 185.82.216.104:443 server5.createupdate.org tcp
US 74.125.250.129:19302 stun.l.google.com udp
US 8.8.8.8:53 129.250.125.74.in-addr.arpa udp
US 8.8.8.8:53 carsalessystem.com udp
US 104.21.94.82:443 carsalessystem.com tcp
US 8.8.8.8:53 233.129.159.162.in-addr.arpa udp
US 8.8.8.8:53 104.216.82.185.in-addr.arpa udp
US 8.8.8.8:53 82.94.21.104.in-addr.arpa udp
BG 185.82.216.104:443 server5.createupdate.org tcp
US 8.8.8.8:53 96.90.14.23.in-addr.arpa udp
BG 185.82.216.104:443 server5.createupdate.org tcp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
BG 185.82.216.104:443 server5.createupdate.org tcp

Files

memory/400-1-0x0000000002A50000-0x0000000002E4B000-memory.dmp

memory/400-2-0x0000000002E50000-0x000000000373B000-memory.dmp

memory/400-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/412-4-0x00000000749CE000-0x00000000749CF000-memory.dmp

memory/412-5-0x0000000004570000-0x00000000045A6000-memory.dmp

memory/412-6-0x0000000004BE0000-0x0000000005208000-memory.dmp

memory/412-7-0x00000000749C0000-0x0000000075170000-memory.dmp

memory/412-8-0x00000000749C0000-0x0000000075170000-memory.dmp

memory/412-9-0x0000000004B60000-0x0000000004B82000-memory.dmp

memory/412-10-0x0000000005280000-0x00000000052E6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_levljr2y.tg5.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/412-11-0x00000000054E0000-0x0000000005546000-memory.dmp

memory/412-21-0x0000000005550000-0x00000000058A4000-memory.dmp

memory/412-22-0x0000000005B10000-0x0000000005B2E000-memory.dmp

memory/412-23-0x0000000005B50000-0x0000000005B9C000-memory.dmp

memory/412-24-0x0000000006C80000-0x0000000006CC4000-memory.dmp

memory/412-25-0x0000000006E30000-0x0000000006EA6000-memory.dmp

memory/412-26-0x0000000007530000-0x0000000007BAA000-memory.dmp

memory/412-27-0x0000000006ED0000-0x0000000006EEA000-memory.dmp

memory/412-28-0x00000000749C0000-0x0000000075170000-memory.dmp

memory/412-30-0x0000000070860000-0x00000000708AC000-memory.dmp

memory/412-29-0x0000000007090000-0x00000000070C2000-memory.dmp

memory/412-31-0x0000000070F60000-0x00000000712B4000-memory.dmp

memory/412-41-0x00000000070D0000-0x00000000070EE000-memory.dmp

memory/412-42-0x00000000070F0000-0x0000000007193000-memory.dmp

memory/412-43-0x00000000071E0000-0x00000000071EA000-memory.dmp

memory/412-44-0x00000000749C0000-0x0000000075170000-memory.dmp

memory/412-45-0x00000000072F0000-0x0000000007386000-memory.dmp

memory/412-46-0x00000000071F0000-0x0000000007201000-memory.dmp

memory/412-47-0x0000000007230000-0x000000000723E000-memory.dmp

memory/412-48-0x0000000007250000-0x0000000007264000-memory.dmp

memory/412-49-0x00000000072A0000-0x00000000072BA000-memory.dmp

memory/412-50-0x0000000007290000-0x0000000007298000-memory.dmp

memory/412-53-0x00000000749C0000-0x0000000075170000-memory.dmp

memory/400-55-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/400-56-0x0000000002E50000-0x000000000373B000-memory.dmp

memory/1776-58-0x00000000029A0000-0x0000000002D9F000-memory.dmp

memory/2884-65-0x00000000060C0000-0x0000000006414000-memory.dmp

memory/2884-69-0x0000000006C60000-0x0000000006CAC000-memory.dmp

memory/2884-70-0x0000000070960000-0x00000000709AC000-memory.dmp

memory/2884-71-0x0000000071100000-0x0000000071454000-memory.dmp

memory/2884-81-0x0000000007930000-0x00000000079D3000-memory.dmp

memory/2884-82-0x0000000007C20000-0x0000000007C31000-memory.dmp

memory/2884-83-0x0000000007C70000-0x0000000007C84000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 0a5247d4861f8791dcddd89990e08aac
SHA1 f2d211d4733a9dcc7977b23cb2552ecefe880538
SHA256 75c7801bfde5ff300d6776918af9c03abd48242c0b0dfd0a6371dcd11a47934f
SHA512 05808d6d148103d501f77a89a3472964b8a12c3349d651ddfc0dabb2a52fb9cbc78cf3cc500597425c81e45c2c15a1d814017f70e3cbce9ae5071ef4a3134083

memory/1940-97-0x0000000070960000-0x00000000709AC000-memory.dmp

memory/1940-98-0x0000000071100000-0x0000000071454000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 c4de9446960e62d35189505119198d53
SHA1 da7f692f889cc720ed0403d1d65ef81ac0a7c94d
SHA256 cf0631d476309b47e5c04ff12b8065d4c23db5dc00d9c10e4d043e1e9426cc41
SHA512 56e8522c8fffaa3f0476de299330bf1a96a3ad1946df732787d204b4f116568f03c372d2cc8585fb34a1f697ee2052b6e14f087d8eff744acc0e8ea99410614a

memory/4632-119-0x0000000070960000-0x00000000709AC000-memory.dmp

memory/4632-120-0x0000000071100000-0x0000000071454000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 3caed13386d194f7837b5e4bf8222929
SHA1 b0f695c91a66457eef3cd9e650a35778ade4c3d1
SHA256 42d0796fe4b578ce895a6c275177d751454534ca6fffe5756a646a6a345beabf
SHA512 db716b30a9192585ab075ae85250725f9da7df2b1cea22bf7873cf796ba0247f631fa78e2dc66cf43bd5d48a9081aad35b792d8802abba3aea4e5d4e1314a508

memory/1776-133-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2460-137-0x00000000055B0000-0x0000000005904000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 42f41dcaf88018b8c3b78213ebfd1164
SHA1 93a64c9246adaabb98b8cee13ae9b7cc93558f4a
SHA256 ce9e774783bb45e87e2d6931c6c4cb31c25d2eb4cf610f760cd2cad45e84e221
SHA512 66c4f92db60ad5d5e8e61873e532f6c28b8f2080bed1f5a54aa3105c07cf6ecb9ddf07bc7325d6729612be7783da61f72948e8f2e5e2c63c7fe2a668bfc2cd71

memory/2460-148-0x0000000005CB0000-0x0000000005CFC000-memory.dmp

memory/2460-149-0x00000000708C0000-0x000000007090C000-memory.dmp

memory/2460-150-0x0000000071060000-0x00000000713B4000-memory.dmp

memory/2460-160-0x0000000006E60000-0x0000000006F03000-memory.dmp

memory/2460-161-0x00000000071E0000-0x00000000071F1000-memory.dmp

memory/2460-162-0x0000000005A30000-0x0000000005A44000-memory.dmp

memory/4684-173-0x00000000058F0000-0x0000000005C44000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 e37e31ab1fed6dd13f5aa63f7304389e
SHA1 5bc694fffbbf151261372b692c861864cdc45d41
SHA256 31605c0098e81ce0f3562d8b653f691ad922f1585db986a4cb6f76bea2610f7c
SHA512 d95c31b3e3e93ce24aebbf1d48e2161689d878a428870bdb648179adfdee22fb01ce3414cd9a1e690350bbc1eae07be74fd2d8071735a367d799b3af32db11cf

memory/4684-175-0x0000000006330000-0x000000000637C000-memory.dmp

memory/4684-176-0x00000000707E0000-0x000000007082C000-memory.dmp

memory/4684-177-0x0000000070980000-0x0000000070CD4000-memory.dmp

memory/4684-187-0x0000000007030000-0x00000000070D3000-memory.dmp

memory/4684-188-0x0000000007330000-0x0000000007341000-memory.dmp

memory/4684-189-0x00000000050E0000-0x00000000050F4000-memory.dmp

memory/4248-200-0x0000000005570000-0x00000000058C4000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 164b6f963485737848ded4c75c5da5c5
SHA1 2ee95905240524a417126a1d34427624943afc5d
SHA256 66d71ea60518da13247359d9af9c8f1d2cd171f93725951cf06b31407ebfedd5
SHA512 2dd06f7e7100b51d8f731205996c018b7006db209c8af46b08707377e3da11fad17b6645c3b600ad429193d45b30b0b345c8123182139a0053fefd136b698123

memory/4248-202-0x00000000707E0000-0x000000007082C000-memory.dmp

memory/4248-203-0x0000000070960000-0x0000000070CB4000-memory.dmp

memory/932-214-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/3260-223-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/1508-226-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3260-227-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/932-228-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1508-230-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/932-229-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/932-231-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1508-234-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/932-233-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/932-235-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/932-237-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1508-240-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/932-239-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/932-241-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/932-243-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/932-245-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/932-247-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/932-249-0x0000000000400000-0x0000000000D1C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-16 17:51

Reported

2024-05-16 17:54

Platform

win11-20240426-en

Max time kernel

149s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\42d0796fe4b578ce895a6c275177d751454534ca6fffe5756a646a6a345beabf.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\42d0796fe4b578ce895a6c275177d751454534ca6fffe5756a646a6a345beabf.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\42d0796fe4b578ce895a6c275177d751454534ca6fffe5756a646a6a345beabf.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\42d0796fe4b578ce895a6c275177d751454534ca6fffe5756a646a6a345beabf.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\42d0796fe4b578ce895a6c275177d751454534ca6fffe5756a646a6a345beabf.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-932 = "Coordinated Universal Time" C:\Users\Admin\AppData\Local\Temp\42d0796fe4b578ce895a6c275177d751454534ca6fffe5756a646a6a345beabf.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-732 = "Fiji Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-272 = "Greenwich Standard Time" C:\Windows\windefender.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2632 = "Norfolk Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-771 = "Montevideo Daylight Time" C:\Users\Admin\AppData\Local\Temp\42d0796fe4b578ce895a6c275177d751454534ca6fffe5756a646a6a345beabf.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-105 = "Central Brazilian Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-281 = "Central Europe Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-262 = "GMT Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-772 = "Montevideo Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\42d0796fe4b578ce895a6c275177d751454534ca6fffe5756a646a6a345beabf.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2511 = "Lord Howe Daylight Time" C:\Users\Admin\AppData\Local\Temp\42d0796fe4b578ce895a6c275177d751454534ca6fffe5756a646a6a345beabf.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-202 = "US Mountain Standard Time" C:\Users\Admin\AppData\Local\Temp\42d0796fe4b578ce895a6c275177d751454534ca6fffe5756a646a6a345beabf.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-192 = "Mountain Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-872 = "Pakistan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-112 = "Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\42d0796fe4b578ce895a6c275177d751454534ca6fffe5756a646a6a345beabf.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-752 = "Tonga Standard Time" C:\Users\Admin\AppData\Local\Temp\42d0796fe4b578ce895a6c275177d751454534ca6fffe5756a646a6a345beabf.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-962 = "Paraguay Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-621 = "Korea Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2891 = "Sudan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1412 = "Syria Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time" C:\Users\Admin\AppData\Local\Temp\42d0796fe4b578ce895a6c275177d751454534ca6fffe5756a646a6a345beabf.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1502 = "Turkey Standard Time" C:\Users\Admin\AppData\Local\Temp\42d0796fe4b578ce895a6c275177d751454534ca6fffe5756a646a6a345beabf.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-3051 = "Qyzylorda Daylight Time" C:\Users\Admin\AppData\Local\Temp\42d0796fe4b578ce895a6c275177d751454534ca6fffe5756a646a6a345beabf.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-791 = "SA Western Daylight Time" C:\Users\Admin\AppData\Local\Temp\42d0796fe4b578ce895a6c275177d751454534ca6fffe5756a646a6a345beabf.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-181 = "Mountain Daylight Time (Mexico)" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-532 = "Sri Lanka Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-331 = "E. Europe Daylight Time" C:\Users\Admin\AppData\Local\Temp\42d0796fe4b578ce895a6c275177d751454534ca6fffe5756a646a6a345beabf.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-215 = "Pacific Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\42d0796fe4b578ce895a6c275177d751454534ca6fffe5756a646a6a345beabf.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-104 = "Central Brazilian Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2431 = "Cuba Daylight Time" C:\Users\Admin\AppData\Local\Temp\42d0796fe4b578ce895a6c275177d751454534ca6fffe5756a646a6a345beabf.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-982 = "Kamchatka Standard Time" C:\Users\Admin\AppData\Local\Temp\42d0796fe4b578ce895a6c275177d751454534ca6fffe5756a646a6a345beabf.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2042 = "Eastern Standard Time (Mexico)" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-891 = "Morocco Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-385 = "Namibia Standard Time" C:\Users\Admin\AppData\Local\Temp\42d0796fe4b578ce895a6c275177d751454534ca6fffe5756a646a6a345beabf.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-3142 = "South Sudan Standard Time" C:\Users\Admin\AppData\Local\Temp\42d0796fe4b578ce895a6c275177d751454534ca6fffe5756a646a6a345beabf.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-771 = "Montevideo Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1472 = "Magadan Standard Time" C:\Users\Admin\AppData\Local\Temp\42d0796fe4b578ce895a6c275177d751454534ca6fffe5756a646a6a345beabf.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\42d0796fe4b578ce895a6c275177d751454534ca6fffe5756a646a6a345beabf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\42d0796fe4b578ce895a6c275177d751454534ca6fffe5756a646a6a345beabf.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\42d0796fe4b578ce895a6c275177d751454534ca6fffe5756a646a6a345beabf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\42d0796fe4b578ce895a6c275177d751454534ca6fffe5756a646a6a345beabf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\42d0796fe4b578ce895a6c275177d751454534ca6fffe5756a646a6a345beabf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\42d0796fe4b578ce895a6c275177d751454534ca6fffe5756a646a6a345beabf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\42d0796fe4b578ce895a6c275177d751454534ca6fffe5756a646a6a345beabf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\42d0796fe4b578ce895a6c275177d751454534ca6fffe5756a646a6a345beabf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\42d0796fe4b578ce895a6c275177d751454534ca6fffe5756a646a6a345beabf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\42d0796fe4b578ce895a6c275177d751454534ca6fffe5756a646a6a345beabf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\42d0796fe4b578ce895a6c275177d751454534ca6fffe5756a646a6a345beabf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\42d0796fe4b578ce895a6c275177d751454534ca6fffe5756a646a6a345beabf.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\42d0796fe4b578ce895a6c275177d751454534ca6fffe5756a646a6a345beabf.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\42d0796fe4b578ce895a6c275177d751454534ca6fffe5756a646a6a345beabf.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3308 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\42d0796fe4b578ce895a6c275177d751454534ca6fffe5756a646a6a345beabf.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3308 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\42d0796fe4b578ce895a6c275177d751454534ca6fffe5756a646a6a345beabf.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3308 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\42d0796fe4b578ce895a6c275177d751454534ca6fffe5756a646a6a345beabf.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2848 wrote to memory of 3496 N/A C:\Users\Admin\AppData\Local\Temp\42d0796fe4b578ce895a6c275177d751454534ca6fffe5756a646a6a345beabf.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2848 wrote to memory of 3496 N/A C:\Users\Admin\AppData\Local\Temp\42d0796fe4b578ce895a6c275177d751454534ca6fffe5756a646a6a345beabf.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2848 wrote to memory of 3496 N/A C:\Users\Admin\AppData\Local\Temp\42d0796fe4b578ce895a6c275177d751454534ca6fffe5756a646a6a345beabf.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2848 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\Temp\42d0796fe4b578ce895a6c275177d751454534ca6fffe5756a646a6a345beabf.exe C:\Windows\system32\cmd.exe
PID 2848 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\Temp\42d0796fe4b578ce895a6c275177d751454534ca6fffe5756a646a6a345beabf.exe C:\Windows\system32\cmd.exe
PID 2196 wrote to memory of 3616 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2196 wrote to memory of 3616 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2848 wrote to memory of 3796 N/A C:\Users\Admin\AppData\Local\Temp\42d0796fe4b578ce895a6c275177d751454534ca6fffe5756a646a6a345beabf.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2848 wrote to memory of 3796 N/A C:\Users\Admin\AppData\Local\Temp\42d0796fe4b578ce895a6c275177d751454534ca6fffe5756a646a6a345beabf.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2848 wrote to memory of 3796 N/A C:\Users\Admin\AppData\Local\Temp\42d0796fe4b578ce895a6c275177d751454534ca6fffe5756a646a6a345beabf.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2848 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\42d0796fe4b578ce895a6c275177d751454534ca6fffe5756a646a6a345beabf.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2848 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\42d0796fe4b578ce895a6c275177d751454534ca6fffe5756a646a6a345beabf.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2848 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\42d0796fe4b578ce895a6c275177d751454534ca6fffe5756a646a6a345beabf.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2848 wrote to memory of 4364 N/A C:\Users\Admin\AppData\Local\Temp\42d0796fe4b578ce895a6c275177d751454534ca6fffe5756a646a6a345beabf.exe C:\Windows\rss\csrss.exe
PID 2848 wrote to memory of 4364 N/A C:\Users\Admin\AppData\Local\Temp\42d0796fe4b578ce895a6c275177d751454534ca6fffe5756a646a6a345beabf.exe C:\Windows\rss\csrss.exe
PID 2848 wrote to memory of 4364 N/A C:\Users\Admin\AppData\Local\Temp\42d0796fe4b578ce895a6c275177d751454534ca6fffe5756a646a6a345beabf.exe C:\Windows\rss\csrss.exe
PID 4364 wrote to memory of 4084 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4364 wrote to memory of 4084 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4364 wrote to memory of 4084 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4364 wrote to memory of 3060 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4364 wrote to memory of 3060 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4364 wrote to memory of 3060 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4364 wrote to memory of 1640 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4364 wrote to memory of 1640 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4364 wrote to memory of 1640 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4364 wrote to memory of 2460 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 4364 wrote to memory of 2460 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 2840 wrote to memory of 2820 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 2840 wrote to memory of 2820 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 2840 wrote to memory of 2820 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 2820 wrote to memory of 2924 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 2820 wrote to memory of 2924 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 2820 wrote to memory of 2924 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\42d0796fe4b578ce895a6c275177d751454534ca6fffe5756a646a6a345beabf.exe

"C:\Users\Admin\AppData\Local\Temp\42d0796fe4b578ce895a6c275177d751454534ca6fffe5756a646a6a345beabf.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\42d0796fe4b578ce895a6c275177d751454534ca6fffe5756a646a6a345beabf.exe

"C:\Users\Admin\AppData\Local\Temp\42d0796fe4b578ce895a6c275177d751454534ca6fffe5756a646a6a345beabf.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 ec904cce-1d2b-4a59-87cf-193381c57e97.uuid.createupdate.org udp
US 8.8.8.8:53 server1.createupdate.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.130.233:443 cdn.discordapp.com tcp
BG 185.82.216.104:443 server1.createupdate.org tcp
DE 81.3.27.44:3478 stun.ipfire.org udp
US 172.67.221.71:443 carsalessystem.com tcp
BG 185.82.216.104:443 server1.createupdate.org tcp
BG 185.82.216.104:443 server1.createupdate.org tcp
N/A 127.0.0.1:31465 tcp
BG 185.82.216.104:443 server1.createupdate.org tcp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_220jhnuv.m0j.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 d0c46cad6c0778401e21910bd6b56b70
SHA1 7be418951ea96326aca445b8dfe449b2bfa0dca6
SHA256 9600b3fdf0565ccb49e21656aa4b24d7c18f776bfd04d9ee984b134707550f02
SHA512 057531b468f7fbbb2175a696a8aab274dec0d17d9f71df309edcff35e064f3378050066a3df47ccd03048fac461594ec75e3d4fe64f9dd79949d129f51e02949

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 81e1738d59e9ab26e8137b0e9a02cda6
SHA1 4e920deecba2de41eb8c96d3d48e1d39cb3e3295
SHA256 3c4c37000819d4e71b8859d7825586b91fc57c94380e442e98048bb7e1923401
SHA512 1bfafd999d77321e2c98fd380e3ef8a20b72fe89b832855fd06f96d751a8295f114a06a8b6c3e535687b26aebcdd8a6003261e825e25a42ea2fd348d33ea5f2f

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 c2ac908f66d542dd23ce5ae39b331b83
SHA1 2da065bcfc126c555df3f36dc303b5bd1947a2c9
SHA256 910a3cf51b3b072f00dfe7336531c6124c3082b811a5b5cece8fe05813ea0333
SHA512 91744cd025a4e88fb5deb95200ac392e203206680c13d68bec9308bfdeb699d075adb6c66d88111860cf08063170cc9f7e604b2f4b443e07c04514f531599884

C:\Windows\rss\csrss.exe

MD5 3caed13386d194f7837b5e4bf8222929
SHA1 b0f695c91a66457eef3cd9e650a35778ade4c3d1
SHA256 42d0796fe4b578ce895a6c275177d751454534ca6fffe5756a646a6a345beabf
SHA512 db716b30a9192585ab075ae85250725f9da7df2b1cea22bf7873cf796ba0247f631fa78e2dc66cf43bd5d48a9081aad35b792d8802abba3aea4e5d4e1314a508

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 23b95821b1aed1e9d229b569957e6b66
SHA1 909327d8379eb4fbab1daf335e46853cd5ad6288
SHA256 c69082fd5f4439e573d81f6e2831fefecb771d8db131a2529924776fad0c0f6a
SHA512 fb8b0b42a30b70fbf688ac3149bd568c72f4cfbb67c2ca3a624db3b07ab34b0d596b341b9a92830f8d2afdc57cc3402dff84f86be0bf550a8af79bed703691d8

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 1b3ca11b52cfe47a4e4d8fe0c92a088c
SHA1 da7237f95e8ccb4554a261151ad002693f811645
SHA256 3f55626994ed6d5500fe4e6f291a8e3eba5ab6d96d047e9a0c521d749c451f8c
SHA512 f5ff375b15df681f8ce989876d782cce35ab45827d3830f38943d0c188e8e343658d19c0498a921486258f71a1d365275e5d3797b68af75e5186167b9933325a

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 283425ebd9f1a9eabe389302ea55d46c
SHA1 3f41c1fadd29141661257662784156310e76f7ec
SHA256 c603e838ac6c44c52ae47d126402553b11741cbd8d701307172a2d666f39d02a
SHA512 951104587a7cbdbc9a7cd4cf836c4a4ec9778a607940ff36ec85593677894d4a2410eceab7d23e16bda9ba25eef27b195e6b1fa6d3874923f4398141c70114ca

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec
