Malware Analysis Report

2024-12-08 02:04

Sample ID 240516-wgb84sgd7y
Target 2ab6ef0589fa2b09ec55c93e95524baf771bc5bc55088bb6ac623f26b8827824
SHA256 2ab6ef0589fa2b09ec55c93e95524baf771bc5bc55088bb6ac623f26b8827824
Tags
glupteba discovery dropper evasion execution loader persistence rootkit upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

2ab6ef0589fa2b09ec55c93e95524baf771bc5bc55088bb6ac623f26b8827824

Threat Level: Known bad

The file 2ab6ef0589fa2b09ec55c93e95524baf771bc5bc55088bb6ac623f26b8827824 was found to be: Known bad.

Malicious Activity Summary

glupteba discovery dropper evasion execution loader persistence rootkit upx

Glupteba payload

Glupteba

Modifies Windows Firewall

UPX packed file

Executes dropped EXE

Checks installed software on the system

Adds Run key to start application

Manipulates WinMonFS driver

Drops file in System32 directory

Launches sc.exe

Checks for VirtualBox DLLs, possible anti-VM trick

Drops file in Windows directory

Command and Scripting Interpreter: PowerShell

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

Creates scheduled task(s)

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-16 17:53

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-16 17:53

Reported

2024-05-16 17:55

Platform

win10v2004-20240426-en

Max time kernel

149s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2ab6ef0589fa2b09ec55c93e95524baf771bc5bc55088bb6ac623f26b8827824.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
(19 matches; every field reported as N/A)

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Description Indicator Process Target
(6 matches; every field reported as N/A)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\2ab6ef0589fa2b09ec55c93e95524baf771bc5bc55088bb6ac623f26b8827824.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\2ab6ef0589fa2b09ec55c93e95524baf771bc5bc55088bb6ac623f26b8827824.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\2ab6ef0589fa2b09ec55c93e95524baf771bc5bc55088bb6ac623f26b8827824.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\2ab6ef0589fa2b09ec55c93e95524baf771bc5bc55088bb6ac623f26b8827824.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-448 = "Azerbaijan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2431 = "Cuba Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-449 = "Azerbaijan Standard Time" C:\Users\Admin\AppData\Local\Temp\2ab6ef0589fa2b09ec55c93e95524baf771bc5bc55088bb6ac623f26b8827824.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-71 = "Newfoundland Daylight Time" C:\Users\Admin\AppData\Local\Temp\2ab6ef0589fa2b09ec55c93e95524baf771bc5bc55088bb6ac623f26b8827824.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-871 = "Pakistan Daylight Time" C:\Users\Admin\AppData\Local\Temp\2ab6ef0589fa2b09ec55c93e95524baf771bc5bc55088bb6ac623f26b8827824.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-961 = "Paraguay Daylight Time" C:\Users\Admin\AppData\Local\Temp\2ab6ef0589fa2b09ec55c93e95524baf771bc5bc55088bb6ac623f26b8827824.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2841 = "Saratov Daylight Time" C:\Users\Admin\AppData\Local\Temp\2ab6ef0589fa2b09ec55c93e95524baf771bc5bc55088bb6ac623f26b8827824.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1721 = "Libya Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2771 = "Omsk Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-591 = "Malay Peninsula Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-222 = "Alaskan Standard Time" C:\Users\Admin\AppData\Local\Temp\2ab6ef0589fa2b09ec55c93e95524baf771bc5bc55088bb6ac623f26b8827824.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2162 = "Altai Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-161 = "Central Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-492 = "India Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-271 = "Greenwich Daylight Time" C:\Users\Admin\AppData\Local\Temp\2ab6ef0589fa2b09ec55c93e95524baf771bc5bc55088bb6ac623f26b8827824.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2592 = "Tocantins Standard Time" C:\Users\Admin\AppData\Local\Temp\2ab6ef0589fa2b09ec55c93e95524baf771bc5bc55088bb6ac623f26b8827824.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2341 = "Haiti Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2391 = "Aleutian Daylight Time" C:\Users\Admin\AppData\Local\Temp\2ab6ef0589fa2b09ec55c93e95524baf771bc5bc55088bb6ac623f26b8827824.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-352 = "FLE Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-441 = "Arabian Daylight Time" C:\Users\Admin\AppData\Local\Temp\2ab6ef0589fa2b09ec55c93e95524baf771bc5bc55088bb6ac623f26b8827824.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-591 = "Malay Peninsula Daylight Time" C:\Users\Admin\AppData\Local\Temp\2ab6ef0589fa2b09ec55c93e95524baf771bc5bc55088bb6ac623f26b8827824.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2751 = "Tomsk Daylight Time" C:\Users\Admin\AppData\Local\Temp\2ab6ef0589fa2b09ec55c93e95524baf771bc5bc55088bb6ac623f26b8827824.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2391 = "Aleutian Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-401 = "Arabic Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-842 = "Argentina Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-171 = "Central Daylight Time (Mexico)" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1801 = "Line Islands Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-111 = "Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\2ab6ef0589fa2b09ec55c93e95524baf771bc5bc55088bb6ac623f26b8827824.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1801 = "Line Islands Daylight Time" C:\Users\Admin\AppData\Local\Temp\2ab6ef0589fa2b09ec55c93e95524baf771bc5bc55088bb6ac623f26b8827824.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1472 = "Magadan Standard Time" C:\Users\Admin\AppData\Local\Temp\2ab6ef0589fa2b09ec55c93e95524baf771bc5bc55088bb6ac623f26b8827824.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-72 = "Newfoundland Standard Time" C:\Users\Admin\AppData\Local\Temp\2ab6ef0589fa2b09ec55c93e95524baf771bc5bc55088bb6ac623f26b8827824.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\2ab6ef0589fa2b09ec55c93e95524baf771bc5bc55088bb6ac623f26b8827824.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-731 = "Fiji Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1862 = "Russia TZ 6 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1472 = "Magadan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-211 = "Pacific Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-352 = "FLE Standard Time" C:\Users\Admin\AppData\Local\Temp\2ab6ef0589fa2b09ec55c93e95524baf771bc5bc55088bb6ac623f26b8827824.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-301 = "Romance Daylight Time" C:\Users\Admin\AppData\Local\Temp\2ab6ef0589fa2b09ec55c93e95524baf771bc5bc55088bb6ac623f26b8827824.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-441 = "Arabian Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-452 = "Caucasus Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-334 = "Jordan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-364 = "Middle East Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-501 = "Nepal Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-211 = "Pacific Daylight Time" C:\Users\Admin\AppData\Local\Temp\2ab6ef0589fa2b09ec55c93e95524baf771bc5bc55088bb6ac623f26b8827824.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2452 = "Saint Pierre Standard Time" C:\Users\Admin\AppData\Local\Temp\2ab6ef0589fa2b09ec55c93e95524baf771bc5bc55088bb6ac623f26b8827824.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-962 = "Paraguay Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-3051 = "Qyzylorda Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-122 = "SA Pacific Standard Time" C:\Windows\windefender.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ab6ef0589fa2b09ec55c93e95524baf771bc5bc55088bb6ac623f26b8827824.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ab6ef0589fa2b09ec55c93e95524baf771bc5bc55088bb6ac623f26b8827824.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ab6ef0589fa2b09ec55c93e95524baf771bc5bc55088bb6ac623f26b8827824.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ab6ef0589fa2b09ec55c93e95524baf771bc5bc55088bb6ac623f26b8827824.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ab6ef0589fa2b09ec55c93e95524baf771bc5bc55088bb6ac623f26b8827824.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ab6ef0589fa2b09ec55c93e95524baf771bc5bc55088bb6ac623f26b8827824.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ab6ef0589fa2b09ec55c93e95524baf771bc5bc55088bb6ac623f26b8827824.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ab6ef0589fa2b09ec55c93e95524baf771bc5bc55088bb6ac623f26b8827824.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ab6ef0589fa2b09ec55c93e95524baf771bc5bc55088bb6ac623f26b8827824.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ab6ef0589fa2b09ec55c93e95524baf771bc5bc55088bb6ac623f26b8827824.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ab6ef0589fa2b09ec55c93e95524baf771bc5bc55088bb6ac623f26b8827824.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ab6ef0589fa2b09ec55c93e95524baf771bc5bc55088bb6ac623f26b8827824.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ab6ef0589fa2b09ec55c93e95524baf771bc5bc55088bb6ac623f26b8827824.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ab6ef0589fa2b09ec55c93e95524baf771bc5bc55088bb6ac623f26b8827824.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2708 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\2ab6ef0589fa2b09ec55c93e95524baf771bc5bc55088bb6ac623f26b8827824.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2708 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\2ab6ef0589fa2b09ec55c93e95524baf771bc5bc55088bb6ac623f26b8827824.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2708 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\2ab6ef0589fa2b09ec55c93e95524baf771bc5bc55088bb6ac623f26b8827824.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4712 wrote to memory of 1120 N/A C:\Users\Admin\AppData\Local\Temp\2ab6ef0589fa2b09ec55c93e95524baf771bc5bc55088bb6ac623f26b8827824.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4712 wrote to memory of 1120 N/A C:\Users\Admin\AppData\Local\Temp\2ab6ef0589fa2b09ec55c93e95524baf771bc5bc55088bb6ac623f26b8827824.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4712 wrote to memory of 1120 N/A C:\Users\Admin\AppData\Local\Temp\2ab6ef0589fa2b09ec55c93e95524baf771bc5bc55088bb6ac623f26b8827824.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4712 wrote to memory of 4984 N/A C:\Users\Admin\AppData\Local\Temp\2ab6ef0589fa2b09ec55c93e95524baf771bc5bc55088bb6ac623f26b8827824.exe C:\Windows\system32\cmd.exe
PID 4712 wrote to memory of 4984 N/A C:\Users\Admin\AppData\Local\Temp\2ab6ef0589fa2b09ec55c93e95524baf771bc5bc55088bb6ac623f26b8827824.exe C:\Windows\system32\cmd.exe
PID 4984 wrote to memory of 1172 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4984 wrote to memory of 1172 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4712 wrote to memory of 4408 N/A C:\Users\Admin\AppData\Local\Temp\2ab6ef0589fa2b09ec55c93e95524baf771bc5bc55088bb6ac623f26b8827824.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4712 wrote to memory of 4408 N/A C:\Users\Admin\AppData\Local\Temp\2ab6ef0589fa2b09ec55c93e95524baf771bc5bc55088bb6ac623f26b8827824.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4712 wrote to memory of 4408 N/A C:\Users\Admin\AppData\Local\Temp\2ab6ef0589fa2b09ec55c93e95524baf771bc5bc55088bb6ac623f26b8827824.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4712 wrote to memory of 3108 N/A C:\Users\Admin\AppData\Local\Temp\2ab6ef0589fa2b09ec55c93e95524baf771bc5bc55088bb6ac623f26b8827824.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4712 wrote to memory of 3108 N/A C:\Users\Admin\AppData\Local\Temp\2ab6ef0589fa2b09ec55c93e95524baf771bc5bc55088bb6ac623f26b8827824.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4712 wrote to memory of 3108 N/A C:\Users\Admin\AppData\Local\Temp\2ab6ef0589fa2b09ec55c93e95524baf771bc5bc55088bb6ac623f26b8827824.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4712 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\2ab6ef0589fa2b09ec55c93e95524baf771bc5bc55088bb6ac623f26b8827824.exe C:\Windows\rss\csrss.exe
PID 4712 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\2ab6ef0589fa2b09ec55c93e95524baf771bc5bc55088bb6ac623f26b8827824.exe C:\Windows\rss\csrss.exe
PID 4712 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\2ab6ef0589fa2b09ec55c93e95524baf771bc5bc55088bb6ac623f26b8827824.exe C:\Windows\rss\csrss.exe
PID 2352 wrote to memory of 2936 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2352 wrote to memory of 2936 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2352 wrote to memory of 2936 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2352 wrote to memory of 4876 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2352 wrote to memory of 4876 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2352 wrote to memory of 4876 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2352 wrote to memory of 1128 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2352 wrote to memory of 1128 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2352 wrote to memory of 1128 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2352 wrote to memory of 1216 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 2352 wrote to memory of 1216 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 4492 wrote to memory of 3396 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 4492 wrote to memory of 3396 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 4492 wrote to memory of 3396 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 3396 wrote to memory of 3884 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 3396 wrote to memory of 3884 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 3396 wrote to memory of 3884 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence
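Several of the command lines listed in the Processes section below are individually detectable: a firewall allow rule for a binary under C:\Windows\rss, a logon-triggered scheduled task at the highest run level, an injector invoked with a target process and a DLL, a service descriptor that denies Administrators stop and pause rights, and csrss.exe running from a directory other than System32. The script below is an added example (not part of the report or the sandbox) that encodes those observations as rules and runs them over the command lines transcribed from this report. The ATT&CK technique IDs are attached by the script, the list of System32-only binary names is an assumption to extend as needed, and real telemetry (Sysmon event 1, Security 4688) can be fed in as the same list of strings.

```python
import re
from pathlib import PureWindowsPath

# Command lines transcribed from the Processes section of this report.
COMMAND_LINES = [
    r'"C:\Users\Admin\AppData\Local\Temp\2ab6ef0589fa2b09ec55c93e95524baf771bc5bc55088bb6ac623f26b8827824.exe"',
    "powershell -nologo -noprofile",
    r'C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"',
    r'netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes',
    r"C:\Windows\rss\csrss.exe",
    r'schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F',
    r"schtasks /delete /tn ScheduledUpdate /f",
    r"C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll",
    r'"C:\Windows\windefender.exe"',
    r"cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)",
]

SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# Assumed list of binaries that only legitimately run from System32; extend as needed.
SYSTEM32_ONLY = {"csrss.exe", "smss.exe", "wininit.exe", "winlogon.exe", "services.exe", "lsass.exe", "svchost.exe"}


def masquerading(path):
    """True when a System32-only binary name is used from some other directory."""
    p = PureWindowsPath(path.strip('"'))
    return p.name.lower() in SYSTEM32_ONLY and str(p.parent).lower() not in SYSTEM_DIRS


def first_token(cmd):
    """Image path or name at the start of a command line, quotes removed."""
    m = re.match(r'\s*(?:"([^"]+)"|(\S+))', cmd)
    return (m.group(1) or m.group(2)) if m else ""


def rule_firewall_allow(cmd):
    m = re.search(r'netsh\s+advfirewall\s+firewall\s+add\s+rule\b.*\baction=allow\b.*\bprogram="([^"]+)"', cmd, re.I)
    if m:
        return f"inbound allow for {m.group(1)} (masquerading name: {masquerading(m.group(1))})"


def rule_schtasks_logon_highest(cmd):
    if not re.search(r"\bschtasks\b", cmd, re.I) or not re.search(r"/create\b", cmd, re.I):
        return None
    if re.search(r"/sc\s+onlogon\b", cmd, re.I) and re.search(r"/rl\s+highest\b", cmd, re.I):
        m = re.search(r'/tr\s+(?:"([^"]+)"|(\S+))', cmd, re.I)
        return f"logon task at highest run level for {(m.group(1) or m.group(2)) if m else '?'}"


def rule_service_sd_denies_admins(cmd):
    m = re.search(r"\bsc(?:\.exe)?\s+sdset\s+(\S+)\s+(\S+)", cmd, re.I)
    if not m:
        return None
    svc, sddl = m.groups()
    deny_ba = re.search(r"\(D;[^)]*;BA\)", sddl)                      # explicit deny ACE for Administrators
    allow_ba = re.search(r"\(A;[^;]*;([A-Z]+);[^)]*;BA\)", sddl)     # their allow ACE, rights as 2-letter codes
    allow_rights = set(re.findall("..", allow_ba.group(1))) if allow_ba else set()
    if deny_ba or (allow_ba and not {"WP", "DT"} <= allow_rights):
        return f"service {svc}: Administrators cannot stop/pause (WP/DT)"


def rule_injector_with_dll(cmd):
    # Heuristic: "<tool>.exe <target>.exe <payload>.dll" is the shape of a DLL injector invocation.
    m = re.search(r"(\S+\.exe)\s+(\S+\.exe)\s+(\S+\.dll)\s*$", cmd, re.I)
    if m:
        return f"{PureWindowsPath(m.group(1)).name} targets {m.group(2)} with {PureWindowsPath(m.group(3)).name}"


def rule_masquerading_image(cmd):
    tok = first_token(cmd)
    if masquerading(tok):
        return f"{tok} runs outside System32"


RULES = [
    ("firewall_allow_rule", "T1562.004", rule_firewall_allow),
    ("schtasks_onlogon_highest", "T1053.005", rule_schtasks_logon_highest),
    ("service_sd_denies_admins", "T1562.001", rule_service_sd_denies_admins),
    ("injector_with_dll", "T1055.001", rule_injector_with_dll),
    ("masquerading_image", "T1036.005", rule_masquerading_image),
]


def triage(command_lines):
    """Run every rule over every command line; return one finding per hit."""
    findings = []
    for cmd in command_lines:
        for name, technique, fn in RULES:
            detail = fn(cmd)
            if detail:
                findings.append({"rule": name, "technique": technique, "detail": detail, "cmd": cmd})
    return findings


if __name__ == "__main__":
    for f in triage(COMMAND_LINES):
        print(f"[{f['technique']}] {f['rule']}: {f['detail']}")
```

The firewall rule fires twice because the cmd.exe wrapper and the netsh child both carry the full rule text; when running over real process telemetry, keying findings on the leaf process avoids that double count.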

Processes

C:\Users\Admin\AppData\Local\Temp\2ab6ef0589fa2b09ec55c93e95524baf771bc5bc55088bb6ac623f26b8827824.exe

"C:\Users\Admin\AppData\Local\Temp\2ab6ef0589fa2b09ec55c93e95524baf771bc5bc55088bb6ac623f26b8827824.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\2ab6ef0589fa2b09ec55c93e95524baf771bc5bc55088bb6ac623f26b8827824.exe

"C:\Users\Admin\AppData\Local\Temp\2ab6ef0589fa2b09ec55c93e95524baf771bc5bc55088bb6ac623f26b8827824.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 105.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
NL 23.62.61.113:443 www.bing.com tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 113.61.62.23.in-addr.arpa udp
NL 23.62.61.72:443 www.bing.com tcp
US 8.8.8.8:53 72.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 6670248d-3b14-4073-af5f-9c19dae74bde.uuid.localstats.org udp
US 8.8.8.8:53 stun1.l.google.com udp
US 8.8.8.8:53 server6.localstats.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.130.233:443 cdn.discordapp.com tcp
BG 185.82.216.111:443 server6.localstats.org tcp
US 74.125.250.129:19302 stun1.l.google.com udp
US 8.8.8.8:53 129.250.125.74.in-addr.arpa udp
US 8.8.8.8:53 carsalessystem.com udp
US 104.21.94.82:443 carsalessystem.com tcp
US 8.8.8.8:53 233.130.159.162.in-addr.arpa udp
US 8.8.8.8:53 111.216.82.185.in-addr.arpa udp
US 8.8.8.8:53 82.94.21.104.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
BG 185.82.216.111:443 server6.localstats.org tcp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 52.111.227.14:443 tcp
BG 185.82.216.111:443 server6.localstats.org tcp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 138.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
BG 185.82.216.111:443 server6.localstats.org tcp
US 8.8.8.8:53 27.173.189.20.in-addr.arpa udp
N/A 127.0.0.1:31465 tcp

Files

memory/2708-2-0x0000000002DB0000-0x000000000369B000-memory.dmp

memory/2708-1-0x00000000029A0000-0x0000000002DA2000-memory.dmp

memory/2708-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2784-4-0x00000000740DE000-0x00000000740DF000-memory.dmp

memory/2784-5-0x00000000029D0000-0x0000000002A06000-memory.dmp

memory/2784-7-0x00000000740D0000-0x0000000074880000-memory.dmp

memory/2784-6-0x00000000057E0000-0x0000000005E08000-memory.dmp

memory/2784-8-0x00000000740D0000-0x0000000074880000-memory.dmp

memory/2784-9-0x0000000005430000-0x0000000005452000-memory.dmp

memory/2784-10-0x00000000054D0000-0x0000000005536000-memory.dmp

memory/2784-11-0x0000000005670000-0x00000000056D6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_n3ge4hye.vqw.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2784-21-0x0000000005E50000-0x00000000061A4000-memory.dmp

memory/2784-22-0x00000000062E0000-0x00000000062FE000-memory.dmp

memory/2784-23-0x0000000006320000-0x000000000636C000-memory.dmp

memory/2784-24-0x0000000006860000-0x00000000068A4000-memory.dmp

memory/2784-25-0x0000000007410000-0x0000000007486000-memory.dmp

memory/2784-27-0x00000000076B0000-0x00000000076CA000-memory.dmp

memory/2784-26-0x0000000007D10000-0x000000000838A000-memory.dmp

memory/2784-29-0x000000006FF70000-0x000000006FFBC000-memory.dmp

memory/2784-28-0x0000000007860000-0x0000000007892000-memory.dmp

memory/2784-30-0x00000000740D0000-0x0000000074880000-memory.dmp

memory/2784-41-0x00000000078A0000-0x00000000078BE000-memory.dmp

memory/2784-31-0x00000000700F0000-0x0000000070444000-memory.dmp

memory/2784-42-0x00000000078C0000-0x0000000007963000-memory.dmp

memory/2784-44-0x00000000740D0000-0x0000000074880000-memory.dmp

memory/2784-43-0x00000000079B0000-0x00000000079BA000-memory.dmp

memory/2784-45-0x0000000007A70000-0x0000000007B06000-memory.dmp

memory/2784-46-0x00000000079D0000-0x00000000079E1000-memory.dmp

memory/2784-47-0x0000000007A10000-0x0000000007A1E000-memory.dmp

memory/2784-49-0x0000000007B10000-0x0000000007B2A000-memory.dmp

memory/2784-48-0x0000000007A20000-0x0000000007A34000-memory.dmp

memory/2784-50-0x0000000007A60000-0x0000000007A68000-memory.dmp

memory/2784-53-0x00000000740D0000-0x0000000074880000-memory.dmp

memory/4712-57-0x0000000002DA0000-0x000000000368B000-memory.dmp

memory/2708-56-0x00000000029A0000-0x0000000002DA2000-memory.dmp

memory/4712-55-0x0000000002990000-0x0000000002D91000-memory.dmp

memory/1120-63-0x00000000059B0000-0x0000000005D04000-memory.dmp

memory/1120-68-0x000000006FF70000-0x000000006FFBC000-memory.dmp

memory/1120-79-0x0000000007250000-0x00000000072F3000-memory.dmp

memory/1120-69-0x0000000070970000-0x0000000070CC4000-memory.dmp

memory/1120-80-0x0000000007580000-0x0000000007591000-memory.dmp

memory/1120-81-0x00000000075D0000-0x00000000075E4000-memory.dmp

memory/2708-84-0x0000000002DB0000-0x000000000369B000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

memory/4408-95-0x0000000005610000-0x0000000005964000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 99d36cb1b28e0c854b628502e8fd76dc
SHA1 d5b930f0b4f09f03c8cb6d205c47bd2d504c0b87
SHA256 995b512dcdba969205e9edc561010919ba4d0617e7e7f8c193c92b45e906937d
SHA512 4f33c02efb45759cd1a958e97cbc2468c08d00b83f9f3866ae3083e0cf5c6d6065b61aa910c71d96bca05f1620fff8636ee8a7107f26fd4d6c4ef80040b3632e

memory/4408-98-0x0000000070690000-0x00000000709E4000-memory.dmp

memory/4408-97-0x000000006FF70000-0x000000006FFBC000-memory.dmp

memory/3108-109-0x0000000005A30000-0x0000000005D84000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 e15109af0030a49cdb240cbd2cb16e2b
SHA1 526c58d4ebd08d30945d33bc3acd9533cc2b02fe
SHA256 11354bab6e36790aa6d819819bfe05782aa7e4f5ef2d3e74e2e006153c3b087a
SHA512 2e7278fb5556b9a09b8656ebb1d17439e7aa2cdff8621ecff6c80c073a4bc412fba4ef412a7e5318309a6e2ea006e74f62f5d9b03ea6aac11c8a217ae10856eb

memory/3108-120-0x000000006FF70000-0x000000006FFBC000-memory.dmp

memory/3108-121-0x0000000070710000-0x0000000070A64000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 23ca5e94a0046867908d3d9b7d9defb4
SHA1 c37b3a24f03c12177f69f8186a8b5f093cedf4c7
SHA256 2ab6ef0589fa2b09ec55c93e95524baf771bc5bc55088bb6ac623f26b8827824
SHA512 24860eed33b9db62d0367db9ca29de810717f37dd308ab6cb8a99b59fc9e35193e7fd6b5ea8d0d959ffcca31bf46b2835a2adeb8a8550dd611288d21cf6db0ec

memory/2708-132-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 ca6bd5dcd1e5bd430c7e8c5fad03cd73
SHA1 029627723031f21cc16b205e0ccd75a71b6ec01f
SHA256 14feff707d68ef9dccf2efc0664f1c40c1339578b6bd0357e9cd2e462cc57776
SHA512 9d7c254981a9ab5366d65c51b36176017b56011273f3a83d36005deecfd26e05d21f2a9379e6e9471e49a3b295e98a74eb940a368bfa11c96a568564d9e4989a

memory/2936-149-0x00000000700F0000-0x0000000070444000-memory.dmp

memory/2936-148-0x000000006FF70000-0x000000006FFBC000-memory.dmp

memory/4876-162-0x0000000006120000-0x0000000006474000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 857d40071e70bc56915e71176cec8a41
SHA1 cbf1bdf9215d0f40516ff334db7afd84f7aafe16
SHA256 c23e4023239f1b673ddb530d545dcdf4b81a4c2207bc7f0de70112f7a4232a31
SHA512 d743621cc84fa688e1255695f4f054f4e63acc21f0cc14007d5d008bc083cf5903a5cc5c3cbd9d41d96ca331e6eea3c0cf564c1f18deedca66df7987a426732d

memory/4876-171-0x0000000006D10000-0x0000000006D5C000-memory.dmp

memory/4876-183-0x0000000007A10000-0x0000000007AB3000-memory.dmp

memory/4876-173-0x0000000070620000-0x0000000070974000-memory.dmp

memory/4876-172-0x000000006FE90000-0x000000006FEDC000-memory.dmp

memory/4876-184-0x0000000007D00000-0x0000000007D11000-memory.dmp

memory/4876-185-0x00000000065A0000-0x00000000065B4000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 31a8dd4993d1b2ca3ef1b7b5912146ce
SHA1 3f83fa08b1f8abfc2a9b94194f8fc1782e226f81
SHA256 3b919ebeadc7835d1f99a2742bdc45cf7e4ef6cc0d13d7c0617ffdb6115dae99
SHA512 2292ed6150483b25f6e30450cf185ac5b4882432fd56c613b45a29d2a85fcba72770d5d840e222c24c11ef36c2cf8ac1ad1fce809707297e9e9e781304d2b8c9

memory/1128-198-0x0000000070620000-0x0000000070974000-memory.dmp

memory/1128-197-0x000000006FE90000-0x000000006FEDC000-memory.dmp

memory/4712-208-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/2352-216-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4712-218-0x0000000002990000-0x0000000002D91000-memory.dmp

memory/4492-223-0x0000000000400000-0x00000000008DF000-memory.dmp

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/4492-226-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3984-227-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2352-229-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3984-231-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2352-233-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2352-237-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3984-239-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2352-241-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2352-245-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2352-249-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2352-253-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2352-257-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2352-261-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2352-265-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2352-269-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2352-273-0x0000000000400000-0x0000000000D1C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-16 17:53

Reported

2024-05-16 17:55

Platform

win11-20240426-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2ab6ef0589fa2b09ec55c93e95524baf771bc5bc55088bb6ac623f26b8827824.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\2ab6ef0589fa2b09ec55c93e95524baf771bc5bc55088bb6ac623f26b8827824.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\2ab6ef0589fa2b09ec55c93e95524baf771bc5bc55088bb6ac623f26b8827824.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\2ab6ef0589fa2b09ec55c93e95524baf771bc5bc55088bb6ac623f26b8827824.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\2ab6ef0589fa2b09ec55c93e95524baf771bc5bc55088bb6ac623f26b8827824.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\2ab6ef0589fa2b09ec55c93e95524baf771bc5bc55088bb6ac623f26b8827824.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-962 = "Paraguay Standard Time" C:\Users\Admin\AppData\Local\Temp\2ab6ef0589fa2b09ec55c93e95524baf771bc5bc55088bb6ac623f26b8827824.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-42 = "E. South America Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-384 = "Namibia Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1831 = "Russia TZ 2 Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-222 = "Alaskan Standard Time" C:\Users\Admin\AppData\Local\Temp\2ab6ef0589fa2b09ec55c93e95524baf771bc5bc55088bb6ac623f26b8827824.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-81 = "Atlantic Daylight Time" C:\Users\Admin\AppData\Local\Temp\2ab6ef0589fa2b09ec55c93e95524baf771bc5bc55088bb6ac623f26b8827824.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-364 = "Middle East Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-201 = "US Mountain Daylight Time" C:\Users\Admin\AppData\Local\Temp\2ab6ef0589fa2b09ec55c93e95524baf771bc5bc55088bb6ac623f26b8827824.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2042 = "Eastern Standard Time (Mexico)" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1801 = "Line Islands Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-771 = "Montevideo Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-911 = "Mauritius Daylight Time" C:\Users\Admin\AppData\Local\Temp\2ab6ef0589fa2b09ec55c93e95524baf771bc5bc55088bb6ac623f26b8827824.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2591 = "Tocantins Daylight Time" C:\Users\Admin\AppData\Local\Temp\2ab6ef0589fa2b09ec55c93e95524baf771bc5bc55088bb6ac623f26b8827824.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-511 = "Central Asia Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-192 = "Mountain Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2771 = "Omsk Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-449 = "Azerbaijan Standard Time" C:\Users\Admin\AppData\Local\Temp\2ab6ef0589fa2b09ec55c93e95524baf771bc5bc55088bb6ac623f26b8827824.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-32 = "Mid-Atlantic Standard Time" C:\Users\Admin\AppData\Local\Temp\2ab6ef0589fa2b09ec55c93e95524baf771bc5bc55088bb6ac623f26b8827824.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-448 = "Azerbaijan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-381 = "South Africa Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-261 = "GMT Daylight Time" C:\Users\Admin\AppData\Local\Temp\2ab6ef0589fa2b09ec55c93e95524baf771bc5bc55088bb6ac623f26b8827824.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1821 = "Russia TZ 1 Daylight Time" C:\Users\Admin\AppData\Local\Temp\2ab6ef0589fa2b09ec55c93e95524baf771bc5bc55088bb6ac623f26b8827824.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2141 = "Transbaikal Daylight Time" C:\Users\Admin\AppData\Local\Temp\2ab6ef0589fa2b09ec55c93e95524baf771bc5bc55088bb6ac623f26b8827824.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-932 = "Coordinated Universal Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-192 = "Mountain Standard Time" C:\Users\Admin\AppData\Local\Temp\2ab6ef0589fa2b09ec55c93e95524baf771bc5bc55088bb6ac623f26b8827824.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-402 = "Arabic Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-601 = "Taipei Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2321 = "Sakhalin Daylight Time" C:\Users\Admin\AppData\Local\Temp\2ab6ef0589fa2b09ec55c93e95524baf771bc5bc55088bb6ac623f26b8827824.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-262 = "GMT Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2572 = "Turks and Caicos Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-632 = "Tokyo Standard Time" C:\Users\Admin\AppData\Local\Temp\2ab6ef0589fa2b09ec55c93e95524baf771bc5bc55088bb6ac623f26b8827824.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2002 = "Cabo Verde Standard Time" C:\Users\Admin\AppData\Local\Temp\2ab6ef0589fa2b09ec55c93e95524baf771bc5bc55088bb6ac623f26b8827824.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-365 = "Middle East Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-752 = "Tonga Standard Time" C:\Windows\windefender.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ab6ef0589fa2b09ec55c93e95524baf771bc5bc55088bb6ac623f26b8827824.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ab6ef0589fa2b09ec55c93e95524baf771bc5bc55088bb6ac623f26b8827824.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ab6ef0589fa2b09ec55c93e95524baf771bc5bc55088bb6ac623f26b8827824.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ab6ef0589fa2b09ec55c93e95524baf771bc5bc55088bb6ac623f26b8827824.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ab6ef0589fa2b09ec55c93e95524baf771bc5bc55088bb6ac623f26b8827824.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ab6ef0589fa2b09ec55c93e95524baf771bc5bc55088bb6ac623f26b8827824.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ab6ef0589fa2b09ec55c93e95524baf771bc5bc55088bb6ac623f26b8827824.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ab6ef0589fa2b09ec55c93e95524baf771bc5bc55088bb6ac623f26b8827824.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ab6ef0589fa2b09ec55c93e95524baf771bc5bc55088bb6ac623f26b8827824.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ab6ef0589fa2b09ec55c93e95524baf771bc5bc55088bb6ac623f26b8827824.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ab6ef0589fa2b09ec55c93e95524baf771bc5bc55088bb6ac623f26b8827824.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ab6ef0589fa2b09ec55c93e95524baf771bc5bc55088bb6ac623f26b8827824.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ab6ef0589fa2b09ec55c93e95524baf771bc5bc55088bb6ac623f26b8827824.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ab6ef0589fa2b09ec55c93e95524baf771bc5bc55088bb6ac623f26b8827824.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4864 wrote to memory of 4464 N/A C:\Users\Admin\AppData\Local\Temp\2ab6ef0589fa2b09ec55c93e95524baf771bc5bc55088bb6ac623f26b8827824.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4864 wrote to memory of 4464 N/A C:\Users\Admin\AppData\Local\Temp\2ab6ef0589fa2b09ec55c93e95524baf771bc5bc55088bb6ac623f26b8827824.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4864 wrote to memory of 4464 N/A C:\Users\Admin\AppData\Local\Temp\2ab6ef0589fa2b09ec55c93e95524baf771bc5bc55088bb6ac623f26b8827824.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4616 wrote to memory of 5044 N/A C:\Users\Admin\AppData\Local\Temp\2ab6ef0589fa2b09ec55c93e95524baf771bc5bc55088bb6ac623f26b8827824.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4616 wrote to memory of 5044 N/A C:\Users\Admin\AppData\Local\Temp\2ab6ef0589fa2b09ec55c93e95524baf771bc5bc55088bb6ac623f26b8827824.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4616 wrote to memory of 5044 N/A C:\Users\Admin\AppData\Local\Temp\2ab6ef0589fa2b09ec55c93e95524baf771bc5bc55088bb6ac623f26b8827824.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4616 wrote to memory of 4880 N/A C:\Users\Admin\AppData\Local\Temp\2ab6ef0589fa2b09ec55c93e95524baf771bc5bc55088bb6ac623f26b8827824.exe C:\Windows\system32\cmd.exe
PID 4616 wrote to memory of 4880 N/A C:\Users\Admin\AppData\Local\Temp\2ab6ef0589fa2b09ec55c93e95524baf771bc5bc55088bb6ac623f26b8827824.exe C:\Windows\system32\cmd.exe
PID 4880 wrote to memory of 4600 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4880 wrote to memory of 4600 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4616 wrote to memory of 2052 N/A C:\Users\Admin\AppData\Local\Temp\2ab6ef0589fa2b09ec55c93e95524baf771bc5bc55088bb6ac623f26b8827824.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4616 wrote to memory of 2052 N/A C:\Users\Admin\AppData\Local\Temp\2ab6ef0589fa2b09ec55c93e95524baf771bc5bc55088bb6ac623f26b8827824.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4616 wrote to memory of 2052 N/A C:\Users\Admin\AppData\Local\Temp\2ab6ef0589fa2b09ec55c93e95524baf771bc5bc55088bb6ac623f26b8827824.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4616 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\2ab6ef0589fa2b09ec55c93e95524baf771bc5bc55088bb6ac623f26b8827824.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4616 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\2ab6ef0589fa2b09ec55c93e95524baf771bc5bc55088bb6ac623f26b8827824.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4616 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\2ab6ef0589fa2b09ec55c93e95524baf771bc5bc55088bb6ac623f26b8827824.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4616 wrote to memory of 776 N/A C:\Users\Admin\AppData\Local\Temp\2ab6ef0589fa2b09ec55c93e95524baf771bc5bc55088bb6ac623f26b8827824.exe C:\Windows\rss\csrss.exe
PID 4616 wrote to memory of 776 N/A C:\Users\Admin\AppData\Local\Temp\2ab6ef0589fa2b09ec55c93e95524baf771bc5bc55088bb6ac623f26b8827824.exe C:\Windows\rss\csrss.exe
PID 4616 wrote to memory of 776 N/A C:\Users\Admin\AppData\Local\Temp\2ab6ef0589fa2b09ec55c93e95524baf771bc5bc55088bb6ac623f26b8827824.exe C:\Windows\rss\csrss.exe
PID 776 wrote to memory of 1720 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 776 wrote to memory of 1720 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 776 wrote to memory of 1720 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 776 wrote to memory of 996 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 776 wrote to memory of 996 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 776 wrote to memory of 996 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 776 wrote to memory of 3164 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 776 wrote to memory of 3164 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 776 wrote to memory of 3164 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 776 wrote to memory of 3096 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 776 wrote to memory of 3096 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 4872 wrote to memory of 3204 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 4872 wrote to memory of 3204 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 4872 wrote to memory of 3204 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 3204 wrote to memory of 4108 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 3204 wrote to memory of 4108 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 3204 wrote to memory of 4108 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\2ab6ef0589fa2b09ec55c93e95524baf771bc5bc55088bb6ac623f26b8827824.exe

"C:\Users\Admin\AppData\Local\Temp\2ab6ef0589fa2b09ec55c93e95524baf771bc5bc55088bb6ac623f26b8827824.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\2ab6ef0589fa2b09ec55c93e95524baf771bc5bc55088bb6ac623f26b8827824.exe

"C:\Users\Admin\AppData\Local\Temp\2ab6ef0589fa2b09ec55c93e95524baf771bc5bc55088bb6ac623f26b8827824.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 006a0168-97e8-4bf0-9998-d7cbd8415bda.uuid.localstats.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 server3.localstats.org udp
BG 185.82.216.111:443 server3.localstats.org tcp
US 162.159.133.233:443 cdn.discordapp.com tcp
US 104.21.94.82:443 carsalessystem.com tcp
US 74.125.250.129:19302 stun4.l.google.com udp
N/A 127.0.0.1:3478 udp
US 52.111.229.48:443 tcp
BG 185.82.216.111:443 server3.localstats.org tcp
N/A 127.0.0.1:31465 tcp
BG 185.82.216.111:443 server3.localstats.org tcp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tufderr4.xl4.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 d0c46cad6c0778401e21910bd6b56b70
SHA1 7be418951ea96326aca445b8dfe449b2bfa0dca6
SHA256 9600b3fdf0565ccb49e21656aa4b24d7c18f776bfd04d9ee984b134707550f02
SHA512 057531b468f7fbbb2175a696a8aab274dec0d17d9f71df309edcff35e064f3378050066a3df47ccd03048fac461594ec75e3d4fe64f9dd79949d129f51e02949

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 bdf5c803cbfac744bfa9ca0261d69556
SHA1 240ab5419e815b1125b0ec8f340b7b0a420ccb29
SHA256 c46c51d490c9de4e9f0ff99a8ab34f0a333e1b934741c602bc0a98690b6056be
SHA512 775593a3a7cb264b5407a776299fadf4bff3c70cb1f9fede98aae4253f7d399262257e6f6797d0826f61cae54200c86202d4f7467c42483df9bfccdb2d934c1e

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 e3d01227b46d21744c3f6c88c92fd5aa
SHA1 7b211e389c61a5017326ecd8314e9f74b5b9ccab
SHA256 386f0430cf5b641f90a3fd6615cfecdcb228ad04d027f319b50448438ef90898
SHA512 4b15c66bcf6bf96f86fd9d39d03c290990ec7c8cb5a56266a5be233c0473c7d66c792752dd41abc5a7a69a8ae2526274bfceb1f7fad1bc9021d2f98ad7deb8c5

C:\Windows\rss\csrss.exe

MD5 23ca5e94a0046867908d3d9b7d9defb4
SHA1 c37b3a24f03c12177f69f8186a8b5f093cedf4c7
SHA256 2ab6ef0589fa2b09ec55c93e95524baf771bc5bc55088bb6ac623f26b8827824
SHA512 24860eed33b9db62d0367db9ca29de810717f37dd308ab6cb8a99b59fc9e35193e7fd6b5ea8d0d959ffcca31bf46b2835a2adeb8a8550dd611288d21cf6db0ec

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 0db8fc0e96cf6ba68c020e32d5b24cee
SHA1 5f95b89b67fd10de1910b4cb058f4f146ca50006
SHA256 684124a27f52e7ec8566ebf8e547dd4a50492e3f77e6db77e339805c13c3ee9b
SHA512 fd7feac167b04af17af5d1b291dcafb1587968ecc0c412bf9fda6d7ef5fbe466d5b586a114f03b5cc8efdd4d4501a6373eb4fa5654ab66f081ce626e08945fa2

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 fd8251b134b1a011313179a740412143
SHA1 beeb9ace866f0393b1edaba76e8095215a2557cd
SHA256 ba6899041681ea8eecea00c61bfd1a39a7cf6183f2a5c37a06115d0b9f920a79
SHA512 4fc558c86b0bf46efef287402d96684a767d606a01f6ba75f80187e55bfee7d570aff228361366479b7bb17173957e958d10789a0262f9f0e460cad7cd6cc076

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 2b312c9a12e0f25f119ab2c3d4d1e40a
SHA1 9c09404c16ae7294dbd4022a0e97ab0e199a2262
SHA256 ec69f9dd53de34d0114e4bc81a6fbb625d41158d95150fcb406d2adb24578678
SHA512 36b69fac73ec3295169228eba6490318c30180d24aea923b984bb75ff314b991ac83fa3c97524b3fcb40c55d8bd0efe02320960107e5e4e7518516525e75aa7b

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec
