Malware Analysis Report

2024-12-08 02:19

Sample ID: 240516-wh5l2sge81
Target: df563e3152007b15f66deef6622c6b11d8d153246975fa80f159715fd7eca16b
SHA256: df563e3152007b15f66deef6622c6b11d8d153246975fa80f159715fd7eca16b
Tags: glupteba discovery dropper evasion execution loader persistence rootkit upx
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256

df563e3152007b15f66deef6622c6b11d8d153246975fa80f159715fd7eca16b

Threat Level: Known bad

The file df563e3152007b15f66deef6622c6b11d8d153246975fa80f159715fd7eca16b was found to be: Known bad.

Malicious Activity Summary

glupteba discovery dropper evasion execution loader persistence rootkit upx

Glupteba payload

Glupteba

Modifies Windows Firewall

UPX packed file

Executes dropped EXE

Adds Run key to start application

Manipulates WinMonFS driver.

Checks installed software on the system

Drops file in System32 directory

Launches sc.exe

Drops file in Windows directory

Checks for VirtualBox DLLs, possible anti-VM trick

Program crash

Command and Scripting Interpreter: PowerShell

Modifies data under HKEY_USERS

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-16 17:56

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-16 17:56

Reported

2024-05-16 17:58

Platform

win10v2004-20240426-en

Max time kernel

150s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\df563e3152007b15f66deef6622c6b11d8d153246975fa80f159715fd7eca16b.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A (18 matches; no description, indicator, process or target recorded for any of them)

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (6 matches; no description, indicator, process or target recorded for any of them)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\df563e3152007b15f66deef6622c6b11d8d153246975fa80f159715fd7eca16b.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\df563e3152007b15f66deef6622c6b11d8d153246975fa80f159715fd7eca16b.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\df563e3152007b15f66deef6622c6b11d8d153246975fa80f159715fd7eca16b.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\df563e3152007b15f66deef6622c6b11d8d153246975fa80f159715fd7eca16b.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-411 = "E. Africa Daylight Time" C:\Users\Admin\AppData\Local\Temp\df563e3152007b15f66deef6622c6b11d8d153246975fa80f159715fd7eca16b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-682 = "E. Australia Standard Time" C:\Users\Admin\AppData\Local\Temp\df563e3152007b15f66deef6622c6b11d8d153246975fa80f159715fd7eca16b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1861 = "Russia TZ 6 Daylight Time" C:\Users\Admin\AppData\Local\Temp\df563e3152007b15f66deef6622c6b11d8d153246975fa80f159715fd7eca16b.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1722 = "Libya Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1861 = "Russia TZ 6 Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2181 = "Astrakhan Daylight Time" C:\Users\Admin\AppData\Local\Temp\df563e3152007b15f66deef6622c6b11d8d153246975fa80f159715fd7eca16b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-3142 = "South Sudan Standard Time" C:\Users\Admin\AppData\Local\Temp\df563e3152007b15f66deef6622c6b11d8d153246975fa80f159715fd7eca16b.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1832 = "Russia TZ 2 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2752 = "Tomsk Standard Time" C:\Users\Admin\AppData\Local\Temp\df563e3152007b15f66deef6622c6b11d8d153246975fa80f159715fd7eca16b.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2492 = "Aus Central W. Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1891 = "Russia TZ 3 Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2942 = "Sao Tome Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-252 = "Dateline Standard Time" C:\Users\Admin\AppData\Local\Temp\df563e3152007b15f66deef6622c6b11d8d153246975fa80f159715fd7eca16b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-231 = "Hawaiian Daylight Time" C:\Users\Admin\AppData\Local\Temp\df563e3152007b15f66deef6622c6b11d8d153246975fa80f159715fd7eca16b.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-441 = "Arabian Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-632 = "Tokyo Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-262 = "GMT Standard Time" C:\Users\Admin\AppData\Local\Temp\df563e3152007b15f66deef6622c6b11d8d153246975fa80f159715fd7eca16b.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1871 = "Russia TZ 7 Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-221 = "Alaskan Daylight Time" C:\Users\Admin\AppData\Local\Temp\df563e3152007b15f66deef6622c6b11d8d153246975fa80f159715fd7eca16b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time" C:\Users\Admin\AppData\Local\Temp\df563e3152007b15f66deef6622c6b11d8d153246975fa80f159715fd7eca16b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2001 = "Cabo Verde Daylight Time" C:\Users\Admin\AppData\Local\Temp\df563e3152007b15f66deef6622c6b11d8d153246975fa80f159715fd7eca16b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2592 = "Tocantins Standard Time" C:\Users\Admin\AppData\Local\Temp\df563e3152007b15f66deef6622c6b11d8d153246975fa80f159715fd7eca16b.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-81 = "Atlantic Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-292 = "Central European Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1801 = "Line Islands Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2792 = "Novosibirsk Standard Time" C:\Users\Admin\AppData\Local\Temp\df563e3152007b15f66deef6622c6b11d8d153246975fa80f159715fd7eca16b.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-435 = "Georgian Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-492 = "India Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1022 = "Bangladesh Standard Time" C:\Users\Admin\AppData\Local\Temp\df563e3152007b15f66deef6622c6b11d8d153246975fa80f159715fd7eca16b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-432 = "Iran Standard Time" C:\Users\Admin\AppData\Local\Temp\df563e3152007b15f66deef6622c6b11d8d153246975fa80f159715fd7eca16b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-172 = "Central Standard Time (Mexico)" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2941 = "Sao Tome Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-111 = "Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\df563e3152007b15f66deef6622c6b11d8d153246975fa80f159715fd7eca16b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1471 = "Magadan Daylight Time" C:\Users\Admin\AppData\Local\Temp\df563e3152007b15f66deef6622c6b11d8d153246975fa80f159715fd7eca16b.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-151 = "Central America Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-772 = "Montevideo Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-501 = "Nepal Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-342 = "Egypt Standard Time" C:\Users\Admin\AppData\Local\Temp\df563e3152007b15f66deef6622c6b11d8d153246975fa80f159715fd7eca16b.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2432 = "Cuba Standard Time" C:\Users\Admin\AppData\Local\Temp\df563e3152007b15f66deef6622c6b11d8d153246975fa80f159715fd7eca16b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1892 = "Russia TZ 3 Standard Time" C:\Users\Admin\AppData\Local\Temp\df563e3152007b15f66deef6622c6b11d8d153246975fa80f159715fd7eca16b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-531 = "Sri Lanka Daylight Time" C:\Users\Admin\AppData\Local\Temp\df563e3152007b15f66deef6622c6b11d8d153246975fa80f159715fd7eca16b.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\df563e3152007b15f66deef6622c6b11d8d153246975fa80f159715fd7eca16b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\df563e3152007b15f66deef6622c6b11d8d153246975fa80f159715fd7eca16b.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\df563e3152007b15f66deef6622c6b11d8d153246975fa80f159715fd7eca16b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\df563e3152007b15f66deef6622c6b11d8d153246975fa80f159715fd7eca16b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\df563e3152007b15f66deef6622c6b11d8d153246975fa80f159715fd7eca16b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\df563e3152007b15f66deef6622c6b11d8d153246975fa80f159715fd7eca16b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\df563e3152007b15f66deef6622c6b11d8d153246975fa80f159715fd7eca16b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\df563e3152007b15f66deef6622c6b11d8d153246975fa80f159715fd7eca16b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\df563e3152007b15f66deef6622c6b11d8d153246975fa80f159715fd7eca16b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\df563e3152007b15f66deef6622c6b11d8d153246975fa80f159715fd7eca16b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\df563e3152007b15f66deef6622c6b11d8d153246975fa80f159715fd7eca16b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\df563e3152007b15f66deef6622c6b11d8d153246975fa80f159715fd7eca16b.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\df563e3152007b15f66deef6622c6b11d8d153246975fa80f159715fd7eca16b.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\df563e3152007b15f66deef6622c6b11d8d153246975fa80f159715fd7eca16b.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3232 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\df563e3152007b15f66deef6622c6b11d8d153246975fa80f159715fd7eca16b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3232 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\df563e3152007b15f66deef6622c6b11d8d153246975fa80f159715fd7eca16b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3232 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\df563e3152007b15f66deef6622c6b11d8d153246975fa80f159715fd7eca16b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2484 wrote to memory of 1584 N/A C:\Users\Admin\AppData\Local\Temp\df563e3152007b15f66deef6622c6b11d8d153246975fa80f159715fd7eca16b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2484 wrote to memory of 1584 N/A C:\Users\Admin\AppData\Local\Temp\df563e3152007b15f66deef6622c6b11d8d153246975fa80f159715fd7eca16b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2484 wrote to memory of 1584 N/A C:\Users\Admin\AppData\Local\Temp\df563e3152007b15f66deef6622c6b11d8d153246975fa80f159715fd7eca16b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2484 wrote to memory of 1128 N/A C:\Users\Admin\AppData\Local\Temp\df563e3152007b15f66deef6622c6b11d8d153246975fa80f159715fd7eca16b.exe C:\Windows\system32\cmd.exe
PID 2484 wrote to memory of 1128 N/A C:\Users\Admin\AppData\Local\Temp\df563e3152007b15f66deef6622c6b11d8d153246975fa80f159715fd7eca16b.exe C:\Windows\system32\cmd.exe
PID 1128 wrote to memory of 1508 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1128 wrote to memory of 1508 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2484 wrote to memory of 3520 N/A C:\Users\Admin\AppData\Local\Temp\df563e3152007b15f66deef6622c6b11d8d153246975fa80f159715fd7eca16b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2484 wrote to memory of 3520 N/A C:\Users\Admin\AppData\Local\Temp\df563e3152007b15f66deef6622c6b11d8d153246975fa80f159715fd7eca16b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2484 wrote to memory of 3520 N/A C:\Users\Admin\AppData\Local\Temp\df563e3152007b15f66deef6622c6b11d8d153246975fa80f159715fd7eca16b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2484 wrote to memory of 4316 N/A C:\Users\Admin\AppData\Local\Temp\df563e3152007b15f66deef6622c6b11d8d153246975fa80f159715fd7eca16b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2484 wrote to memory of 4316 N/A C:\Users\Admin\AppData\Local\Temp\df563e3152007b15f66deef6622c6b11d8d153246975fa80f159715fd7eca16b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2484 wrote to memory of 4316 N/A C:\Users\Admin\AppData\Local\Temp\df563e3152007b15f66deef6622c6b11d8d153246975fa80f159715fd7eca16b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2484 wrote to memory of 1096 N/A C:\Users\Admin\AppData\Local\Temp\df563e3152007b15f66deef6622c6b11d8d153246975fa80f159715fd7eca16b.exe C:\Windows\rss\csrss.exe
PID 2484 wrote to memory of 1096 N/A C:\Users\Admin\AppData\Local\Temp\df563e3152007b15f66deef6622c6b11d8d153246975fa80f159715fd7eca16b.exe C:\Windows\rss\csrss.exe
PID 2484 wrote to memory of 1096 N/A C:\Users\Admin\AppData\Local\Temp\df563e3152007b15f66deef6622c6b11d8d153246975fa80f159715fd7eca16b.exe C:\Windows\rss\csrss.exe
PID 1096 wrote to memory of 3120 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1096 wrote to memory of 3120 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1096 wrote to memory of 3120 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1096 wrote to memory of 532 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1096 wrote to memory of 532 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1096 wrote to memory of 532 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1096 wrote to memory of 1040 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1096 wrote to memory of 1040 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1096 wrote to memory of 1040 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1096 wrote to memory of 864 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 1096 wrote to memory of 864 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 5056 wrote to memory of 4676 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 5056 wrote to memory of 4676 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 5056 wrote to memory of 4676 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 4676 wrote to memory of 2764 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 4676 wrote to memory of 2764 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 4676 wrote to memory of 2764 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\df563e3152007b15f66deef6622c6b11d8d153246975fa80f159715fd7eca16b.exe

"C:\Users\Admin\AppData\Local\Temp\df563e3152007b15f66deef6622c6b11d8d153246975fa80f159715fd7eca16b.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\df563e3152007b15f66deef6622c6b11d8d153246975fa80f159715fd7eca16b.exe

"C:\Users\Admin\AppData\Local\Temp\df563e3152007b15f66deef6622c6b11d8d153246975fa80f159715fd7eca16b.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 202.131.50.23.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
NL 23.62.61.162:443 www.bing.com tcp
US 8.8.8.8:53 162.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
NL 23.62.61.162:443 www.bing.com tcp
US 8.8.8.8:53 5401b0a2-db03-48f7-8660-e9ab2e0051c6.uuid.createupdate.org udp
US 8.8.8.8:53 stun3.l.google.com udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 server9.createupdate.org udp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 74.125.250.129:19302 stun3.l.google.com udp
BG 185.82.216.104:443 server9.createupdate.org tcp
US 8.8.8.8:53 carsalessystem.com udp
US 172.67.221.71:443 carsalessystem.com tcp
US 8.8.8.8:53 129.250.125.74.in-addr.arpa udp
US 8.8.8.8:53 233.134.159.162.in-addr.arpa udp
US 8.8.8.8:53 104.216.82.185.in-addr.arpa udp
US 8.8.8.8:53 71.221.67.172.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
BG 185.82.216.104:443 server9.createupdate.org tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 138.107.17.2.in-addr.arpa udp
BG 185.82.216.104:443 server9.createupdate.org tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
N/A 127.0.0.1:31465 tcp

Files

memory/3232-1-0x00000000029B0000-0x0000000002DAD000-memory.dmp

memory/3232-2-0x0000000002DB0000-0x000000000369B000-memory.dmp

memory/3232-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2888-4-0x0000000074A5E000-0x0000000074A5F000-memory.dmp

memory/2888-5-0x0000000002700000-0x0000000002736000-memory.dmp

memory/2888-7-0x0000000004F00000-0x0000000005528000-memory.dmp

memory/2888-6-0x0000000074A50000-0x0000000075200000-memory.dmp

memory/2888-8-0x0000000074A50000-0x0000000075200000-memory.dmp

memory/2888-10-0x0000000005600000-0x0000000005666000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_sknwcop3.u3b.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2888-11-0x0000000005670000-0x00000000056D6000-memory.dmp

memory/2888-9-0x0000000005560000-0x0000000005582000-memory.dmp

memory/2888-21-0x0000000005910000-0x0000000005C64000-memory.dmp

memory/2888-22-0x0000000005CF0000-0x0000000005D0E000-memory.dmp

memory/2888-23-0x0000000005D30000-0x0000000005D7C000-memory.dmp

memory/2888-24-0x0000000006270000-0x00000000062B4000-memory.dmp

memory/2888-25-0x0000000007010000-0x0000000007086000-memory.dmp

memory/2888-27-0x00000000070B0000-0x00000000070CA000-memory.dmp

memory/2888-26-0x0000000007710000-0x0000000007D8A000-memory.dmp

memory/2888-30-0x0000000074A50000-0x0000000075200000-memory.dmp

memory/2888-41-0x00000000072B0000-0x00000000072CE000-memory.dmp

memory/2888-42-0x00000000072D0000-0x0000000007373000-memory.dmp

memory/2888-44-0x0000000074A50000-0x0000000075200000-memory.dmp

memory/2888-43-0x00000000073C0000-0x00000000073CA000-memory.dmp

memory/2888-45-0x0000000007480000-0x0000000007516000-memory.dmp

memory/2888-46-0x00000000073E0000-0x00000000073F1000-memory.dmp

memory/2888-31-0x0000000070A70000-0x0000000070DC4000-memory.dmp

memory/2888-29-0x00000000708F0000-0x000000007093C000-memory.dmp

memory/2888-28-0x0000000007270000-0x00000000072A2000-memory.dmp

memory/2888-47-0x0000000007420000-0x000000000742E000-memory.dmp

memory/2888-48-0x0000000007430000-0x0000000007444000-memory.dmp

memory/2888-50-0x0000000007470000-0x0000000007478000-memory.dmp

memory/2888-49-0x0000000007520000-0x000000000753A000-memory.dmp

memory/2888-53-0x0000000074A50000-0x0000000075200000-memory.dmp

memory/2484-55-0x0000000002930000-0x0000000002D33000-memory.dmp

memory/1584-65-0x0000000005C60000-0x0000000005FB4000-memory.dmp

memory/1584-77-0x00000000074D0000-0x0000000007573000-memory.dmp

memory/1584-67-0x0000000070D10000-0x0000000071064000-memory.dmp

memory/1584-66-0x00000000708F0000-0x000000007093C000-memory.dmp

memory/1584-78-0x00000000077E0000-0x00000000077F1000-memory.dmp

memory/1584-79-0x0000000007830000-0x0000000007844000-memory.dmp

memory/3232-82-0x00000000029B0000-0x0000000002DAD000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

memory/3232-83-0x0000000002DB0000-0x000000000369B000-memory.dmp

memory/3520-94-0x0000000005D60000-0x00000000060B4000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 a58457203d3c3274945a0b1966e5277c
SHA1 32c5bf05aa2f4f2dd9f5e2ffbd0e219c21d7be3d
SHA256 6117123d2e36b89daba395c21a4c392eac7d6a92016e8d37bd4427893205f684
SHA512 4b12094afb5b7aefcea050b6b89dff80880c95ff89e262d6418517ba0de864c481fef9ef112c2bbac70d32c953d373b48d315b225ccaca1c693ecb832e28ce63

memory/3520-97-0x0000000071620000-0x0000000071974000-memory.dmp

memory/3520-96-0x00000000708F0000-0x000000007093C000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 97c0f2f9ca4d90be7c9c9d7d903903bd
SHA1 ee9b695e8fb37986ca5e5e6b5ade56e93d1d6562
SHA256 e79cbb1b07944460a8e394ad096dab8782fe28e90e6d6ce4a27ee10d94d17d8f
SHA512 21e987f35eb1e2daff1fbcbcb7abeff64da87f50e6d536ff1b419fffecd0718e6527514119b945306814ef74529c6356731f9440dc66135ee569ad440a7c49d6

memory/4316-117-0x0000000005420000-0x0000000005774000-memory.dmp

memory/4316-120-0x0000000071070000-0x00000000713C4000-memory.dmp

memory/4316-119-0x00000000708F0000-0x000000007093C000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 f73714999499c2d514ed9f0159e961aa
SHA1 f8c7a5b68c5db0dd6305bc4faad7b44eea83af7e
SHA256 df563e3152007b15f66deef6622c6b11d8d153246975fa80f159715fd7eca16b
SHA512 c9942f6f32bd9579458d48c248820aade41dcd70d78be384f205c3df1983163899f9a8248bb94c734817d95d4e2b85e91698b56acd1f9d8b7e10e4fad8099621

memory/3232-135-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 6374e9adffbbc82ab4d7e24d066be230
SHA1 a0858df3b3dd94eae8394acf048dda1c14cf2181
SHA256 71f37d8545ac06480a3eb1315060dced5c138dcdd66dfce39c7fca3bca1c2c64
SHA512 fe51f3fef358a154ba4604256a1d626dae1399171ed98bd0c08b5cd455f8c2c6158a17f1e0bb0274bb9e56f864b03bf360d05e694de89c03111014cb1624a479

memory/3120-148-0x0000000071070000-0x00000000713C4000-memory.dmp

memory/3120-147-0x00000000708F0000-0x000000007093C000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 5d048192b85251974db2ca690f461312
SHA1 d3f434cfb0d06be24991112d3023fdad9644afd3
SHA256 74f8380f5868f5af53d66c0eb9b5274a3d2ca9073b380178912035d98cb994c0
SHA512 0d117a01ed62faea4850348388595ef87ca94e0e6e9fdd805c2f6169e766126436c916188ff0ede2e515c997126477e67ec52d1ba4fe259ebfe75d1b205fc710

memory/532-168-0x0000000005D10000-0x0000000006064000-memory.dmp

memory/532-170-0x00000000061E0000-0x000000000622C000-memory.dmp

memory/532-182-0x0000000007410000-0x00000000074B3000-memory.dmp

memory/532-172-0x0000000070990000-0x0000000070CE4000-memory.dmp

memory/532-171-0x0000000070810000-0x000000007085C000-memory.dmp

memory/532-183-0x0000000007750000-0x0000000007761000-memory.dmp

memory/532-184-0x0000000005C60000-0x0000000005C74000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 ab2b70c452d38b8b0a7890f1ac854ad2
SHA1 0e73199b34f2061b71c3e2a798419b4fde808ad9
SHA256 b0dc3de60492269350bb66ac62ab140c2f69117e15f98835d457d29a9882194a
SHA512 d283a4ea55fec0c737db560a792a12d1464b8d06ea6277261ccbd0b18e5ba2133fed2adcc4e7cefa0a0fb530e8b724d51c60dd9aa159beb1d1ce8dda37f5cce1

memory/1040-197-0x0000000070990000-0x0000000070CE4000-memory.dmp

memory/1040-196-0x0000000070810000-0x000000007085C000-memory.dmp

memory/2484-208-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/1096-215-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/5056-221-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/5056-226-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/904-224-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2484-223-0x0000000002930000-0x0000000002D33000-memory.dmp

memory/1096-228-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/904-230-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/1096-232-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1096-236-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/904-238-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/1096-240-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1096-244-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1096-248-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1096-252-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1096-256-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1096-260-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1096-264-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1096-268-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1096-272-0x0000000000400000-0x0000000000D1C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-16 17:56

Reported

2024-05-16 17:58

Platform

win11-20240426-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\df563e3152007b15f66deef6622c6b11d8d153246975fa80f159715fd7eca16b.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\df563e3152007b15f66deef6622c6b11d8d153246975fa80f159715fd7eca16b.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\df563e3152007b15f66deef6622c6b11d8d153246975fa80f159715fd7eca16b.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\df563e3152007b15f66deef6622c6b11d8d153246975fa80f159715fd7eca16b.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\df563e3152007b15f66deef6622c6b11d8d153246975fa80f159715fd7eca16b.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2182 = "Astrakhan Standard Time" C:\Users\Admin\AppData\Local\Temp\df563e3152007b15f66deef6622c6b11d8d153246975fa80f159715fd7eca16b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2342 = "Haiti Standard Time" C:\Users\Admin\AppData\Local\Temp\df563e3152007b15f66deef6622c6b11d8d153246975fa80f159715fd7eca16b.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2162 = "Altai Standard Time" C:\Users\Admin\AppData\Local\Temp\df563e3152007b15f66deef6622c6b11d8d153246975fa80f159715fd7eca16b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-105 = "Central Brazilian Standard Time" C:\Users\Admin\AppData\Local\Temp\df563e3152007b15f66deef6622c6b11d8d153246975fa80f159715fd7eca16b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1722 = "Libya Standard Time" C:\Users\Admin\AppData\Local\Temp\df563e3152007b15f66deef6622c6b11d8d153246975fa80f159715fd7eca16b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-212 = "Pacific Standard Time" C:\Users\Admin\AppData\Local\Temp\df563e3152007b15f66deef6622c6b11d8d153246975fa80f159715fd7eca16b.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-3052 = "Qyzylorda Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time" C:\Users\Admin\AppData\Local\Temp\df563e3152007b15f66deef6622c6b11d8d153246975fa80f159715fd7eca16b.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1862 = "Russia TZ 6 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1412 = "Syria Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1042 = "Ulaanbaatar Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2341 = "Haiti Daylight Time" C:\Users\Admin\AppData\Local\Temp\df563e3152007b15f66deef6622c6b11d8d153246975fa80f159715fd7eca16b.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2492 = "Aus Central W. Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2372 = "Easter Island Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-215 = "Pacific Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\df563e3152007b15f66deef6622c6b11d8d153246975fa80f159715fd7eca16b.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-462 = "Afghanistan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2432 = "Cuba Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-91 = "Pacific SA Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-121 = "SA Pacific Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-152 = "Central America Standard Time" C:\Users\Admin\AppData\Local\Temp\df563e3152007b15f66deef6622c6b11d8d153246975fa80f159715fd7eca16b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-332 = "E. Europe Standard Time" C:\Users\Admin\AppData\Local\Temp\df563e3152007b15f66deef6622c6b11d8d153246975fa80f159715fd7eca16b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2632 = "Norfolk Standard Time" C:\Users\Admin\AppData\Local\Temp\df563e3152007b15f66deef6622c6b11d8d153246975fa80f159715fd7eca16b.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-412 = "E. Africa Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1721 = "Libya Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-932 = "Coordinated Universal Time" C:\Users\Admin\AppData\Local\Temp\df563e3152007b15f66deef6622c6b11d8d153246975fa80f159715fd7eca16b.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-652 = "AUS Central Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-271 = "Greenwich Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-362 = "GTB Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-232 = "Hawaiian Standard Time" C:\Users\Admin\AppData\Local\Temp\df563e3152007b15f66deef6622c6b11d8d153246975fa80f159715fd7eca16b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-562 = "SE Asia Standard Time" C:\Users\Admin\AppData\Local\Temp\df563e3152007b15f66deef6622c6b11d8d153246975fa80f159715fd7eca16b.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-291 = "Central European Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1871 = "Russia TZ 7 Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-401 = "Arabic Daylight Time" C:\Users\Admin\AppData\Local\Temp\df563e3152007b15f66deef6622c6b11d8d153246975fa80f159715fd7eca16b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-841 = "Argentina Daylight Time" C:\Users\Admin\AppData\Local\Temp\df563e3152007b15f66deef6622c6b11d8d153246975fa80f159715fd7eca16b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-532 = "Sri Lanka Standard Time" C:\Users\Admin\AppData\Local\Temp\df563e3152007b15f66deef6622c6b11d8d153246975fa80f159715fd7eca16b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-132 = "US Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\df563e3152007b15f66deef6622c6b11d8d153246975fa80f159715fd7eca16b.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-292 = "Central European Standard Time" C:\Users\Admin\AppData\Local\Temp\df563e3152007b15f66deef6622c6b11d8d153246975fa80f159715fd7eca16b.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1411 = "Syria Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-161 = "Central Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2891 = "Sudan Daylight Time" C:\Windows\windefender.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\df563e3152007b15f66deef6622c6b11d8d153246975fa80f159715fd7eca16b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\df563e3152007b15f66deef6622c6b11d8d153246975fa80f159715fd7eca16b.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\df563e3152007b15f66deef6622c6b11d8d153246975fa80f159715fd7eca16b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\df563e3152007b15f66deef6622c6b11d8d153246975fa80f159715fd7eca16b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\df563e3152007b15f66deef6622c6b11d8d153246975fa80f159715fd7eca16b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\df563e3152007b15f66deef6622c6b11d8d153246975fa80f159715fd7eca16b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\df563e3152007b15f66deef6622c6b11d8d153246975fa80f159715fd7eca16b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\df563e3152007b15f66deef6622c6b11d8d153246975fa80f159715fd7eca16b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\df563e3152007b15f66deef6622c6b11d8d153246975fa80f159715fd7eca16b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\df563e3152007b15f66deef6622c6b11d8d153246975fa80f159715fd7eca16b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\df563e3152007b15f66deef6622c6b11d8d153246975fa80f159715fd7eca16b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\df563e3152007b15f66deef6622c6b11d8d153246975fa80f159715fd7eca16b.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\df563e3152007b15f66deef6622c6b11d8d153246975fa80f159715fd7eca16b.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\df563e3152007b15f66deef6622c6b11d8d153246975fa80f159715fd7eca16b.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3528 wrote to memory of 3164 N/A C:\Users\Admin\AppData\Local\Temp\df563e3152007b15f66deef6622c6b11d8d153246975fa80f159715fd7eca16b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3528 wrote to memory of 3164 N/A C:\Users\Admin\AppData\Local\Temp\df563e3152007b15f66deef6622c6b11d8d153246975fa80f159715fd7eca16b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3528 wrote to memory of 3164 N/A C:\Users\Admin\AppData\Local\Temp\df563e3152007b15f66deef6622c6b11d8d153246975fa80f159715fd7eca16b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2812 wrote to memory of 1164 N/A C:\Users\Admin\AppData\Local\Temp\df563e3152007b15f66deef6622c6b11d8d153246975fa80f159715fd7eca16b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2812 wrote to memory of 1164 N/A C:\Users\Admin\AppData\Local\Temp\df563e3152007b15f66deef6622c6b11d8d153246975fa80f159715fd7eca16b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2812 wrote to memory of 1164 N/A C:\Users\Admin\AppData\Local\Temp\df563e3152007b15f66deef6622c6b11d8d153246975fa80f159715fd7eca16b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2812 wrote to memory of 984 N/A C:\Users\Admin\AppData\Local\Temp\df563e3152007b15f66deef6622c6b11d8d153246975fa80f159715fd7eca16b.exe C:\Windows\system32\cmd.exe
PID 2812 wrote to memory of 984 N/A C:\Users\Admin\AppData\Local\Temp\df563e3152007b15f66deef6622c6b11d8d153246975fa80f159715fd7eca16b.exe C:\Windows\system32\cmd.exe
PID 984 wrote to memory of 3684 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 984 wrote to memory of 3684 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2812 wrote to memory of 5116 N/A C:\Users\Admin\AppData\Local\Temp\df563e3152007b15f66deef6622c6b11d8d153246975fa80f159715fd7eca16b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2812 wrote to memory of 5116 N/A C:\Users\Admin\AppData\Local\Temp\df563e3152007b15f66deef6622c6b11d8d153246975fa80f159715fd7eca16b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2812 wrote to memory of 5116 N/A C:\Users\Admin\AppData\Local\Temp\df563e3152007b15f66deef6622c6b11d8d153246975fa80f159715fd7eca16b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2812 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Temp\df563e3152007b15f66deef6622c6b11d8d153246975fa80f159715fd7eca16b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2812 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Temp\df563e3152007b15f66deef6622c6b11d8d153246975fa80f159715fd7eca16b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2812 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Temp\df563e3152007b15f66deef6622c6b11d8d153246975fa80f159715fd7eca16b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2812 wrote to memory of 4580 N/A C:\Users\Admin\AppData\Local\Temp\df563e3152007b15f66deef6622c6b11d8d153246975fa80f159715fd7eca16b.exe C:\Windows\rss\csrss.exe
PID 2812 wrote to memory of 4580 N/A C:\Users\Admin\AppData\Local\Temp\df563e3152007b15f66deef6622c6b11d8d153246975fa80f159715fd7eca16b.exe C:\Windows\rss\csrss.exe
PID 2812 wrote to memory of 4580 N/A C:\Users\Admin\AppData\Local\Temp\df563e3152007b15f66deef6622c6b11d8d153246975fa80f159715fd7eca16b.exe C:\Windows\rss\csrss.exe
PID 4580 wrote to memory of 1576 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4580 wrote to memory of 1576 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4580 wrote to memory of 1576 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4580 wrote to memory of 3140 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4580 wrote to memory of 3140 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4580 wrote to memory of 3140 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4580 wrote to memory of 556 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4580 wrote to memory of 556 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4580 wrote to memory of 556 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4580 wrote to memory of 2068 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 4580 wrote to memory of 2068 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 1448 wrote to memory of 1240 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 1448 wrote to memory of 1240 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 1448 wrote to memory of 1240 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 1240 wrote to memory of 4512 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 1240 wrote to memory of 4512 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 1240 wrote to memory of 4512 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\df563e3152007b15f66deef6622c6b11d8d153246975fa80f159715fd7eca16b.exe
    "C:\Users\Admin\AppData\Local\Temp\df563e3152007b15f66deef6622c6b11d8d153246975fa80f159715fd7eca16b.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile

C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3164 -ip 3164

C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3164 -s 2164

C:\Users\Admin\AppData\Local\Temp\df563e3152007b15f66deef6622c6b11d8d153246975fa80f159715fd7eca16b.exe
    "C:\Users\Admin\AppData\Local\Temp\df563e3152007b15f66deef6622c6b11d8d153246975fa80f159715fd7eca16b.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile

C:\Windows\system32\cmd.exe
    C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile

C:\Windows\rss\csrss.exe
    C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe
    schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe
    schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
    C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe
    schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe
    "C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe
    cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe
    sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe
    C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 30f07499-34e6-4816-970d-e5bca63bf3cd.uuid.createupdate.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 server9.createupdate.org udp
US 162.159.135.233:443 cdn.discordapp.com tcp
BG 185.82.216.104:443 server9.createupdate.org tcp
US 15.197.250.192:3478 stun.sipgate.net udp
US 104.21.94.82:443 carsalessystem.com tcp
US 8.8.8.8:53 82.94.21.104.in-addr.arpa udp
BG 185.82.216.104:443 server9.createupdate.org tcp
BG 185.82.216.104:443 server9.createupdate.org tcp
N/A 127.0.0.1:31465 tcp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gym040wm.jud.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 ac4917a885cf6050b1a483e4bc4d2ea5
SHA1 b1c0a9f27bd21c6bbb8e9be70db8777b4a2a640f
SHA256 e39062a62c3c7617feeeff95ea8a0be51104a0d36f46e44eea22556fda74d8d9
SHA512 092c67a3ecae1d187cad72a8ea1ea37cb78a0cf79c2cd7fb88953e5990669a2e871267015762fd46d274badb88ac0c1d73b00f1df7394d89bed48a3a45c2ba3d

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 c9a0b8581de1d62fb7273cbbbe928474
SHA1 295dda13fc311888c07a020c757b993c8a8a6d99
SHA256 a42d957953c027b1cb3a2e11158fcdd5ea8cf98f5d900251ee44875c82e50b93
SHA512 41372a2561eec9d889a5f676e92bb5ac3797259979113475d8cd758ceea63c717fe3ddde7ca56289e2aa2be62f92dbc374b90d527d1de4e0a86fe74d09ec8c6f

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 21ed920d92530fe66573d66a1339dea8
SHA1 f2690b7a7a051e09ab3649c74265e7332b7dfc6f
SHA256 247710f82fe69b28894410b26a86a846e27d2a5ae2dbe933d316dd71221281a6
SHA512 d4e66f3bcbb57c3c729f945767f75f615c2af58e98cb984b115d84acbe1aa44113d49df1ea418f78d9787e2d1576e8e2c2ff581b8a0b7be1a1c9560e22118e36

C:\Windows\rss\csrss.exe

MD5 f73714999499c2d514ed9f0159e961aa
SHA1 f8c7a5b68c5db0dd6305bc4faad7b44eea83af7e
SHA256 df563e3152007b15f66deef6622c6b11d8d153246975fa80f159715fd7eca16b
SHA512 c9942f6f32bd9579458d48c248820aade41dcd70d78be384f205c3df1983163899f9a8248bb94c734817d95d4e2b85e91698b56acd1f9d8b7e10e4fad8099621

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 bf69e4a3482b96aa20ef210aaf4a4917
SHA1 c956eae2660c6576f1e43474f5358b91450548d7
SHA256 3bbb808021902be56c1b756741919113bbbc4cf4cf007c4f806d2af21a0d9377
SHA512 dea94f18837536808a35d62cec5c30091e97278928a87e89e6d0b33e49705bb28d38e1b377e83194b0f9566d32ca44a3e45e7aabb01af9328662e87a9b8e7e9a

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 b2f4d8011c397f0ccc8705d9fd6ead3f
SHA1 c79110206083695d34e98364a0415782f78e7590
SHA256 9f00ebf444ad2ccfaa036d463e11608dd6c176c355069d151be2bb3d8713619c
SHA512 5ca2497ad840299dfdd83e854e1029c1c9ca76880578b5449fb68c73bba3a3c2f34633355da42b3204d68621ac7f5d4f4113408fba4718a190d3a256642dc0ac

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 36aa2942fa2c8dfa9b688a3a30b026ca
SHA1 29d2e2d8c9e28c8f7c6ebf61d2202f87af7808be
SHA256 d8dfb22fea4644fc799b75028f3dbc8b57446edac1b9eb6ae2f1730597531b4b
SHA512 8bbcee2cca5039c34b2bdbda0e3b6bdd7b0d6f7dc595cd7aeb4c68e60687104772e05d7fd5ca865742df711f8c192a25fa357f3b84ee6ef0f7a79a21a0e7855b

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec
