Malware Analysis Report

2024-11-13 19:44

Sample ID 240517-fmznlaaf25
Target 499f6ad8a410eeaad598e650f82a61c1e86c5ce4ef1055cc1a3f968c882a6fbb
SHA256 499f6ad8a410eeaad598e650f82a61c1e86c5ce4ef1055cc1a3f968c882a6fbb
Tags
glupteba discovery dropper evasion execution loader persistence rootkit upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

499f6ad8a410eeaad598e650f82a61c1e86c5ce4ef1055cc1a3f968c882a6fbb

Threat Level: Known bad

The file 499f6ad8a410eeaad598e650f82a61c1e86c5ce4ef1055cc1a3f968c882a6fbb was found to be: Known bad.

Malicious Activity Summary

glupteba discovery dropper evasion execution loader persistence rootkit upx

Glupteba payload

Glupteba

Modifies Windows Firewall

UPX packed file

Executes dropped EXE

Manipulates WinMonFS driver.

Adds Run key to start application

Checks installed software on the system

Drops file in System32 directory

Drops file in Windows directory

Launches sc.exe

Checks for VirtualBox DLLs, possible anti-VM trick

Command and Scripting Interpreter: PowerShell

Program crash

Modifies data under HKEY_USERS

Suspicious use of AdjustPrivilegeToken

Creates scheduled task(s)

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-17 05:00

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-17 05:00

Reported

2024-05-17 05:02

Platform

win10v2004-20240426-en

Max time kernel

150s

Max time network

135s

Command Line

"C:\Users\Admin\AppData\Local\Temp\499f6ad8a410eeaad598e650f82a61c1e86c5ce4ef1055cc1a3f968c882a6fbb.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\499f6ad8a410eeaad598e650f82a61c1e86c5ce4ef1055cc1a3f968c882a6fbb.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\499f6ad8a410eeaad598e650f82a61c1e86c5ce4ef1055cc1a3f968c882a6fbb.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\499f6ad8a410eeaad598e650f82a61c1e86c5ce4ef1055cc1a3f968c882a6fbb.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\499f6ad8a410eeaad598e650f82a61c1e86c5ce4ef1055cc1a3f968c882a6fbb.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1021 = "Bangladesh Daylight Time" C:\Users\Admin\AppData\Local\Temp\499f6ad8a410eeaad598e650f82a61c1e86c5ce4ef1055cc1a3f968c882a6fbb.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-961 = "Paraguay Daylight Time" C:\Users\Admin\AppData\Local\Temp\499f6ad8a410eeaad598e650f82a61c1e86c5ce4ef1055cc1a3f968c882a6fbb.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-672 = "AUS Eastern Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-281 = "Central Europe Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2431 = "Cuba Daylight Time" C:\Users\Admin\AppData\Local\Temp\499f6ad8a410eeaad598e650f82a61c1e86c5ce4ef1055cc1a3f968c882a6fbb.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-542 = "Myanmar Standard Time" C:\Users\Admin\AppData\Local\Temp\499f6ad8a410eeaad598e650f82a61c1e86c5ce4ef1055cc1a3f968c882a6fbb.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-142 = "Canada Central Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2892 = "Sudan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-301 = "Romance Daylight Time" C:\Users\Admin\AppData\Local\Temp\499f6ad8a410eeaad598e650f82a61c1e86c5ce4ef1055cc1a3f968c882a6fbb.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1911 = "Russia TZ 10 Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-141 = "Canada Central Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-511 = "Central Asia Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-351 = "FLE Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2941 = "Sao Tome Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2841 = "Saratov Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-631 = "Tokyo Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-842 = "Argentina Standard Time" C:\Users\Admin\AppData\Local\Temp\499f6ad8a410eeaad598e650f82a61c1e86c5ce4ef1055cc1a3f968c882a6fbb.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-352 = "FLE Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1932 = "Russia TZ 11 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-261 = "GMT Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-561 = "SE Asia Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1872 = "Russia TZ 7 Standard Time" C:\Users\Admin\AppData\Local\Temp\499f6ad8a410eeaad598e650f82a61c1e86c5ce4ef1055cc1a3f968c882a6fbb.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1842 = "Russia TZ 4 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-511 = "Central Asia Daylight Time" C:\Users\Admin\AppData\Local\Temp\499f6ad8a410eeaad598e650f82a61c1e86c5ce4ef1055cc1a3f968c882a6fbb.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-241 = "Samoa Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-231 = "Hawaiian Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-392 = "Arab Standard Time" C:\Users\Admin\AppData\Local\Temp\499f6ad8a410eeaad598e650f82a61c1e86c5ce4ef1055cc1a3f968c882a6fbb.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-531 = "Sri Lanka Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-332 = "E. Europe Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-751 = "Tonga Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-449 = "Azerbaijan Standard Time" C:\Users\Admin\AppData\Local\Temp\499f6ad8a410eeaad598e650f82a61c1e86c5ce4ef1055cc1a3f968c882a6fbb.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-682 = "E. Australia Standard Time" C:\Users\Admin\AppData\Local\Temp\499f6ad8a410eeaad598e650f82a61c1e86c5ce4ef1055cc1a3f968c882a6fbb.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-742 = "New Zealand Standard Time" C:\Users\Admin\AppData\Local\Temp\499f6ad8a410eeaad598e650f82a61c1e86c5ce4ef1055cc1a3f968c882a6fbb.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-602 = "Taipei Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2322 = "Sakhalin Standard Time" C:\Users\Admin\AppData\Local\Temp\499f6ad8a410eeaad598e650f82a61c1e86c5ce4ef1055cc1a3f968c882a6fbb.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1971 = "Belarus Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1041 = "Ulaanbaatar Daylight Time" C:\Users\Admin\AppData\Local\Temp\499f6ad8a410eeaad598e650f82a61c1e86c5ce4ef1055cc1a3f968c882a6fbb.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-3051 = "Qyzylorda Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-384 = "Namibia Daylight Time" C:\Users\Admin\AppData\Local\Temp\499f6ad8a410eeaad598e650f82a61c1e86c5ce4ef1055cc1a3f968c882a6fbb.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2942 = "Sao Tome Standard Time" C:\Users\Admin\AppData\Local\Temp\499f6ad8a410eeaad598e650f82a61c1e86c5ce4ef1055cc1a3f968c882a6fbb.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2891 = "Sudan Daylight Time" C:\Users\Admin\AppData\Local\Temp\499f6ad8a410eeaad598e650f82a61c1e86c5ce4ef1055cc1a3f968c882a6fbb.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-401 = "Arabic Daylight Time" C:\Windows\windefender.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\499f6ad8a410eeaad598e650f82a61c1e86c5ce4ef1055cc1a3f968c882a6fbb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\499f6ad8a410eeaad598e650f82a61c1e86c5ce4ef1055cc1a3f968c882a6fbb.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\499f6ad8a410eeaad598e650f82a61c1e86c5ce4ef1055cc1a3f968c882a6fbb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\499f6ad8a410eeaad598e650f82a61c1e86c5ce4ef1055cc1a3f968c882a6fbb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\499f6ad8a410eeaad598e650f82a61c1e86c5ce4ef1055cc1a3f968c882a6fbb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\499f6ad8a410eeaad598e650f82a61c1e86c5ce4ef1055cc1a3f968c882a6fbb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\499f6ad8a410eeaad598e650f82a61c1e86c5ce4ef1055cc1a3f968c882a6fbb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\499f6ad8a410eeaad598e650f82a61c1e86c5ce4ef1055cc1a3f968c882a6fbb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\499f6ad8a410eeaad598e650f82a61c1e86c5ce4ef1055cc1a3f968c882a6fbb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\499f6ad8a410eeaad598e650f82a61c1e86c5ce4ef1055cc1a3f968c882a6fbb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\499f6ad8a410eeaad598e650f82a61c1e86c5ce4ef1055cc1a3f968c882a6fbb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\499f6ad8a410eeaad598e650f82a61c1e86c5ce4ef1055cc1a3f968c882a6fbb.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\499f6ad8a410eeaad598e650f82a61c1e86c5ce4ef1055cc1a3f968c882a6fbb.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\499f6ad8a410eeaad598e650f82a61c1e86c5ce4ef1055cc1a3f968c882a6fbb.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3876 wrote to memory of 392 N/A C:\Users\Admin\AppData\Local\Temp\499f6ad8a410eeaad598e650f82a61c1e86c5ce4ef1055cc1a3f968c882a6fbb.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3876 wrote to memory of 392 N/A C:\Users\Admin\AppData\Local\Temp\499f6ad8a410eeaad598e650f82a61c1e86c5ce4ef1055cc1a3f968c882a6fbb.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3876 wrote to memory of 392 N/A C:\Users\Admin\AppData\Local\Temp\499f6ad8a410eeaad598e650f82a61c1e86c5ce4ef1055cc1a3f968c882a6fbb.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4492 wrote to memory of 4464 N/A C:\Users\Admin\AppData\Local\Temp\499f6ad8a410eeaad598e650f82a61c1e86c5ce4ef1055cc1a3f968c882a6fbb.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4492 wrote to memory of 4464 N/A C:\Users\Admin\AppData\Local\Temp\499f6ad8a410eeaad598e650f82a61c1e86c5ce4ef1055cc1a3f968c882a6fbb.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4492 wrote to memory of 4464 N/A C:\Users\Admin\AppData\Local\Temp\499f6ad8a410eeaad598e650f82a61c1e86c5ce4ef1055cc1a3f968c882a6fbb.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4492 wrote to memory of 4452 N/A C:\Users\Admin\AppData\Local\Temp\499f6ad8a410eeaad598e650f82a61c1e86c5ce4ef1055cc1a3f968c882a6fbb.exe C:\Windows\system32\cmd.exe
PID 4492 wrote to memory of 4452 N/A C:\Users\Admin\AppData\Local\Temp\499f6ad8a410eeaad598e650f82a61c1e86c5ce4ef1055cc1a3f968c882a6fbb.exe C:\Windows\system32\cmd.exe
PID 4452 wrote to memory of 1720 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4452 wrote to memory of 1720 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4492 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\499f6ad8a410eeaad598e650f82a61c1e86c5ce4ef1055cc1a3f968c882a6fbb.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4492 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\499f6ad8a410eeaad598e650f82a61c1e86c5ce4ef1055cc1a3f968c882a6fbb.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4492 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\499f6ad8a410eeaad598e650f82a61c1e86c5ce4ef1055cc1a3f968c882a6fbb.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4492 wrote to memory of 5044 N/A C:\Users\Admin\AppData\Local\Temp\499f6ad8a410eeaad598e650f82a61c1e86c5ce4ef1055cc1a3f968c882a6fbb.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4492 wrote to memory of 5044 N/A C:\Users\Admin\AppData\Local\Temp\499f6ad8a410eeaad598e650f82a61c1e86c5ce4ef1055cc1a3f968c882a6fbb.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4492 wrote to memory of 5044 N/A C:\Users\Admin\AppData\Local\Temp\499f6ad8a410eeaad598e650f82a61c1e86c5ce4ef1055cc1a3f968c882a6fbb.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4492 wrote to memory of 1012 N/A C:\Users\Admin\AppData\Local\Temp\499f6ad8a410eeaad598e650f82a61c1e86c5ce4ef1055cc1a3f968c882a6fbb.exe C:\Windows\rss\csrss.exe
PID 4492 wrote to memory of 1012 N/A C:\Users\Admin\AppData\Local\Temp\499f6ad8a410eeaad598e650f82a61c1e86c5ce4ef1055cc1a3f968c882a6fbb.exe C:\Windows\rss\csrss.exe
PID 4492 wrote to memory of 1012 N/A C:\Users\Admin\AppData\Local\Temp\499f6ad8a410eeaad598e650f82a61c1e86c5ce4ef1055cc1a3f968c882a6fbb.exe C:\Windows\rss\csrss.exe
PID 1012 wrote to memory of 4112 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1012 wrote to memory of 4112 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1012 wrote to memory of 4112 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1012 wrote to memory of 4284 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1012 wrote to memory of 4284 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1012 wrote to memory of 4284 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1012 wrote to memory of 1836 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1012 wrote to memory of 1836 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1012 wrote to memory of 1836 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1012 wrote to memory of 2964 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 1012 wrote to memory of 2964 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 1932 wrote to memory of 1600 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 1932 wrote to memory of 1600 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 1932 wrote to memory of 1600 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 1600 wrote to memory of 1972 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 1600 wrote to memory of 1972 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 1600 wrote to memory of 1972 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\499f6ad8a410eeaad598e650f82a61c1e86c5ce4ef1055cc1a3f968c882a6fbb.exe

"C:\Users\Admin\AppData\Local\Temp\499f6ad8a410eeaad598e650f82a61c1e86c5ce4ef1055cc1a3f968c882a6fbb.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\499f6ad8a410eeaad598e650f82a61c1e86c5ce4ef1055cc1a3f968c882a6fbb.exe

"C:\Users\Admin\AppData\Local\Temp\499f6ad8a410eeaad598e650f82a61c1e86c5ce4ef1055cc1a3f968c882a6fbb.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 13d40619-fcd2-4428-b311-32fcaf39c86c.uuid.statstraffic.org udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 stun.stunprotocol.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 server8.statstraffic.org udp
US 162.159.135.233:443 cdn.discordapp.com tcp
N/A 127.0.0.1:3478 udp
BG 185.82.216.104:443 server8.statstraffic.org tcp
US 8.8.8.8:53 carsalessystem.com udp
US 104.21.94.82:443 carsalessystem.com tcp
US 8.8.8.8:53 233.135.159.162.in-addr.arpa udp
US 8.8.8.8:53 104.216.82.185.in-addr.arpa udp
US 8.8.8.8:53 82.94.21.104.in-addr.arpa udp
BG 185.82.216.104:443 server8.statstraffic.org tcp
N/A 127.0.0.1:3478 udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 stun1.l.google.com udp
US 74.125.250.129:19302 stun1.l.google.com udp
US 8.8.8.8:53 129.250.125.74.in-addr.arpa udp
BG 185.82.216.104:443 server8.statstraffic.org tcp

Files

memory/3876-1-0x00000000047F0000-0x0000000004BED000-memory.dmp

memory/3876-2-0x0000000004BF0000-0x00000000054DB000-memory.dmp

memory/3876-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/392-4-0x0000000074FBE000-0x0000000074FBF000-memory.dmp

memory/392-5-0x0000000004D60000-0x0000000004D96000-memory.dmp

memory/392-6-0x0000000074FB0000-0x0000000075760000-memory.dmp

memory/392-7-0x0000000005410000-0x0000000005A38000-memory.dmp

memory/392-8-0x0000000005390000-0x00000000053B2000-memory.dmp

memory/392-9-0x0000000005C70000-0x0000000005CD6000-memory.dmp

memory/392-10-0x0000000005CE0000-0x0000000005D46000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2ld4p2h3.lou.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/392-20-0x0000000005D50000-0x00000000060A4000-memory.dmp

memory/392-21-0x0000000006340000-0x000000000635E000-memory.dmp

memory/392-22-0x0000000006380000-0x00000000063CC000-memory.dmp

memory/392-23-0x0000000007480000-0x00000000074C4000-memory.dmp

memory/392-24-0x0000000007650000-0x00000000076C6000-memory.dmp

memory/392-26-0x0000000007700000-0x000000000771A000-memory.dmp

memory/392-25-0x0000000007D50000-0x00000000083CA000-memory.dmp

memory/392-27-0x00000000078C0000-0x00000000078F2000-memory.dmp

memory/392-29-0x0000000070E50000-0x0000000070E9C000-memory.dmp

memory/392-28-0x0000000074FB0000-0x0000000075760000-memory.dmp

memory/392-30-0x0000000071590000-0x00000000718E4000-memory.dmp

memory/392-40-0x0000000007900000-0x000000000791E000-memory.dmp

memory/392-42-0x0000000074FB0000-0x0000000075760000-memory.dmp

memory/392-41-0x0000000007920000-0x00000000079C3000-memory.dmp

memory/392-43-0x0000000007A10000-0x0000000007A1A000-memory.dmp

memory/392-44-0x0000000007AD0000-0x0000000007B66000-memory.dmp

memory/392-45-0x0000000007A30000-0x0000000007A41000-memory.dmp

memory/392-46-0x0000000007A70000-0x0000000007A7E000-memory.dmp

memory/392-47-0x0000000007A80000-0x0000000007A94000-memory.dmp

memory/392-48-0x0000000007B70000-0x0000000007B8A000-memory.dmp

memory/392-49-0x0000000007AC0000-0x0000000007AC8000-memory.dmp

memory/392-52-0x0000000074FB0000-0x0000000075760000-memory.dmp

memory/3876-55-0x00000000047F0000-0x0000000004BED000-memory.dmp

memory/3876-54-0x0000000000400000-0x0000000002B0C000-memory.dmp

memory/3876-56-0x0000000004BF0000-0x00000000054DB000-memory.dmp

memory/3876-57-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4464-63-0x00000000063A0000-0x00000000066F4000-memory.dmp

memory/4464-68-0x0000000070E50000-0x0000000070E9C000-memory.dmp

memory/4464-79-0x0000000007BD0000-0x0000000007C73000-memory.dmp

memory/4464-69-0x00000000715D0000-0x0000000071924000-memory.dmp

memory/4464-80-0x0000000007EC0000-0x0000000007ED1000-memory.dmp

memory/4464-81-0x0000000007F10000-0x0000000007F24000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 73319851b092c5845ee04795d38a18ef
SHA1 4ca8fa6b9b0157241f508f8987efd085cc5eeba9
SHA256 d885157fa3009a88ccf2d6073dfb170406db4735cabde771b42346c44def6269
SHA512 465f03f9446c1a0e14ab06307e95a169832793a690dbdc750be532b98e92a2c3c995656b82fcaf4396b7712d3d30b77ec4460150a09589f041fd6396048c215c

memory/2480-95-0x0000000070E50000-0x0000000070E9C000-memory.dmp

memory/2480-96-0x00000000715D0000-0x0000000071924000-memory.dmp

memory/5044-116-0x0000000005F20000-0x0000000006274000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 aaf1239b0ada7ae29008bf8236e12dde
SHA1 a7f648ccd1231804c47a9667193a18b402e4c0a4
SHA256 1db8884c8565253e45d0f56de142d166ce31d6643a8e5a4d5170d3e90f07766b
SHA512 1c9b2608005e4d359a05c38320ebd1d34a919c73c106586225f7db47b7d3e6ed07b06562d2ce35c26b6d76327dfa7585ba1596cd5c3a006bc6f33cfb3e184284

memory/5044-119-0x0000000070FD0000-0x0000000071324000-memory.dmp

memory/5044-118-0x0000000070E50000-0x0000000070E9C000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 d61e63df5c6a07a673a7a2e2afd01bf1
SHA1 2d5a6a308c9c20f9913ad2f764e9d5947f69df40
SHA256 499f6ad8a410eeaad598e650f82a61c1e86c5ce4ef1055cc1a3f968c882a6fbb
SHA512 66dafa805c4f7881beafdd08fc3885d97cc179c8d1ccb97784cec191c5ec566229c962ef326fdb214a5eae1f996c49b415abf65341565d359cfab54e06a0ff3a

memory/4492-134-0x0000000000400000-0x0000000002B0C000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 c7b9b96d8ed84da0cd6f32eee5234ef5
SHA1 a4e6089afff09ec6486add734a87e770ace20fc2
SHA256 015ab9f13c7fef58adf545061a946c72ab5decec3ea9a2cff67053abc792b571
SHA512 2db8266e0cdbcb69ced088fcedcc745de6ce39356e3f129c9d0a4ed0bb3b8d362fa64d9d3727ea0472eec46564d21a8f7228fe2d07852010b10c4d6a0f9db669

memory/4112-149-0x0000000070E50000-0x0000000070E9C000-memory.dmp

memory/4112-150-0x00000000715D0000-0x0000000071924000-memory.dmp

memory/4284-170-0x0000000006470000-0x00000000067C4000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 90c7d43915f7205f84f7d86a92e68ce3
SHA1 02102b4e21091e0ffaef96b9f6babc7f950cf1fb
SHA256 988b0c789c4886066e114339bc5657b23822453e945d24727ba0037c892ff91a
SHA512 0619861958a4302e1a588d3177b6ddb09ac69cd86f37ddf9f66c63ff60b22b52e7471bfca9232412294bfc50381c3c3d615ee4ff28a57306755200d55b7b8088

memory/4284-172-0x0000000006E10000-0x0000000006E5C000-memory.dmp

memory/4284-173-0x0000000070D70000-0x0000000070DBC000-memory.dmp

memory/4284-174-0x0000000070EF0000-0x0000000071244000-memory.dmp

memory/4284-184-0x0000000007AF0000-0x0000000007B93000-memory.dmp

memory/4284-185-0x0000000007E30000-0x0000000007E41000-memory.dmp

memory/4284-186-0x0000000006220000-0x0000000006234000-memory.dmp

memory/1836-193-0x0000000006220000-0x0000000006574000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 5ea6e612c70fa9cca0032498b66201d1
SHA1 3a3a72618a0dc6b4d062cae94ae74e3dabd57cd0
SHA256 e4213bbc7c45d061bf1ff905092120b16bf8344a112691021e9c232f94198034
SHA512 e58366a2bc0e871f1d0a15bfb3f3bd912d6b3f287c35a7826abc60d457c7cc9c331e06cef350a98d4e45b605c5c87a38905d6ea84e2e035d3cdeba0699308ef8

memory/1836-199-0x0000000070D70000-0x0000000070DBC000-memory.dmp

memory/1836-200-0x0000000071500000-0x0000000071854000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/1012-217-0x0000000000400000-0x0000000002B0C000-memory.dmp

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/1932-222-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4328-226-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/1932-228-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/1012-225-0x0000000000400000-0x0000000002B0C000-memory.dmp

memory/4328-231-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/1012-230-0x0000000000400000-0x0000000002B0C000-memory.dmp

memory/1012-233-0x0000000000400000-0x0000000002B0C000-memory.dmp

memory/4328-237-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/1012-236-0x0000000000400000-0x0000000002B0C000-memory.dmp

memory/1012-239-0x0000000000400000-0x0000000002B0C000-memory.dmp

memory/1012-242-0x0000000000400000-0x0000000002B0C000-memory.dmp

memory/1012-245-0x0000000000400000-0x0000000002B0C000-memory.dmp

memory/1012-248-0x0000000000400000-0x0000000002B0C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-17 05:00

Reported

2024-05-17 05:02

Platform

win11-20240508-en

Max time kernel

149s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\499f6ad8a410eeaad598e650f82a61c1e86c5ce4ef1055cc1a3f968c882a6fbb.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\499f6ad8a410eeaad598e650f82a61c1e86c5ce4ef1055cc1a3f968c882a6fbb.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\499f6ad8a410eeaad598e650f82a61c1e86c5ce4ef1055cc1a3f968c882a6fbb.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\499f6ad8a410eeaad598e650f82a61c1e86c5ce4ef1055cc1a3f968c882a6fbb.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\499f6ad8a410eeaad598e650f82a61c1e86c5ce4ef1055cc1a3f968c882a6fbb.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2751 = "Tomsk Daylight Time" C:\Users\Admin\AppData\Local\Temp\499f6ad8a410eeaad598e650f82a61c1e86c5ce4ef1055cc1a3f968c882a6fbb.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1042 = "Ulaanbaatar Standard Time" C:\Users\Admin\AppData\Local\Temp\499f6ad8a410eeaad598e650f82a61c1e86c5ce4ef1055cc1a3f968c882a6fbb.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-931 = "Coordinated Universal Time" C:\Users\Admin\AppData\Local\Temp\499f6ad8a410eeaad598e650f82a61c1e86c5ce4ef1055cc1a3f968c882a6fbb.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1662 = "Bahia Standard Time" C:\Users\Admin\AppData\Local\Temp\499f6ad8a410eeaad598e650f82a61c1e86c5ce4ef1055cc1a3f968c882a6fbb.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-11 = "Azores Daylight Time" C:\Users\Admin\AppData\Local\Temp\499f6ad8a410eeaad598e650f82a61c1e86c5ce4ef1055cc1a3f968c882a6fbb.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1021 = "Bangladesh Daylight Time" C:\Users\Admin\AppData\Local\Temp\499f6ad8a410eeaad598e650f82a61c1e86c5ce4ef1055cc1a3f968c882a6fbb.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-151 = "Central America Daylight Time" C:\Users\Admin\AppData\Local\Temp\499f6ad8a410eeaad598e650f82a61c1e86c5ce4ef1055cc1a3f968c882a6fbb.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-42 = "E. South America Standard Time" C:\Users\Admin\AppData\Local\Temp\499f6ad8a410eeaad598e650f82a61c1e86c5ce4ef1055cc1a3f968c882a6fbb.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-31 = "Mid-Atlantic Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-91 = "Pacific SA Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-841 = "Argentina Daylight Time" C:\Users\Admin\AppData\Local\Temp\499f6ad8a410eeaad598e650f82a61c1e86c5ce4ef1055cc1a3f968c882a6fbb.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\499f6ad8a410eeaad598e650f82a61c1e86c5ce4ef1055cc1a3f968c882a6fbb.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2431 = "Cuba Daylight Time" C:\Users\Admin\AppData\Local\Temp\499f6ad8a410eeaad598e650f82a61c1e86c5ce4ef1055cc1a3f968c882a6fbb.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-451 = "Caucasus Daylight Time" C:\Users\Admin\AppData\Local\Temp\499f6ad8a410eeaad598e650f82a61c1e86c5ce4ef1055cc1a3f968c882a6fbb.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1971 = "Belarus Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2941 = "Sao Tome Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2432 = "Cuba Standard Time" C:\Users\Admin\AppData\Local\Temp\499f6ad8a410eeaad598e650f82a61c1e86c5ce4ef1055cc1a3f968c882a6fbb.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-531 = "Sri Lanka Daylight Time" C:\Users\Admin\AppData\Local\Temp\499f6ad8a410eeaad598e650f82a61c1e86c5ce4ef1055cc1a3f968c882a6fbb.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-661 = "Cen. Australia Daylight Time" C:\Users\Admin\AppData\Local\Temp\499f6ad8a410eeaad598e650f82a61c1e86c5ce4ef1055cc1a3f968c882a6fbb.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2871 = "Magallanes Daylight Time" C:\Users\Admin\AppData\Local\Temp\499f6ad8a410eeaad598e650f82a61c1e86c5ce4ef1055cc1a3f968c882a6fbb.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-32 = "Mid-Atlantic Standard Time" C:\Users\Admin\AppData\Local\Temp\499f6ad8a410eeaad598e650f82a61c1e86c5ce4ef1055cc1a3f968c882a6fbb.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-381 = "South Africa Daylight Time" C:\Users\Admin\AppData\Local\Temp\499f6ad8a410eeaad598e650f82a61c1e86c5ce4ef1055cc1a3f968c882a6fbb.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-3142 = "South Sudan Standard Time" C:\Users\Admin\AppData\Local\Temp\499f6ad8a410eeaad598e650f82a61c1e86c5ce4ef1055cc1a3f968c882a6fbb.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2182 = "Astrakhan Standard Time" C:\Users\Admin\AppData\Local\Temp\499f6ad8a410eeaad598e650f82a61c1e86c5ce4ef1055cc1a3f968c882a6fbb.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2612 = "Bougainville Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-171 = "Central Daylight Time (Mexico)" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-41 = "E. South America Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-342 = "Egypt Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1871 = "Russia TZ 7 Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-121 = "SA Pacific Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-461 = "Afghanistan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-448 = "Azerbaijan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-162 = "Central Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-431 = "Iran Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2452 = "Saint Pierre Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-571 = "China Daylight Time" C:\Users\Admin\AppData\Local\Temp\499f6ad8a410eeaad598e650f82a61c1e86c5ce4ef1055cc1a3f968c882a6fbb.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-501 = "Nepal Daylight Time" C:\Users\Admin\AppData\Local\Temp\499f6ad8a410eeaad598e650f82a61c1e86c5ce4ef1055cc1a3f968c882a6fbb.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1911 = "Russia TZ 10 Daylight Time" C:\Users\Admin\AppData\Local\Temp\499f6ad8a410eeaad598e650f82a61c1e86c5ce4ef1055cc1a3f968c882a6fbb.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1932 = "Russia TZ 11 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-152 = "Central America Standard Time" C:\Users\Admin\AppData\Local\Temp\499f6ad8a410eeaad598e650f82a61c1e86c5ce4ef1055cc1a3f968c882a6fbb.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-731 = "Fiji Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2791 = "Novosibirsk Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-122 = "SA Pacific Standard Time" C:\Users\Admin\AppData\Local\Temp\499f6ad8a410eeaad598e650f82a61c1e86c5ce4ef1055cc1a3f968c882a6fbb.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-651 = "AUS Central Daylight Time" C:\Users\Admin\AppData\Local\Temp\499f6ad8a410eeaad598e650f82a61c1e86c5ce4ef1055cc1a3f968c882a6fbb.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-162 = "Central Standard Time" C:\Users\Admin\AppData\Local\Temp\499f6ad8a410eeaad598e650f82a61c1e86c5ce4ef1055cc1a3f968c882a6fbb.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1471 = "Magadan Daylight Time" C:\Users\Admin\AppData\Local\Temp\499f6ad8a410eeaad598e650f82a61c1e86c5ce4ef1055cc1a3f968c882a6fbb.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2061 = "North Korea Daylight Time" C:\Users\Admin\AppData\Local\Temp\499f6ad8a410eeaad598e650f82a61c1e86c5ce4ef1055cc1a3f968c882a6fbb.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\499f6ad8a410eeaad598e650f82a61c1e86c5ce4ef1055cc1a3f968c882a6fbb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\499f6ad8a410eeaad598e650f82a61c1e86c5ce4ef1055cc1a3f968c882a6fbb.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\499f6ad8a410eeaad598e650f82a61c1e86c5ce4ef1055cc1a3f968c882a6fbb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\499f6ad8a410eeaad598e650f82a61c1e86c5ce4ef1055cc1a3f968c882a6fbb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\499f6ad8a410eeaad598e650f82a61c1e86c5ce4ef1055cc1a3f968c882a6fbb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\499f6ad8a410eeaad598e650f82a61c1e86c5ce4ef1055cc1a3f968c882a6fbb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\499f6ad8a410eeaad598e650f82a61c1e86c5ce4ef1055cc1a3f968c882a6fbb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\499f6ad8a410eeaad598e650f82a61c1e86c5ce4ef1055cc1a3f968c882a6fbb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\499f6ad8a410eeaad598e650f82a61c1e86c5ce4ef1055cc1a3f968c882a6fbb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\499f6ad8a410eeaad598e650f82a61c1e86c5ce4ef1055cc1a3f968c882a6fbb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\499f6ad8a410eeaad598e650f82a61c1e86c5ce4ef1055cc1a3f968c882a6fbb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\499f6ad8a410eeaad598e650f82a61c1e86c5ce4ef1055cc1a3f968c882a6fbb.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\499f6ad8a410eeaad598e650f82a61c1e86c5ce4ef1055cc1a3f968c882a6fbb.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\499f6ad8a410eeaad598e650f82a61c1e86c5ce4ef1055cc1a3f968c882a6fbb.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2924 wrote to memory of 4708 N/A C:\Users\Admin\AppData\Local\Temp\499f6ad8a410eeaad598e650f82a61c1e86c5ce4ef1055cc1a3f968c882a6fbb.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2924 wrote to memory of 4708 N/A C:\Users\Admin\AppData\Local\Temp\499f6ad8a410eeaad598e650f82a61c1e86c5ce4ef1055cc1a3f968c882a6fbb.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2924 wrote to memory of 4708 N/A C:\Users\Admin\AppData\Local\Temp\499f6ad8a410eeaad598e650f82a61c1e86c5ce4ef1055cc1a3f968c882a6fbb.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1356 wrote to memory of 1436 N/A C:\Users\Admin\AppData\Local\Temp\499f6ad8a410eeaad598e650f82a61c1e86c5ce4ef1055cc1a3f968c882a6fbb.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1356 wrote to memory of 1436 N/A C:\Users\Admin\AppData\Local\Temp\499f6ad8a410eeaad598e650f82a61c1e86c5ce4ef1055cc1a3f968c882a6fbb.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1356 wrote to memory of 1436 N/A C:\Users\Admin\AppData\Local\Temp\499f6ad8a410eeaad598e650f82a61c1e86c5ce4ef1055cc1a3f968c882a6fbb.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1356 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\499f6ad8a410eeaad598e650f82a61c1e86c5ce4ef1055cc1a3f968c882a6fbb.exe C:\Windows\system32\cmd.exe
PID 1356 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\499f6ad8a410eeaad598e650f82a61c1e86c5ce4ef1055cc1a3f968c882a6fbb.exe C:\Windows\system32\cmd.exe
PID 1196 wrote to memory of 2120 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1196 wrote to memory of 2120 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1356 wrote to memory of 3352 N/A C:\Users\Admin\AppData\Local\Temp\499f6ad8a410eeaad598e650f82a61c1e86c5ce4ef1055cc1a3f968c882a6fbb.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1356 wrote to memory of 3352 N/A C:\Users\Admin\AppData\Local\Temp\499f6ad8a410eeaad598e650f82a61c1e86c5ce4ef1055cc1a3f968c882a6fbb.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1356 wrote to memory of 3352 N/A C:\Users\Admin\AppData\Local\Temp\499f6ad8a410eeaad598e650f82a61c1e86c5ce4ef1055cc1a3f968c882a6fbb.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1356 wrote to memory of 4800 N/A C:\Users\Admin\AppData\Local\Temp\499f6ad8a410eeaad598e650f82a61c1e86c5ce4ef1055cc1a3f968c882a6fbb.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1356 wrote to memory of 4800 N/A C:\Users\Admin\AppData\Local\Temp\499f6ad8a410eeaad598e650f82a61c1e86c5ce4ef1055cc1a3f968c882a6fbb.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1356 wrote to memory of 4800 N/A C:\Users\Admin\AppData\Local\Temp\499f6ad8a410eeaad598e650f82a61c1e86c5ce4ef1055cc1a3f968c882a6fbb.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1356 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\499f6ad8a410eeaad598e650f82a61c1e86c5ce4ef1055cc1a3f968c882a6fbb.exe C:\Windows\rss\csrss.exe
PID 1356 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\499f6ad8a410eeaad598e650f82a61c1e86c5ce4ef1055cc1a3f968c882a6fbb.exe C:\Windows\rss\csrss.exe
PID 1356 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\499f6ad8a410eeaad598e650f82a61c1e86c5ce4ef1055cc1a3f968c882a6fbb.exe C:\Windows\rss\csrss.exe
PID 3060 wrote to memory of 3700 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3060 wrote to memory of 3700 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3060 wrote to memory of 3700 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3060 wrote to memory of 5040 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3060 wrote to memory of 5040 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3060 wrote to memory of 5040 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3060 wrote to memory of 3460 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3060 wrote to memory of 3460 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3060 wrote to memory of 3460 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3060 wrote to memory of 3540 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 3060 wrote to memory of 3540 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 2428 wrote to memory of 1736 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 2428 wrote to memory of 1736 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 2428 wrote to memory of 1736 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 1736 wrote to memory of 2452 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 1736 wrote to memory of 2452 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 1736 wrote to memory of 2452 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\499f6ad8a410eeaad598e650f82a61c1e86c5ce4ef1055cc1a3f968c882a6fbb.exe

"C:\Users\Admin\AppData\Local\Temp\499f6ad8a410eeaad598e650f82a61c1e86c5ce4ef1055cc1a3f968c882a6fbb.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4708 -ip 4708

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4708 -s 2596

C:\Users\Admin\AppData\Local\Temp\499f6ad8a410eeaad598e650f82a61c1e86c5ce4ef1055cc1a3f968c882a6fbb.exe

"C:\Users\Admin\AppData\Local\Temp\499f6ad8a410eeaad598e650f82a61c1e86c5ce4ef1055cc1a3f968c882a6fbb.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe
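
The command lines above carry the sample's three defence-evasion and persistence steps in plain text: a `netsh` inbound allow rule for `C:\Windows\rss\csrss.exe`, an `ONLOGON` task at `HIGHEST` run level for the same file, and an `sc sdset` that rewrites the security descriptor of the `WinDefender` service. The SDDL string is the least readable of the three, so the following added example (written for this page, not code from the sandbox or from the malware) decodes it with the standard service SDDL right and SID abbreviations, flags the deny ACE that strips Builtin Administrators of stop/pause rights, and runs the same check plus the other indicators over the command lines copied from the Processes section. The regexes and indicator names are my own; the sample inputs are the report's.

```python
"""Added example, not part of the sandbox report: decode the `sc sdset`
security descriptor from the Processes section and flag the other
persistence / defence-evasion command lines recorded there."""
import re
from typing import Dict, List

# Two-letter SDDL right codes as Windows applies them to service objects.
SERVICE_RIGHTS = {
    "CC": "QueryConfig", "DC": "ChangeConfig", "LC": "QueryStatus",
    "SW": "EnumerateDependents", "RP": "Start", "WP": "Stop",
    "DT": "PauseContinue", "LO": "Interrogate", "CR": "UserDefinedControl",
    "SD": "Delete", "RC": "ReadControl", "WD": "WriteDAC", "WO": "WriteOwner",
}
WELL_KNOWN_SIDS = {
    "SY": "LocalSystem", "BA": "Builtin Administrators",
    "IU": "Interactive users", "SU": "Service logon users",
    "WD": "Everyone", "AU": "Authenticated users", "BU": "Builtin Users",
}
ACE_TYPES = {"A": "allow", "D": "deny", "AU": "audit"}
# Rights that let an operator stop, remove or reconfigure a service.
CONTROL_RIGHTS = {"Stop", "PauseContinue", "Delete", "ChangeConfig",
                  "WriteDAC", "WriteOwner"}

SECTION_RE = re.compile(r"([DS]):((?:\([^)]*\))+)")  # D:(...)(...)  S:(...)
ACE_RE = re.compile(r"\(([^)]*)\)")


def parse_sddl(sddl: str) -> List[Dict]:
    """Split the D: (DACL) and S: (SACL) sections of an SDDL string into
    ACE dicts with decoded rights and trustees."""
    aces = []
    for section, body in SECTION_RE.findall(sddl):
        for ace in ACE_RE.findall(body):
            fields = ace.split(";")
            if len(fields) < 6:
                continue  # malformed ACE: skip rather than guess
            ace_type, flags, rights, _obj, _inh_obj, sid = fields[:6]
            codes = [rights[i:i + 2] for i in range(0, len(rights), 2)]
            aces.append({
                "acl": "DACL" if section == "D" else "SACL",
                "type": ACE_TYPES.get(ace_type, ace_type),
                "flags": flags,
                "rights": [SERVICE_RIGHTS.get(c, c) for c in codes],
                "trustee": WELL_KNOWN_SIDS.get(sid, sid),
            })
    return aces


def deny_aces_on_admins(sddl: str) -> List[Dict]:
    """Deny ACEs in the DACL that strip Builtin Administrators of a
    control right: the pattern that keeps `sc stop` from working."""
    return [a for a in parse_sddl(sddl)
            if a["acl"] == "DACL" and a["type"] == "deny"
            and a["trustee"] == "Builtin Administrators"
            and CONTROL_RIGHTS & set(a["rights"])]


# Indicator name -> regex over one process command line (my own names).
INDICATORS = [
    ("firewall_allow_rule",
     re.compile(r"netsh\s+advfirewall\s+firewall\s+add\s+rule\b.*\baction=allow\b", re.I)),
    ("logon_task_highest",
     re.compile(r"schtasks\b.*/CREATE\b.*/SC\s+ONLOGON\b.*/RL\s+HIGHEST\b", re.I)),
    ("service_sd_rewrite",
     re.compile(r"\bsc(?:\.exe)?\s+sdset\s+(\S+)\s+(\S+)", re.I)),
    ("hook_dll_injection",
     re.compile(r"injector\.exe\s+\S+\s+\S+Hook\.dll", re.I)),
]


def triage_command_line(cmdline: str) -> List[str]:
    """Return the indicator names a command line matches.  An `sc sdset`
    whose DACL denies admins a control right gets a more specific name."""
    hits = []
    for name, rx in INDICATORS:
        m = rx.search(cmdline)
        if not m:
            continue
        if name == "service_sd_rewrite" and deny_aces_on_admins(m.group(2)):
            name = "service_sd_locks_out_admins"
        hits.append(name)
    return hits


# Constructed sample: command lines copied from the report's Processes section.
SAMPLE_COMMAND_LINES = [
    'netsh advfirewall firewall add rule name="csrss" dir=in action=allow '
    'program="C:\\Windows\\rss\\csrss.exe" enable=yes',
    'schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\\Windows\\rss\\csrss.exe" /TN csrss /F',
    "schtasks /delete /tn ScheduledUpdate /f",
    "sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)"
    "(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
    "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)",
    "C:\\Users\\Admin\\AppData\\Local\\Temp\\csrss\\injector\\injector.exe taskmgr.exe "
    "C:\\Users\\Admin\\AppData\\Local\\Temp\\csrss\\injector\\NtQuerySystemInformationHook.dll",
]

if __name__ == "__main__":
    for line in SAMPLE_COMMAND_LINES:
        print(triage_command_line(line) or ["-"], line[:60])
    for ace in parse_sddl(SAMPLE_COMMAND_LINES[3].split(" ", 3)[3]):
        print(ace["acl"], ace["type"], ace["trustee"], ace["rights"])
```

Decoded, the DACL grants LocalSystem full control, gives Builtin Administrators everything except Stop and PauseContinue, and then adds an explicit `(D;;WPDT;;;BA)` deny so that `sc stop WinDefender` and `net stop` fail for administrators while delete and reconfigure still succeed. The `S:` section rewrites the SACL, which is why the AdjustPrivilegeToken table above shows `sc.exe` taking SeSecurityPrivilege; the `schtasks /delete` line is included as a negative case to show the task indicator only fires on the `ONLOGON`/`HIGHEST` creation.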

Network

Country Destination Domain Proto
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 server12.statstraffic.org udp
US 74.125.250.129:19302 stun4.l.google.com udp
US 162.159.130.233:443 cdn.discordapp.com tcp
BG 185.82.216.104:443 server12.statstraffic.org tcp
US 104.21.94.82:443 carsalessystem.com tcp
BG 185.82.216.104:443 server12.statstraffic.org tcp
BG 185.82.216.104:443 server12.statstraffic.org tcp

Files

memory/2924-1-0x0000000004860000-0x0000000004C68000-memory.dmp

memory/2924-2-0x0000000004C70000-0x000000000555B000-memory.dmp

memory/2924-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4708-4-0x0000000074DBE000-0x0000000074DBF000-memory.dmp

memory/4708-5-0x0000000002FE0000-0x0000000003016000-memory.dmp

memory/4708-6-0x0000000005670000-0x0000000005C9A000-memory.dmp

memory/4708-7-0x0000000074DB0000-0x0000000075561000-memory.dmp

memory/4708-8-0x0000000074DB0000-0x0000000075561000-memory.dmp

memory/4708-9-0x0000000005600000-0x0000000005622000-memory.dmp

memory/4708-10-0x0000000005E10000-0x0000000005E76000-memory.dmp

memory/4708-11-0x0000000005E80000-0x0000000005EE6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hd2rvcgq.hkw.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4708-20-0x0000000005FB0000-0x0000000006307000-memory.dmp

memory/4708-21-0x00000000064A0000-0x00000000064BE000-memory.dmp

memory/4708-22-0x0000000006560000-0x00000000065AC000-memory.dmp

memory/4708-23-0x0000000006910000-0x0000000006956000-memory.dmp

memory/4708-26-0x0000000071020000-0x000000007106C000-memory.dmp

memory/4708-25-0x00000000078D0000-0x0000000007904000-memory.dmp

memory/4708-27-0x00000000711A0000-0x00000000714F7000-memory.dmp

memory/4708-36-0x0000000007910000-0x000000000792E000-memory.dmp

memory/4708-37-0x0000000007930000-0x00000000079D4000-memory.dmp

memory/4708-38-0x0000000074DB0000-0x0000000075561000-memory.dmp

memory/4708-40-0x0000000007A60000-0x0000000007A7A000-memory.dmp

memory/4708-39-0x00000000080A0000-0x000000000871A000-memory.dmp

memory/2924-24-0x0000000000400000-0x0000000002B0C000-memory.dmp

memory/4708-41-0x0000000007AA0000-0x0000000007AAA000-memory.dmp

memory/4708-42-0x0000000074DB0000-0x0000000075561000-memory.dmp

memory/2924-45-0x0000000004860000-0x0000000004C68000-memory.dmp

memory/2924-44-0x0000000000400000-0x0000000002B0C000-memory.dmp

memory/1436-54-0x0000000006130000-0x0000000006487000-memory.dmp

memory/2924-55-0x0000000004C70000-0x000000000555B000-memory.dmp

memory/1436-56-0x0000000071020000-0x000000007106C000-memory.dmp

memory/1436-57-0x0000000071230000-0x0000000071587000-memory.dmp

memory/1436-66-0x0000000007630000-0x00000000076D4000-memory.dmp

memory/1436-67-0x0000000007C40000-0x0000000007CD6000-memory.dmp

memory/1436-68-0x0000000007B70000-0x0000000007B81000-memory.dmp

memory/1436-69-0x0000000007BB0000-0x0000000007BBE000-memory.dmp

memory/1436-70-0x0000000007BC0000-0x0000000007BD5000-memory.dmp

memory/1436-71-0x0000000007C00000-0x0000000007C1A000-memory.dmp

memory/1356-72-0x0000000000400000-0x0000000002B0C000-memory.dmp

memory/1436-73-0x0000000007C20000-0x0000000007C28000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 d0c46cad6c0778401e21910bd6b56b70
SHA1 7be418951ea96326aca445b8dfe449b2bfa0dca6
SHA256 9600b3fdf0565ccb49e21656aa4b24d7c18f776bfd04d9ee984b134707550f02
SHA512 057531b468f7fbbb2175a696a8aab274dec0d17d9f71df309edcff35e064f3378050066a3df47ccd03048fac461594ec75e3d4fe64f9dd79949d129f51e02949

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 78a961f7aee4f70189581624ac8d8e9d
SHA1 20640e0fdfe111afad09314535ab3940b4ebd901
SHA256 c371d4bf7c6b7000c9f402ce498721603c2a4615e191a1286641f103ddd3a28b
SHA512 c07ff2413aef1c390ce42417b9b69971899086fb7ffe7ad081af01c5d79ce8b1e91ac5b80556ade64ddb8ae396bbf70d59a28d1cbc4465c1c4b012333954ce37

memory/3352-86-0x0000000071020000-0x000000007106C000-memory.dmp

memory/3352-87-0x00000000711A0000-0x00000000714F7000-memory.dmp

memory/2924-96-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 426c33eceb96bc88aa16c3646695737c
SHA1 7ae88ddf44ab3ea822cd11d149b48e605f5cf978
SHA256 87bd30caf49cb38a30b4b60571f9847822f377507bb51f4e36b07197c2d87bcf
SHA512 b01c9944f334019bf687afe7f357262b945d31f67a1bb79955824c4449bb95bbe3f9d75b1ec0cd58122391cf2db416eea4b0834c41e56ee0deadc4cc98a40a46

memory/4800-107-0x0000000071020000-0x000000007106C000-memory.dmp

memory/4800-108-0x00000000711A0000-0x00000000714F7000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 d61e63df5c6a07a673a7a2e2afd01bf1
SHA1 2d5a6a308c9c20f9913ad2f764e9d5947f69df40
SHA256 499f6ad8a410eeaad598e650f82a61c1e86c5ce4ef1055cc1a3f968c882a6fbb
SHA512 66dafa805c4f7881beafdd08fc3885d97cc179c8d1ccb97784cec191c5ec566229c962ef326fdb214a5eae1f996c49b415abf65341565d359cfab54e06a0ff3a

memory/1356-122-0x0000000000400000-0x0000000002B0C000-memory.dmp

memory/3700-126-0x0000000006030000-0x0000000006387000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 cd0532fea00458290e4846c9eef342f1
SHA1 aea64490ea2b0b7138e01500fd77f8476c02ea6c
SHA256 9ba8e94bc4a4d8e5463e43d9202dfa1ba6988bcce5fdb389a5f024c3512d32fd
SHA512 cbe8172b2b541edcc760e141456d22d10f5b20e3ff18c84955abd5e27727df2e360330ad7eb8e98dee9b88d7f8df9807350363d8ad0fe7a446735ae42a89ebd8

memory/3700-137-0x0000000071270000-0x00000000715C7000-memory.dmp

memory/3700-136-0x0000000071020000-0x000000007106C000-memory.dmp

memory/3060-146-0x0000000000400000-0x0000000002B0C000-memory.dmp

memory/5040-156-0x0000000005E40000-0x0000000006197000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 a43a6b4de27d79e453096008891a6965
SHA1 18962700a4515fae2371c4fb6d116ae70cf7f6d4
SHA256 9e6bf01ffe7324d7fdcc0ac23a38cb64a0894eae496ac6b40a5968375c6c7e24
SHA512 19158c257a143cb6f7cfbdc8195e10ef07e613590f86573deb0475114caaf146c4758cc422c4812c4408cb55296d56325473227e85058d963e07f61284174ec5

memory/5040-158-0x0000000006350000-0x000000000639C000-memory.dmp

memory/5040-159-0x0000000070F40000-0x0000000070F8C000-memory.dmp

memory/5040-160-0x00000000710C0000-0x0000000071417000-memory.dmp

memory/5040-169-0x00000000075B0000-0x0000000007654000-memory.dmp

memory/5040-170-0x0000000007A40000-0x0000000007A51000-memory.dmp

memory/5040-171-0x0000000005DF0000-0x0000000005E05000-memory.dmp

memory/3460-173-0x0000000005B20000-0x0000000005E77000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 d4f3abdda2884e4305880305cab44a57
SHA1 593053d24070552e28e8f037b1c344b2a0254727
SHA256 d4511c668501e69fbff0c1dea4e8376837ab0929db4f573588c665ce09514149
SHA512 62b9111f6407bfd8747ea507846a08e2c30f730a7474f9f5368722cb92446fc22372a4439ba5d817491ec33c5fc9afeb98b60364b51dd9b691739e299d7aad57

memory/3460-184-0x0000000071190000-0x00000000714E7000-memory.dmp

memory/3460-183-0x0000000070F40000-0x0000000070F8C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/3060-200-0x0000000000400000-0x0000000002B0C000-memory.dmp

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/2428-205-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/8-208-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2428-210-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3060-211-0x0000000000400000-0x0000000002B0C000-memory.dmp

memory/8-214-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3060-213-0x0000000000400000-0x0000000002B0C000-memory.dmp

memory/3060-216-0x0000000000400000-0x0000000002B0C000-memory.dmp

memory/8-220-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3060-219-0x0000000000400000-0x0000000002B0C000-memory.dmp

memory/3060-223-0x0000000000400000-0x0000000002B0C000-memory.dmp

memory/3060-225-0x0000000000400000-0x0000000002B0C000-memory.dmp

memory/3060-228-0x0000000000400000-0x0000000002B0C000-memory.dmp

memory/3060-231-0x0000000000400000-0x0000000002B0C000-memory.dmp

memory/3060-235-0x0000000000400000-0x0000000002B0C000-memory.dmp