Malware Analysis Report

2024-11-13 19:43

Sample ID 240517-ltjhvacd3z
Target 5ccb6c4de0bd5bec2db56928399d568fff479931250c1de39edcc268564194e2
SHA256 5ccb6c4de0bd5bec2db56928399d568fff479931250c1de39edcc268564194e2
Tags
glupteba discovery dropper evasion execution loader persistence rootkit upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

5ccb6c4de0bd5bec2db56928399d568fff479931250c1de39edcc268564194e2

Threat Level: Known bad

The file 5ccb6c4de0bd5bec2db56928399d568fff479931250c1de39edcc268564194e2 was found to be: Known bad.

Malicious Activity Summary

glupteba discovery dropper evasion execution loader persistence rootkit upx

Glupteba payload

Glupteba

Modifies Windows Firewall

Executes dropped EXE

UPX packed file

Checks installed software on the system

Manipulates WinMonFS driver.

Adds Run key to start application

Drops file in System32 directory

Drops file in Windows directory

Launches sc.exe

Checks for VirtualBox DLLs, possible anti-VM trick

Command and Scripting Interpreter: PowerShell

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

Modifies data under HKEY_USERS

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-17 09:49

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-17 09:49

Reported

2024-05-17 09:52

Platform

win10v2004-20240426-en

Max time kernel

150s

Max time network

140s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5ccb6c4de0bd5bec2db56928399d568fff479931250c1de39edcc268564194e2.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\5ccb6c4de0bd5bec2db56928399d568fff479931250c1de39edcc268564194e2.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\5ccb6c4de0bd5bec2db56928399d568fff479931250c1de39edcc268564194e2.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\5ccb6c4de0bd5bec2db56928399d568fff479931250c1de39edcc268564194e2.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\5ccb6c4de0bd5bec2db56928399d568fff479931250c1de39edcc268564194e2.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-491 = "India Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2941 = "Sao Tome Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-302 = "Romance Standard Time" C:\Users\Admin\AppData\Local\Temp\5ccb6c4de0bd5bec2db56928399d568fff479931250c1de39edcc268564194e2.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-121 = "SA Pacific Daylight Time" C:\Users\Admin\AppData\Local\Temp\5ccb6c4de0bd5bec2db56928399d568fff479931250c1de39edcc268564194e2.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-752 = "Tonga Standard Time" C:\Users\Admin\AppData\Local\Temp\5ccb6c4de0bd5bec2db56928399d568fff479931250c1de39edcc268564194e2.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2322 = "Sakhalin Standard Time" C:\Users\Admin\AppData\Local\Temp\5ccb6c4de0bd5bec2db56928399d568fff479931250c1de39edcc268564194e2.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2611 = "Bougainville Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-722 = "Central Pacific Standard Time" C:\Users\Admin\AppData\Local\Temp\5ccb6c4de0bd5bec2db56928399d568fff479931250c1de39edcc268564194e2.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-731 = "Fiji Daylight Time" C:\Users\Admin\AppData\Local\Temp\5ccb6c4de0bd5bec2db56928399d568fff479931250c1de39edcc268564194e2.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-335 = "Jordan Standard Time" C:\Users\Admin\AppData\Local\Temp\5ccb6c4de0bd5bec2db56928399d568fff479931250c1de39edcc268564194e2.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1041 = "Ulaanbaatar Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-441 = "Arabian Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2162 = "Altai Standard Time" C:\Users\Admin\AppData\Local\Temp\5ccb6c4de0bd5bec2db56928399d568fff479931250c1de39edcc268564194e2.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2182 = "Astrakhan Standard Time" C:\Users\Admin\AppData\Local\Temp\5ccb6c4de0bd5bec2db56928399d568fff479931250c1de39edcc268564194e2.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-448 = "Azerbaijan Daylight Time" C:\Users\Admin\AppData\Local\Temp\5ccb6c4de0bd5bec2db56928399d568fff479931250c1de39edcc268564194e2.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1842 = "Russia TZ 4 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-192 = "Mountain Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-622 = "Korea Standard Time" C:\Users\Admin\AppData\Local\Temp\5ccb6c4de0bd5bec2db56928399d568fff479931250c1de39edcc268564194e2.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-662 = "Cen. Australia Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-364 = "Middle East Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2452 = "Saint Pierre Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2001 = "Cabo Verde Daylight Time" C:\Users\Admin\AppData\Local\Temp\5ccb6c4de0bd5bec2db56928399d568fff479931250c1de39edcc268564194e2.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-722 = "Central Pacific Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1871 = "Russia TZ 7 Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-362 = "GTB Standard Time" C:\Users\Admin\AppData\Local\Temp\5ccb6c4de0bd5bec2db56928399d568fff479931250c1de39edcc268564194e2.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-131 = "US Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\5ccb6c4de0bd5bec2db56928399d568fff479931250c1de39edcc268564194e2.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2182 = "Astrakhan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-221 = "Alaskan Daylight Time" C:\Users\Admin\AppData\Local\Temp\5ccb6c4de0bd5bec2db56928399d568fff479931250c1de39edcc268564194e2.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-384 = "Namibia Daylight Time" C:\Users\Admin\AppData\Local\Temp\5ccb6c4de0bd5bec2db56928399d568fff479931250c1de39edcc268564194e2.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1911 = "Russia TZ 10 Daylight Time" C:\Users\Admin\AppData\Local\Temp\5ccb6c4de0bd5bec2db56928399d568fff479931250c1de39edcc268564194e2.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-449 = "Azerbaijan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-532 = "Sri Lanka Standard Time" C:\Users\Admin\AppData\Local\Temp\5ccb6c4de0bd5bec2db56928399d568fff479931250c1de39edcc268564194e2.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-272 = "Greenwich Standard Time" C:\Users\Admin\AppData\Local\Temp\5ccb6c4de0bd5bec2db56928399d568fff479931250c1de39edcc268564194e2.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-872 = "Pakistan Standard Time" C:\Users\Admin\AppData\Local\Temp\5ccb6c4de0bd5bec2db56928399d568fff479931250c1de39edcc268564194e2.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-561 = "SE Asia Daylight Time" C:\Users\Admin\AppData\Local\Temp\5ccb6c4de0bd5bec2db56928399d568fff479931250c1de39edcc268564194e2.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-142 = "Canada Central Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-11 = "Azores Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-771 = "Montevideo Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-531 = "Sri Lanka Daylight Time" C:\Users\Admin\AppData\Local\Temp\5ccb6c4de0bd5bec2db56928399d568fff479931250c1de39edcc268564194e2.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5ccb6c4de0bd5bec2db56928399d568fff479931250c1de39edcc268564194e2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5ccb6c4de0bd5bec2db56928399d568fff479931250c1de39edcc268564194e2.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5ccb6c4de0bd5bec2db56928399d568fff479931250c1de39edcc268564194e2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5ccb6c4de0bd5bec2db56928399d568fff479931250c1de39edcc268564194e2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5ccb6c4de0bd5bec2db56928399d568fff479931250c1de39edcc268564194e2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5ccb6c4de0bd5bec2db56928399d568fff479931250c1de39edcc268564194e2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5ccb6c4de0bd5bec2db56928399d568fff479931250c1de39edcc268564194e2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5ccb6c4de0bd5bec2db56928399d568fff479931250c1de39edcc268564194e2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5ccb6c4de0bd5bec2db56928399d568fff479931250c1de39edcc268564194e2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5ccb6c4de0bd5bec2db56928399d568fff479931250c1de39edcc268564194e2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5ccb6c4de0bd5bec2db56928399d568fff479931250c1de39edcc268564194e2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5ccb6c4de0bd5bec2db56928399d568fff479931250c1de39edcc268564194e2.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5ccb6c4de0bd5bec2db56928399d568fff479931250c1de39edcc268564194e2.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\5ccb6c4de0bd5bec2db56928399d568fff479931250c1de39edcc268564194e2.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1920 wrote to memory of 1084 N/A C:\Users\Admin\AppData\Local\Temp\5ccb6c4de0bd5bec2db56928399d568fff479931250c1de39edcc268564194e2.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1920 wrote to memory of 1084 N/A C:\Users\Admin\AppData\Local\Temp\5ccb6c4de0bd5bec2db56928399d568fff479931250c1de39edcc268564194e2.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1920 wrote to memory of 1084 N/A C:\Users\Admin\AppData\Local\Temp\5ccb6c4de0bd5bec2db56928399d568fff479931250c1de39edcc268564194e2.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4432 wrote to memory of 3272 N/A C:\Users\Admin\AppData\Local\Temp\5ccb6c4de0bd5bec2db56928399d568fff479931250c1de39edcc268564194e2.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4432 wrote to memory of 3272 N/A C:\Users\Admin\AppData\Local\Temp\5ccb6c4de0bd5bec2db56928399d568fff479931250c1de39edcc268564194e2.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4432 wrote to memory of 3272 N/A C:\Users\Admin\AppData\Local\Temp\5ccb6c4de0bd5bec2db56928399d568fff479931250c1de39edcc268564194e2.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4432 wrote to memory of 1400 N/A C:\Users\Admin\AppData\Local\Temp\5ccb6c4de0bd5bec2db56928399d568fff479931250c1de39edcc268564194e2.exe C:\Windows\system32\backgroundTaskHost.exe
PID 4432 wrote to memory of 1400 N/A C:\Users\Admin\AppData\Local\Temp\5ccb6c4de0bd5bec2db56928399d568fff479931250c1de39edcc268564194e2.exe C:\Windows\system32\backgroundTaskHost.exe
PID 1400 wrote to memory of 3604 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1400 wrote to memory of 3604 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4432 wrote to memory of 4700 N/A C:\Users\Admin\AppData\Local\Temp\5ccb6c4de0bd5bec2db56928399d568fff479931250c1de39edcc268564194e2.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4432 wrote to memory of 4700 N/A C:\Users\Admin\AppData\Local\Temp\5ccb6c4de0bd5bec2db56928399d568fff479931250c1de39edcc268564194e2.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4432 wrote to memory of 4700 N/A C:\Users\Admin\AppData\Local\Temp\5ccb6c4de0bd5bec2db56928399d568fff479931250c1de39edcc268564194e2.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4432 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\5ccb6c4de0bd5bec2db56928399d568fff479931250c1de39edcc268564194e2.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4432 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\5ccb6c4de0bd5bec2db56928399d568fff479931250c1de39edcc268564194e2.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4432 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\5ccb6c4de0bd5bec2db56928399d568fff479931250c1de39edcc268564194e2.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4432 wrote to memory of 4588 N/A C:\Users\Admin\AppData\Local\Temp\5ccb6c4de0bd5bec2db56928399d568fff479931250c1de39edcc268564194e2.exe C:\Windows\rss\csrss.exe
PID 4432 wrote to memory of 4588 N/A C:\Users\Admin\AppData\Local\Temp\5ccb6c4de0bd5bec2db56928399d568fff479931250c1de39edcc268564194e2.exe C:\Windows\rss\csrss.exe
PID 4432 wrote to memory of 4588 N/A C:\Users\Admin\AppData\Local\Temp\5ccb6c4de0bd5bec2db56928399d568fff479931250c1de39edcc268564194e2.exe C:\Windows\rss\csrss.exe
PID 4588 wrote to memory of 3592 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\sc.exe
PID 4588 wrote to memory of 3592 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\sc.exe
PID 4588 wrote to memory of 3592 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\sc.exe
PID 4588 wrote to memory of 1704 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4588 wrote to memory of 1704 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4588 wrote to memory of 1704 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4588 wrote to memory of 4936 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4588 wrote to memory of 4936 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4588 wrote to memory of 4936 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4588 wrote to memory of 3600 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 4588 wrote to memory of 3600 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 3788 wrote to memory of 4344 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 3788 wrote to memory of 4344 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 3788 wrote to memory of 4344 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 4344 wrote to memory of 3592 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 4344 wrote to memory of 3592 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 4344 wrote to memory of 3592 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\5ccb6c4de0bd5bec2db56928399d568fff479931250c1de39edcc268564194e2.exe

"C:\Users\Admin\AppData\Local\Temp\5ccb6c4de0bd5bec2db56928399d568fff479931250c1de39edcc268564194e2.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\5ccb6c4de0bd5bec2db56928399d568fff479931250c1de39edcc268564194e2.exe

"C:\Users\Admin\AppData\Local\Temp\5ccb6c4de0bd5bec2db56928399d568fff479931250c1de39edcc268564194e2.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 80.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.113:443 www.bing.com tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 113.61.62.23.in-addr.arpa udp
NL 23.62.61.113:443 www.bing.com tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 6c8df6ff-92a3-4d04-87d5-918bbafd8c3d.uuid.createupdate.org udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 stun.stunprotocol.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 server15.createupdate.org udp
US 162.159.130.233:443 cdn.discordapp.com tcp
BG 185.82.216.104:443 server15.createupdate.org tcp
US 8.8.8.8:53 carsalessystem.com udp
US 104.21.94.82:443 carsalessystem.com tcp
US 8.8.8.8:53 233.130.159.162.in-addr.arpa udp
US 8.8.8.8:53 82.94.21.104.in-addr.arpa udp
US 8.8.8.8:53 104.216.82.185.in-addr.arpa udp
BG 185.82.216.104:443 server15.createupdate.org tcp
US 8.8.8.8:53 stun4.l.google.com udp
US 74.125.250.129:19302 stun4.l.google.com udp
US 8.8.8.8:53 129.250.125.74.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 97.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
N/A 127.0.0.1:3478 N/A udp
BG 185.82.216.104:443 server15.createupdate.org tcp

Files

memory/1920-1-0x0000000004940000-0x0000000004D40000-memory.dmp

memory/1920-2-0x0000000004D40000-0x000000000562B000-memory.dmp

memory/1920-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1084-4-0x0000000074F9E000-0x0000000074F9F000-memory.dmp

memory/1084-5-0x00000000032C0000-0x00000000032F6000-memory.dmp

memory/1084-7-0x00000000059E0000-0x0000000006008000-memory.dmp

memory/1084-6-0x0000000074F90000-0x0000000075740000-memory.dmp

memory/1084-8-0x0000000074F90000-0x0000000075740000-memory.dmp

memory/1084-9-0x0000000006010000-0x0000000006032000-memory.dmp

memory/1084-11-0x0000000006250000-0x00000000062B6000-memory.dmp

memory/1084-10-0x0000000006130000-0x0000000006196000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_soxb1aec.iya.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1084-21-0x00000000062C0000-0x0000000006614000-memory.dmp

memory/1084-22-0x00000000068A0000-0x00000000068BE000-memory.dmp

memory/1084-23-0x00000000068F0000-0x000000000693C000-memory.dmp

memory/1084-24-0x0000000006E20000-0x0000000006E64000-memory.dmp

memory/1084-25-0x00000000079C0000-0x0000000007A36000-memory.dmp

memory/1084-26-0x00000000082C0000-0x000000000893A000-memory.dmp

memory/1084-27-0x0000000007C60000-0x0000000007C7A000-memory.dmp

memory/1084-29-0x0000000007E20000-0x0000000007E52000-memory.dmp

memory/1084-31-0x0000000070FB0000-0x0000000071304000-memory.dmp

memory/1084-42-0x0000000007E80000-0x0000000007F23000-memory.dmp

memory/1084-43-0x0000000074F90000-0x0000000075740000-memory.dmp

memory/1084-41-0x0000000007E60000-0x0000000007E7E000-memory.dmp

memory/1920-28-0x0000000000400000-0x0000000002B0D000-memory.dmp

memory/1084-45-0x0000000007F70000-0x0000000007F7A000-memory.dmp

memory/1084-44-0x0000000074F90000-0x0000000075740000-memory.dmp

memory/1084-46-0x0000000008030000-0x00000000080C6000-memory.dmp

memory/1084-47-0x0000000007F90000-0x0000000007FA1000-memory.dmp

memory/1084-30-0x0000000070E30000-0x0000000070E7C000-memory.dmp

memory/1084-48-0x0000000007FD0000-0x0000000007FDE000-memory.dmp

memory/1084-50-0x00000000080D0000-0x00000000080EA000-memory.dmp

memory/1084-49-0x0000000007FE0000-0x0000000007FF4000-memory.dmp

memory/1084-51-0x0000000008020000-0x0000000008028000-memory.dmp

memory/1084-54-0x0000000074F90000-0x0000000075740000-memory.dmp

memory/1920-56-0x0000000004940000-0x0000000004D40000-memory.dmp

memory/3272-66-0x00000000063B0000-0x0000000006704000-memory.dmp

memory/3272-67-0x0000000070E30000-0x0000000070E7C000-memory.dmp

memory/3272-78-0x0000000007BB0000-0x0000000007C53000-memory.dmp

memory/3272-68-0x00000000715B0000-0x0000000071904000-memory.dmp

memory/3272-79-0x0000000007EC0000-0x0000000007ED1000-memory.dmp

memory/3272-80-0x0000000007F10000-0x0000000007F24000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 c1ecad74b5a3547b58bad8020a89942b
SHA1 64bb56a73ebf453503c29f0f1aea18ce0d6c3a82
SHA256 219cdc5b2ff440f549ce9d61cd280edc31eaaf0a1fefa0cd52a9b59d449d2ba6
SHA512 481cf24ce7c6405d9604d8e5455112b3425b78a8f10dc5dca669eba840c26b319ad8deb6c07a86217e0c3ebb917d79b752431e95cf92294e35dbf6c498e73d81

memory/1920-95-0x0000000004D40000-0x000000000562B000-memory.dmp

memory/4700-97-0x0000000070FB0000-0x0000000071304000-memory.dmp

memory/4700-96-0x0000000070E30000-0x0000000070E7C000-memory.dmp

memory/1920-94-0x0000000000400000-0x0000000002B0D000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 98d89459c82085105ea202a59b4226d1
SHA1 5edec790fe483b4a26e4b916a4731eeeeca0f556
SHA256 a498045e311a0a93613cd60ca75cae205850e4ecdd50d42fdbab1591667a07e0
SHA512 782f473f27bea726e2dd3e3af5c696b382cf7faaace009219b6169ac044148b77a840165cb0cd4fdbd96c7587f918bb55affdfd8153f69bd5c087bc6395b148a

memory/2460-118-0x0000000070E30000-0x0000000070E7C000-memory.dmp

memory/2460-119-0x00000000715B0000-0x0000000071904000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 dcac5135874f0b248b110e2c504d42d4
SHA1 83ae7d534d9d4f9d3dbf73995bd78e10b0f16463
SHA256 5ccb6c4de0bd5bec2db56928399d568fff479931250c1de39edcc268564194e2
SHA512 970cf1f87faa12b08d612a1a98ca021331f337e2151f055c2b47ffeb2b3b83362f7240196c65de1c85e667ab688006eb8e85b7e45bd0562516b54c8e9d930625

memory/1920-136-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4432-135-0x0000000000400000-0x0000000002B0D000-memory.dmp

memory/3592-146-0x00000000053D0000-0x0000000005724000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 3b6cb7897fe965ae61ea66a7f9eb6617
SHA1 dafabdab52071af4da4ac385989f6eec998b9d4e
SHA256 6412ddca369982a0525e41152bd5bc763507b64a9194bdb6adf2e7dace2a82e0
SHA512 1a727d7abc3d8128fb7e612364b323b0392f953ff1113931c9247abfa704ad333ce3b1b8caae6820a7d9bcd98d935b2a260666bcc04317dd1487f452d3112a59

memory/3592-148-0x0000000070E30000-0x0000000070E7C000-memory.dmp

memory/3592-149-0x0000000071250000-0x00000000715A4000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 d9e99e7720a73ab4959e99d3a1ffa2a0
SHA1 316afd9c3f534d4730dcc560480331a300c2cb1e
SHA256 2c2f619088fb2c80f04e3cc874dc7d905e4b81e1aad3307fef7e17125ad7701d
SHA512 09fa302bb2252290a908dbc2147d23cab7d6e0fe25e944fccbe41fd8a3f4b89b48182e4efd79ff2eb0430fb0e3a1047290b5de6f7db90b1ba355bd93d42ab1f7

memory/1704-169-0x0000000005CB0000-0x0000000006004000-memory.dmp

memory/1704-171-0x0000000006910000-0x000000000695C000-memory.dmp

memory/1704-173-0x0000000070D50000-0x0000000070D9C000-memory.dmp

memory/1704-184-0x0000000007610000-0x00000000076B3000-memory.dmp

memory/1704-174-0x0000000070F20000-0x0000000071274000-memory.dmp

memory/1704-185-0x0000000007920000-0x0000000007931000-memory.dmp

memory/1704-186-0x0000000006130000-0x0000000006144000-memory.dmp

memory/4936-197-0x0000000006120000-0x0000000006474000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 3671d3cef0f78ac9d4b347a8ef874c50
SHA1 9a1bee8a8923944d1b23453c09ed6ebcd0eb1b3f
SHA256 b1ab3ad9328069bb6944817d77ca964cb07f055f2e16b177317236b5306faec5
SHA512 2e5d9bc4f74b2a2217dfbfa6988dd50d5f88223d43f47054c6ec2d7e215f4f70f86dab1b34d52f418597161aeec1da84e559ac0c03e32fa2fcba862aa6b3028e

memory/4936-199-0x0000000070D50000-0x0000000070D9C000-memory.dmp

memory/4936-200-0x00000000714A0000-0x00000000717F4000-memory.dmp

memory/4588-212-0x0000000000400000-0x0000000002B0D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/4588-220-0x0000000000400000-0x0000000002B0D000-memory.dmp

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/3788-225-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2984-227-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3788-228-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4588-231-0x0000000000400000-0x0000000002B0D000-memory.dmp

memory/2984-232-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4588-235-0x0000000000400000-0x0000000002B0D000-memory.dmp

memory/4588-239-0x0000000000400000-0x0000000002B0D000-memory.dmp

memory/2984-240-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4588-243-0x0000000000400000-0x0000000002B0D000-memory.dmp

memory/4588-247-0x0000000000400000-0x0000000002B0D000-memory.dmp

memory/4588-251-0x0000000000400000-0x0000000002B0D000-memory.dmp

memory/4588-255-0x0000000000400000-0x0000000002B0D000-memory.dmp

memory/4588-259-0x0000000000400000-0x0000000002B0D000-memory.dmp

memory/4588-263-0x0000000000400000-0x0000000002B0D000-memory.dmp

memory/4588-267-0x0000000000400000-0x0000000002B0D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-17 09:49

Reported

2024-05-17 09:52

Platform

win11-20240426-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5ccb6c4de0bd5bec2db56928399d568fff479931250c1de39edcc268564194e2.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\5ccb6c4de0bd5bec2db56928399d568fff479931250c1de39edcc268564194e2.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\5ccb6c4de0bd5bec2db56928399d568fff479931250c1de39edcc268564194e2.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\5ccb6c4de0bd5bec2db56928399d568fff479931250c1de39edcc268564194e2.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\5ccb6c4de0bd5bec2db56928399d568fff479931250c1de39edcc268564194e2.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2612 = "Bougainville Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-751 = "Tonga Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2142 = "Transbaikal Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-462 = "Afghanistan Standard Time" C:\Users\Admin\AppData\Local\Temp\5ccb6c4de0bd5bec2db56928399d568fff479931250c1de39edcc268564194e2.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-362 = "GTB Standard Time" C:\Users\Admin\AppData\Local\Temp\5ccb6c4de0bd5bec2db56928399d568fff479931250c1de39edcc268564194e2.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2142 = "Transbaikal Standard Time" C:\Users\Admin\AppData\Local\Temp\5ccb6c4de0bd5bec2db56928399d568fff479931250c1de39edcc268564194e2.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2491 = "Aus Central W. Daylight Time" C:\Users\Admin\AppData\Local\Temp\5ccb6c4de0bd5bec2db56928399d568fff479931250c1de39edcc268564194e2.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-452 = "Caucasus Standard Time" C:\Users\Admin\AppData\Local\Temp\5ccb6c4de0bd5bec2db56928399d568fff479931250c1de39edcc268564194e2.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-361 = "GTB Daylight Time" C:\Users\Admin\AppData\Local\Temp\5ccb6c4de0bd5bec2db56928399d568fff479931250c1de39edcc268564194e2.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2531 = "Chatham Islands Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2512 = "Lord Howe Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-31 = "Mid-Atlantic Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1801 = "Line Islands Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1862 = "Russia TZ 6 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2841 = "Saratov Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2492 = "Aus Central W. Standard Time" C:\Users\Admin\AppData\Local\Temp\5ccb6c4de0bd5bec2db56928399d568fff479931250c1de39edcc268564194e2.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-231 = "Hawaiian Daylight Time" C:\Users\Admin\AppData\Local\Temp\5ccb6c4de0bd5bec2db56928399d568fff479931250c1de39edcc268564194e2.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-601 = "Taipei Daylight Time" C:\Users\Admin\AppData\Local\Temp\5ccb6c4de0bd5bec2db56928399d568fff479931250c1de39edcc268564194e2.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-365 = "Middle East Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-385 = "Namibia Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2632 = "Norfolk Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2371 = "Easter Island Daylight Time" C:\Users\Admin\AppData\Local\Temp\5ccb6c4de0bd5bec2db56928399d568fff479931250c1de39edcc268564194e2.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-252 = "Dateline Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2571 = "Turks and Caicos Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1721 = "Libya Daylight Time" C:\Users\Admin\AppData\Local\Temp\5ccb6c4de0bd5bec2db56928399d568fff479931250c1de39edcc268564194e2.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2591 = "Tocantins Daylight Time" C:\Users\Admin\AppData\Local\Temp\5ccb6c4de0bd5bec2db56928399d568fff479931250c1de39edcc268564194e2.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1501 = "Turkey Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-449 = "Azerbaijan Standard Time" C:\Users\Admin\AppData\Local\Temp\5ccb6c4de0bd5bec2db56928399d568fff479931250c1de39edcc268564194e2.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-451 = "Caucasus Daylight Time" C:\Users\Admin\AppData\Local\Temp\5ccb6c4de0bd5bec2db56928399d568fff479931250c1de39edcc268564194e2.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-491 = "India Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1872 = "Russia TZ 7 Standard Time" C:\Windows\windefender.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2391 = "Aleutian Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2041 = "Eastern Daylight Time (Mexico)" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2511 = "Lord Howe Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2041 = "Eastern Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\5ccb6c4de0bd5bec2db56928399d568fff479931250c1de39edcc268564194e2.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-692 = "Tasmania Standard Time" C:\Users\Admin\AppData\Local\Temp\5ccb6c4de0bd5bec2db56928399d568fff479931250c1de39edcc268564194e2.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-72 = "Newfoundland Standard Time" C:\Windows\windefender.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5ccb6c4de0bd5bec2db56928399d568fff479931250c1de39edcc268564194e2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5ccb6c4de0bd5bec2db56928399d568fff479931250c1de39edcc268564194e2.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5ccb6c4de0bd5bec2db56928399d568fff479931250c1de39edcc268564194e2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5ccb6c4de0bd5bec2db56928399d568fff479931250c1de39edcc268564194e2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5ccb6c4de0bd5bec2db56928399d568fff479931250c1de39edcc268564194e2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5ccb6c4de0bd5bec2db56928399d568fff479931250c1de39edcc268564194e2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5ccb6c4de0bd5bec2db56928399d568fff479931250c1de39edcc268564194e2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5ccb6c4de0bd5bec2db56928399d568fff479931250c1de39edcc268564194e2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5ccb6c4de0bd5bec2db56928399d568fff479931250c1de39edcc268564194e2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5ccb6c4de0bd5bec2db56928399d568fff479931250c1de39edcc268564194e2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5ccb6c4de0bd5bec2db56928399d568fff479931250c1de39edcc268564194e2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5ccb6c4de0bd5bec2db56928399d568fff479931250c1de39edcc268564194e2.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5ccb6c4de0bd5bec2db56928399d568fff479931250c1de39edcc268564194e2.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\5ccb6c4de0bd5bec2db56928399d568fff479931250c1de39edcc268564194e2.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4160 wrote to memory of 3800 N/A C:\Users\Admin\AppData\Local\Temp\5ccb6c4de0bd5bec2db56928399d568fff479931250c1de39edcc268564194e2.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4160 wrote to memory of 3800 N/A C:\Users\Admin\AppData\Local\Temp\5ccb6c4de0bd5bec2db56928399d568fff479931250c1de39edcc268564194e2.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4160 wrote to memory of 3800 N/A C:\Users\Admin\AppData\Local\Temp\5ccb6c4de0bd5bec2db56928399d568fff479931250c1de39edcc268564194e2.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2436 wrote to memory of 3960 N/A C:\Users\Admin\AppData\Local\Temp\5ccb6c4de0bd5bec2db56928399d568fff479931250c1de39edcc268564194e2.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2436 wrote to memory of 3960 N/A C:\Users\Admin\AppData\Local\Temp\5ccb6c4de0bd5bec2db56928399d568fff479931250c1de39edcc268564194e2.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2436 wrote to memory of 3960 N/A C:\Users\Admin\AppData\Local\Temp\5ccb6c4de0bd5bec2db56928399d568fff479931250c1de39edcc268564194e2.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2436 wrote to memory of 4452 N/A C:\Users\Admin\AppData\Local\Temp\5ccb6c4de0bd5bec2db56928399d568fff479931250c1de39edcc268564194e2.exe C:\Windows\system32\cmd.exe
PID 2436 wrote to memory of 4452 N/A C:\Users\Admin\AppData\Local\Temp\5ccb6c4de0bd5bec2db56928399d568fff479931250c1de39edcc268564194e2.exe C:\Windows\system32\cmd.exe
PID 4452 wrote to memory of 4476 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4452 wrote to memory of 4476 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2436 wrote to memory of 564 N/A C:\Users\Admin\AppData\Local\Temp\5ccb6c4de0bd5bec2db56928399d568fff479931250c1de39edcc268564194e2.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2436 wrote to memory of 564 N/A C:\Users\Admin\AppData\Local\Temp\5ccb6c4de0bd5bec2db56928399d568fff479931250c1de39edcc268564194e2.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2436 wrote to memory of 564 N/A C:\Users\Admin\AppData\Local\Temp\5ccb6c4de0bd5bec2db56928399d568fff479931250c1de39edcc268564194e2.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2436 wrote to memory of 3828 N/A C:\Users\Admin\AppData\Local\Temp\5ccb6c4de0bd5bec2db56928399d568fff479931250c1de39edcc268564194e2.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2436 wrote to memory of 3828 N/A C:\Users\Admin\AppData\Local\Temp\5ccb6c4de0bd5bec2db56928399d568fff479931250c1de39edcc268564194e2.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2436 wrote to memory of 3828 N/A C:\Users\Admin\AppData\Local\Temp\5ccb6c4de0bd5bec2db56928399d568fff479931250c1de39edcc268564194e2.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2436 wrote to memory of 4084 N/A C:\Users\Admin\AppData\Local\Temp\5ccb6c4de0bd5bec2db56928399d568fff479931250c1de39edcc268564194e2.exe C:\Windows\rss\csrss.exe
PID 2436 wrote to memory of 4084 N/A C:\Users\Admin\AppData\Local\Temp\5ccb6c4de0bd5bec2db56928399d568fff479931250c1de39edcc268564194e2.exe C:\Windows\rss\csrss.exe
PID 2436 wrote to memory of 4084 N/A C:\Users\Admin\AppData\Local\Temp\5ccb6c4de0bd5bec2db56928399d568fff479931250c1de39edcc268564194e2.exe C:\Windows\rss\csrss.exe
PID 4084 wrote to memory of 4596 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4084 wrote to memory of 4596 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4084 wrote to memory of 4596 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4084 wrote to memory of 2324 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4084 wrote to memory of 2324 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4084 wrote to memory of 2324 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4084 wrote to memory of 3672 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4084 wrote to memory of 3672 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4084 wrote to memory of 3672 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4084 wrote to memory of 4768 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 4084 wrote to memory of 4768 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 3120 wrote to memory of 1248 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 3120 wrote to memory of 1248 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 3120 wrote to memory of 1248 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 1248 wrote to memory of 3076 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 1248 wrote to memory of 3076 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 1248 wrote to memory of 3076 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\5ccb6c4de0bd5bec2db56928399d568fff479931250c1de39edcc268564194e2.exe

"C:\Users\Admin\AppData\Local\Temp\5ccb6c4de0bd5bec2db56928399d568fff479931250c1de39edcc268564194e2.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\5ccb6c4de0bd5bec2db56928399d568fff479931250c1de39edcc268564194e2.exe

"C:\Users\Admin\AppData\Local\Temp\5ccb6c4de0bd5bec2db56928399d568fff479931250c1de39edcc268564194e2.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 0d866f25-6adc-44d6-8f6d-f2769db1336d.uuid.createupdate.org udp
US 8.8.8.8:53 stun1.l.google.com udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 server11.createupdate.org udp
US 74.125.250.129:19302 stun1.l.google.com udp
US 162.159.129.233:443 cdn.discordapp.com tcp
BG 185.82.216.104:443 server11.createupdate.org tcp
US 104.21.94.82:443 carsalessystem.com tcp
BG 185.82.216.104:443 server11.createupdate.org tcp
US 52.111.229.48:443 tcp
BG 185.82.216.104:443 server11.createupdate.org tcp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kkafekdf.wyi.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 d0c46cad6c0778401e21910bd6b56b70
SHA1 7be418951ea96326aca445b8dfe449b2bfa0dca6
SHA256 9600b3fdf0565ccb49e21656aa4b24d7c18f776bfd04d9ee984b134707550f02
SHA512 057531b468f7fbbb2175a696a8aab274dec0d17d9f71df309edcff35e064f3378050066a3df47ccd03048fac461594ec75e3d4fe64f9dd79949d129f51e02949

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 08b6893f73f0beca50430f8dcf9c7c60
SHA1 70cdb66dc4a550c4e9370f65f030de128499f34b
SHA256 9670cdf3390b4effc4d521bf67aeebb39d14192acd1ebf69885bd7820fb09260
SHA512 c934640b4e7417d641b4547b585e65cc663b34be7238679bc4fcec92c6327933c633c8879f4d8f252abd36da0e11bb6859c2771a087d97b5fe1e91cfa1adf699

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 a9f8a448ec54a0d62368a9056c04b083
SHA1 367107e1a4a221f393cba3e753b1fcc8e8f5b2e5
SHA256 f12988cef93220e80d7a7860a0e177354d7ff55a4883c68319cbb8dd3cbf8b10
SHA512 a39fe7bffe66173f327576e06483e89700e178ed1225902926f820b1a806c716cd63794eec55357eabcb98f72af5e68a2b667f27b2add0cdc0e8e740eaf7a93e

C:\Windows\rss\csrss.exe

MD5 dcac5135874f0b248b110e2c504d42d4
SHA1 83ae7d534d9d4f9d3dbf73995bd78e10b0f16463
SHA256 5ccb6c4de0bd5bec2db56928399d568fff479931250c1de39edcc268564194e2
SHA512 970cf1f87faa12b08d612a1a98ca021331f337e2151f055c2b47ffeb2b3b83362f7240196c65de1c85e667ab688006eb8e85b7e45bd0562516b54c8e9d930625

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 0daf18d489b58bbe072cf2d6a83cf7bc
SHA1 b431695e3c2f7ef71e9669a52d07d5e280ca6ea8
SHA256 1c9d9dc608991169c8fd2302748252b5b969b9474a32b1bdec211200083c6832
SHA512 4bb0a96bb4279fed3676f803e401f6829a5fa02fda72331e8d2f760735752e66b43ec8f5f603070c9eb6f7cda5b11f2b3169d481f32d9f2513a2c16b744ea08d

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 2fab12219c6319847da75c58a68fcbcb
SHA1 bb59fb909d3fbf454857f3813285ee02b0f9ccdc
SHA256 8a79411618126c0e9ac7d800653709bc60b4aedb15c8c923ac72721532c3970e
SHA512 eb94a6d8ea8b1e5f20d3923ccc77f307df532fea68886d60ced3d6e5a6889a89e3dcd01cd8dd2717b00d557d38a12e7097e6fcfcfc820533139b72d962c2bfd5

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 efc72cebd24fdc21c060cf73feaa66b1
SHA1 6340db8e18b3ba3e6e773a896850c4242e30af87
SHA256 052760098bde50c824a6d0547658ab07b7619d197f831a59445466eee9143eab
SHA512 35a5917cd92b3fade8879d095df044ca37c0090c8ce327fc367bb4aa866fb10f4f586fa12fd64800be0ed49cfff4d98c7efa7629858345cdf712f8c7d5ba81f9

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec
