Malware Analysis Report

2024-11-13 19:43

Sample ID 240517-lwchbach54
Target 8287d4dd6a452e7cc9c6b16e1355d90414c92eb73162765c592d11b1060e9cc9
SHA256 8287d4dd6a452e7cc9c6b16e1355d90414c92eb73162765c592d11b1060e9cc9
Tags
glupteba discovery dropper evasion execution loader persistence rootkit upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

8287d4dd6a452e7cc9c6b16e1355d90414c92eb73162765c592d11b1060e9cc9

Threat Level: Known bad

The file 8287d4dd6a452e7cc9c6b16e1355d90414c92eb73162765c592d11b1060e9cc9 was found to be: Known bad.

Malicious Activity Summary

glupteba discovery dropper evasion execution loader persistence rootkit upx

Glupteba

Glupteba payload

Modifies Windows Firewall

Executes dropped EXE

UPX packed file

Manipulates WinMonFS driver

Checks installed software on the system

Adds Run key to start application

Drops file in System32 directory

Checks for VirtualBox DLLs, possible anti-VM trick

Drops file in Windows directory

Launches sc.exe

Command and Scripting Interpreter: PowerShell

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

Modifies data under HKEY_USERS

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-17 09:52

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-17 09:52

Reported

2024-05-17 09:55

Platform

win10v2004-20240426-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8287d4dd6a452e7cc9c6b16e1355d90414c92eb73162765c592d11b1060e9cc9.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
(20 matches; the sandbox exported no description, indicator, process or target for any of them)

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Description Indicator Process Target
(6 matches; the sandbox exported no description, indicator, process or target for any of them)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\8287d4dd6a452e7cc9c6b16e1355d90414c92eb73162765c592d11b1060e9cc9.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A
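The Run value above, together with the two schtasks lines and the netsh line listed later under Processes, makes up the sample's autostart and firewall footprint: a binary named csrss.exe placed in C:\Windows\rss (the real csrss.exe lives in System32 and is started by smss.exe, never by a user process), a logon task that starts it with highest privileges, and an inbound firewall allow rule for the same binary. The Python below is an added example, not part of the sandbox report: it parses those records, copied from this page as its input, and lists why each one should be flagged. The system-directory list and the set of protected process names are illustrative assumptions, not data from the report.

```python
import re
import ntpath

# Records copied from this report: the Run value the sample writes and the
# schtasks / netsh command lines listed under Processes.
RECORDS = [
    ("run_value", r'"C:\Windows\rss\csrss.exe"'),
    ("cmdline", r'schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F'),
    ("cmdline", r'schtasks /delete /tn ScheduledUpdate /f'),
    ("cmdline", r'netsh advfirewall firewall add rule name="csrss" dir=in action=allow '
                r'program="C:\Windows\rss\csrss.exe" enable=yes'),
]

# Assumptions for illustration (not from the report): directories Windows keeps its own
# binaries in, and process names that only ever run from those directories.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\windows\\winsxs\\")
SYSTEM_PROCESS_NAMES = {"csrss.exe", "smss.exe", "wininit.exe", "winlogon.exe",
                        "services.exe", "lsass.exe", "svchost.exe"}

SCHTASKS_ARG = re.compile(r'/(?P<key>[A-Za-z]+)(?:\s+(?P<val>"[^"]*"|[^\s/]\S*))?')
KV_ARG = re.compile(r'(?P<key>\w+)=(?P<val>"[^"]*"|\S+)')


def unquote(s):
    return s[1:-1] if len(s) >= 2 and s[0] == s[-1] == '"' else s


def parse_schtasks(cmdline):
    """Map schtasks switches to their values; switches without a value (e.g. /F) map to True."""
    args = {}
    for m in SCHTASKS_ARG.finditer(cmdline):
        args[m.group("key").upper()] = unquote(m.group("val")) if m.group("val") else True
    return args


def parse_netsh_rule(cmdline):
    """Map the key=value arguments of 'netsh advfirewall firewall add rule'."""
    return {m.group("key").lower(): unquote(m.group("val")) for m in KV_ARG.finditer(cmdline)}


def path_findings(path):
    """Reasons an autostart or firewall target path is suspicious, as a list of strings."""
    p = path.lower()
    name = ntpath.basename(p)
    findings = []
    if name in SYSTEM_PROCESS_NAMES and not p.startswith(SYSTEM_DIRS):
        findings.append(f"{name} outside a system directory (masquerading)")
    if p.startswith("c:\\windows\\") and not p.startswith(SYSTEM_DIRS):
        findings.append("binary dropped under C:\\Windows outside System32/SysWOW64")
    if "\\appdata\\local\\temp\\" in p:
        findings.append("binary under a user Temp directory")
    return findings


def assess(records):
    """Return (kind, text, findings) for every record that produces at least one finding."""
    results = []
    for kind, text in records:
        findings = []
        if kind == "run_value":
            findings = path_findings(unquote(text))
            if findings:
                findings.insert(0, "autostart via HKCU Run value")
        elif kind == "cmdline":
            exe = ntpath.basename(text.split(None, 1)[0]).lower()
            if exe in ("schtasks", "schtasks.exe"):
                a = parse_schtasks(text)
                if "CREATE" in a:
                    findings.append(f"scheduled task {a.get('TN')!r} created, trigger {a.get('SC')}")
                    if str(a.get("RL", "")).upper() == "HIGHEST":
                        findings.append("task runs with highest privileges (/RL HIGHEST)")
                    if a.get("F") is True:
                        findings.append("/F silently replaces an existing task of that name")
                    if isinstance(a.get("TR"), str):
                        findings += path_findings(a["TR"])
                elif "DELETE" in a:
                    findings.append(f"scheduled task {a.get('TN')!r} deleted")
            elif exe in ("netsh", "netsh.exe") and " add rule" in text.lower():
                r = parse_netsh_rule(text)
                if r.get("action") == "allow":
                    findings.append(f"firewall allow rule {r.get('name')!r}, dir={r.get('dir')}")
                if r.get("program"):
                    findings += path_findings(r["program"])
        if findings:
            results.append((kind, text, findings))
    return results


if __name__ == "__main__":
    for kind, text, findings in assess(RECORDS):
        print(f"[{kind}] {text}")
        for f in findings:
            print(f"    - {f}")
```

On a live host the same three artefacts are checked with reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v csrss, schtasks /query /tn csrss /v and netsh advfirewall firewall show rule name=csrss. The schtasks parser accepts switches in either case and unquoted paths, which is how they usually arrive in 4688 or Sysmon process-creation events.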

Checks installed software on the system

discovery

Manipulates WinMonFS driver

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\8287d4dd6a452e7cc9c6b16e1355d90414c92eb73162765c592d11b1060e9cc9.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\8287d4dd6a452e7cc9c6b16e1355d90414c92eb73162765c592d11b1060e9cc9.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\8287d4dd6a452e7cc9c6b16e1355d90414c92eb73162765c592d11b1060e9cc9.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-42 = "E. South America Standard Time" C:\Users\Admin\AppData\Local\Temp\8287d4dd6a452e7cc9c6b16e1355d90414c92eb73162765c592d11b1060e9cc9.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2042 = "Eastern Standard Time (Mexico)" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1802 = "Line Islands Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2872 = "Magallanes Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1502 = "Turkey Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-162 = "Central Standard Time" C:\Users\Admin\AppData\Local\Temp\8287d4dd6a452e7cc9c6b16e1355d90414c92eb73162765c592d11b1060e9cc9.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1971 = "Belarus Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-334 = "Jordan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2391 = "Aleutian Daylight Time" C:\Users\Admin\AppData\Local\Temp\8287d4dd6a452e7cc9c6b16e1355d90414c92eb73162765c592d11b1060e9cc9.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-3141 = "South Sudan Daylight Time" C:\Users\Admin\AppData\Local\Temp\8287d4dd6a452e7cc9c6b16e1355d90414c92eb73162765c592d11b1060e9cc9.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-111 = "Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\8287d4dd6a452e7cc9c6b16e1355d90414c92eb73162765c592d11b1060e9cc9.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-981 = "Kamchatka Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1831 = "Russia TZ 2 Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2572 = "Turks and Caicos Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-391 = "Arab Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1022 = "Bangladesh Standard Time" C:\Users\Admin\AppData\Local\Temp\8287d4dd6a452e7cc9c6b16e1355d90414c92eb73162765c592d11b1060e9cc9.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-231 = "Hawaiian Daylight Time" C:\Users\Admin\AppData\Local\Temp\8287d4dd6a452e7cc9c6b16e1355d90414c92eb73162765c592d11b1060e9cc9.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-741 = "New Zealand Daylight Time" C:\Users\Admin\AppData\Local\Temp\8287d4dd6a452e7cc9c6b16e1355d90414c92eb73162765c592d11b1060e9cc9.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-82 = "Atlantic Standard Time" C:\Users\Admin\AppData\Local\Temp\8287d4dd6a452e7cc9c6b16e1355d90414c92eb73162765c592d11b1060e9cc9.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-742 = "New Zealand Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-3051 = "Qyzylorda Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-911 = "Mauritius Daylight Time" C:\Users\Admin\AppData\Local\Temp\8287d4dd6a452e7cc9c6b16e1355d90414c92eb73162765c592d11b1060e9cc9.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-651 = "AUS Central Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1661 = "Bahia Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-872 = "Pakistan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-291 = "Central European Daylight Time" C:\Users\Admin\AppData\Local\Temp\8287d4dd6a452e7cc9c6b16e1355d90414c92eb73162765c592d11b1060e9cc9.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-342 = "Egypt Standard Time" C:\Users\Admin\AppData\Local\Temp\8287d4dd6a452e7cc9c6b16e1355d90414c92eb73162765c592d11b1060e9cc9.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-912 = "Mauritius Standard Time" C:\Users\Admin\AppData\Local\Temp\8287d4dd6a452e7cc9c6b16e1355d90414c92eb73162765c592d11b1060e9cc9.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2631 = "Norfolk Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2772 = "Omsk Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-292 = "Central European Standard Time" C:\Users\Admin\AppData\Local\Temp\8287d4dd6a452e7cc9c6b16e1355d90414c92eb73162765c592d11b1060e9cc9.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-791 = "SA Western Daylight Time" C:\Users\Admin\AppData\Local\Temp\8287d4dd6a452e7cc9c6b16e1355d90414c92eb73162765c592d11b1060e9cc9.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-332 = "E. Europe Standard Time" C:\Users\Admin\AppData\Local\Temp\8287d4dd6a452e7cc9c6b16e1355d90414c92eb73162765c592d11b1060e9cc9.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2062 = "North Korea Standard Time" C:\Users\Admin\AppData\Local\Temp\8287d4dd6a452e7cc9c6b16e1355d90414c92eb73162765c592d11b1060e9cc9.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2771 = "Omsk Daylight Time" C:\Users\Admin\AppData\Local\Temp\8287d4dd6a452e7cc9c6b16e1355d90414c92eb73162765c592d11b1060e9cc9.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1801 = "Line Islands Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2341 = "Haiti Daylight Time" C:\Users\Admin\AppData\Local\Temp\8287d4dd6a452e7cc9c6b16e1355d90414c92eb73162765c592d11b1060e9cc9.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-661 = "Cen. Australia Daylight Time" C:\Windows\windefender.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8287d4dd6a452e7cc9c6b16e1355d90414c92eb73162765c592d11b1060e9cc9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8287d4dd6a452e7cc9c6b16e1355d90414c92eb73162765c592d11b1060e9cc9.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8287d4dd6a452e7cc9c6b16e1355d90414c92eb73162765c592d11b1060e9cc9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8287d4dd6a452e7cc9c6b16e1355d90414c92eb73162765c592d11b1060e9cc9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8287d4dd6a452e7cc9c6b16e1355d90414c92eb73162765c592d11b1060e9cc9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8287d4dd6a452e7cc9c6b16e1355d90414c92eb73162765c592d11b1060e9cc9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8287d4dd6a452e7cc9c6b16e1355d90414c92eb73162765c592d11b1060e9cc9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8287d4dd6a452e7cc9c6b16e1355d90414c92eb73162765c592d11b1060e9cc9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8287d4dd6a452e7cc9c6b16e1355d90414c92eb73162765c592d11b1060e9cc9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8287d4dd6a452e7cc9c6b16e1355d90414c92eb73162765c592d11b1060e9cc9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8287d4dd6a452e7cc9c6b16e1355d90414c92eb73162765c592d11b1060e9cc9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8287d4dd6a452e7cc9c6b16e1355d90414c92eb73162765c592d11b1060e9cc9.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\8287d4dd6a452e7cc9c6b16e1355d90414c92eb73162765c592d11b1060e9cc9.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\8287d4dd6a452e7cc9c6b16e1355d90414c92eb73162765c592d11b1060e9cc9.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2280 wrote to memory of 816 N/A C:\Users\Admin\AppData\Local\Temp\8287d4dd6a452e7cc9c6b16e1355d90414c92eb73162765c592d11b1060e9cc9.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2280 wrote to memory of 816 N/A C:\Users\Admin\AppData\Local\Temp\8287d4dd6a452e7cc9c6b16e1355d90414c92eb73162765c592d11b1060e9cc9.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2280 wrote to memory of 816 N/A C:\Users\Admin\AppData\Local\Temp\8287d4dd6a452e7cc9c6b16e1355d90414c92eb73162765c592d11b1060e9cc9.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1940 wrote to memory of 3704 N/A C:\Users\Admin\AppData\Local\Temp\8287d4dd6a452e7cc9c6b16e1355d90414c92eb73162765c592d11b1060e9cc9.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1940 wrote to memory of 3704 N/A C:\Users\Admin\AppData\Local\Temp\8287d4dd6a452e7cc9c6b16e1355d90414c92eb73162765c592d11b1060e9cc9.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1940 wrote to memory of 3704 N/A C:\Users\Admin\AppData\Local\Temp\8287d4dd6a452e7cc9c6b16e1355d90414c92eb73162765c592d11b1060e9cc9.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1940 wrote to memory of 3136 N/A C:\Users\Admin\AppData\Local\Temp\8287d4dd6a452e7cc9c6b16e1355d90414c92eb73162765c592d11b1060e9cc9.exe C:\Windows\windefender.exe
PID 1940 wrote to memory of 3136 N/A C:\Users\Admin\AppData\Local\Temp\8287d4dd6a452e7cc9c6b16e1355d90414c92eb73162765c592d11b1060e9cc9.exe C:\Windows\windefender.exe
PID 3136 wrote to memory of 1044 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\backgroundTaskHost.exe
PID 3136 wrote to memory of 1044 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\backgroundTaskHost.exe
PID 1940 wrote to memory of 1504 N/A C:\Users\Admin\AppData\Local\Temp\8287d4dd6a452e7cc9c6b16e1355d90414c92eb73162765c592d11b1060e9cc9.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1940 wrote to memory of 1504 N/A C:\Users\Admin\AppData\Local\Temp\8287d4dd6a452e7cc9c6b16e1355d90414c92eb73162765c592d11b1060e9cc9.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1940 wrote to memory of 1504 N/A C:\Users\Admin\AppData\Local\Temp\8287d4dd6a452e7cc9c6b16e1355d90414c92eb73162765c592d11b1060e9cc9.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1940 wrote to memory of 4668 N/A C:\Users\Admin\AppData\Local\Temp\8287d4dd6a452e7cc9c6b16e1355d90414c92eb73162765c592d11b1060e9cc9.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1940 wrote to memory of 4668 N/A C:\Users\Admin\AppData\Local\Temp\8287d4dd6a452e7cc9c6b16e1355d90414c92eb73162765c592d11b1060e9cc9.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1940 wrote to memory of 4668 N/A C:\Users\Admin\AppData\Local\Temp\8287d4dd6a452e7cc9c6b16e1355d90414c92eb73162765c592d11b1060e9cc9.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1940 wrote to memory of 4236 N/A C:\Users\Admin\AppData\Local\Temp\8287d4dd6a452e7cc9c6b16e1355d90414c92eb73162765c592d11b1060e9cc9.exe C:\Windows\rss\csrss.exe
PID 1940 wrote to memory of 4236 N/A C:\Users\Admin\AppData\Local\Temp\8287d4dd6a452e7cc9c6b16e1355d90414c92eb73162765c592d11b1060e9cc9.exe C:\Windows\rss\csrss.exe
PID 1940 wrote to memory of 4236 N/A C:\Users\Admin\AppData\Local\Temp\8287d4dd6a452e7cc9c6b16e1355d90414c92eb73162765c592d11b1060e9cc9.exe C:\Windows\rss\csrss.exe
PID 4236 wrote to memory of 3160 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4236 wrote to memory of 3160 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4236 wrote to memory of 3160 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4236 wrote to memory of 772 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4236 wrote to memory of 772 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4236 wrote to memory of 772 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4236 wrote to memory of 5108 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4236 wrote to memory of 5108 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4236 wrote to memory of 5108 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4236 wrote to memory of 2436 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 4236 wrote to memory of 2436 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 3624 wrote to memory of 2500 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 3624 wrote to memory of 2500 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 3624 wrote to memory of 2500 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 2500 wrote to memory of 1896 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 2500 wrote to memory of 1896 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 2500 wrote to memory of 1896 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
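The rows above only say which process wrote into which; the parent/child lineage has to be reconstructed from the PIDs, and the sandbox records each pair two or three times. As an added example that is not part of the report, the Python below does that reconstruction. Its input is the table above with the repeats removed, except for one deliberate duplicate of the first row to show that the parser collapses it. One row deserves a caveat the code makes explicit instead of hiding: PID 3136 is recorded as C:\Windows\windefender.exe when the sample writes to it and as C:\Windows\system32\cmd.exe when it writes to backgroundTaskHost.exe, which is either PID reuse within the run or a labelling difference in the sandbox; build_tree() keeps the first image it saw and reports the disagreement.

```python
import re
import ntpath
from collections import Counter, defaultdict

# Rows copied from the WriteProcessMemory table above. Each parent/child pair appears there
# two or three times; one copy of each is kept here, plus one deliberate repeat of the first row.
SANDBOX_ROWS = r"""
PID 2280 wrote to memory of 816 N/A C:\Users\Admin\AppData\Local\Temp\8287d4dd6a452e7cc9c6b16e1355d90414c92eb73162765c592d11b1060e9cc9.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2280 wrote to memory of 816 N/A C:\Users\Admin\AppData\Local\Temp\8287d4dd6a452e7cc9c6b16e1355d90414c92eb73162765c592d11b1060e9cc9.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1940 wrote to memory of 3704 N/A C:\Users\Admin\AppData\Local\Temp\8287d4dd6a452e7cc9c6b16e1355d90414c92eb73162765c592d11b1060e9cc9.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1940 wrote to memory of 3136 N/A C:\Users\Admin\AppData\Local\Temp\8287d4dd6a452e7cc9c6b16e1355d90414c92eb73162765c592d11b1060e9cc9.exe C:\Windows\windefender.exe
PID 3136 wrote to memory of 1044 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\backgroundTaskHost.exe
PID 1940 wrote to memory of 1504 N/A C:\Users\Admin\AppData\Local\Temp\8287d4dd6a452e7cc9c6b16e1355d90414c92eb73162765c592d11b1060e9cc9.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1940 wrote to memory of 4668 N/A C:\Users\Admin\AppData\Local\Temp\8287d4dd6a452e7cc9c6b16e1355d90414c92eb73162765c592d11b1060e9cc9.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1940 wrote to memory of 4236 N/A C:\Users\Admin\AppData\Local\Temp\8287d4dd6a452e7cc9c6b16e1355d90414c92eb73162765c592d11b1060e9cc9.exe C:\Windows\rss\csrss.exe
PID 4236 wrote to memory of 3160 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4236 wrote to memory of 772 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4236 wrote to memory of 5108 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4236 wrote to memory of 2436 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 3624 wrote to memory of 2500 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 2500 wrote to memory of 1896 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
"""

ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")


def parse_rows(text):
    """Unique (parent_pid, child_pid, parent_image, child_image) tuples, in first-seen order."""
    edges, seen = [], set()
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        edge = (int(m.group(1)), int(m.group(2)), m.group(3), m.group(4))
        if edge not in seen:
            seen.add(edge)
            edges.append(edge)
    return edges


def build_tree(edges):
    """Children per parent PID, image per PID, root PIDs, and PIDs seen with two different images."""
    children, image, conflicts = defaultdict(list), {}, []
    for ppid, pid, pimg, cimg in edges:
        children[ppid].append(pid)
        for p, img in ((ppid, pimg), (pid, cimg)):
            if p in image and image[p] != img:
                conflicts.append((p, image[p], img))   # e.g. PID 3136 in this report
            image.setdefault(p, img)
    child_pids = {pid for _, pid, _, _ in edges}
    roots = sorted(p for p in children if p not in child_pids)
    return {"children": dict(children), "image": image, "roots": roots, "conflicts": conflicts}


def render(tree, pid=None, depth=0, lines=None):
    """Indented text tree, one line per PID, walked depth-first from each root."""
    lines = [] if lines is None else lines
    if pid is None:
        for root in tree["roots"]:
            render(tree, root, 0, lines)
        return lines
    lines.append("  " * depth + f"{pid} {ntpath.basename(tree['image'][pid])}")
    for child in tree["children"].get(pid, []):
        render(tree, child, depth + 1, lines)
    return lines


def spawned(tree, image_name):
    """(parent_pid, child_pid) pairs whose child image has the given basename."""
    return sorted((ppid, pid) for ppid, kids in tree["children"].items() for pid in kids
                  if ntpath.basename(tree["image"][pid]).lower() == image_name.lower())


def child_image_counts(edges):
    """How many times each image (by basename) was started, across all parents."""
    return Counter(ntpath.basename(child).lower() for _, _, _, child in edges)


if __name__ == "__main__":
    tree = build_tree(parse_rows(SANDBOX_ROWS))
    print("\n".join(render(tree)))
    print("conflicts:", tree["conflicts"])
    print("powershell.exe started by:", sorted({ppid for ppid, _ in spawned(tree, "powershell.exe")}))
```

The tree shows two instances of the sample (PIDs 2280 and 1940) each starting powershell.exe; the second instance also starts C:\Windows\windefender.exe and C:\Windows\rss\csrss.exe, and csrss.exe in turn starts three more powershell.exe instances plus injector.exe, whose command line under Processes loads NtQuerySystemInformationHook.dll into taskmgr.exe, a user-mode hook of the API Task Manager uses to list processes. A separate windefender.exe (PID 3624) runs cmd.exe, which runs the sc.exe sdset call. Every powershell.exe child appears under Processes with only -nologo -noprofile, so whatever it ran was supplied on its standard input rather than the command line: process-creation auditing (Event 4688, Sysmon Event 1) alone will not show it, PowerShell script block logging (Event 4104) will.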

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\8287d4dd6a452e7cc9c6b16e1355d90414c92eb73162765c592d11b1060e9cc9.exe

"C:\Users\Admin\AppData\Local\Temp\8287d4dd6a452e7cc9c6b16e1355d90414c92eb73162765c592d11b1060e9cc9.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\8287d4dd6a452e7cc9c6b16e1355d90414c92eb73162765c592d11b1060e9cc9.exe

"C:\Users\Admin\AppData\Local\Temp\8287d4dd6a452e7cc9c6b16e1355d90414c92eb73162765c592d11b1060e9cc9.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

Network


Files


Analysis: behavioral2

Detonation Overview

Submitted

2024-05-17 09:52

Reported

2024-05-17 09:55

Platform

win11-20240426-en

Max time kernel

150s

Max time network

132s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8287d4dd6a452e7cc9c6b16e1355d90414c92eb73162765c592d11b1060e9cc9.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload


Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\8287d4dd6a452e7cc9c6b16e1355d90414c92eb73162765c592d11b1060e9cc9.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\8287d4dd6a452e7cc9c6b16e1355d90414c92eb73162765c592d11b1060e9cc9.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\8287d4dd6a452e7cc9c6b16e1355d90414c92eb73162765c592d11b1060e9cc9.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\8287d4dd6a452e7cc9c6b16e1355d90414c92eb73162765c592d11b1060e9cc9.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS


Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8287d4dd6a452e7cc9c6b16e1355d90414c92eb73162765c592d11b1060e9cc9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\8287d4dd6a452e7cc9c6b16e1355d90414c92eb73162765c592d11b1060e9cc9.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\8287d4dd6a452e7cc9c6b16e1355d90414c92eb73162765c592d11b1060e9cc9.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3652 wrote to memory of 1428 N/A C:\Users\Admin\AppData\Local\Temp\8287d4dd6a452e7cc9c6b16e1355d90414c92eb73162765c592d11b1060e9cc9.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3652 wrote to memory of 1428 N/A C:\Users\Admin\AppData\Local\Temp\8287d4dd6a452e7cc9c6b16e1355d90414c92eb73162765c592d11b1060e9cc9.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3652 wrote to memory of 1428 N/A C:\Users\Admin\AppData\Local\Temp\8287d4dd6a452e7cc9c6b16e1355d90414c92eb73162765c592d11b1060e9cc9.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2052 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\8287d4dd6a452e7cc9c6b16e1355d90414c92eb73162765c592d11b1060e9cc9.exe C:\Windows\System32\Conhost.exe
PID 2052 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\8287d4dd6a452e7cc9c6b16e1355d90414c92eb73162765c592d11b1060e9cc9.exe C:\Windows\System32\Conhost.exe
PID 2052 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\8287d4dd6a452e7cc9c6b16e1355d90414c92eb73162765c592d11b1060e9cc9.exe C:\Windows\System32\Conhost.exe
PID 2052 wrote to memory of 1092 N/A C:\Users\Admin\AppData\Local\Temp\8287d4dd6a452e7cc9c6b16e1355d90414c92eb73162765c592d11b1060e9cc9.exe C:\Windows\system32\cmd.exe
PID 2052 wrote to memory of 1092 N/A C:\Users\Admin\AppData\Local\Temp\8287d4dd6a452e7cc9c6b16e1355d90414c92eb73162765c592d11b1060e9cc9.exe C:\Windows\system32\cmd.exe
PID 1092 wrote to memory of 2752 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1092 wrote to memory of 2752 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2052 wrote to memory of 1748 N/A C:\Users\Admin\AppData\Local\Temp\8287d4dd6a452e7cc9c6b16e1355d90414c92eb73162765c592d11b1060e9cc9.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2052 wrote to memory of 1748 N/A C:\Users\Admin\AppData\Local\Temp\8287d4dd6a452e7cc9c6b16e1355d90414c92eb73162765c592d11b1060e9cc9.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2052 wrote to memory of 1748 N/A C:\Users\Admin\AppData\Local\Temp\8287d4dd6a452e7cc9c6b16e1355d90414c92eb73162765c592d11b1060e9cc9.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2052 wrote to memory of 3456 N/A C:\Users\Admin\AppData\Local\Temp\8287d4dd6a452e7cc9c6b16e1355d90414c92eb73162765c592d11b1060e9cc9.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2052 wrote to memory of 3456 N/A C:\Users\Admin\AppData\Local\Temp\8287d4dd6a452e7cc9c6b16e1355d90414c92eb73162765c592d11b1060e9cc9.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2052 wrote to memory of 3456 N/A C:\Users\Admin\AppData\Local\Temp\8287d4dd6a452e7cc9c6b16e1355d90414c92eb73162765c592d11b1060e9cc9.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2052 wrote to memory of 4548 N/A C:\Users\Admin\AppData\Local\Temp\8287d4dd6a452e7cc9c6b16e1355d90414c92eb73162765c592d11b1060e9cc9.exe C:\Windows\rss\csrss.exe
PID 2052 wrote to memory of 4548 N/A C:\Users\Admin\AppData\Local\Temp\8287d4dd6a452e7cc9c6b16e1355d90414c92eb73162765c592d11b1060e9cc9.exe C:\Windows\rss\csrss.exe
PID 2052 wrote to memory of 4548 N/A C:\Users\Admin\AppData\Local\Temp\8287d4dd6a452e7cc9c6b16e1355d90414c92eb73162765c592d11b1060e9cc9.exe C:\Windows\rss\csrss.exe
PID 4548 wrote to memory of 2876 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4548 wrote to memory of 2876 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4548 wrote to memory of 2876 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4548 wrote to memory of 1568 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4548 wrote to memory of 1568 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4548 wrote to memory of 1568 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4548 wrote to memory of 1892 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4548 wrote to memory of 1892 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4548 wrote to memory of 1892 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4548 wrote to memory of 1972 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 4548 wrote to memory of 1972 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 3648 wrote to memory of 4780 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 3648 wrote to memory of 4780 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 3648 wrote to memory of 4780 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 4780 wrote to memory of 2392 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 4780 wrote to memory of 2392 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 4780 wrote to memory of 2392 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
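The WriteProcessMemory rows above are, in effect, the sample's process tree: each parent/child pair is a CreateProcess with the sandbox logging one row per write. The script below, an editor's added example and not part of the sandbox report, rebuilds that tree from the distinct pairs in the table and applies three lineage rules a responder would check by hand: a core system image name outside System32/SysWOW64 (the `C:\Windows\rss\csrss.exe` masquerade), an executable sitting directly in `C:\Windows` (`windefender.exe`), and `csrss.exe` having children at all, which the real one never does. The allowlist of binaries that legitimately live in the Windows root is the editor's own short list.

```python
"""Rebuild the parent/child process tree from the WriteProcessMemory rows
above and flag the lineage a clean Windows 10 host should never show.
Added example by the editor, not part of the sandbox report: the rows are
copied from the table, the rules and the allowlist are the editor's."""
import ntpath
from collections import defaultdict

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\8287d4dd6a452e7cc9c6b16e1355d90414c92eb73162765c592d11b1060e9cc9.exe"
PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
CSRSS = r"C:\Windows\rss\csrss.exe"
INJECTOR = r"C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe"
WINDEF = r"C:\Windows\windefender.exe"
CMD32, CMD64 = r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\system32\cmd.exe"

# (parent pid, parent image, child pid, child image): the distinct pairs from
# the table; the sandbox logs one row per write, so each pair repeats there.
ROWS = [
    (3652, SAMPLE, 1428, PS),
    (2052, SAMPLE, 2968, r"C:\Windows\System32\Conhost.exe"),
    (2052, SAMPLE, 1092, CMD64),
    (1092, CMD64, 2752, r"C:\Windows\system32\netsh.exe"),
    (2052, SAMPLE, 1748, PS),
    (2052, SAMPLE, 3456, PS),
    (2052, SAMPLE, 4548, CSRSS),
    (4548, CSRSS, 2876, PS),
    (4548, CSRSS, 1568, PS),
    (4548, CSRSS, 1892, PS),
    (4548, CSRSS, 1972, INJECTOR),
    (3648, WINDEF, 4780, CMD32),
    (4780, CMD32, 2392, r"C:\Windows\SysWOW64\sc.exe"),
]

# Core binaries that only live in System32/SysWOW64 on a healthy host.
SYSTEM_ONLY = {"csrss.exe", "smss.exe", "wininit.exe", "winlogon.exe",
               "services.exe", "lsass.exe", "svchost.exe"}
# Of those, csrss.exe never creates child processes at all.
NO_CHILDREN = {"csrss.exe"}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# Editor's allowlist of executables that legitimately sit directly in C:\Windows.
WINDOWS_ROOT_OK = {"explorer.exe", "regedit.exe", "notepad.exe", "hh.exe",
                   "write.exe", "splwow64.exe", "bfsvc.exe", "winhlp32.exe"}


def build_tree(rows):
    """children[pid] -> ordered child pids (deduplicated); images[pid] -> path."""
    children, images = defaultdict(list), {}
    for ppid, pimg, cpid, cimg in rows:
        images.setdefault(ppid, pimg)
        images.setdefault(cpid, cimg)
        if cpid not in children[ppid]:
            children[ppid].append(cpid)
    return children, images


def triage(rows):
    """Apply the location and lineage rules; one finding string per hit."""
    children, images = build_tree(rows)
    findings = []
    for pid, image in images.items():
        name, folder = ntpath.basename(image).lower(), ntpath.dirname(image).lower()
        if name in SYSTEM_ONLY and folder not in SYSTEM_DIRS:
            findings.append(f"masquerade: pid {pid} {name} runs from {ntpath.dirname(image)}")
        if folder == r"c:\windows" and name not in WINDOWS_ROOT_OK:
            findings.append(f"unexpected binary in %SystemRoot%: pid {pid} {image}")
        if name in NO_CHILDREN and children.get(pid):
            kids = ", ".join(ntpath.basename(images[c]) for c in children[pid])
            findings.append(f"impossible parent: pid {pid} {name} spawned {kids}")
    return findings


def render(rows):
    """Indented tree, one root per pid that never appears as a child."""
    children, images = build_tree(rows)
    is_child = {c for kids in children.values() for c in kids}
    lines = []

    def walk(pid, depth):
        lines.append("  " * depth + f"{pid} {images[pid]}")
        for c in children.get(pid, []):
            walk(c, depth + 1)

    for root in sorted(p for p in images if p not in is_child):
        walk(root, 0)
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(ROWS))
    for finding in triage(ROWS):
        print("!!", finding)
```

Run as-is it prints three roots (the two sample instances and `windefender.exe`) and three findings, all on pid 4548 and pid 3648. The same rules transfer to Sysmon event 1 or EDR telemetry by replacing ROWS with (ParentProcessId, ParentImage, ProcessId, Image) tuples.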

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\8287d4dd6a452e7cc9c6b16e1355d90414c92eb73162765c592d11b1060e9cc9.exe

"C:\Users\Admin\AppData\Local\Temp\8287d4dd6a452e7cc9c6b16e1355d90414c92eb73162765c592d11b1060e9cc9.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\8287d4dd6a452e7cc9c6b16e1355d90414c92eb73162765c592d11b1060e9cc9.exe

"C:\Users\Admin\AppData\Local\Temp\8287d4dd6a452e7cc9c6b16e1355d90414c92eb73162765c592d11b1060e9cc9.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe
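Three of the command lines above carry the persistence and defence-evasion logic: the `netsh advfirewall` rule that opens inbound traffic to `C:\Windows\rss\csrss.exe`, the `schtasks /CREATE /SC ONLOGON /RL HIGHEST` task that relaunches the same binary elevated at every logon, and the `sc sdset WinDefender` call that rewrites the service's security descriptor. The SDDL string in that last command deserves decoding: `(D;;WPDT;;;BA)` is a deny ACE that strips SERVICE_STOP (`WP`) and SERVICE_PAUSE_CONTINUE (`DT`) from Builtin Administrators, so an admin running `sc stop WinDefender` or using services.msc gets Access Denied even though the allow ACE that follows still grants the rest. The script below, an editor's added example and not part of the sandbox report, parses the three lines as copied from the Processes section, decodes the SDDL with the Service Control Manager's mapping of the two-letter right codes, and correlates the findings. The alias and right tables are standard SDDL; the tokenizer and the triage rules are the editor's, and the SDDL parser covers the string-form subset used here (raw SIDs and hex masks pass through untranslated).

```python
"""Triage of the firewall rule, the logon task and the service-descriptor
rewrite recorded in the Processes section above. Added example by the
editor, not part of the sandbox report."""
import re

# The command lines copied from the Processes section (constructed list order).
NETSH = r'netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes'
SCHTASKS = r'schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F'
SCHTASKS_DELETE = r"schtasks /delete /tn ScheduledUpdate /f"
SC_SDSET = ("sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
            "(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)"
            "(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
COMMANDS = [NETSH, SCHTASKS, SCHTASKS_DELETE, SC_SDSET]

# SDDL right codes as the Service Control Manager interprets them for services.
SERVICE_RIGHTS = {
    "CC": "QUERY_CONFIG", "DC": "CHANGE_CONFIG", "LC": "QUERY_STATUS",
    "SW": "ENUMERATE_DEPENDENTS", "RP": "START", "WP": "STOP",
    "DT": "PAUSE_CONTINUE", "LO": "INTERROGATE", "CR": "USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}
SID_ALIASES = {"SY": "LocalSystem", "BA": "Administrators", "IU": "Interactive",
               "SU": "Service", "WD": "Everyone", "AU": "Authenticated Users"}
ACE_TYPES = {"A": "allow", "D": "deny", "AU": "audit", "AL": "alarm"}
TOKEN = re.compile(r'(?:[^\s"]+|"[^"]*")+')  # whitespace split that keeps "..." intact


def win_tokens(cmdline):
    """Split a Windows command line on whitespace, honouring double quotes."""
    return [t.replace('"', "") for t in TOKEN.findall(cmdline)]


def parse_sddl_aces(sddl):
    """Return (section, type, [right codes], trustee) for each ACE in the D: and S: lists."""
    aces = []
    for section, body in re.findall(r"([DS]):[A-Z]*((?:\([^)]*\))+)", sddl):
        for ace in re.findall(r"\(([^)]*)\)", body):
            kind, _flags, rights, _otype, _itype, trustee = ace.split(";")[:6]
            codes = [rights] if rights.startswith("0x") else [rights[i:i + 2] for i in range(0, len(rights), 2)]
            aces.append((section, ACE_TYPES.get(kind, kind), codes, SID_ALIASES.get(trustee, trustee)))
    return aces


def service_lockdown(cmdline):
    """For 'sc sdset <service> <sddl>' return (service, [(trustee, [denied rights])])."""
    t = win_tokens(cmdline)
    if len(t) < 4 or [x.lower() for x in t[:2]] != ["sc", "sdset"]:
        return None
    denied = [(who, [SERVICE_RIGHTS.get(c, c) for c in codes])
              for section, kind, codes, who in parse_sddl_aces(t[3])
              if section == "D" and kind == "deny"]
    return t[2], denied


def firewall_allow_target(cmdline):
    """Program granted an inbound allow rule by 'netsh advfirewall firewall add rule'."""
    t = win_tokens(cmdline)
    if [x.lower() for x in t[:5]] != ["netsh", "advfirewall", "firewall", "add", "rule"]:
        return None
    kv = {k.lower(): v for k, v in (x.split("=", 1) for x in t[5:] if "=" in x)}
    if kv.get("action", "").lower() == "allow" and kv.get("dir", "in").lower() == "in":
        return kv.get("program")
    return None


def schtasks_persistence(cmdline):
    """Task name, command and privilege level from a 'schtasks /CREATE' line, else None."""
    t = win_tokens(cmdline)
    if not t or t[0].lower() not in ("schtasks", "schtasks.exe") or "/create" not in (x.lower() for x in t):
        return None
    opts = {t[i].upper(): t[i + 1] for i in range(1, len(t) - 1)
            if t[i].startswith("/") and not t[i + 1].startswith("/")}
    return {"name": opts.get("/TN"), "program": opts.get("/TR"),
            "trigger": opts.get("/SC", "").upper(), "elevated": opts.get("/RL", "").upper() == "HIGHEST"}


def triage_commands(cmdlines):
    """Correlate the three techniques and return one finding string per hit."""
    findings, tasks, allowed = [], {}, set()
    for cl in cmdlines:
        lock = service_lockdown(cl)
        if lock:
            for who, rights in lock[1]:
                if who == "Administrators" and {"STOP", "PAUSE_CONTINUE"} & set(rights):
                    findings.append(f"service {lock[0]}: Administrators denied {'/'.join(rights)} "
                                    "(cannot be stopped or paused through the SCM)")
        task = schtasks_persistence(cl)
        if task and task["program"]:
            tasks[task["program"].lower()] = task
        prog = firewall_allow_target(cl)
        if prog:
            allowed.add(prog.lower())
    for key, task in tasks.items():
        msg = f"task {task['name']}: {task['trigger']} autorun of {task['program']}, elevated={task['elevated']}"
        if key in allowed:
            msg += ", same binary has an inbound firewall allow rule"
        findings.append(msg)
    return findings


if __name__ == "__main__":
    for line in triage_commands(COMMANDS):
        print(line)
```

The `schtasks /delete /tn ScheduledUpdate /f` line is included to show that a delete is ignored rather than mis-read as persistence. On a live host the same descriptor is recovered with `sc sdshow WinDefender`; a deny ACE for `BA` on `WP`/`DT` is the tell, and `sc sdset` with a descriptor lacking that ACE (run as SYSTEM, since the rewrite also reserved `WD`/`WO` for admins) restores control before the service is stopped and the `C:\Windows\windefender.exe` binary removed.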

Network

Country Destination Domain Proto
US 8.8.8.8:53 4aac72b9-845b-4487-b176-e76554246de0.uuid.statsexplorer.org udp
US 8.8.8.8:53 server9.statsexplorer.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 74.125.250.129:19302 stun2.l.google.com udp
BG 185.82.216.108:443 server9.statsexplorer.org tcp
US 172.67.221.71:443 carsalessystem.com tcp
BG 185.82.216.108:443 server9.statsexplorer.org tcp
BG 185.82.216.108:443 server9.statsexplorer.org tcp

Files

memory/3652-1-0x0000000004860000-0x0000000004C64000-memory.dmp

memory/3652-2-0x0000000004C70000-0x000000000555B000-memory.dmp

memory/3652-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1428-4-0x000000007488E000-0x000000007488F000-memory.dmp

memory/1428-5-0x0000000003270000-0x00000000032A6000-memory.dmp

memory/1428-7-0x0000000074880000-0x0000000075031000-memory.dmp

memory/1428-8-0x0000000074880000-0x0000000075031000-memory.dmp

memory/1428-11-0x0000000006200000-0x0000000006266000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ukhntzpb.0d4.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1428-20-0x0000000006300000-0x0000000006657000-memory.dmp

memory/1428-10-0x0000000006190000-0x00000000061F6000-memory.dmp

memory/1428-9-0x00000000059A0000-0x00000000059C2000-memory.dmp

memory/1428-21-0x0000000006750000-0x000000000676E000-memory.dmp

memory/1428-22-0x0000000006790000-0x00000000067DC000-memory.dmp

memory/1428-6-0x0000000005AF0000-0x000000000611A000-memory.dmp

memory/1428-23-0x0000000006D00000-0x0000000006D46000-memory.dmp

memory/1428-24-0x0000000007B80000-0x0000000007BB4000-memory.dmp

memory/1428-36-0x0000000074880000-0x0000000075031000-memory.dmp

memory/1428-35-0x0000000007BC0000-0x0000000007BDE000-memory.dmp

memory/1428-37-0x0000000007BE0000-0x0000000007C84000-memory.dmp

memory/1428-26-0x0000000070C70000-0x0000000070FC7000-memory.dmp

memory/1428-25-0x0000000070AF0000-0x0000000070B3C000-memory.dmp

memory/1428-38-0x0000000074880000-0x0000000075031000-memory.dmp

memory/1428-40-0x0000000007D10000-0x0000000007D2A000-memory.dmp

memory/1428-41-0x0000000007D50000-0x0000000007D5A000-memory.dmp

memory/1428-39-0x0000000008350000-0x00000000089CA000-memory.dmp

memory/1428-42-0x0000000007E60000-0x0000000007EF6000-memory.dmp

memory/1428-43-0x0000000007D70000-0x0000000007D81000-memory.dmp

memory/1428-44-0x0000000007DC0000-0x0000000007DCE000-memory.dmp

memory/1428-45-0x0000000007DD0000-0x0000000007DE5000-memory.dmp

memory/1428-46-0x0000000007E20000-0x0000000007E3A000-memory.dmp

memory/1428-47-0x0000000007E40000-0x0000000007E48000-memory.dmp

memory/1428-50-0x0000000074880000-0x0000000075031000-memory.dmp

memory/3652-52-0x0000000000400000-0x0000000002B0D000-memory.dmp

memory/2968-61-0x0000000005940000-0x0000000005C97000-memory.dmp

memory/3652-62-0x0000000004860000-0x0000000004C64000-memory.dmp

memory/3652-63-0x0000000004C70000-0x000000000555B000-memory.dmp

memory/2968-74-0x00000000070E0000-0x0000000007184000-memory.dmp

memory/2968-65-0x0000000070D00000-0x0000000071057000-memory.dmp

memory/2968-64-0x0000000070AF0000-0x0000000070B3C000-memory.dmp

memory/2968-75-0x0000000007410000-0x0000000007421000-memory.dmp

memory/2968-76-0x0000000007460000-0x0000000007475000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 d0c46cad6c0778401e21910bd6b56b70
SHA1 7be418951ea96326aca445b8dfe449b2bfa0dca6
SHA256 9600b3fdf0565ccb49e21656aa4b24d7c18f776bfd04d9ee984b134707550f02
SHA512 057531b468f7fbbb2175a696a8aab274dec0d17d9f71df309edcff35e064f3378050066a3df47ccd03048fac461594ec75e3d4fe64f9dd79949d129f51e02949

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 d8c89e796d5e9a9ec73b6eae1782eec4
SHA1 6ca424614b186c6d0ba489fd070a78dc14ec9fdd
SHA256 009860c0c1e74f3f40d35be87336bb2d17fd11c964721d1faa6277d38b0ef865
SHA512 9864c40b2c8c6326bf872b4103309178cc1b550d6a2d307732ae0a538727054c10b7ec9e119dff7725c93e00b56d4ff5f3b2bdbaa51d3db4ddbb15f4c5ba5c73

memory/1748-89-0x0000000070AF0000-0x0000000070B3C000-memory.dmp

memory/1748-90-0x0000000070D00000-0x0000000071057000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 e77a6c98573bf283f3325715362abc8c
SHA1 a7ec07e3a41c81232ddd1488e8f6c536d5cbcd76
SHA256 da34e8e9bcfd05c4aeab9f627da419268e9abab6c9db005d540725c1b1798eb7
SHA512 1b5fa85ee1b95761c82b7bb24e2150d39bd606c3c92bad224253ffd0cce18ecdafbca26a61e37f4628179d409ce3899b2901c38c47f0d47ee544ca8d07672dcd

memory/3456-110-0x0000000070C70000-0x0000000070FC7000-memory.dmp

memory/3456-109-0x0000000070AF0000-0x0000000070B3C000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 1b451c23c714be51b4bdd1d27b1e8307
SHA1 9fab14ee69e21c2e979195aebb70e4a655ef6a38
SHA256 178d39455bb3ebbee38ee967eec9d7b037cf3800432fb7e9d50bdfb7d324ab9f
SHA512 ae00323d69c83a511c9c3c33bb78f0e69eba66f3a180b1055b337844786026da70ab77fbde0899207f179b5aa353d6cafa8d8bbf18820b2884b679cc26821e2f

memory/3652-127-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2052-126-0x0000000000400000-0x0000000002B0D000-memory.dmp

memory/2876-136-0x00000000054B0000-0x0000000005807000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 6bd8577bb720f280e2c3642f10d83792
SHA1 290540d76c5a721a3b6a556619775c5e0cfac6bf
SHA256 b6748b74ea85e6b8beb78407d954055b4d3ff4b97b95bea7744f1849a71cd946
SHA512 fd56097ec846082b8a76bd7fd6ca193c51367e1e8abf0ba9d162258b7b7c89dff42ff953da616bf6bff0fde4cbccbfe9cab2ea7dc097382467fd242597397688

memory/2876-139-0x0000000070D20000-0x0000000071077000-memory.dmp

memory/2876-138-0x0000000070AF0000-0x0000000070B3C000-memory.dmp

memory/1568-157-0x0000000006220000-0x0000000006577000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 6fcb9c85b5fa7eb4cde718ad9e4ad130
SHA1 91309a69ff38efc9f6ceda6938f4b8f0288a382e
SHA256 12095ba98ad3c182ee05fba209a41242a55ef1d9febe6438b82690584da073f4
SHA512 e1bf0f17f122eeb2ec6c7892a542cead8c967eb80ca4eb172ee072a9226bd31040573043a67934d00af77b9b541f7a07c881ce3ee12bd57fdab7273279f26ac0

memory/1568-159-0x0000000006D00000-0x0000000006D4C000-memory.dmp

memory/1568-161-0x0000000070C80000-0x0000000070FD7000-memory.dmp

memory/1568-170-0x0000000007A00000-0x0000000007AA4000-memory.dmp

memory/1568-160-0x0000000070A10000-0x0000000070A5C000-memory.dmp

memory/1568-171-0x0000000007D50000-0x0000000007D61000-memory.dmp

memory/1568-172-0x00000000065A0000-0x00000000065B5000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 484af7734e829782554deb7cb8a191f2
SHA1 84c6ff093776af7138dc579538e16074b4e5db4a
SHA256 e5305aab1fd40ee389082d42584fc384aa440d870de3e77ed438e3a563f31418
SHA512 185b2fe75a08b18611337466d0f5e8a6de25a71734d889b3251e35ace7f5f6678754ad049dbdfdfa91932072fd5ba3a5ad03845c5da56be79fd2828d11abd11b

memory/1892-182-0x0000000005640000-0x0000000005997000-memory.dmp

memory/1892-184-0x0000000070A10000-0x0000000070A5C000-memory.dmp

memory/1892-185-0x0000000070B90000-0x0000000070EE7000-memory.dmp

memory/4548-197-0x0000000000400000-0x0000000002B0D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/3648-208-0x0000000000400000-0x00000000008DF000-memory.dmp

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/3648-212-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4212-210-0x0000000000400000-0x00000000008DF000-memory.dmp

C:\Windows\windefender.exe

MD5 e5c48e630471a2a8233eed664210e0bb
SHA1 1c87c02ccf2b03638968f9eea31a6c06a350fc73
SHA256 f2c7e0fa825c1fe91de816ee47185ce98c7769492cab8d72db6631ecfad64f7e
SHA512 0a330c2a352425d16567377f8495f1937e4786ec023bb971c6eee8a5ee5360b43ec3aab8b61d3c77386794976dbf6d3219400b307239350b4030433a5417499b

memory/4548-214-0x0000000000400000-0x0000000002B0D000-memory.dmp

memory/4212-218-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4548-217-0x0000000000400000-0x0000000002B0D000-memory.dmp

memory/4548-221-0x0000000000400000-0x0000000002B0D000-memory.dmp

memory/4212-226-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4548-225-0x0000000000400000-0x0000000002B0D000-memory.dmp

memory/4548-228-0x0000000000400000-0x0000000002B0D000-memory.dmp

memory/4548-234-0x0000000000400000-0x0000000002B0D000-memory.dmp

memory/4548-237-0x0000000000400000-0x0000000002B0D000-memory.dmp

memory/4548-241-0x0000000000400000-0x0000000002B0D000-memory.dmp

memory/4548-245-0x0000000000400000-0x0000000002B0D000-memory.dmp

memory/4548-248-0x0000000000400000-0x0000000002B0D000-memory.dmp

memory/4548-254-0x0000000000400000-0x0000000002B0D000-memory.dmp