Malware Analysis Report

2024-11-13 19:42

Sample ID 240517-qm8avaad5z
Target cae05fd96fdee4b74ff7249eb61f8eaf4bced560ebd4a9092405fce0bde8a63c
SHA256 cae05fd96fdee4b74ff7249eb61f8eaf4bced560ebd4a9092405fce0bde8a63c
Tags
glupteba discovery dropper evasion execution loader persistence rootkit upx
score
10/10


Analysis Overview

score
10/10

SHA256

cae05fd96fdee4b74ff7249eb61f8eaf4bced560ebd4a9092405fce0bde8a63c

Threat Level: Known bad

The file cae05fd96fdee4b74ff7249eb61f8eaf4bced560ebd4a9092405fce0bde8a63c was found to be: Known bad.

Malicious Activity Summary

glupteba discovery dropper evasion execution loader persistence rootkit upx

Glupteba

Glupteba payload

Modifies Windows Firewall

UPX packed file

Executes dropped EXE

Manipulates WinMonFS driver.

Adds Run key to start application

Checks installed software on the system

Drops file in System32 directory

Launches sc.exe

Drops file in Windows directory

Checks for VirtualBox DLLs, possible anti-VM trick

Program crash

Command and Scripting Interpreter: PowerShell

Modifies data under HKEY_USERS

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-17 13:23

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-17 13:23

Reported

2024-05-17 13:26

Platform

win11-20240426-en

Max time kernel

149s

Max time network

138s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cae05fd96fdee4b74ff7249eb61f8eaf4bced560ebd4a9092405fce0bde8a63c.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target Hits
N/A N/A N/A N/A 17

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Description Indicator Process Target Hits
N/A N/A N/A N/A 6

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2994005945-4089876968-1367784197-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\cae05fd96fdee4b74ff7249eb61f8eaf4bced560ebd4a9092405fce0bde8a63c.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2994005945-4089876968-1367784197-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target Hits
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A 1
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A 1
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A 5

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\cae05fd96fdee4b74ff7249eb61f8eaf4bced560ebd4a9092405fce0bde8a63c.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\cae05fd96fdee4b74ff7249eb61f8eaf4bced560ebd4a9092405fce0bde8a63c.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\cae05fd96fdee4b74ff7249eb61f8eaf4bced560ebd4a9092405fce0bde8a63c.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-111 = "Eastern Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-391 = "Arab Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-92 = "Pacific SA Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-961 = "Paraguay Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2842 = "Saratov Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2511 = "Lord Howe Daylight Time" C:\Users\Admin\AppData\Local\Temp\cae05fd96fdee4b74ff7249eb61f8eaf4bced560ebd4a9092405fce0bde8a63c.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2611 = "Bougainville Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-331 = "E. Europe Daylight Time" C:\Users\Admin\AppData\Local\Temp\cae05fd96fdee4b74ff7249eb61f8eaf4bced560ebd4a9092405fce0bde8a63c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-434 = "Georgian Daylight Time" C:\Users\Admin\AppData\Local\Temp\cae05fd96fdee4b74ff7249eb61f8eaf4bced560ebd4a9092405fce0bde8a63c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-92 = "Pacific SA Standard Time" C:\Users\Admin\AppData\Local\Temp\cae05fd96fdee4b74ff7249eb61f8eaf4bced560ebd4a9092405fce0bde8a63c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-241 = "Samoa Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-912 = "Mauritius Standard Time" C:\Users\Admin\AppData\Local\Temp\cae05fd96fdee4b74ff7249eb61f8eaf4bced560ebd4a9092405fce0bde8a63c.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2491 = "Aus Central W. Daylight Time" C:\Users\Admin\AppData\Local\Temp\cae05fd96fdee4b74ff7249eb61f8eaf4bced560ebd4a9092405fce0bde8a63c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-251 = "Dateline Daylight Time" C:\Users\Admin\AppData\Local\Temp\cae05fd96fdee4b74ff7249eb61f8eaf4bced560ebd4a9092405fce0bde8a63c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1892 = "Russia TZ 3 Standard Time" C:\Users\Admin\AppData\Local\Temp\cae05fd96fdee4b74ff7249eb61f8eaf4bced560ebd4a9092405fce0bde8a63c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-122 = "SA Pacific Standard Time" C:\Users\Admin\AppData\Local\Temp\cae05fd96fdee4b74ff7249eb61f8eaf4bced560ebd4a9092405fce0bde8a63c.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1022 = "Bangladesh Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2321 = "Sakhalin Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-491 = "India Daylight Time" C:\Users\Admin\AppData\Local\Temp\cae05fd96fdee4b74ff7249eb61f8eaf4bced560ebd4a9092405fce0bde8a63c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1861 = "Russia TZ 6 Daylight Time" C:\Users\Admin\AppData\Local\Temp\cae05fd96fdee4b74ff7249eb61f8eaf4bced560ebd4a9092405fce0bde8a63c.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2771 = "Omsk Daylight Time" C:\Users\Admin\AppData\Local\Temp\cae05fd96fdee4b74ff7249eb61f8eaf4bced560ebd4a9092405fce0bde8a63c.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2572 = "Turks and Caicos Standard Time" C:\Users\Admin\AppData\Local\Temp\cae05fd96fdee4b74ff7249eb61f8eaf4bced560ebd4a9092405fce0bde8a63c.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-82 = "Atlantic Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-91 = "Pacific SA Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1862 = "Russia TZ 6 Standard Time" C:\Users\Admin\AppData\Local\Temp\cae05fd96fdee4b74ff7249eb61f8eaf4bced560ebd4a9092405fce0bde8a63c.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-442 = "Arabian Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2591 = "Tocantins Daylight Time" C:\Users\Admin\AppData\Local\Temp\cae05fd96fdee4b74ff7249eb61f8eaf4bced560ebd4a9092405fce0bde8a63c.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-215 = "Pacific Standard Time (Mexico)" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2392 = "Aleutian Standard Time" C:\Users\Admin\AppData\Local\Temp\cae05fd96fdee4b74ff7249eb61f8eaf4bced560ebd4a9092405fce0bde8a63c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-771 = "Montevideo Daylight Time" C:\Users\Admin\AppData\Local\Temp\cae05fd96fdee4b74ff7249eb61f8eaf4bced560ebd4a9092405fce0bde8a63c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1471 = "Magadan Daylight Time" C:\Users\Admin\AppData\Local\Temp\cae05fd96fdee4b74ff7249eb61f8eaf4bced560ebd4a9092405fce0bde8a63c.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-104 = "Central Brazilian Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1802 = "Line Islands Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-442 = "Arabian Standard Time" C:\Users\Admin\AppData\Local\Temp\cae05fd96fdee4b74ff7249eb61f8eaf4bced560ebd4a9092405fce0bde8a63c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-335 = "Jordan Standard Time" C:\Users\Admin\AppData\Local\Temp\cae05fd96fdee4b74ff7249eb61f8eaf4bced560ebd4a9092405fce0bde8a63c.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-171 = "Central Daylight Time (Mexico)" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-191 = "Mountain Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2571 = "Turks and Caicos Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2891 = "Sudan Daylight Time" C:\Users\Admin\AppData\Local\Temp\cae05fd96fdee4b74ff7249eb61f8eaf4bced560ebd4a9092405fce0bde8a63c.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-621 = "Korea Daylight Time" C:\Users\Admin\AppData\Local\Temp\cae05fd96fdee4b74ff7249eb61f8eaf4bced560ebd4a9092405fce0bde8a63c.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target Hits
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A 14
N/A N/A C:\Users\Admin\AppData\Local\Temp\cae05fd96fdee4b74ff7249eb61f8eaf4bced560ebd4a9092405fce0bde8a63c.exe N/A 12
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A 32
N/A N/A C:\Windows\rss\csrss.exe N/A 6

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target Hits
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A 7
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\cae05fd96fdee4b74ff7249eb61f8eaf4bced560ebd4a9092405fce0bde8a63c.exe N/A 1
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\cae05fd96fdee4b74ff7249eb61f8eaf4bced560ebd4a9092405fce0bde8a63c.exe N/A 1
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A 1
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A 2

Suspicious use of WriteProcessMemory

Description Indicator Process Target Hits
PID 3088 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\cae05fd96fdee4b74ff7249eb61f8eaf4bced560ebd4a9092405fce0bde8a63c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 3
PID 1868 wrote to memory of 956 N/A C:\Users\Admin\AppData\Local\Temp\cae05fd96fdee4b74ff7249eb61f8eaf4bced560ebd4a9092405fce0bde8a63c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 3
PID 1868 wrote to memory of 1416 N/A C:\Users\Admin\AppData\Local\Temp\cae05fd96fdee4b74ff7249eb61f8eaf4bced560ebd4a9092405fce0bde8a63c.exe C:\Windows\system32\cmd.exe 2
PID 1416 wrote to memory of 3916 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe 2
PID 1868 wrote to memory of 4704 N/A C:\Users\Admin\AppData\Local\Temp\cae05fd96fdee4b74ff7249eb61f8eaf4bced560ebd4a9092405fce0bde8a63c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 3
PID 1868 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\cae05fd96fdee4b74ff7249eb61f8eaf4bced560ebd4a9092405fce0bde8a63c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 3
PID 1868 wrote to memory of 3268 N/A C:\Users\Admin\AppData\Local\Temp\cae05fd96fdee4b74ff7249eb61f8eaf4bced560ebd4a9092405fce0bde8a63c.exe C:\Windows\rss\csrss.exe 3
PID 3268 wrote to memory of 2864 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 3
PID 3268 wrote to memory of 1384 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 3
PID 3268 wrote to memory of 3392 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 3
PID 3268 wrote to memory of 4788 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe 2
PID 3420 wrote to memory of 3380 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe 3
PID 3380 wrote to memory of 5064 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe 3

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\cae05fd96fdee4b74ff7249eb61f8eaf4bced560ebd4a9092405fce0bde8a63c.exe

"C:\Users\Admin\AppData\Local\Temp\cae05fd96fdee4b74ff7249eb61f8eaf4bced560ebd4a9092405fce0bde8a63c.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\cae05fd96fdee4b74ff7249eb61f8eaf4bced560ebd4a9092405fce0bde8a63c.exe

"C:\Users\Admin\AppData\Local\Temp\cae05fd96fdee4b74ff7249eb61f8eaf4bced560ebd4a9092405fce0bde8a63c.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3088 -ip 3088

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3088 -s 756

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 814b6c2d-07df-48b7-8dc0-a680d9106126.uuid.theupdatetime.org udp
US 8.8.8.8:53 stun.sipgate.net udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 3.33.249.248:3478 stun.sipgate.net udp
BG 185.82.216.108:443 server4.theupdatetime.org tcp
US 162.159.133.233:443 cdn.discordapp.com tcp
US 104.21.94.82:443 carsalessystem.com tcp
US 8.8.8.8:53 udp
IE 52.111.236.21:443 tcp
BG 185.82.216.108:443 server4.theupdatetime.org tcp
BG 185.82.216.108:443 server4.theupdatetime.org tcp

Files

memory/3088-1-0x00000000048C0000-0x0000000004CC1000-memory.dmp

memory/3088-2-0x0000000004CD0000-0x00000000055BB000-memory.dmp

memory/3088-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2792-4-0x000000007463E000-0x000000007463F000-memory.dmp

memory/2792-5-0x0000000004F70000-0x0000000004FA6000-memory.dmp

memory/2792-6-0x00000000055E0000-0x0000000005C0A000-memory.dmp

memory/2792-7-0x0000000074630000-0x0000000074DE1000-memory.dmp

memory/2792-8-0x0000000005C90000-0x0000000005CB2000-memory.dmp

memory/2792-9-0x0000000005E30000-0x0000000005E96000-memory.dmp

memory/2792-10-0x0000000005EA0000-0x0000000005F06000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_twitsyg1.o3z.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2792-20-0x0000000005FD0000-0x0000000006327000-memory.dmp

memory/2792-19-0x0000000074630000-0x0000000074DE1000-memory.dmp

memory/2792-21-0x0000000006410000-0x000000000642E000-memory.dmp

memory/2792-22-0x0000000006460000-0x00000000064AC000-memory.dmp

memory/2792-23-0x0000000006860000-0x00000000068A6000-memory.dmp

memory/2792-25-0x0000000007840000-0x0000000007874000-memory.dmp

memory/2792-26-0x00000000708A0000-0x00000000708EC000-memory.dmp

memory/2792-36-0x0000000007880000-0x000000000789E000-memory.dmp

memory/2792-37-0x00000000078A0000-0x0000000007944000-memory.dmp

memory/2792-27-0x0000000070A20000-0x0000000070D77000-memory.dmp

memory/2792-38-0x0000000074630000-0x0000000074DE1000-memory.dmp

memory/2792-39-0x0000000074630000-0x0000000074DE1000-memory.dmp

memory/3088-24-0x0000000000400000-0x0000000002B0D000-memory.dmp

memory/2792-41-0x00000000079C0000-0x00000000079DA000-memory.dmp

memory/2792-40-0x0000000008000000-0x000000000867A000-memory.dmp

memory/2792-42-0x0000000007A00000-0x0000000007A0A000-memory.dmp

memory/2792-43-0x0000000007AC0000-0x0000000007B56000-memory.dmp

memory/2792-44-0x0000000007A30000-0x0000000007A41000-memory.dmp

memory/2792-45-0x0000000007A70000-0x0000000007A7E000-memory.dmp

memory/2792-46-0x0000000007A80000-0x0000000007A95000-memory.dmp

memory/2792-47-0x0000000007B80000-0x0000000007B9A000-memory.dmp

memory/2792-48-0x0000000007B60000-0x0000000007B68000-memory.dmp

memory/2792-51-0x0000000074630000-0x0000000074DE1000-memory.dmp

memory/3088-55-0x0000000004CD0000-0x00000000055BB000-memory.dmp

memory/3088-54-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3088-53-0x0000000000400000-0x0000000002B0D000-memory.dmp

memory/956-61-0x00000000055C0000-0x0000000005917000-memory.dmp

memory/956-66-0x0000000005B90000-0x0000000005BDC000-memory.dmp

memory/1868-65-0x0000000000400000-0x0000000002B0D000-memory.dmp

memory/956-67-0x00000000709B0000-0x00000000709FC000-memory.dmp

memory/956-77-0x0000000006D00000-0x0000000006DA4000-memory.dmp

memory/956-68-0x0000000070C00000-0x0000000070F57000-memory.dmp

memory/956-78-0x0000000007050000-0x0000000007061000-memory.dmp

memory/956-79-0x00000000070A0000-0x00000000070B5000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 d0c46cad6c0778401e21910bd6b56b70
SHA1 7be418951ea96326aca445b8dfe449b2bfa0dca6
SHA256 9600b3fdf0565ccb49e21656aa4b24d7c18f776bfd04d9ee984b134707550f02
SHA512 057531b468f7fbbb2175a696a8aab274dec0d17d9f71df309edcff35e064f3378050066a3df47ccd03048fac461594ec75e3d4fe64f9dd79949d129f51e02949

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 223021b108f25e74a7a4c6eb883e44c4
SHA1 9cc5be9c05e249b6a38eb88c9385d46a411c1860
SHA256 2d0a5c249ff6a56c60717064c36572d441640b81d0efeb96bc8e5f3e03a059a1
SHA512 538306adc912357e527670644f1b77e97c4aad29b0bf8131a76b9d2e64059f9b576dc481d8793bda2e8126a7dc1d590b6f8feb4978402f381c100c54801ea58b

memory/4704-91-0x0000000006410000-0x0000000006767000-memory.dmp

memory/4704-94-0x0000000070B30000-0x0000000070E87000-memory.dmp

memory/4704-93-0x00000000709B0000-0x00000000709FC000-memory.dmp

memory/2032-110-0x0000000005670000-0x00000000059C7000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 50fefec60541f728cedfdcc6c4da7798
SHA1 66f0cb96979b618aa5d8bb3da6bc583ef21b468b
SHA256 3bf19371e42acae945018d7991c823823d2a418ae9327ba9efaaa7abe3aeab3c
SHA512 006b37a871a338a10004a5fa75bb9f4af987abc2f0a6a92bb992a8e7c6f269f43d8b2baa046ddcfb6ee75296a44733f441400756d7c6b8614ad9627a7f87e8e7

memory/2032-114-0x00000000709B0000-0x00000000709FC000-memory.dmp

memory/2032-115-0x00000000712F0000-0x0000000071647000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 5b757bfa4853e2eee90b10dc0dfc8f59
SHA1 d9f6a1873809e88aeff21286534999cc05999944
SHA256 cae05fd96fdee4b74ff7249eb61f8eaf4bced560ebd4a9092405fce0bde8a63c
SHA512 f8a605741f0722bae4153f01c5f7f377e3a7b0126b445a3e80ee62c53389e329f6f777d053305debfd077f9c2e7e16f50a81cbe6608b64fe158bb40214cfe7dd

memory/1868-129-0x0000000000400000-0x0000000002B0D000-memory.dmp

memory/2864-139-0x00000000064A0000-0x00000000067F7000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 534a7513ce3185f0a430395da93ae834
SHA1 5383476929b29b654dc5d715b2f6f5e4cc21d1aa
SHA256 4ffce96c7eeab58fd97b2129d049ec68cdc15a2928cc1bf11f4e8626a71bed8c
SHA512 98235a9c1738dec0ee17b686c3652ad620c17513f950b2146f807529b86bc8bcfbbf3eb7addb123a7ffcff5dc6d7972b89f8489e715298bcd9b66105a5f60104

memory/2864-141-0x0000000006980000-0x00000000069CC000-memory.dmp

memory/2864-143-0x0000000070A90000-0x0000000070DE7000-memory.dmp

memory/2864-142-0x0000000070910000-0x000000007095C000-memory.dmp

memory/2864-152-0x0000000007BB0000-0x0000000007C54000-memory.dmp

memory/2864-153-0x0000000007F20000-0x0000000007F31000-memory.dmp

memory/2864-154-0x00000000063D0000-0x00000000063E5000-memory.dmp

memory/1384-164-0x0000000005DD0000-0x0000000006127000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 4c1a94bacffcdf7668e7adbd0e819f72
SHA1 5777f89598b4a5948121e730106e262b488b0321
SHA256 3bcfe7b62d2fb63cac6a3008cc9973bb19bfc0616049c9594fb07d319c5eda83
SHA512 19ae67174f6dc0e44924e5f7fecc58e13c32455f613b9de9718376fe18297233db48e5c0b6037bef19e632e97e4d6e3aa51b41e112bfbf2baea18d499367776b

memory/1384-166-0x0000000006610000-0x000000000665C000-memory.dmp

memory/1384-167-0x0000000070830000-0x000000007087C000-memory.dmp

memory/1384-168-0x00000000709B0000-0x0000000070D07000-memory.dmp

memory/1384-177-0x0000000007530000-0x00000000075D4000-memory.dmp

memory/1384-178-0x0000000007870000-0x0000000007881000-memory.dmp

memory/1384-179-0x0000000005D50000-0x0000000005D65000-memory.dmp

memory/3392-189-0x0000000005CE0000-0x0000000006037000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 eff709e9a9acb7de6f21e5e0ee3dbda3
SHA1 f0364949b77a67bce45d0f88b4fbcb9bc262163a
SHA256 0fc73e888fef5945bc7f88e40e6927746d533266baf822dde4307f8c59e09d0d
SHA512 0b4d1c7fab17a791d8d77e689198e12e0ba05b59e3c4a6df996dc7e361a6e4f01349be784ffb9a2b9be2cc672be4960950fdd529a96b32eeb7912c49bf6c4120

memory/3268-190-0x0000000000400000-0x0000000002B0D000-memory.dmp

memory/3392-192-0x0000000070830000-0x000000007087C000-memory.dmp

memory/3392-193-0x0000000070AA0000-0x0000000070DF7000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/3268-208-0x0000000000400000-0x0000000002B0D000-memory.dmp

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/3420-213-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3420-217-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/880-215-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3268-218-0x0000000000400000-0x0000000002B0D000-memory.dmp

memory/880-219-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3268-220-0x0000000000400000-0x0000000002B0D000-memory.dmp

memory/3268-222-0x0000000000400000-0x0000000002B0D000-memory.dmp

memory/880-223-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3268-224-0x0000000000400000-0x0000000002B0D000-memory.dmp

memory/3268-226-0x0000000000400000-0x0000000002B0D000-memory.dmp

memory/3268-228-0x0000000000400000-0x0000000002B0D000-memory.dmp

memory/3268-230-0x0000000000400000-0x0000000002B0D000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-17 13:23

Reported

2024-05-17 13:26

Platform

win10v2004-20240426-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cae05fd96fdee4b74ff7249eb61f8eaf4bced560ebd4a9092405fce0bde8a63c.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\cae05fd96fdee4b74ff7249eb61f8eaf4bced560ebd4a9092405fce0bde8a63c.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\cae05fd96fdee4b74ff7249eb61f8eaf4bced560ebd4a9092405fce0bde8a63c.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\cae05fd96fdee4b74ff7249eb61f8eaf4bced560ebd4a9092405fce0bde8a63c.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\cae05fd96fdee4b74ff7249eb61f8eaf4bced560ebd4a9092405fce0bde8a63c.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-252 = "Dateline Standard Time" C:\Users\Admin\AppData\Local\Temp\cae05fd96fdee4b74ff7249eb61f8eaf4bced560ebd4a9092405fce0bde8a63c.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-891 = "Morocco Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-105 = "Central Brazilian Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2002 = "Cabo Verde Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2431 = "Cuba Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2752 = "Tomsk Standard Time" C:\Users\Admin\AppData\Local\Temp\cae05fd96fdee4b74ff7249eb61f8eaf4bced560ebd4a9092405fce0bde8a63c.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-162 = "Central Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-402 = "Arabic Standard Time" C:\Users\Admin\AppData\Local\Temp\cae05fd96fdee4b74ff7249eb61f8eaf4bced560ebd4a9092405fce0bde8a63c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-932 = "Coordinated Universal Time" C:\Users\Admin\AppData\Local\Temp\cae05fd96fdee4b74ff7249eb61f8eaf4bced560ebd4a9092405fce0bde8a63c.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-232 = "Hawaiian Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2512 = "Lord Howe Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-912 = "Mauritius Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2772 = "Omsk Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2842 = "Saratov Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-912 = "Mauritius Standard Time" C:\Users\Admin\AppData\Local\Temp\cae05fd96fdee4b74ff7249eb61f8eaf4bced560ebd4a9092405fce0bde8a63c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-71 = "Newfoundland Daylight Time" C:\Users\Admin\AppData\Local\Temp\cae05fd96fdee4b74ff7249eb61f8eaf4bced560ebd4a9092405fce0bde8a63c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-441 = "Arabian Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1022 = "Bangladesh Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-681 = "E. Australia Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1802 = "Line Islands Standard Time" C:\Users\Admin\AppData\Local\Temp\cae05fd96fdee4b74ff7249eb61f8eaf4bced560ebd4a9092405fce0bde8a63c.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-501 = "Nepal Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1892 = "Russia TZ 3 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2141 = "Transbaikal Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-435 = "Georgian Standard Time" C:\Users\Admin\AppData\Local\Temp\cae05fd96fdee4b74ff7249eb61f8eaf4bced560ebd4a9092405fce0bde8a63c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-831 = "SA Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\cae05fd96fdee4b74ff7249eb61f8eaf4bced560ebd4a9092405fce0bde8a63c.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2392 = "Aleutian Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2612 = "Bougainville Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-281 = "Central Europe Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2392 = "Aleutian Standard Time" C:\Users\Admin\AppData\Local\Temp\cae05fd96fdee4b74ff7249eb61f8eaf4bced560ebd4a9092405fce0bde8a63c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1472 = "Magadan Standard Time" C:\Users\Admin\AppData\Local\Temp\cae05fd96fdee4b74ff7249eb61f8eaf4bced560ebd4a9092405fce0bde8a63c.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-741 = "New Zealand Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-212 = "Pacific Standard Time" C:\Users\Admin\AppData\Local\Temp\cae05fd96fdee4b74ff7249eb61f8eaf4bced560ebd4a9092405fce0bde8a63c.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-231 = "Hawaiian Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-384 = "Namibia Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2061 = "North Korea Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-722 = "Central Pacific Standard Time" C:\Users\Admin\AppData\Local\Temp\cae05fd96fdee4b74ff7249eb61f8eaf4bced560ebd4a9092405fce0bde8a63c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-72 = "Newfoundland Standard Time" C:\Users\Admin\AppData\Local\Temp\cae05fd96fdee4b74ff7249eb61f8eaf4bced560ebd4a9092405fce0bde8a63c.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cae05fd96fdee4b74ff7249eb61f8eaf4bced560ebd4a9092405fce0bde8a63c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cae05fd96fdee4b74ff7249eb61f8eaf4bced560ebd4a9092405fce0bde8a63c.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cae05fd96fdee4b74ff7249eb61f8eaf4bced560ebd4a9092405fce0bde8a63c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cae05fd96fdee4b74ff7249eb61f8eaf4bced560ebd4a9092405fce0bde8a63c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cae05fd96fdee4b74ff7249eb61f8eaf4bced560ebd4a9092405fce0bde8a63c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cae05fd96fdee4b74ff7249eb61f8eaf4bced560ebd4a9092405fce0bde8a63c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cae05fd96fdee4b74ff7249eb61f8eaf4bced560ebd4a9092405fce0bde8a63c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cae05fd96fdee4b74ff7249eb61f8eaf4bced560ebd4a9092405fce0bde8a63c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cae05fd96fdee4b74ff7249eb61f8eaf4bced560ebd4a9092405fce0bde8a63c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cae05fd96fdee4b74ff7249eb61f8eaf4bced560ebd4a9092405fce0bde8a63c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cae05fd96fdee4b74ff7249eb61f8eaf4bced560ebd4a9092405fce0bde8a63c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cae05fd96fdee4b74ff7249eb61f8eaf4bced560ebd4a9092405fce0bde8a63c.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\cae05fd96fdee4b74ff7249eb61f8eaf4bced560ebd4a9092405fce0bde8a63c.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\cae05fd96fdee4b74ff7249eb61f8eaf4bced560ebd4a9092405fce0bde8a63c.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4148 wrote to memory of 1128 N/A C:\Users\Admin\AppData\Local\Temp\cae05fd96fdee4b74ff7249eb61f8eaf4bced560ebd4a9092405fce0bde8a63c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4148 wrote to memory of 1128 N/A C:\Users\Admin\AppData\Local\Temp\cae05fd96fdee4b74ff7249eb61f8eaf4bced560ebd4a9092405fce0bde8a63c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4148 wrote to memory of 1128 N/A C:\Users\Admin\AppData\Local\Temp\cae05fd96fdee4b74ff7249eb61f8eaf4bced560ebd4a9092405fce0bde8a63c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2124 wrote to memory of 4356 N/A C:\Users\Admin\AppData\Local\Temp\cae05fd96fdee4b74ff7249eb61f8eaf4bced560ebd4a9092405fce0bde8a63c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2124 wrote to memory of 4356 N/A C:\Users\Admin\AppData\Local\Temp\cae05fd96fdee4b74ff7249eb61f8eaf4bced560ebd4a9092405fce0bde8a63c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2124 wrote to memory of 4356 N/A C:\Users\Admin\AppData\Local\Temp\cae05fd96fdee4b74ff7249eb61f8eaf4bced560ebd4a9092405fce0bde8a63c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2124 wrote to memory of 5096 N/A C:\Users\Admin\AppData\Local\Temp\cae05fd96fdee4b74ff7249eb61f8eaf4bced560ebd4a9092405fce0bde8a63c.exe C:\Windows\system32\cmd.exe
PID 2124 wrote to memory of 5096 N/A C:\Users\Admin\AppData\Local\Temp\cae05fd96fdee4b74ff7249eb61f8eaf4bced560ebd4a9092405fce0bde8a63c.exe C:\Windows\system32\cmd.exe
PID 5096 wrote to memory of 1056 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 5096 wrote to memory of 1056 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2124 wrote to memory of 3996 N/A C:\Users\Admin\AppData\Local\Temp\cae05fd96fdee4b74ff7249eb61f8eaf4bced560ebd4a9092405fce0bde8a63c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2124 wrote to memory of 3996 N/A C:\Users\Admin\AppData\Local\Temp\cae05fd96fdee4b74ff7249eb61f8eaf4bced560ebd4a9092405fce0bde8a63c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2124 wrote to memory of 3996 N/A C:\Users\Admin\AppData\Local\Temp\cae05fd96fdee4b74ff7249eb61f8eaf4bced560ebd4a9092405fce0bde8a63c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2124 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\cae05fd96fdee4b74ff7249eb61f8eaf4bced560ebd4a9092405fce0bde8a63c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2124 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\cae05fd96fdee4b74ff7249eb61f8eaf4bced560ebd4a9092405fce0bde8a63c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2124 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\cae05fd96fdee4b74ff7249eb61f8eaf4bced560ebd4a9092405fce0bde8a63c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2124 wrote to memory of 3216 N/A C:\Users\Admin\AppData\Local\Temp\cae05fd96fdee4b74ff7249eb61f8eaf4bced560ebd4a9092405fce0bde8a63c.exe C:\Windows\rss\csrss.exe
PID 2124 wrote to memory of 3216 N/A C:\Users\Admin\AppData\Local\Temp\cae05fd96fdee4b74ff7249eb61f8eaf4bced560ebd4a9092405fce0bde8a63c.exe C:\Windows\rss\csrss.exe
PID 2124 wrote to memory of 3216 N/A C:\Users\Admin\AppData\Local\Temp\cae05fd96fdee4b74ff7249eb61f8eaf4bced560ebd4a9092405fce0bde8a63c.exe C:\Windows\rss\csrss.exe
PID 3216 wrote to memory of 1864 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3216 wrote to memory of 1864 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3216 wrote to memory of 1864 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3216 wrote to memory of 2640 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3216 wrote to memory of 2640 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3216 wrote to memory of 2640 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3216 wrote to memory of 2924 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3216 wrote to memory of 2924 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3216 wrote to memory of 2924 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3216 wrote to memory of 1740 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 3216 wrote to memory of 1740 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 1168 wrote to memory of 4436 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 1168 wrote to memory of 4436 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 1168 wrote to memory of 4436 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 4436 wrote to memory of 3588 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 4436 wrote to memory of 3588 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 4436 wrote to memory of 3588 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\cae05fd96fdee4b74ff7249eb61f8eaf4bced560ebd4a9092405fce0bde8a63c.exe

"C:\Users\Admin\AppData\Local\Temp\cae05fd96fdee4b74ff7249eb61f8eaf4bced560ebd4a9092405fce0bde8a63c.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\cae05fd96fdee4b74ff7249eb61f8eaf4bced560ebd4a9092405fce0bde8a63c.exe

"C:\Users\Admin\AppData\Local\Temp\cae05fd96fdee4b74ff7249eb61f8eaf4bced560ebd4a9092405fce0bde8a63c.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2124 -ip 2124

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2124 -s 796

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe
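The command lines above carry the three persistence and defense-evasion moves worth turning into detections: an inbound firewall exception for a csrss.exe that lives in C:\Windows\rss rather than System32, an ONLOGON scheduled task with /RL HIGHEST pointing at the same binary, and an sc sdset call that rewrites the WinDefender service's security descriptor. Decoding that SDDL is the security-relevant point: the Administrators (BA) allow ACE has had WP (SERVICE_STOP) and DT (SERVICE_PAUSE_CONTINUE) removed and a second ACE (D;;WPDT;;;BA) denies them explicitly, so an admin can no longer stop or pause the service, while LocalSystem keeps the default rights. The caveat for responders is that BA still holds WD (WRITE_DAC) and DC (SERVICE_CHANGE_CONFIG), so the descriptor can be reset with another sc sdset before the service is removed. The following script is an added example, not part of the sandbox output: SAMPLE_CMDLINES is copied from the Processes list, but the detection rules, TRUSTED_DIRS and every function name are this example's own assumptions rather than vendor signatures.

```python
"""Triage of the command lines in the Processes list above.
Added example, not part of the sandbox report.  SAMPLE_CMDLINES is copied from
the list; the rules, TRUSTED_DIRS and function names are this example's own."""
import re

# SDDL two-letter access codes as they apply to service objects.
SERVICE_RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS", "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START", "WP": "SERVICE_STOP", "DT": "SERVICE_PAUSE_CONTINUE",
    "LO": "SERVICE_INTERROGATE", "CR": "SERVICE_USER_DEFINED_CONTROL",
    "RC": "READ_CONTROL", "SD": "DELETE", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}

# The descriptor applied by `sc sdset WinDefender` in this report.
REPORTED_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)"
                 "(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
                 "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")

def parse_service_dacl(sddl: str) -> list:
    """Split the D:(...)(...) part of an SDDL string into (type, rights, trustee)."""
    m = re.search(r"D:((?:\([^)]*\))+)", sddl)
    if not m:
        return []
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m.group(1)):
        f = body.split(";")          # type;flags;rights;object_guid;inherit_guid;sid
        codes = frozenset(f[2][i:i + 2] for i in range(0, len(f[2]), 2))
        aces.append((f[0], codes, f[5]))
    return aces

def service_access(sddl: str, trustee: str) -> dict:
    """Simplified access check for one trustee: a right is effective when an
    allow ACE grants it and no deny ACE for the same trustee carries it.
    Group membership and ACE ordering are deliberately ignored here."""
    allowed, denied = set(), set()
    for ace_type, rights, sid in parse_service_dacl(sddl):
        if sid != trustee:
            continue
        if ace_type == "A":
            allowed |= rights
        elif ace_type == "D":
            denied |= rights
    effective = allowed - denied
    return {
        "can_stop": "WP" in effective,
        "stop_explicitly_denied": "WP" in denied,
        "can_rewrite_dacl": "WD" in effective,   # WRITE_DAC: can the trustee undo this?
        "effective": sorted(SERVICE_RIGHTS.get(c, c) for c in effective),
    }

# Directories from which a firewall exception or elevated task is unremarkable (assumption).
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                "c:\\program files\\", "c:\\program files (x86)\\")

def _trusted(path: str) -> bool:
    return path.lower().startswith(TRUSTED_DIRS)

def triage_cmdline(cmd: str) -> list:
    """Findings for one command line; an empty list means nothing matched."""
    findings, low = [], cmd.lower()
    # Inbound firewall exception for a binary outside the trusted directories
    m = re.search(r'netsh\s+advfirewall\s+firewall\s+add\s+rule.*?program="([^"]+)"', cmd, re.I)
    if m and not _trusted(m.group(1)):
        findings.append(f"inbound firewall allow rule for untrusted binary {m.group(1)}")
    # Highest-privilege logon task pointing at a binary outside the trusted directories
    m = re.search(r'schtasks\s+/create\b.*?/tr\s+"([^"]+)"', cmd, re.I)
    if m and "/rl highest" in low and "/sc onlogon" in low and not _trusted(m.group(1)):
        findings.append(f"elevated ONLOGON task for untrusted binary {m.group(1)}")
    # Service DACL rewritten so that Administrators can no longer stop the service
    m = re.search(r"\bsc\s+sdset\s+(\S+)\s+(\S+)", cmd, re.I)
    if m:
        acc = service_access(m.group(2), "BA")
        if acc["stop_explicitly_denied"] or not acc["can_stop"]:
            findings.append(f"service {m.group(1)}: Administrators cannot stop it")
    # A Windows system-process name (csrss.exe) executed from outside System32
    for p in re.findall(r'[A-Za-z]:\\[^\s"]+\\csrss\.exe', cmd, re.I):
        if not p.lower().startswith("c:\\windows\\system32\\"):
            findings.append(f"csrss.exe masquerade outside System32: {p}")
    # Heuristic: a helper given a target process name plus a DLL from a temp directory
    m = re.search(r"\s(\S+\.exe)\s+(\S+\.dll)\s*$", cmd, re.I)
    if m and "\\appdata\\local\\temp\\" in m.group(2).lower():
        findings.append(f"possible DLL injection into {m.group(1)} using {m.group(2)}")
    return findings

# Command lines copied from the Processes list above.
SAMPLE_CMDLINES = [
    r'C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"',
    r'schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F',
    r"schtasks /delete /tn ScheduledUpdate /f",
    r"C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll",
    "sc sdset WinDefender " + REPORTED_SDDL,
    "powershell -nologo -noprofile",
]

def triage_report(cmdlines) -> dict:
    """Map each command line that produced findings to its findings."""
    return {c: f for c in cmdlines if (f := triage_cmdline(c))}

if __name__ == "__main__":
    for cmd, hits in triage_report(SAMPLE_CMDLINES).items():
        print(cmd[:70] + ("..." if len(cmd) > 70 else ""))
        for h in hits:
            print("   -", h)
```

Run against the six command lines, four produce findings; the two schtasks /delete and bare powershell lines do not, which is the point of keying the rules on the untrusted target path and on the decoded DACL rather than on the tool names alone.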

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
NL 23.62.61.153:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
NL 23.62.61.153:443 www.bing.com tcp
US 8.8.8.8:53 153.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 1f70067d-f5b8-42e7-b70e-65d4b94d04fd.uuid.theupdatetime.org udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 stun1.l.google.com udp
US 8.8.8.8:53 server2.theupdatetime.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.134.233:443 cdn.discordapp.com tcp
BG 185.82.216.108:443 server2.theupdatetime.org tcp
US 74.125.250.129:19302 stun1.l.google.com udp
US 8.8.8.8:53 carsalessystem.com udp
US 104.21.94.82:443 carsalessystem.com tcp
US 8.8.8.8:53 129.250.125.74.in-addr.arpa udp
US 8.8.8.8:53 233.134.159.162.in-addr.arpa udp
US 8.8.8.8:53 108.216.82.185.in-addr.arpa udp
US 8.8.8.8:53 82.94.21.104.in-addr.arpa udp
BG 185.82.216.108:443 server2.theupdatetime.org tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
BG 185.82.216.108:443 server2.theupdatetime.org tcp
US 8.8.8.8:53 77.239.69.13.in-addr.arpa udp
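Most rows in the table are resolver noise: port 53 queries to 8.8.8.8, a run of in-addr.arpa reverse lookups (some for peers that were actually contacted, most not), and Microsoft background traffic to bing.com and bing.net. What remains after that filtering is the STUN query to stun1.l.google.com, which discloses the host's public address and NAT type, a fetch from cdn.discordapp.com, and two domains outside any platform allowlist: theupdatetime.org, queried once with a UUID-shaped label that looks like a per-host identifier and once as server2.theupdatetime.org with a TLS connection to 185.82.216.108, and carsalessystem.com with a TLS connection to 104.21.94.82. The script below is an added example, not part of the report: SAMPLE_ROWS is a constructed subset of the table above, and the suffix lists, category rules and function names are this example's own heuristics.

```python
"""Triage of the Network table above: separate resolver noise and platform
background traffic from endpoints worth blocking.  Added example, not part of
the report; SAMPLE_ROWS is a constructed subset of the table, and the suffix
lists and category rules are this example's own heuristics."""
import re
from collections import defaultdict

SAMPLE_ROWS = """\
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 1f70067d-f5b8-42e7-b70e-65d4b94d04fd.uuid.theupdatetime.org udp
US 8.8.8.8:53 stun1.l.google.com udp
US 8.8.8.8:53 server2.theupdatetime.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.134.233:443 cdn.discordapp.com tcp
BG 185.82.216.108:443 server2.theupdatetime.org tcp
US 74.125.250.129:19302 stun1.l.google.com udp
US 8.8.8.8:53 carsalessystem.com udp
US 104.21.94.82:443 carsalessystem.com tcp
US 8.8.8.8:53 108.216.82.185.in-addr.arpa udp
BG 185.82.216.108:443 server2.theupdatetime.org tcp
"""

# Microsoft/Google background traffic seen on a clean Windows sandbox (assumption).
PLATFORM_SUFFIXES = (".bing.com", ".bing.net", ".google.com")
# Public file-hosting CDNs: not malicious by themselves, but a common payload host.
HOSTING_SUFFIXES = (".discordapp.com",)
UUID_LABEL = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\.", re.I)

def parse_rows(text: str) -> list:
    """'US 8.8.8.8:53 g.bing.com udp' -> dict(country, ip, port, domain, proto)."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        country, dest, domain, proto = parts
        ip, _, port = dest.rpartition(":")
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows

def ptr_to_ip(name: str) -> str:
    """'237.197.79.204.in-addr.arpa' -> '204.79.197.237'"""
    return ".".join(reversed(name[:-len(".in-addr.arpa")].split(".")))

def registered_domain(domain: str) -> str:
    # Simplification: last two labels; real tooling should use the public suffix list.
    return ".".join(domain.split(".")[-2:])

def triage_network(text: str) -> dict:
    rows = parse_rows(text)
    # Port 53 rows are queries to the resolver; everything else is a real peer.
    endpoints = defaultdict(set)
    for r in rows:
        if r["port"] != 53:
            endpoints[r["domain"]].add(f'{r["ip"]}:{r["port"]}/{r["proto"]}')
    contacted = {r["ip"] for r in rows if r["port"] != 53}
    out = {k: set() for k in ("ptr_contacted", "ptr_uncontacted", "stun", "platform",
                              "hosting", "ioc_domains", "uuid_labelled")}
    for d in {r["domain"] for r in rows}:
        if d.endswith(".in-addr.arpa"):
            ip = ptr_to_ip(d)      # reverse lookups: which contacted peers were rDNS'd?
            out["ptr_contacted" if ip in contacted else "ptr_uncontacted"].add(ip)
        elif d.startswith("stun"):   # STUN reveals the victim's public IP / NAT type
            out["stun"].add(d)
        elif d.endswith(PLATFORM_SUFFIXES):
            out["platform"].add(d)
        elif d.endswith(HOSTING_SUFFIXES):
            out["hosting"].add(d)
        else:
            out["ioc_domains"].add(d)
            if UUID_LABEL.match(d):  # per-host identifier encoded in the query name
                out["uuid_labelled"].add(d)
    out["ioc_endpoints"] = {(d, ep) for d in out["ioc_domains"] for ep in endpoints[d]}
    out["ioc_registered"] = {registered_domain(d) for d in out["ioc_domains"]}
    return out

if __name__ == "__main__":
    for key, value in triage_network(SAMPLE_ROWS).items():
        print(f"{key:16} {sorted(value)}")
```

The ioc_endpoints and ioc_registered sets are what goes into a block list; ptr_uncontacted is worth a second look because those reverse lookups target addresses the sample never connected to, and hosting is kept separate because a Discord CDN URL is evidence of a download, not of the operator's infrastructure.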

Files

memory/4148-1-0x00000000047C0000-0x0000000004BC6000-memory.dmp

memory/4148-2-0x0000000004BD0000-0x00000000054BB000-memory.dmp

memory/4148-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1128-4-0x000000007490E000-0x000000007490F000-memory.dmp

memory/1128-5-0x0000000004660000-0x0000000004696000-memory.dmp

memory/1128-7-0x0000000074900000-0x00000000750B0000-memory.dmp

memory/1128-6-0x0000000004DF0000-0x0000000005418000-memory.dmp

memory/1128-9-0x0000000074900000-0x00000000750B0000-memory.dmp

memory/1128-8-0x0000000004D90000-0x0000000004DB2000-memory.dmp

memory/1128-11-0x0000000005600000-0x0000000005666000-memory.dmp

memory/1128-10-0x0000000005590000-0x00000000055F6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kw1gkdvz.b1y.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1128-21-0x0000000005670000-0x00000000059C4000-memory.dmp

memory/1128-22-0x0000000005C40000-0x0000000005C5E000-memory.dmp

memory/1128-23-0x0000000005C70000-0x0000000005CBC000-memory.dmp

memory/1128-24-0x0000000006120000-0x0000000006164000-memory.dmp

memory/1128-25-0x0000000006D40000-0x0000000006DB6000-memory.dmp

memory/1128-26-0x0000000007640000-0x0000000007CBA000-memory.dmp

memory/1128-27-0x0000000006D00000-0x0000000006D1A000-memory.dmp

memory/1128-28-0x0000000007140000-0x0000000007172000-memory.dmp

memory/1128-41-0x0000000007180000-0x000000000719E000-memory.dmp

memory/1128-42-0x00000000071A0000-0x0000000007243000-memory.dmp

memory/1128-31-0x0000000074900000-0x00000000750B0000-memory.dmp

memory/1128-43-0x0000000074900000-0x00000000750B0000-memory.dmp

memory/1128-30-0x0000000070F20000-0x0000000071274000-memory.dmp

memory/1128-29-0x00000000707A0000-0x00000000707EC000-memory.dmp

memory/1128-44-0x0000000007290000-0x000000000729A000-memory.dmp

memory/1128-46-0x0000000007420000-0x00000000074B6000-memory.dmp

memory/1128-47-0x0000000074900000-0x00000000750B0000-memory.dmp

memory/1128-48-0x0000000007320000-0x0000000007331000-memory.dmp

memory/4148-45-0x0000000000400000-0x0000000002B0D000-memory.dmp

memory/1128-49-0x0000000007360000-0x000000000736E000-memory.dmp

memory/1128-50-0x0000000007380000-0x0000000007394000-memory.dmp

memory/1128-51-0x00000000073C0000-0x00000000073DA000-memory.dmp

memory/1128-52-0x00000000073B0000-0x00000000073B8000-memory.dmp

memory/1128-55-0x0000000074900000-0x00000000750B0000-memory.dmp

memory/4148-58-0x0000000004BD0000-0x00000000054BB000-memory.dmp

memory/4148-59-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4148-56-0x0000000000400000-0x0000000002B0D000-memory.dmp

memory/4356-69-0x0000000005850000-0x0000000005BA4000-memory.dmp

memory/4356-70-0x0000000005D20000-0x0000000005D6C000-memory.dmp

memory/4356-71-0x00000000708A0000-0x00000000708EC000-memory.dmp

memory/4356-72-0x0000000070A20000-0x0000000070D74000-memory.dmp

memory/4356-82-0x0000000006ED0000-0x0000000006F73000-memory.dmp

memory/4356-83-0x00000000071E0000-0x00000000071F1000-memory.dmp

memory/4356-84-0x0000000007230000-0x0000000007244000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 3d086a433708053f9bf9523e1d87a4e8
SHA1 b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA256 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

memory/3996-88-0x0000000005830000-0x0000000005B84000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 aad2b13988d09a614bd62f7b706028d1
SHA1 8d109705a6a682a9035bfc07628b600d76f0412d
SHA256 d864c36f70a57c07e81b22bbf64e9129d74a22de21af116cf672fdeff4182419
SHA512 4d2c777cb0bcfb39791992995dd85095524741da0c8e8d7b4e887eb9d9db16df07b93ac100742f45c9c1e519bd6d90bb12ea0bb36e05fdc7a770d164c2f13fcd

memory/3996-99-0x00000000708A0000-0x00000000708EC000-memory.dmp

memory/3996-100-0x0000000071040000-0x0000000071394000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 cc4f50c0ab3627d6cfae11438462263a
SHA1 a96910250f756b340a7bb437d4673dff191c8023
SHA256 585e6c263b32f678186f5116aaeed6e682f5ab50d4dee543d27c25740e53494d
SHA512 70c9db816858f626638c70ebd0ea04ad203d648b66f5a9d906c5c151c8043c05a7844f6559f1f01a3f4a20509e45ef26cb1f8b78aa3e78ae7de3b24121d0d99c

memory/3044-122-0x0000000071040000-0x0000000071394000-memory.dmp

memory/3044-121-0x00000000708A0000-0x00000000708EC000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 5b757bfa4853e2eee90b10dc0dfc8f59
SHA1 d9f6a1873809e88aeff21286534999cc05999944
SHA256 cae05fd96fdee4b74ff7249eb61f8eaf4bced560ebd4a9092405fce0bde8a63c
SHA512 f8a605741f0722bae4153f01c5f7f377e3a7b0126b445a3e80ee62c53389e329f6f777d053305debfd077f9c2e7e16f50a81cbe6608b64fe158bb40214cfe7dd

memory/2124-138-0x0000000000400000-0x0000000002B0D000-memory.dmp

memory/1864-149-0x0000000005A00000-0x0000000005D54000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 d5d73e856f40a6735d78f9e00674ba27
SHA1 4745edf3fc02f2f8004716dfcca9b2106e7b9951
SHA256 38f400a85e5aeff37355b33fdb05b8f5c4688c4122967f0412c244668aadbdd3
SHA512 0b2f9e17866d40e292856b2a57378a36f843eab16e645e738fd6bd2e0f2f78b72b9c835eab1307c7ea852aace10982a5834409c50b4bfae1edd1c0060547bd41

memory/1864-151-0x0000000005EF0000-0x0000000005F3C000-memory.dmp

memory/1864-153-0x0000000070980000-0x0000000070CD4000-memory.dmp

memory/1864-152-0x0000000070800000-0x000000007084C000-memory.dmp

memory/1864-163-0x00000000070A0000-0x0000000007143000-memory.dmp

memory/1864-164-0x00000000073D0000-0x00000000073E1000-memory.dmp

memory/1864-165-0x00000000056D0000-0x00000000056E4000-memory.dmp

memory/2640-167-0x0000000005A00000-0x0000000005D54000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 a023ac6127eb331867a76649d1544663
SHA1 40104ff6ff56e1d035eafe859669e4e03f4e5be0
SHA256 67ad3049ecf106f915461b27e30873df429e56bea8efd73b845e6256b02c7e0a
SHA512 698f8824aa7bc3a4b94d5295caa4cfb361f23f924d6e166575ea888b2787715c2f02d3ff8ec8cbbe5b4babaa0d17ad3bd92130348cd3b5144bf5319c9933dcf0

memory/2640-178-0x0000000006110000-0x000000000615C000-memory.dmp

memory/2640-179-0x0000000070720000-0x000000007076C000-memory.dmp

memory/2640-180-0x0000000070EB0000-0x0000000071204000-memory.dmp

memory/2640-190-0x0000000007310000-0x00000000073B3000-memory.dmp

memory/2640-191-0x0000000007600000-0x0000000007611000-memory.dmp

memory/2640-192-0x0000000005E90000-0x0000000005EA4000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 2ede95c0cad29fd8cbaf3e1a5a3570ba
SHA1 529320a38bb5170c989f75c808a14d80bb994728
SHA256 9936556972b7296d2cf346c81e212b86a6e12596cacb2b471c1a15f4e4ec9bd4
SHA512 296f6e72a7b3cd22d9f09d453b0eb50cfefef4410bae226293bdeb9b61cdefea1aa8c2ee0252f71bbde28ad5308fa51290ba8350ee31b3142c14ca83cfcbe67b

memory/2924-205-0x0000000070EB0000-0x0000000071204000-memory.dmp

memory/2924-204-0x0000000070720000-0x000000007076C000-memory.dmp

memory/3216-215-0x0000000000400000-0x0000000002B0D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/1168-226-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3216-222-0x0000000000400000-0x0000000002B0D000-memory.dmp

memory/1168-231-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4180-229-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4180-233-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3216-232-0x0000000000400000-0x0000000002B0D000-memory.dmp

memory/3216-234-0x0000000000400000-0x0000000002B0D000-memory.dmp

memory/4180-237-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3216-236-0x0000000000400000-0x0000000002B0D000-memory.dmp

memory/3216-238-0x0000000000400000-0x0000000002B0D000-memory.dmp

memory/3216-240-0x0000000000400000-0x0000000002B0D000-memory.dmp

memory/3216-242-0x0000000000400000-0x0000000002B0D000-memory.dmp

memory/3216-244-0x0000000000400000-0x0000000002B0D000-memory.dmp

memory/3216-246-0x0000000000400000-0x0000000002B0D000-memory.dmp

memory/3216-248-0x0000000000400000-0x0000000002B0D000-memory.dmp

memory/3216-250-0x0000000000400000-0x0000000002B0D000-memory.dmp