Malware Analysis Report

2024-11-13 19:40

Sample ID 240517-qnn9csaf69
Target c2d3038817a10ea9ad45b08676a58f7d29bdde72c748da5e34df131e53c8f018
SHA256 c2d3038817a10ea9ad45b08676a58f7d29bdde72c748da5e34df131e53c8f018
Tags
glupteba discovery dropper evasion execution loader persistence rootkit upx
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score 10/10

SHA256 c2d3038817a10ea9ad45b08676a58f7d29bdde72c748da5e34df131e53c8f018

Threat Level: Known bad

The file c2d3038817a10ea9ad45b08676a58f7d29bdde72c748da5e34df131e53c8f018 was found to be: Known bad.

Malicious Activity Summary

glupteba discovery dropper evasion execution loader persistence rootkit upx

Glupteba
Glupteba payload
Modifies Windows Firewall
Executes dropped EXE
UPX packed file
Checks installed software on the system
Manipulates WinMonFS driver
Adds Run key to start application
Drops file in System32 directory
Checks for VirtualBox DLLs, possible anti-VM trick
Drops file in Windows directory
Launches sc.exe
Program crash
Command and Scripting Interpreter: PowerShell
Creates scheduled task(s)
Modifies data under HKEY_USERS
Uses Task Scheduler COM API
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-17 13:24

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-17 13:24

Reported

2024-05-17 13:27

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c2d3038817a10ea9ad45b08676a58f7d29bdde72c748da5e34df131e53c8f018.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
(19 payload matches reported; description, indicator, process and target fields are empty for all of them in this export)

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Description Indicator Process Target
(6 matches reported; description, indicator, process and target fields are empty for all of them in this export)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\c2d3038817a10ea9ad45b08676a58f7d29bdde72c748da5e34df131e53c8f018.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\c2d3038817a10ea9ad45b08676a58f7d29bdde72c748da5e34df131e53c8f018.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\c2d3038817a10ea9ad45b08676a58f7d29bdde72c748da5e34df131e53c8f018.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\c2d3038817a10ea9ad45b08676a58f7d29bdde72c748da5e34df131e53c8f018.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Note: the MuiCache values below are localized time-zone display names resolved from tzres.dll, the pattern Windows leaves behind when a program resolves every time zone's name through RegLoadMUIString, and the SystemCertificates, WinTrust and ZoneMap keys are ones PowerShell creates on first use. They land under HKU\.DEFAULT because that hive serves as HKCU for processes running as LocalSystem, which is consistent with the writers running in that context. These are side effects of execution, not persistence, and are weak indicators on their own; the Run key and scheduled task above are the entries worth hunting for.

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-542 = "Myanmar Standard Time" C:\Users\Admin\AppData\Local\Temp\c2d3038817a10ea9ad45b08676a58f7d29bdde72c748da5e34df131e53c8f018.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-384 = "Namibia Daylight Time" C:\Users\Admin\AppData\Local\Temp\c2d3038817a10ea9ad45b08676a58f7d29bdde72c748da5e34df131e53c8f018.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-741 = "New Zealand Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-448 = "Azerbaijan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1021 = "Bangladesh Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2792 = "Novosibirsk Standard Time" C:\Users\Admin\AppData\Local\Temp\c2d3038817a10ea9ad45b08676a58f7d29bdde72c748da5e34df131e53c8f018.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2492 = "Aus Central W. Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-162 = "Central Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2571 = "Turks and Caicos Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-461 = "Afghanistan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1802 = "Line Islands Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-215 = "Pacific Standard Time (Mexico)" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2631 = "Norfolk Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-791 = "SA Western Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\c2d3038817a10ea9ad45b08676a58f7d29bdde72c748da5e34df131e53c8f018.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-215 = "Pacific Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\c2d3038817a10ea9ad45b08676a58f7d29bdde72c748da5e34df131e53c8f018.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-281 = "Central Europe Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2371 = "Easter Island Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-172 = "Central Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\c2d3038817a10ea9ad45b08676a58f7d29bdde72c748da5e34df131e53c8f018.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time" C:\Users\Admin\AppData\Local\Temp\c2d3038817a10ea9ad45b08676a58f7d29bdde72c748da5e34df131e53c8f018.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2451 = "Saint Pierre Daylight Time" C:\Users\Admin\AppData\Local\Temp\c2d3038817a10ea9ad45b08676a58f7d29bdde72c748da5e34df131e53c8f018.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-651 = "AUS Central Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-571 = "China Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-302 = "Romance Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-32 = "Mid-Atlantic Standard Time" C:\Users\Admin\AppData\Local\Temp\c2d3038817a10ea9ad45b08676a58f7d29bdde72c748da5e34df131e53c8f018.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-562 = "SE Asia Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-411 = "E. Africa Daylight Time" C:\Users\Admin\AppData\Local\Temp\c2d3038817a10ea9ad45b08676a58f7d29bdde72c748da5e34df131e53c8f018.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2571 = "Turks and Caicos Daylight Time" C:\Users\Admin\AppData\Local\Temp\c2d3038817a10ea9ad45b08676a58f7d29bdde72c748da5e34df131e53c8f018.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-82 = "Atlantic Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-531 = "Sri Lanka Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-751 = "Tonga Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2161 = "Altai Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-361 = "GTB Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-281 = "Central Europe Daylight Time" C:\Users\Admin\AppData\Local\Temp\c2d3038817a10ea9ad45b08676a58f7d29bdde72c748da5e34df131e53c8f018.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-272 = "Greenwich Standard Time" C:\Users\Admin\AppData\Local\Temp\c2d3038817a10ea9ad45b08676a58f7d29bdde72c748da5e34df131e53c8f018.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1502 = "Turkey Standard Time" C:\Users\Admin\AppData\Local\Temp\c2d3038817a10ea9ad45b08676a58f7d29bdde72c748da5e34df131e53c8f018.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-462 = "Afghanistan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2512 = "Lord Howe Standard Time" C:\Users\Admin\AppData\Local\Temp\c2d3038817a10ea9ad45b08676a58f7d29bdde72c748da5e34df131e53c8f018.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-372 = "Jerusalem Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-912 = "Mauritius Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-632 = "Tokyo Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-352 = "FLE Standard Time" C:\Users\Admin\AppData\Local\Temp\c2d3038817a10ea9ad45b08676a58f7d29bdde72c748da5e34df131e53c8f018.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-161 = "Central Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-171 = "Central Daylight Time (Mexico)" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-572 = "China Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2411 = "Marquesas Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-752 = "Tonga Standard Time" C:\Users\Admin\AppData\Local\Temp\c2d3038817a10ea9ad45b08676a58f7d29bdde72c748da5e34df131e53c8f018.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-401 = "Arabic Daylight Time" C:\Windows\windefender.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c2d3038817a10ea9ad45b08676a58f7d29bdde72c748da5e34df131e53c8f018.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c2d3038817a10ea9ad45b08676a58f7d29bdde72c748da5e34df131e53c8f018.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c2d3038817a10ea9ad45b08676a58f7d29bdde72c748da5e34df131e53c8f018.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c2d3038817a10ea9ad45b08676a58f7d29bdde72c748da5e34df131e53c8f018.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c2d3038817a10ea9ad45b08676a58f7d29bdde72c748da5e34df131e53c8f018.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c2d3038817a10ea9ad45b08676a58f7d29bdde72c748da5e34df131e53c8f018.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c2d3038817a10ea9ad45b08676a58f7d29bdde72c748da5e34df131e53c8f018.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c2d3038817a10ea9ad45b08676a58f7d29bdde72c748da5e34df131e53c8f018.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c2d3038817a10ea9ad45b08676a58f7d29bdde72c748da5e34df131e53c8f018.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c2d3038817a10ea9ad45b08676a58f7d29bdde72c748da5e34df131e53c8f018.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c2d3038817a10ea9ad45b08676a58f7d29bdde72c748da5e34df131e53c8f018.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c2d3038817a10ea9ad45b08676a58f7d29bdde72c748da5e34df131e53c8f018.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c2d3038817a10ea9ad45b08676a58f7d29bdde72c748da5e34df131e53c8f018.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\c2d3038817a10ea9ad45b08676a58f7d29bdde72c748da5e34df131e53c8f018.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 624 wrote to memory of 3324 N/A C:\Users\Admin\AppData\Local\Temp\c2d3038817a10ea9ad45b08676a58f7d29bdde72c748da5e34df131e53c8f018.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 624 wrote to memory of 3324 N/A C:\Users\Admin\AppData\Local\Temp\c2d3038817a10ea9ad45b08676a58f7d29bdde72c748da5e34df131e53c8f018.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 624 wrote to memory of 3324 N/A C:\Users\Admin\AppData\Local\Temp\c2d3038817a10ea9ad45b08676a58f7d29bdde72c748da5e34df131e53c8f018.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3368 wrote to memory of 4720 N/A C:\Users\Admin\AppData\Local\Temp\c2d3038817a10ea9ad45b08676a58f7d29bdde72c748da5e34df131e53c8f018.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3368 wrote to memory of 4720 N/A C:\Users\Admin\AppData\Local\Temp\c2d3038817a10ea9ad45b08676a58f7d29bdde72c748da5e34df131e53c8f018.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3368 wrote to memory of 4720 N/A C:\Users\Admin\AppData\Local\Temp\c2d3038817a10ea9ad45b08676a58f7d29bdde72c748da5e34df131e53c8f018.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3368 wrote to memory of 1484 N/A C:\Users\Admin\AppData\Local\Temp\c2d3038817a10ea9ad45b08676a58f7d29bdde72c748da5e34df131e53c8f018.exe C:\Windows\system32\cmd.exe
PID 3368 wrote to memory of 1484 N/A C:\Users\Admin\AppData\Local\Temp\c2d3038817a10ea9ad45b08676a58f7d29bdde72c748da5e34df131e53c8f018.exe C:\Windows\system32\cmd.exe
PID 1484 wrote to memory of 1944 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1484 wrote to memory of 1944 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3368 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\c2d3038817a10ea9ad45b08676a58f7d29bdde72c748da5e34df131e53c8f018.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3368 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\c2d3038817a10ea9ad45b08676a58f7d29bdde72c748da5e34df131e53c8f018.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3368 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\c2d3038817a10ea9ad45b08676a58f7d29bdde72c748da5e34df131e53c8f018.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3368 wrote to memory of 3628 N/A C:\Users\Admin\AppData\Local\Temp\c2d3038817a10ea9ad45b08676a58f7d29bdde72c748da5e34df131e53c8f018.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3368 wrote to memory of 3628 N/A C:\Users\Admin\AppData\Local\Temp\c2d3038817a10ea9ad45b08676a58f7d29bdde72c748da5e34df131e53c8f018.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3368 wrote to memory of 3628 N/A C:\Users\Admin\AppData\Local\Temp\c2d3038817a10ea9ad45b08676a58f7d29bdde72c748da5e34df131e53c8f018.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3368 wrote to memory of 3720 N/A C:\Users\Admin\AppData\Local\Temp\c2d3038817a10ea9ad45b08676a58f7d29bdde72c748da5e34df131e53c8f018.exe C:\Windows\rss\csrss.exe
PID 3368 wrote to memory of 3720 N/A C:\Users\Admin\AppData\Local\Temp\c2d3038817a10ea9ad45b08676a58f7d29bdde72c748da5e34df131e53c8f018.exe C:\Windows\rss\csrss.exe
PID 3368 wrote to memory of 3720 N/A C:\Users\Admin\AppData\Local\Temp\c2d3038817a10ea9ad45b08676a58f7d29bdde72c748da5e34df131e53c8f018.exe C:\Windows\rss\csrss.exe
PID 3720 wrote to memory of 624 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3720 wrote to memory of 624 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3720 wrote to memory of 624 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3720 wrote to memory of 4936 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3720 wrote to memory of 4936 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3720 wrote to memory of 4936 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3720 wrote to memory of 4920 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3720 wrote to memory of 4920 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3720 wrote to memory of 4920 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3720 wrote to memory of 2400 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 3720 wrote to memory of 2400 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 1056 wrote to memory of 620 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 1056 wrote to memory of 620 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 1056 wrote to memory of 620 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 620 wrote to memory of 1380 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 620 wrote to memory of 1380 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 620 wrote to memory of 1380 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
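The rows above read as injection but are mostly the sandbox's record of ordinary process creation: CreateProcess writes the new process's parameters into the child, which is why each child appears two or three times under its parent. That makes the table a usable parent/child log. The following is an added example, not part of the report and not the sandbox's code, that rebuilds the execution chain from those rows (copied above with the repeats dropped). Nodes are keyed on (PID, image path) rather than PID alone because the sandbox reused PID 624 (first sample instance, later a powershell.exe child of csrss.exe) and PID 2400 (a powershell.exe, later injector.exe) during the run.

```python
import ntpath
import re
from collections import defaultdict

# Constructed input: the distinct rows of the WriteProcessMemory table above.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\c2d3038817a10ea9ad45b08676a58f7d29bdde72c748da5e34df131e53c8f018.exe"
PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
CSRSS = r"C:\Windows\rss\csrss.exe"
ROWS = rf"""
PID 624 wrote to memory of 3324 N/A {SAMPLE} {PS}
PID 3368 wrote to memory of 4720 N/A {SAMPLE} {PS}
PID 3368 wrote to memory of 1484 N/A {SAMPLE} C:\Windows\system32\cmd.exe
PID 1484 wrote to memory of 1944 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3368 wrote to memory of 2400 N/A {SAMPLE} {PS}
PID 3368 wrote to memory of 3628 N/A {SAMPLE} {PS}
PID 3368 wrote to memory of 3720 N/A {SAMPLE} {CSRSS}
PID 3720 wrote to memory of 624 N/A {CSRSS} {PS}
PID 3720 wrote to memory of 4936 N/A {CSRSS} {PS}
PID 3720 wrote to memory of 4920 N/A {CSRSS} {PS}
PID 3720 wrote to memory of 2400 N/A {CSRSS} C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 1056 wrote to memory of 620 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 620 wrote to memory of 1380 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
""".strip().splitlines()

# "PID <parent> wrote to memory of <child> N/A <parent image> <child image>"
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")


def parse_rows(rows):
    """Return de-duplicated (parent, child) pairs; a node is (pid, image)."""
    edges = []
    for line in rows:
        m = ROW_RE.match(line)
        if not m:
            continue  # tolerate rows the sandbox rendered differently
        ppid, cpid, pimg, cimg = m.groups()
        edge = ((int(ppid), pimg), (int(cpid), cimg))
        if edge not in edges:
            edges.append(edge)
    return edges


def build_tree(edges):
    """Map each parent node to its children; roots are parents never seen as a child."""
    children = defaultdict(list)
    for parent, child in edges:
        if child not in children[parent]:
            children[parent].append(child)
    all_children = {child for _, child in edges}
    roots = [node for node in children if node not in all_children]
    return children, roots


def render(children, roots):
    """Indented text tree, two spaces per level, image basename plus PID."""
    lines = []

    def walk(node, depth):
        pid, image = node
        lines.append("  " * depth + f"{ntpath.basename(image)} (pid {pid})")
        for child in children.get(node, []):
            walk(child, depth + 1)

    for root in roots:
        walk(root, 0)
    return lines


if __name__ == "__main__":
    print("\n".join(render(*build_tree(parse_rows(ROWS)))))
```

Three roots come out: the first sample instance (PID 624), the second instance (PID 3368) that does the real work (cmd/netsh firewall rule, csrss.exe drop, three more PowerShell children), and windefender.exe (PID 1056), whose parent is not in this table because it is started as a service rather than by a process the sandbox hooked.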

Uses Task Scheduler COM API

persistence

Processes

(Each entry is the image path followed by the command line as recorded. The powershell.exe instances carry no script on the command line, only -nologo -noprofile, so whatever they ran was fed through standard input and is not visible in this listing. C:\Windows\Sysnative\cmd.exe is the 64-bit cmd.exe reached from the 32-bit sample through the WOW64 redirection alias.)

C:\Users\Admin\AppData\Local\Temp\c2d3038817a10ea9ad45b08676a58f7d29bdde72c748da5e34df131e53c8f018.exe

"C:\Users\Admin\AppData\Local\Temp\c2d3038817a10ea9ad45b08676a58f7d29bdde72c748da5e34df131e53c8f018.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\c2d3038817a10ea9ad45b08676a58f7d29bdde72c748da5e34df131e53c8f018.exe

"C:\Users\Admin\AppData\Local\Temp\c2d3038817a10ea9ad45b08676a58f7d29bdde72c748da5e34df131e53c8f018.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.138:443 www.bing.com tcp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 138.61.62.23.in-addr.arpa udp
NL 23.62.61.138:443 www.bing.com tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 6c866ccd-b342-4b9a-81a4-0f1810322df7.uuid.statscreate.org udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 stun.stunprotocol.org udp
US 8.8.8.8:53 server1.statscreate.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.134.233:443 cdn.discordapp.com tcp
N/A 127.0.0.1:3478 udp
BG 185.82.216.96:443 server1.statscreate.org tcp
US 8.8.8.8:53 carsalessystem.com udp
US 172.67.221.71:443 carsalessystem.com tcp
US 8.8.8.8:53 233.134.159.162.in-addr.arpa udp
US 8.8.8.8:53 96.216.82.185.in-addr.arpa udp
US 8.8.8.8:53 71.221.67.172.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
BG 185.82.216.96:443 server1.statscreate.org tcp
US 8.8.8.8:53 stun.sipgate.net udp
US 3.33.249.248:3478 stun.sipgate.net udp
US 52.111.229.43:443 tcp
US 8.8.8.8:53 248.249.33.3.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
BG 185.82.216.96:443 server1.statscreate.org tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

memory/624-1-0x0000000004850000-0x0000000004C4A000-memory.dmp

memory/624-2-0x0000000004C50000-0x000000000553B000-memory.dmp

memory/624-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3324-5-0x0000000002BA0000-0x0000000002BD6000-memory.dmp

memory/3324-6-0x00000000747FE000-0x00000000747FF000-memory.dmp

memory/624-4-0x0000000000400000-0x0000000002B0D000-memory.dmp

memory/3324-8-0x00000000747F0000-0x0000000074FA0000-memory.dmp

memory/3324-7-0x0000000005460000-0x0000000005A88000-memory.dmp

memory/3324-9-0x0000000005280000-0x00000000052A2000-memory.dmp

memory/3324-12-0x0000000005B00000-0x0000000005B66000-memory.dmp

memory/3324-11-0x00000000747F0000-0x0000000074FA0000-memory.dmp

memory/3324-10-0x0000000005320000-0x0000000005386000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1hvlites.frc.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3324-18-0x0000000005B70000-0x0000000005EC4000-memory.dmp

memory/3324-23-0x0000000006140000-0x000000000615E000-memory.dmp

memory/3324-24-0x0000000006170000-0x00000000061BC000-memory.dmp

memory/3324-25-0x0000000006580000-0x00000000065C4000-memory.dmp

memory/3324-26-0x00000000074D0000-0x0000000007546000-memory.dmp

memory/3324-27-0x0000000007BD0000-0x000000000824A000-memory.dmp

memory/3324-28-0x0000000007490000-0x00000000074AA000-memory.dmp

memory/3324-30-0x00000000747F0000-0x0000000074FA0000-memory.dmp

memory/3324-29-0x00000000076D0000-0x0000000007702000-memory.dmp

memory/3324-31-0x0000000070690000-0x00000000706DC000-memory.dmp

memory/3324-32-0x0000000070E10000-0x0000000071164000-memory.dmp

memory/3324-44-0x00000000747F0000-0x0000000074FA0000-memory.dmp

memory/3324-43-0x0000000007730000-0x00000000077D3000-memory.dmp

memory/3324-42-0x0000000007710000-0x000000000772E000-memory.dmp

memory/3324-45-0x0000000007820000-0x000000000782A000-memory.dmp

memory/3324-46-0x0000000007930000-0x00000000079C6000-memory.dmp

memory/3324-47-0x0000000007830000-0x0000000007841000-memory.dmp

memory/3324-48-0x0000000007870000-0x000000000787E000-memory.dmp

memory/3324-49-0x0000000007890000-0x00000000078A4000-memory.dmp

memory/3324-50-0x00000000078D0000-0x00000000078EA000-memory.dmp

memory/3324-51-0x00000000078C0000-0x00000000078C8000-memory.dmp

memory/3324-54-0x00000000747F0000-0x0000000074FA0000-memory.dmp

memory/624-57-0x0000000004C50000-0x000000000553B000-memory.dmp

memory/624-58-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/624-55-0x0000000000400000-0x0000000002B0D000-memory.dmp

memory/4720-68-0x0000000005670000-0x00000000059C4000-memory.dmp

memory/4720-69-0x0000000006190000-0x00000000061DC000-memory.dmp

memory/4720-70-0x0000000070790000-0x00000000707DC000-memory.dmp

memory/4720-71-0x0000000070F30000-0x0000000071284000-memory.dmp

memory/4720-81-0x0000000006EE0000-0x0000000006F83000-memory.dmp

memory/4720-82-0x00000000071C0000-0x00000000071D1000-memory.dmp

memory/4720-83-0x0000000007210000-0x0000000007224000-memory.dmp

memory/3368-84-0x0000000000400000-0x0000000002B0D000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

memory/2400-93-0x0000000005480000-0x00000000057D4000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 74a5a5c2c1d4b21077f2bf1cc0d9cb22
SHA1 c8b797911f479d3c97083ea0f5d4269334fcb742
SHA256 1c4e5df1588012dd2e008809690b0b17de2a835cccda5979ef0bfd0b92265902
SHA512 2cbfeb075698d631d87a4b1609bf0f280165d77538015a3c975686a6e8dc10c4bd03ae65f86e7a353a3189ada2c7cdbb9ea24bd92a2c65a1b236b97b8c07fd80

memory/2400-99-0x0000000070790000-0x00000000707DC000-memory.dmp

memory/2400-100-0x0000000070EF0000-0x0000000071244000-memory.dmp

memory/3628-120-0x00000000064D0000-0x0000000006824000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 b4fc2884a194b008349d6f27f5e044fc
SHA1 8bd82b3f9e563e18b59820c576846d7c838e5de8
SHA256 b219121b7fa480c9ec7263b67055778a94935af4c8b801b7e2a395d738724b74
SHA512 88d8a071c34f83d04f6154330332ad606068375d53819a1f6e33eec3778e91da4070a8bd697bae8d77c13e0712c099f969263840593f6e86f7741b87b49ba6d9

memory/3628-122-0x0000000070790000-0x00000000707DC000-memory.dmp

memory/3628-123-0x0000000070930000-0x0000000070C84000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 52d69906fb9fedeccf7954d25b3d468c
SHA1 4d3b05ff2be98f0ccc15f3c222f0e0c08124e27d
SHA256 c2d3038817a10ea9ad45b08676a58f7d29bdde72c748da5e34df131e53c8f018
SHA512 9c9ffc709779fa123cd93bc78b5cc0c51f21759f2244df2a296908185182ec005fc25de582818eb70290701fd77df75187c8f849070e8a483c10c44803e1e55f

memory/3368-137-0x0000000000400000-0x0000000002B0D000-memory.dmp

memory/624-149-0x0000000005FA0000-0x00000000062F4000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 ee1c0bf47685335e860b8a74ed380185
SHA1 8fa1f905fcb3e9ad9930b4fd4fd3672dd0275609
SHA256 8bf8ef5c83fca533435d9309dbe38840b240ece06b44df2b16f6ffe7ed7ad936
SHA512 454c7d2b8c997d47b8906a791df21f2c2bdea2e2f8d87ba388484891ef5a95fab22b06e1e8ed671ea982e83ff56af6fdfa83bbc488c469b275d4eb0496598d9d

memory/624-151-0x00000000067E0000-0x000000000682C000-memory.dmp

memory/624-152-0x00000000706F0000-0x000000007073C000-memory.dmp

memory/624-153-0x0000000070870000-0x0000000070BC4000-memory.dmp

memory/624-163-0x00000000076D0000-0x0000000007773000-memory.dmp

memory/624-164-0x0000000005EF0000-0x0000000005F01000-memory.dmp

memory/3720-165-0x0000000000400000-0x0000000002B0D000-memory.dmp

memory/624-166-0x0000000006300000-0x0000000006314000-memory.dmp

memory/4936-177-0x0000000005640000-0x0000000005994000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 bac6286fe139b6a894d58046f9b0461a
SHA1 c8ce297a8279b6d4a4df14bdf392486b8f70f977
SHA256 d5fcc15a82959460c944ae1fda297a9f96e0a7d4fa751b8df773ed4da779d0d0
SHA512 1b0420723ce58580b2c633339600d4f4801b019039bc26ed1a6a709861d02ad0e86ecd61c4c80de5bd45a52db8a020a9ae161126117eb837573bf7adee0e6df4

memory/4936-179-0x0000000005F60000-0x0000000005FAC000-memory.dmp

memory/4936-180-0x0000000070610000-0x000000007065C000-memory.dmp

memory/4936-181-0x0000000070790000-0x0000000070AE4000-memory.dmp

memory/4936-191-0x0000000006DD0000-0x0000000006E73000-memory.dmp

memory/4936-192-0x0000000007120000-0x0000000007131000-memory.dmp

memory/4936-193-0x0000000005480000-0x0000000005494000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 86df66b0d8992ed52074cbb15f7a35f1
SHA1 c6e00e1be01f63b050a8d83fe7de4c43f262bbdf
SHA256 1da5827c0d59830c3aa5b9d8ffed9c950d16037188f00b00c84c7b4284a2b780
SHA512 d10507e687d15533ab31509a66082d93fc5e942a7f21fb17f077b9526ed1d61df92f14e2f0bce31e2322e120779a5a6c6a5a24f729216124e43e61dd9cc06996

memory/4920-205-0x0000000070610000-0x000000007065C000-memory.dmp

memory/4920-206-0x0000000070790000-0x0000000070AE4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/3720-222-0x0000000000400000-0x0000000002B0D000-memory.dmp

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/1056-227-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4912-229-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/1056-231-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3720-232-0x0000000000400000-0x0000000002B0D000-memory.dmp

memory/4912-234-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3720-233-0x0000000000400000-0x0000000002B0D000-memory.dmp

memory/3720-235-0x0000000000400000-0x0000000002B0D000-memory.dmp

memory/4912-237-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3720-238-0x0000000000400000-0x0000000002B0D000-memory.dmp

memory/3720-240-0x0000000000400000-0x0000000002B0D000-memory.dmp

memory/3720-241-0x0000000000400000-0x0000000002B0D000-memory.dmp

memory/3720-243-0x0000000000400000-0x0000000002B0D000-memory.dmp

memory/3720-246-0x0000000000400000-0x0000000002B0D000-memory.dmp

memory/3720-248-0x0000000000400000-0x0000000002B0D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-17 13:24

Reported

2024-05-17 13:27

Platform

win11-20240508-en

Max time kernel

150s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c2d3038817a10ea9ad45b08676a58f7d29bdde72c748da5e34df131e53c8f018.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\c2d3038817a10ea9ad45b08676a58f7d29bdde72c748da5e34df131e53c8f018.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\c2d3038817a10ea9ad45b08676a58f7d29bdde72c748da5e34df131e53c8f018.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\c2d3038817a10ea9ad45b08676a58f7d29bdde72c748da5e34df131e53c8f018.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\c2d3038817a10ea9ad45b08676a58f7d29bdde72c748da5e34df131e53c8f018.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1021 = "Bangladesh Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2342 = "Haiti Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-385 = "Namibia Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-541 = "Myanmar Daylight Time" C:\Users\Admin\AppData\Local\Temp\c2d3038817a10ea9ad45b08676a58f7d29bdde72c748da5e34df131e53c8f018.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-161 = "Central Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2431 = "Cuba Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1831 = "Russia TZ 2 Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1892 = "Russia TZ 3 Standard Time" C:\Users\Admin\AppData\Local\Temp\c2d3038817a10ea9ad45b08676a58f7d29bdde72c748da5e34df131e53c8f018.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2942 = "Sao Tome Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2372 = "Easter Island Standard Time" C:\Users\Admin\AppData\Local\Temp\c2d3038817a10ea9ad45b08676a58f7d29bdde72c748da5e34df131e53c8f018.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2371 = "Easter Island Daylight Time" C:\Users\Admin\AppData\Local\Temp\c2d3038817a10ea9ad45b08676a58f7d29bdde72c748da5e34df131e53c8f018.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-32 = "Mid-Atlantic Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2792 = "Novosibirsk Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2841 = "Saratov Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2142 = "Transbaikal Standard Time" C:\Users\Admin\AppData\Local\Temp\c2d3038817a10ea9ad45b08676a58f7d29bdde72c748da5e34df131e53c8f018.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-532 = "Sri Lanka Standard Time" C:\Users\Admin\AppData\Local\Temp\c2d3038817a10ea9ad45b08676a58f7d29bdde72c748da5e34df131e53c8f018.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-151 = "Central America Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time" C:\Users\Admin\AppData\Local\Temp\c2d3038817a10ea9ad45b08676a58f7d29bdde72c748da5e34df131e53c8f018.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2491 = "Aus Central W. Daylight Time" C:\Users\Admin\AppData\Local\Temp\c2d3038817a10ea9ad45b08676a58f7d29bdde72c748da5e34df131e53c8f018.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-892 = "Morocco Standard Time" C:\Users\Admin\AppData\Local\Temp\c2d3038817a10ea9ad45b08676a58f7d29bdde72c748da5e34df131e53c8f018.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-215 = "Pacific Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\c2d3038817a10ea9ad45b08676a58f7d29bdde72c748da5e34df131e53c8f018.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-342 = "Egypt Standard Time" C:\Users\Admin\AppData\Local\Temp\c2d3038817a10ea9ad45b08676a58f7d29bdde72c748da5e34df131e53c8f018.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-434 = "Georgian Daylight Time" C:\Users\Admin\AppData\Local\Temp\c2d3038817a10ea9ad45b08676a58f7d29bdde72c748da5e34df131e53c8f018.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-651 = "AUS Central Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-181 = "Mountain Daylight Time (Mexico)" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2181 = "Astrakhan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-292 = "Central European Standard Time" C:\Users\Admin\AppData\Local\Temp\c2d3038817a10ea9ad45b08676a58f7d29bdde72c748da5e34df131e53c8f018.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-431 = "Iran Daylight Time" C:\Users\Admin\AppData\Local\Temp\c2d3038817a10ea9ad45b08676a58f7d29bdde72c748da5e34df131e53c8f018.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-411 = "E. Africa Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-331 = "E. Europe Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-681 = "E. Australia Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1802 = "Line Islands Standard Time" C:\Windows\windefender.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-104 = "Central Brazilian Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-741 = "New Zealand Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-182 = "Mountain Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\c2d3038817a10ea9ad45b08676a58f7d29bdde72c748da5e34df131e53c8f018.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c2d3038817a10ea9ad45b08676a58f7d29bdde72c748da5e34df131e53c8f018.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c2d3038817a10ea9ad45b08676a58f7d29bdde72c748da5e34df131e53c8f018.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c2d3038817a10ea9ad45b08676a58f7d29bdde72c748da5e34df131e53c8f018.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c2d3038817a10ea9ad45b08676a58f7d29bdde72c748da5e34df131e53c8f018.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c2d3038817a10ea9ad45b08676a58f7d29bdde72c748da5e34df131e53c8f018.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c2d3038817a10ea9ad45b08676a58f7d29bdde72c748da5e34df131e53c8f018.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c2d3038817a10ea9ad45b08676a58f7d29bdde72c748da5e34df131e53c8f018.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c2d3038817a10ea9ad45b08676a58f7d29bdde72c748da5e34df131e53c8f018.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c2d3038817a10ea9ad45b08676a58f7d29bdde72c748da5e34df131e53c8f018.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c2d3038817a10ea9ad45b08676a58f7d29bdde72c748da5e34df131e53c8f018.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c2d3038817a10ea9ad45b08676a58f7d29bdde72c748da5e34df131e53c8f018.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c2d3038817a10ea9ad45b08676a58f7d29bdde72c748da5e34df131e53c8f018.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c2d3038817a10ea9ad45b08676a58f7d29bdde72c748da5e34df131e53c8f018.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\c2d3038817a10ea9ad45b08676a58f7d29bdde72c748da5e34df131e53c8f018.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1000 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\c2d3038817a10ea9ad45b08676a58f7d29bdde72c748da5e34df131e53c8f018.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1000 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\c2d3038817a10ea9ad45b08676a58f7d29bdde72c748da5e34df131e53c8f018.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1000 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\c2d3038817a10ea9ad45b08676a58f7d29bdde72c748da5e34df131e53c8f018.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 416 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\c2d3038817a10ea9ad45b08676a58f7d29bdde72c748da5e34df131e53c8f018.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 416 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\c2d3038817a10ea9ad45b08676a58f7d29bdde72c748da5e34df131e53c8f018.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 416 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\c2d3038817a10ea9ad45b08676a58f7d29bdde72c748da5e34df131e53c8f018.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 416 wrote to memory of 4004 N/A C:\Users\Admin\AppData\Local\Temp\c2d3038817a10ea9ad45b08676a58f7d29bdde72c748da5e34df131e53c8f018.exe C:\Windows\system32\cmd.exe
PID 416 wrote to memory of 4004 N/A C:\Users\Admin\AppData\Local\Temp\c2d3038817a10ea9ad45b08676a58f7d29bdde72c748da5e34df131e53c8f018.exe C:\Windows\system32\cmd.exe
PID 4004 wrote to memory of 2620 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4004 wrote to memory of 2620 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 416 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\c2d3038817a10ea9ad45b08676a58f7d29bdde72c748da5e34df131e53c8f018.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 416 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\c2d3038817a10ea9ad45b08676a58f7d29bdde72c748da5e34df131e53c8f018.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 416 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\c2d3038817a10ea9ad45b08676a58f7d29bdde72c748da5e34df131e53c8f018.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 416 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\c2d3038817a10ea9ad45b08676a58f7d29bdde72c748da5e34df131e53c8f018.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 416 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\c2d3038817a10ea9ad45b08676a58f7d29bdde72c748da5e34df131e53c8f018.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 416 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\c2d3038817a10ea9ad45b08676a58f7d29bdde72c748da5e34df131e53c8f018.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 416 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\c2d3038817a10ea9ad45b08676a58f7d29bdde72c748da5e34df131e53c8f018.exe C:\Windows\rss\csrss.exe
PID 416 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\c2d3038817a10ea9ad45b08676a58f7d29bdde72c748da5e34df131e53c8f018.exe C:\Windows\rss\csrss.exe
PID 416 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\c2d3038817a10ea9ad45b08676a58f7d29bdde72c748da5e34df131e53c8f018.exe C:\Windows\rss\csrss.exe
PID 2152 wrote to memory of 3132 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2152 wrote to memory of 3132 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2152 wrote to memory of 3132 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2152 wrote to memory of 2788 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2152 wrote to memory of 2788 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2152 wrote to memory of 2788 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2152 wrote to memory of 2776 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2152 wrote to memory of 2776 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2152 wrote to memory of 2776 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2152 wrote to memory of 2536 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 2152 wrote to memory of 2536 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 2528 wrote to memory of 2448 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 2528 wrote to memory of 2448 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 2528 wrote to memory of 2448 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 2448 wrote to memory of 4952 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 2448 wrote to memory of 4952 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 2448 wrote to memory of 4952 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\c2d3038817a10ea9ad45b08676a58f7d29bdde72c748da5e34df131e53c8f018.exe

"C:\Users\Admin\AppData\Local\Temp\c2d3038817a10ea9ad45b08676a58f7d29bdde72c748da5e34df131e53c8f018.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\c2d3038817a10ea9ad45b08676a58f7d29bdde72c748da5e34df131e53c8f018.exe

"C:\Users\Admin\AppData\Local\Temp\c2d3038817a10ea9ad45b08676a58f7d29bdde72c748da5e34df131e53c8f018.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1000 -ip 1000

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1000 -s 984

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 1e971977-291b-4456-80c5-7cb8ed8692de.uuid.statscreate.org udp
US 8.8.8.8:53 server2.statscreate.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.135.233:443 cdn.discordapp.com tcp
BG 185.82.216.96:443 server2.statscreate.org tcp
US 74.125.250.129:19302 stun4.l.google.com udp
US 172.67.221.71:443 carsalessystem.com tcp
US 8.8.8.8:53 71.221.67.172.in-addr.arpa udp
BG 185.82.216.96:443 server2.statscreate.org tcp
BG 185.82.216.96:443 server2.statscreate.org tcp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_uocts0v2.rt3.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 ac4917a885cf6050b1a483e4bc4d2ea5
SHA1 b1c0a9f27bd21c6bbb8e9be70db8777b4a2a640f
SHA256 e39062a62c3c7617feeeff95ea8a0be51104a0d36f46e44eea22556fda74d8d9
SHA512 092c67a3ecae1d187cad72a8ea1ea37cb78a0cf79c2cd7fb88953e5990669a2e871267015762fd46d274badb88ac0c1d73b00f1df7394d89bed48a3a45c2ba3d

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 0b4852ffb0ef136a77905a016bc9d6dd
SHA1 720563e057722a59dbb49b342108cae9cd443042
SHA256 ebb8314758de99dc0a418f03579e96b73bc20764201e4d211d7bc7141d09e499
SHA512 67a35f1bc79878fc3d96e64b18a30f12d399b4496752a88120159ee61415c1b6b6c99d66d1b5345e96dec0f61888e2b81406754ae6cc1581d014f258dc6d806a

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 1b3b9741331ec1cb29a929fc1a18edb2
SHA1 8dabd5d11bf06cc6e76fdceb71e82b680c9c3db6
SHA256 8f7f656b9c09cc70b5c26cacb90f042fde0e2131f5f121f7690d6db55394eeff
SHA512 53bf8d4d28206892eada7b941a9b85a9faa1d2e1ebbaa90abb29b0c04beaeec539a499630de9ae85eb3feeab894ba44d02aaf7b99bfedfc84d21db959ef6faba

C:\Windows\rss\csrss.exe

MD5 52d69906fb9fedeccf7954d25b3d468c
SHA1 4d3b05ff2be98f0ccc15f3c222f0e0c08124e27d
SHA256 c2d3038817a10ea9ad45b08676a58f7d29bdde72c748da5e34df131e53c8f018
SHA512 9c9ffc709779fa123cd93bc78b5cc0c51f21759f2244df2a296908185182ec005fc25de582818eb70290701fd77df75187c8f849070e8a483c10c44803e1e55f

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 e99a61f26e20ab9846cc7ff248d4116d
SHA1 83d64e223237907ef49542868389fd4975270cb2
SHA256 0632347c6b8d23bcfe457dbd605ecf7cd925a8a70597307de5016cfe08730940
SHA512 e0d652cb8b374471a712492949e8d3223e41dca7040fefb800126f7de065faa39647287955c376a84e384c978242f7a66f1b3e697ef1f123279b72e2d5482c25

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 7c4d9f68456645ec810e2c892a18f3ab
SHA1 edde16a57b0c9ae02e21a57ab2985a048e36d48c
SHA256 482c016da930e4d4e7c6ccd68f3e957c6b7c1f89b9119115c627598b41f2533f
SHA512 34f68c29f544ff506c93a015179bbae0145f672babf66fddcb21d3e66e28461775871841134d2ede9e0122ca21216d8c5fff51551da2d61318593c35aaf792b9

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 4fffad4e9362ca33b5a305d3c66ca875
SHA1 f6b33851c5071be851df923dc186e3bf8510244c
SHA256 a3ab9352370be7aba7c837971a3a3a941e44d318cfbcbf86e2bae41528cf2422
SHA512 898fdbb171ce658511bcac9840d866cec2bc7ede3dc48a3fb02518467c7955961f659d94c7441a5ab32e7022dc5595ee0f707694eeb8a997c28c7d8d9dadd175

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec
