Malware Analysis Report

2025-03-14 22:52

Sample ID 240406-1f5aqacd49
Target 1383f55836f906b8f316a624b17e4811f21b9e88f06c097a369aebac5e2db0db
SHA256 1383f55836f906b8f316a624b17e4811f21b9e88f06c097a369aebac5e2db0db
Tags
glupteba discovery dropper evasion loader persistence rootkit upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

1383f55836f906b8f316a624b17e4811f21b9e88f06c097a369aebac5e2db0db

Threat Level: Known bad

The file 1383f55836f906b8f316a624b17e4811f21b9e88f06c097a369aebac5e2db0db was found to be: Known bad.

Malicious Activity Summary

glupteba discovery dropper evasion loader persistence rootkit upx

Glupteba

Glupteba payload

Modifies Windows Firewall

Executes dropped EXE

UPX packed file

Checks installed software on the system

Adds Run key to start application

Manipulates WinMonFS driver

Drops file in System32 directory

Launches sc.exe

Drops file in Windows directory

Checks for VirtualBox DLLs, possible anti-VM trick

Program crash

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Modifies data under HKEY_USERS

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-06 21:36

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-06 21:36

Reported

2024-04-06 21:39

Platform

win10v2004-20231215-en

Max time kernel

149s

Max time network

142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1383f55836f906b8f316a624b17e4811f21b9e88f06c097a369aebac5e2db0db.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

18 matches, none with a recorded description, indicator, process or target.

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
4 matches, none with a recorded description, indicator, process or target.

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Users\Admin\AppData\Local\Temp\1383f55836f906b8f316a624b17e4811f21b9e88f06c097a369aebac5e2db0db.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Windows\rss\csrss.exe | N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver

rootkit evasion
Description | Indicator | Process | Target
File opened for modification | \??\WinMonFS | C:\Windows\rss\csrss.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description | Indicator | Process | Target
File opened (read-only) | \??\VBoxMiniRdrDN | C:\Users\Admin\AppData\Local\Temp\1383f55836f906b8f316a624b17e4811f21b9e88f06c097a369aebac5e2db0db.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\rss | C:\Users\Admin\AppData\Local\Temp\1383f55836f906b8f316a624b17e4811f21b9e88f06c097a369aebac5e2db0db.exe | N/A
File created | C:\Windows\rss\csrss.exe | C:\Users\Admin\AppData\Local\Temp\1383f55836f906b8f316a624b17e4811f21b9e88f06c097a369aebac5e2db0db.exe | N/A
File created | C:\Windows\windefender.exe | C:\Windows\rss\csrss.exe | N/A
File opened for modification | C:\Windows\windefender.exe | C:\Windows\rss\csrss.exe | N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-501 = "Nepal Daylight Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-3141 = "South Sudan Daylight Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1042 = "Ulaanbaatar Standard Time" | C:\Users\Admin\AppData\Local\Temp\1383f55836f906b8f316a624b17e4811f21b9e88f06c097a369aebac5e2db0db.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-392 = "Arab Standard Time" | C:\Windows\windefender.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2162 = "Altai Standard Time" | C:\Windows\windefender.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2432 = "Cuba Standard Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-1932 = "Russia TZ 11 Standard Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2572 = "Turks and Caicos Standard Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-931 = "Coordinated Universal Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-172 = "Central Standard Time (Mexico)" | C:\Users\Admin\AppData\Local\Temp\1383f55836f906b8f316a624b17e4811f21b9e88f06c097a369aebac5e2db0db.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2842 = "Saratov Standard Time" | C:\Users\Admin\AppData\Local\Temp\1383f55836f906b8f316a624b17e4811f21b9e88f06c097a369aebac5e2db0db.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-381 = "South Africa Daylight Time" | C:\Users\Admin\AppData\Local\Temp\1383f55836f906b8f316a624b17e4811f21b9e88f06c097a369aebac5e2db0db.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-382 = "South Africa Standard Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-651 = "AUS Central Daylight Time" | C:\Users\Admin\AppData\Local\Temp\1383f55836f906b8f316a624b17e4811f21b9e88f06c097a369aebac5e2db0db.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-301 = "Romance Daylight Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-214 = "Pacific Daylight Time (Mexico)" | C:\Users\Admin\AppData\Local\Temp\1383f55836f906b8f316a624b17e4811f21b9e88f06c097a369aebac5e2db0db.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-384 = "Namibia Daylight Time" | C:\Users\Admin\AppData\Local\Temp\1383f55836f906b8f316a624b17e4811f21b9e88f06c097a369aebac5e2db0db.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-1412 = "Syria Standard Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-682 = "E. Australia Standard Time" | C:\Users\Admin\AppData\Local\Temp\1383f55836f906b8f316a624b17e4811f21b9e88f06c097a369aebac5e2db0db.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-361 = "GTB Daylight Time" | C:\Users\Admin\AppData\Local\Temp\1383f55836f906b8f316a624b17e4811f21b9e88f06c097a369aebac5e2db0db.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-71 = "Newfoundland Daylight Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2062 = "North Korea Standard Time" | C:\Users\Admin\AppData\Local\Temp\1383f55836f906b8f316a624b17e4811f21b9e88f06c097a369aebac5e2db0db.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2942 = "Sao Tome Standard Time" | C:\Users\Admin\AppData\Local\Temp\1383f55836f906b8f316a624b17e4811f21b9e88f06c097a369aebac5e2db0db.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-1891 = "Russia TZ 3 Daylight Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-721 = "Central Pacific Daylight Time" | C:\Users\Admin\AppData\Local\Temp\1383f55836f906b8f316a624b17e4811f21b9e88f06c097a369aebac5e2db0db.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2341 = "Haiti Daylight Time" | C:\Users\Admin\AppData\Local\Temp\1383f55836f906b8f316a624b17e4811f21b9e88f06c097a369aebac5e2db0db.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1822 = "Russia TZ 1 Standard Time" | C:\Users\Admin\AppData\Local\Temp\1383f55836f906b8f316a624b17e4811f21b9e88f06c097a369aebac5e2db0db.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1932 = "Russia TZ 11 Standard Time" | C:\Users\Admin\AppData\Local\Temp\1383f55836f906b8f316a624b17e4811f21b9e88f06c097a369aebac5e2db0db.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2492 = "Aus Central W. Standard Time" | C:\Users\Admin\AppData\Local\Temp\1383f55836f906b8f316a624b17e4811f21b9e88f06c097a369aebac5e2db0db.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-872 = "Pakistan Standard Time" | C:\Users\Admin\AppData\Local\Temp\1383f55836f906b8f316a624b17e4811f21b9e88f06c097a369aebac5e2db0db.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-531 = "Sri Lanka Daylight Time" | C:\Users\Admin\AppData\Local\Temp\1383f55836f906b8f316a624b17e4811f21b9e88f06c097a369aebac5e2db0db.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-841 = "Argentina Daylight Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2941 = "Sao Tome Daylight Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-531 = "Sri Lanka Daylight Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-191 = "Mountain Daylight Time" | C:\Users\Admin\AppData\Local\Temp\1383f55836f906b8f316a624b17e4811f21b9e88f06c097a369aebac5e2db0db.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-491 = "India Daylight Time" | C:\Windows\windefender.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2892 = "Sudan Standard Time" | C:\Windows\windefender.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1383f55836f906b8f316a624b17e4811f21b9e88f06c097a369aebac5e2db0db.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1383f55836f906b8f316a624b17e4811f21b9e88f06c097a369aebac5e2db0db.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1383f55836f906b8f316a624b17e4811f21b9e88f06c097a369aebac5e2db0db.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1383f55836f906b8f316a624b17e4811f21b9e88f06c097a369aebac5e2db0db.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1383f55836f906b8f316a624b17e4811f21b9e88f06c097a369aebac5e2db0db.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1383f55836f906b8f316a624b17e4811f21b9e88f06c097a369aebac5e2db0db.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1383f55836f906b8f316a624b17e4811f21b9e88f06c097a369aebac5e2db0db.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1383f55836f906b8f316a624b17e4811f21b9e88f06c097a369aebac5e2db0db.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1383f55836f906b8f316a624b17e4811f21b9e88f06c097a369aebac5e2db0db.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1383f55836f906b8f316a624b17e4811f21b9e88f06c097a369aebac5e2db0db.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1383f55836f906b8f316a624b17e4811f21b9e88f06c097a369aebac5e2db0db.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1383f55836f906b8f316a624b17e4811f21b9e88f06c097a369aebac5e2db0db.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1383f55836f906b8f316a624b17e4811f21b9e88f06c097a369aebac5e2db0db.exe | N/A
Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1383f55836f906b8f316a624b17e4811f21b9e88f06c097a369aebac5e2db0db.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\rss\csrss.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\sc.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\sc.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3624 wrote to memory of 3180 | N/A | C:\Users\Admin\AppData\Local\Temp\1383f55836f906b8f316a624b17e4811f21b9e88f06c097a369aebac5e2db0db.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3624 wrote to memory of 3180 | N/A | C:\Users\Admin\AppData\Local\Temp\1383f55836f906b8f316a624b17e4811f21b9e88f06c097a369aebac5e2db0db.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3624 wrote to memory of 3180 | N/A | C:\Users\Admin\AppData\Local\Temp\1383f55836f906b8f316a624b17e4811f21b9e88f06c097a369aebac5e2db0db.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3028 wrote to memory of 2884 | N/A | C:\Users\Admin\AppData\Local\Temp\1383f55836f906b8f316a624b17e4811f21b9e88f06c097a369aebac5e2db0db.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3028 wrote to memory of 2884 | N/A | C:\Users\Admin\AppData\Local\Temp\1383f55836f906b8f316a624b17e4811f21b9e88f06c097a369aebac5e2db0db.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3028 wrote to memory of 2884 | N/A | C:\Users\Admin\AppData\Local\Temp\1383f55836f906b8f316a624b17e4811f21b9e88f06c097a369aebac5e2db0db.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3028 wrote to memory of 1348 | N/A | C:\Users\Admin\AppData\Local\Temp\1383f55836f906b8f316a624b17e4811f21b9e88f06c097a369aebac5e2db0db.exe | C:\Windows\system32\cmd.exe
PID 3028 wrote to memory of 1348 | N/A | C:\Users\Admin\AppData\Local\Temp\1383f55836f906b8f316a624b17e4811f21b9e88f06c097a369aebac5e2db0db.exe | C:\Windows\system32\cmd.exe
PID 1348 wrote to memory of 1272 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\netsh.exe
PID 1348 wrote to memory of 1272 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\netsh.exe
PID 3028 wrote to memory of 5968 | N/A | C:\Users\Admin\AppData\Local\Temp\1383f55836f906b8f316a624b17e4811f21b9e88f06c097a369aebac5e2db0db.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3028 wrote to memory of 5968 | N/A | C:\Users\Admin\AppData\Local\Temp\1383f55836f906b8f316a624b17e4811f21b9e88f06c097a369aebac5e2db0db.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3028 wrote to memory of 5968 | N/A | C:\Users\Admin\AppData\Local\Temp\1383f55836f906b8f316a624b17e4811f21b9e88f06c097a369aebac5e2db0db.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3028 wrote to memory of 5380 | N/A | C:\Users\Admin\AppData\Local\Temp\1383f55836f906b8f316a624b17e4811f21b9e88f06c097a369aebac5e2db0db.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3028 wrote to memory of 5380 | N/A | C:\Users\Admin\AppData\Local\Temp\1383f55836f906b8f316a624b17e4811f21b9e88f06c097a369aebac5e2db0db.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3028 wrote to memory of 5380 | N/A | C:\Users\Admin\AppData\Local\Temp\1383f55836f906b8f316a624b17e4811f21b9e88f06c097a369aebac5e2db0db.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3028 wrote to memory of 2968 | N/A | C:\Users\Admin\AppData\Local\Temp\1383f55836f906b8f316a624b17e4811f21b9e88f06c097a369aebac5e2db0db.exe | C:\Windows\rss\csrss.exe
PID 3028 wrote to memory of 2968 | N/A | C:\Users\Admin\AppData\Local\Temp\1383f55836f906b8f316a624b17e4811f21b9e88f06c097a369aebac5e2db0db.exe | C:\Windows\rss\csrss.exe
PID 3028 wrote to memory of 2968 | N/A | C:\Users\Admin\AppData\Local\Temp\1383f55836f906b8f316a624b17e4811f21b9e88f06c097a369aebac5e2db0db.exe | C:\Windows\rss\csrss.exe
PID 2968 wrote to memory of 1216 | N/A | C:\Windows\rss\csrss.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2968 wrote to memory of 1216 | N/A | C:\Windows\rss\csrss.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2968 wrote to memory of 1216 | N/A | C:\Windows\rss\csrss.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2968 wrote to memory of 1300 | N/A | C:\Windows\rss\csrss.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2968 wrote to memory of 1300 | N/A | C:\Windows\rss\csrss.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2968 wrote to memory of 1300 | N/A | C:\Windows\rss\csrss.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2968 wrote to memory of 404 | N/A | C:\Windows\rss\csrss.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2968 wrote to memory of 404 | N/A | C:\Windows\rss\csrss.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2968 wrote to memory of 404 | N/A | C:\Windows\rss\csrss.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2968 wrote to memory of 4520 | N/A | C:\Windows\rss\csrss.exe | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 2968 wrote to memory of 4520 | N/A | C:\Windows\rss\csrss.exe | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 1944 wrote to memory of 2972 | N/A | C:\Windows\windefender.exe | C:\Windows\SysWOW64\cmd.exe
PID 1944 wrote to memory of 2972 | N/A | C:\Windows\windefender.exe | C:\Windows\SysWOW64\cmd.exe
PID 1944 wrote to memory of 2972 | N/A | C:\Windows\windefender.exe | C:\Windows\SysWOW64\cmd.exe
PID 2972 wrote to memory of 6100 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\sc.exe
PID 2972 wrote to memory of 6100 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\sc.exe
PID 2972 wrote to memory of 6100 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\1383f55836f906b8f316a624b17e4811f21b9e88f06c097a369aebac5e2db0db.exe

"C:\Users\Admin\AppData\Local\Temp\1383f55836f906b8f316a624b17e4811f21b9e88f06c097a369aebac5e2db0db.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\1383f55836f906b8f316a624b17e4811f21b9e88f06c097a369aebac5e2db0db.exe

"C:\Users\Admin\AppData\Local\Temp\1383f55836f906b8f316a624b17e4811f21b9e88f06c097a369aebac5e2db0db.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe
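The sc sdset command in the list above rewrites the security descriptor of the WinDefender service the sample installs. The Python below, added here as a worked example and not part of the sandbox report or of the malware, decodes that SDDL string into service access rights per trustee and diffs it against a reference descriptor. SAMPLE_SDDL is copied from the process list; BASELINE_SDDL is an assumption, the commonly documented default DACL of a newly created Windows service, used only as the reference to diff against.

```python
"""Decode the service security descriptor the sample sets with
sc sdset WinDefender ... and show what each trustee loses.

Added example for this report, not code from the sandbox or the malware.
SAMPLE_SDDL is copied from the report's process list. BASELINE_SDDL is an
assumption: the commonly documented default DACL for a newly created
Windows service, used only as a reference to diff against.
"""
import re

# SDDL two-letter right codes as interpreted for service objects.
SERVICE_RIGHTS = {
    "CC": "QUERY_CONFIG", "DC": "CHANGE_CONFIG", "LC": "QUERY_STATUS",
    "SW": "ENUMERATE_DEPENDENTS", "RP": "START", "WP": "STOP",
    "DT": "PAUSE_CONTINUE", "LO": "INTERROGATE", "CR": "USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}

# Well-known SID abbreviations used in these descriptors.
TRUSTEES = {
    "SY": "NT AUTHORITY\\SYSTEM", "BA": "BUILTIN\\Administrators",
    "IU": "NT AUTHORITY\\INTERACTIVE", "SU": "NT AUTHORITY\\SERVICE",
}

# Copied from the report: the argument the sample passes to sc sdset.
SAMPLE_SDDL = (
    "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)"
    "(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
    "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
)

# Assumed reference: the default descriptor of a freshly created service.
BASELINE_SDDL = (
    "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
    "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
    "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
)

def parse_dacl(sddl):
    """Return the DACL as [(ace_type, frozenset(right_names), sid_abbrev)].

    Only the D: section is read; the S: (audit) section is ignored.
    ACE layout: (type;flags;rights;object_guid;inherit_guid;sid).
    """
    m = re.search(r"D:(.*?)(?:S:|$)", sddl)
    if not m:
        raise ValueError("descriptor has no DACL")
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m.group(1)):
        fields = body.split(";")
        if len(fields) != 6:
            raise ValueError("malformed ACE: " + body)
        ace_type, _flags, rights, _obj, _inh, sid = fields
        if rights.startswith("0x") or len(rights) % 2:
            raise ValueError("unsupported rights field: " + rights)
        names = frozenset(SERVICE_RIGHTS[rights[i:i + 2]]
                          for i in range(0, len(rights), 2))
        aces.append((ace_type, names, sid))
    return aces

def effective_rights(sddl, trustee):
    """Rights the trustee ends up with; a deny ACE always beats an allow."""
    allowed, denied = set(), set()
    for ace_type, rights, sid in parse_dacl(sddl):
        if sid != trustee:
            continue
        if ace_type == "A":
            allowed |= rights
        elif ace_type == "D":
            denied |= rights
    return allowed - denied

def rights_removed(baseline, modified, trustee):
    """Rights the trustee holds under baseline but not under modified."""
    return effective_rights(baseline, trustee) - effective_rights(modified, trustee)

if __name__ == "__main__":
    for abbrev, name in TRUSTEES.items():
        lost = rights_removed(BASELINE_SDDL, SAMPLE_SDDL, abbrev)
        print(f"{name}: loses {sorted(lost) or 'nothing'}")
```

Run stand-alone it reports that BUILTIN\Administrators lose STOP and PAUSE_CONTINUE: the allow ACE for BA omits WP and DT, and an explicit deny ACE for WPDT is added, so stopping the service fails even from an elevated prompt. BA still keeps WRITE_DAC (WD) and CHANGE_CONFIG, so an administrator can reapply a sane descriptor with another sc sdset and then stop the service. The evaluator treats any deny as overriding an allow, which gives the same answer here whatever the ACE order.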

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 159.113.220.23.in-addr.arpa udp
US 8.8.8.8:53 140.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 f90715a1-c1f8-4592-abab-db8832eae2cf.uuid.thestatsfiles.ru udp
US 8.8.8.8:53 stun2.l.google.com udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 server14.thestatsfiles.ru udp
US 162.159.129.233:443 cdn.discordapp.com tcp
ZA 74.125.27.36:19302 stun2.l.google.com udp
BG 185.82.216.96:443 server14.thestatsfiles.ru tcp
US 8.8.8.8:53 carsalessystem.com udp
US 172.67.221.71:443 carsalessystem.com tcp
US 8.8.8.8:53 36.27.125.74.in-addr.arpa udp
US 8.8.8.8:53 233.129.159.162.in-addr.arpa udp
US 8.8.8.8:53 96.216.82.185.in-addr.arpa udp
US 8.8.8.8:53 71.221.67.172.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
BG 185.82.216.96:443 server14.thestatsfiles.ru tcp
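Most rows in this table are PTR (in-addr.arpa) queries sent to 8.8.8.8. Reversing the labels of those names gives the addresses being looked up, and four of them are exactly the peers the sample connected to: cdn.discordapp.com, the Google STUN server, server14.thestatsfiles.ru and carsalessystem.com. The Python below is an added example, not code from the sandbox or the malware; it parses the table (copied in as sample input, header row dropped) and separates PTR lookups for connected peers from the rest.

```python
"""Correlate the reverse-DNS (PTR) lookups in this report's network table
with the hosts the sample actually connected to.

Added example for this report, not code from the sandbox or the malware.
NETWORK_TABLE is the report's behavioral1 network table, copied in as
constructed sample input with the header row dropped.
"""
import ipaddress

NETWORK_TABLE = """\
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 159.113.220.23.in-addr.arpa udp
US 8.8.8.8:53 140.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 f90715a1-c1f8-4592-abab-db8832eae2cf.uuid.thestatsfiles.ru udp
US 8.8.8.8:53 stun2.l.google.com udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 server14.thestatsfiles.ru udp
US 162.159.129.233:443 cdn.discordapp.com tcp
ZA 74.125.27.36:19302 stun2.l.google.com udp
BG 185.82.216.96:443 server14.thestatsfiles.ru tcp
US 8.8.8.8:53 carsalessystem.com udp
US 172.67.221.71:443 carsalessystem.com tcp
US 8.8.8.8:53 36.27.125.74.in-addr.arpa udp
US 8.8.8.8:53 233.129.159.162.in-addr.arpa udp
US 8.8.8.8:53 96.216.82.185.in-addr.arpa udp
US 8.8.8.8:53 71.221.67.172.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
BG 185.82.216.96:443 server14.thestatsfiles.ru tcp
"""

def ptr_to_ip(name):
    """Turn a PTR query name (d.c.b.a.in-addr.arpa) back into a.b.c.d, or None."""
    suffix = ".in-addr.arpa"
    if not name.lower().endswith(suffix):
        return None
    octets = name[:-len(suffix)].split(".")
    if len(octets) != 4:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(octets))))
    except ipaddress.AddressValueError:
        return None

def parse_rows(text):
    """Parse 'Country Destination Domain Proto' rows into dicts."""
    rows = []
    for line in text.strip().splitlines():
        country, dest, domain, proto = line.split()
        host, _, port = dest.rpartition(":")
        rows.append({"country": country, "ip": host, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows

def correlate(text):
    """Split PTR lookups into those naming a peer the sample talked to
    (any destination other than the DNS resolver) and those naming an
    address with no connection anywhere in the table."""
    rows = parse_rows(text)
    peers = {r["ip"]: r["domain"] for r in rows if r["port"] != 53}
    matched, unmatched = {}, []
    for r in rows:
        ip = ptr_to_ip(r["domain"])
        if ip is None:
            continue
        if ip in peers:
            matched[ip] = peers[ip]
        else:
            unmatched.append(ip)
    return matched, unmatched

if __name__ == "__main__":
    matched, unmatched = correlate(NETWORK_TABLE)
    for ip, domain in matched.items():
        print(f"PTR lookup for {ip} names a connected peer: {domain}")
    print(f"{len(unmatched)} PTR lookups name addresses with no connection in the table")
```

The remaining 11 reverse lookups name addresses that never appear as a destination, so this report alone cannot attribute them to the sample rather than to the guest OS; only the four correlated ones are backed by an observed connection.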

Files

memory/3624-1-0x0000000004EC0000-0x00000000052BB000-memory.dmp

memory/3624-2-0x00000000052C0000-0x0000000005BAB000-memory.dmp

memory/3624-3-0x0000000000400000-0x0000000002F4A000-memory.dmp

memory/3180-4-0x0000000002F30000-0x0000000002F66000-memory.dmp

memory/3180-5-0x00000000742A0000-0x0000000074A50000-memory.dmp

memory/3180-6-0x0000000003010000-0x0000000003020000-memory.dmp

memory/3180-7-0x0000000003010000-0x0000000003020000-memory.dmp

memory/3180-8-0x00000000056A0000-0x0000000005CC8000-memory.dmp

memory/3180-9-0x0000000005540000-0x0000000005562000-memory.dmp

memory/3180-10-0x00000000055E0000-0x0000000005646000-memory.dmp

memory/3180-11-0x0000000005D40000-0x0000000005DA6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4hfvrean.42a.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3180-21-0x0000000005EF0000-0x0000000006244000-memory.dmp

memory/3180-22-0x0000000006590000-0x00000000065AE000-memory.dmp

memory/3180-23-0x00000000065C0000-0x000000000660C000-memory.dmp

memory/3180-24-0x0000000006AF0000-0x0000000006B34000-memory.dmp

memory/3180-25-0x00000000078D0000-0x0000000007946000-memory.dmp

memory/3180-26-0x0000000007FD0000-0x000000000864A000-memory.dmp

memory/3180-27-0x0000000007950000-0x000000000796A000-memory.dmp

memory/3180-29-0x0000000007B10000-0x0000000007B42000-memory.dmp

memory/3180-41-0x0000000007B50000-0x0000000007B6E000-memory.dmp

memory/3180-43-0x0000000007B70000-0x0000000007C13000-memory.dmp

memory/3180-44-0x0000000007C60000-0x0000000007C6A000-memory.dmp

memory/3180-42-0x0000000003010000-0x0000000003020000-memory.dmp

memory/3180-31-0x0000000070530000-0x0000000070884000-memory.dmp

memory/3180-30-0x0000000070140000-0x000000007018C000-memory.dmp

memory/3180-28-0x000000007F610000-0x000000007F620000-memory.dmp

memory/3180-45-0x0000000007D20000-0x0000000007DB6000-memory.dmp

memory/3180-46-0x0000000007C80000-0x0000000007C91000-memory.dmp

memory/3180-47-0x0000000007CC0000-0x0000000007CCE000-memory.dmp

memory/3180-48-0x0000000007CD0000-0x0000000007CE4000-memory.dmp

memory/3180-50-0x0000000007D10000-0x0000000007D18000-memory.dmp

memory/3180-49-0x0000000007DC0000-0x0000000007DDA000-memory.dmp

memory/3180-53-0x00000000742A0000-0x0000000074A50000-memory.dmp

memory/3624-54-0x0000000000400000-0x0000000002F4A000-memory.dmp

memory/3624-56-0x00000000052C0000-0x0000000005BAB000-memory.dmp

memory/3028-57-0x0000000004CE0000-0x00000000050D9000-memory.dmp

memory/3028-58-0x00000000050E0000-0x00000000059CB000-memory.dmp

memory/3028-59-0x0000000000400000-0x0000000002F4A000-memory.dmp

memory/2884-61-0x0000000005300000-0x0000000005310000-memory.dmp

memory/2884-60-0x0000000005300000-0x0000000005310000-memory.dmp

memory/2884-63-0x0000000074340000-0x0000000074AF0000-memory.dmp

memory/2884-62-0x00000000060F0000-0x0000000006444000-memory.dmp

memory/2884-73-0x00000000067F0000-0x000000000683C000-memory.dmp

memory/2884-75-0x0000000070240000-0x000000007028C000-memory.dmp

memory/2884-74-0x000000007F2E0000-0x000000007F2F0000-memory.dmp

memory/2884-76-0x00000000709E0000-0x0000000070D34000-memory.dmp

memory/2884-86-0x0000000007990000-0x0000000007A33000-memory.dmp

memory/2884-87-0x0000000005300000-0x0000000005310000-memory.dmp

memory/2884-88-0x0000000007CB0000-0x0000000007CC1000-memory.dmp

memory/2884-89-0x0000000007D00000-0x0000000007D14000-memory.dmp

memory/2884-92-0x0000000074340000-0x0000000074AF0000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 3d086a433708053f9bf9523e1d87a4e8
SHA1 b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA256 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

memory/5968-94-0x0000000074340000-0x0000000074AF0000-memory.dmp

memory/5968-95-0x0000000002CC0000-0x0000000002CD0000-memory.dmp

memory/5968-96-0x0000000002CC0000-0x0000000002CD0000-memory.dmp

memory/5968-106-0x0000000005D70000-0x00000000060C4000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 c09a15a21609513e726dccefbf7e28a8
SHA1 8a830cb940e9d47278f6097eebf2eaaaa63a5456
SHA256 9079404fd609a914c37f14f15a256505bf0462540d7dc94e864211d9953a0acb
SHA512 bffe0dc64bdada4a3a5faf4eea0920a4b08fe29069d17eab5fea831711184ac5885d34b24154743b9dd7ae112f6fe4de0f66ba2f332a95717a246f55cee03eb9

memory/5968-109-0x0000000070240000-0x000000007028C000-memory.dmp

memory/5968-108-0x000000007F940000-0x000000007F950000-memory.dmp

memory/5968-110-0x00000000703C0000-0x0000000070714000-memory.dmp

memory/5968-121-0x0000000002CC0000-0x0000000002CD0000-memory.dmp

memory/5968-122-0x0000000002CC0000-0x0000000002CD0000-memory.dmp

memory/3028-120-0x0000000004CE0000-0x00000000050D9000-memory.dmp

memory/5968-124-0x0000000074340000-0x0000000074AF0000-memory.dmp

memory/5380-125-0x0000000074340000-0x0000000074AF0000-memory.dmp

memory/5380-126-0x0000000004B50000-0x0000000004B60000-memory.dmp

memory/5380-127-0x00000000059B0000-0x0000000005D04000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 cc69fe90cb790008bf2130ca8fac508b
SHA1 f1585e510638dd1cabfdfcf4320089c1d81080b7
SHA256 49e27863f82b04e4c8adce34806b47eea0ad85a21cd54ece413c86d38f6c8676
SHA512 ebc668ccd9a25e97585dcbe5b2fbf3d22e5072e33a2b1fdc5e63fc5c7e5a63865680e0ddb1982c23d0796f392bb9076b51bfe4cf55cb78591508b6bcf0777e4a

C:\Windows\rss\csrss.exe

MD5 6e14d1db9ff992aee67deedb2ecd6c0a
SHA1 45e97da453e466f6a3fc2e50cfdd267f4a3bc39c
SHA256 1383f55836f906b8f316a624b17e4811f21b9e88f06c097a369aebac5e2db0db
SHA512 e3df7318d301c0041bbad97d516dc901ad29c044e32758771170c3c86f0d21a394a90b012610c78ea6e12e18ab040fc86185051e85770a386c4cc27684d8e3b8
(Same SHA256 as the submitted sample: the dropper copies itself to C:\Windows\rss\csrss.exe, so this file is the original binary under a system-process name, not a second-stage payload.)

memory/3028-158-0x0000000000400000-0x0000000002F4A000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 821296e78f3b8f7706ec903e7acfd1e5
SHA1 6dd6a38de0bb75936d699a3c7975af359cc4c278
SHA256 8f4d8186549f99438937ac301ce72515de6a77662d83fd702f107c3472223e73
SHA512 e1f288f4af1cc9eea72ce3d48775f0fb2d35030ac9e51ff2d1730956b4c8143330d3e9e3a0ee2d6266d2bc90ff237d434e76df298879c913f52fb1a479513eab

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 bea13d127e1616f9a88d7173b33324d5
SHA1 450e1a03a7413c66f5fd13560a853bcccf6b343e
SHA256 c5b2055550742232f9808640f280f75f52b0956396fff20fdc98c0d0a3c36c51
SHA512 34074196231b1745784f34ebe9f9c0836314aa780cdfda90bdecbf89c2e3cd2444e69335cb38cf75f69290daab4ce087a44bb7e9f0c8c3e861e50c700eac4daa

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 7cb24e472a5855c53f48f05345c1c309
SHA1 b1313ce021540f6f2d80d19df9dbe1a11238a4c6
SHA256 14ebab1471813a91384552745345006d71ed0fedb3afffe119f87692b12d3ddd
SHA512 51069420696a790d52e497b8da3fa88764e840ae5eed56a579eb00b8860a2f9e33d596c0578a4b8fab11df18dc65dfba88600fed0690e2df1f730ff409a9e149

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/2968-263-0x0000000000400000-0x0000000002F4A000-memory.dmp

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/2968-267-0x0000000000400000-0x0000000002F4A000-memory.dmp

memory/1944-271-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2968-273-0x0000000000400000-0x0000000002F4A000-memory.dmp

memory/3548-274-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2968-275-0x0000000000400000-0x0000000002F4A000-memory.dmp

memory/2968-277-0x0000000000400000-0x0000000002F4A000-memory.dmp

memory/3548-278-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2968-279-0x0000000000400000-0x0000000002F4A000-memory.dmp

memory/2968-281-0x0000000000400000-0x0000000002F4A000-memory.dmp

memory/2968-283-0x0000000000400000-0x0000000002F4A000-memory.dmp

memory/2968-285-0x0000000000400000-0x0000000002F4A000-memory.dmp

memory/2968-287-0x0000000000400000-0x0000000002F4A000-memory.dmp

memory/2968-289-0x0000000000400000-0x0000000002F4A000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-06 21:36

Reported

2024-04-06 21:39

Platform

win11-20240221-en

Max time kernel

149s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1383f55836f906b8f316a624b17e4811f21b9e88f06c097a369aebac5e2db0db.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
(20 matches, all fields N/A: the sandbox recorded no description, indicator, process or target for them)

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Description Indicator Process Target
(4 matches, all fields N/A: the sandbox recorded no description, indicator, process or target for them)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\1383f55836f906b8f316a624b17e4811f21b9e88f06c097a369aebac5e2db0db.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A
(\??\WinMonFS is the device interface of the WinMonFS kernel driver that Glupteba uses to hide its files. Opening it from csrss.exe means the loader is probing for or talking to an already loaded driver; this report records no .sys file drop or driver service install.)

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\1383f55836f906b8f316a624b17e4811f21b9e88f06c097a369aebac5e2db0db.exe N/A
(\??\VBoxMiniRdrDN is the device object of the VirtualBox shared-folders mini-redirector, not a DLL; the open succeeds only in a VirtualBox guest with Guest Additions installed, which is what the sample is testing for.)

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\1383f55836f906b8f316a624b17e4811f21b9e88f06c097a369aebac5e2db0db.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\1383f55836f906b8f316a624b17e4811f21b9e88f06c097a369aebac5e2db0db.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
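The persistence and evasion signatures above correspond to four distinct command lines in the behavioral1 process list: the schtasks logon task created with /RL HIGHEST, the netsh inbound allow rule, the sc sdset deny ACE for Administrators, and the copy of the sample running as C:\Windows\rss\csrss.exe. The Python below is an added detection example, not code from the sandbox or the malware; it runs four rules over a constructed process log whose command lines are copied from this report, plus one benign schtasks line for contrast. The tab-separated log layout, the TRUSTED_DIRS list and the SYSTEM_BINARIES set are assumptions to adapt to your own telemetry.

```python
"""Flag the persistence and defense-evasion commands this report records
when they show up in process-creation telemetry.

Added example for this report, not code from the sandbox or the malware.
SAMPLE_LOG is constructed: one process per line as image<TAB>command line,
with command lines copied from the report's process list plus one benign
schtasks line. The log layout, TRUSTED_DIRS and SYSTEM_BINARIES are
assumptions; adapt parse_log() and the lists to your Sysmon or EDR export.
"""
import re
from pathlib import PureWindowsPath

# Directories Windows' own binaries and installed software run from.
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                "c:\\program files\\", "c:\\program files (x86)\\")

# Core Windows process names that malware likes to borrow (here: csrss.exe).
SYSTEM_BINARIES = {"csrss.exe", "smss.exe", "lsass.exe", "svchost.exe",
                   "winlogon.exe", "wininit.exe", "services.exe"}

SAMPLE_LOG = "\n".join([
    "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe\tpowershell -nologo -noprofile",
    "C:\\Windows\\system32\\netsh.exe\tnetsh advfirewall firewall add rule name=\"csrss\" dir=in action=allow program=\"C:\\Windows\\rss\\csrss.exe\" enable=yes",
    "C:\\Windows\\rss\\csrss.exe\tC:\\Windows\\rss\\csrss.exe",
    "C:\\Windows\\SYSTEM32\\schtasks.exe\tschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR \"C:\\Windows\\rss\\csrss.exe\" /TN csrss /F",
    "C:\\Windows\\SYSTEM32\\schtasks.exe\tschtasks /CREATE /SC DAILY /TR \"C:\\Program Files\\Vendor\\updater.exe\" /TN VendorUpdate /F",
    "C:\\Windows\\SysWOW64\\sc.exe\tsc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)",
])

def unquote(path):
    return path.strip('"')

def in_trusted_dir(path):
    return unquote(path).lower().startswith(TRUSTED_DIRS)

def basename(path):
    return PureWindowsPath(unquote(path)).name.lower()

def rule_masquerade(image, cmd):
    """A core Windows process name launched from outside System32/SysWOW64."""
    if basename(image) in SYSTEM_BINARIES and not in_trusted_dir(image):
        return "system process name outside System32: " + image

def rule_schtasks(image, cmd):
    """schtasks /CREATE ... /RL HIGHEST whose /TR target is an untrusted path."""
    if basename(image) != "schtasks.exe" or not re.search(r"/create\b", cmd, re.I):
        return None
    m = re.search(r'/tr\s+("[^"]+"|\S+)', cmd, re.I)
    if m and re.search(r"/rl\s+highest", cmd, re.I) and not in_trusted_dir(m.group(1)):
        return "elevated task runs untrusted path: " + unquote(m.group(1))

def rule_firewall(image, cmd):
    """netsh advfirewall inbound allow rule for a program in an untrusted path."""
    if basename(image) != "netsh.exe":
        return None
    m = re.search(r'advfirewall\s+firewall\s+add\s+rule.*?program=("[^"]+"|\S+)', cmd, re.I)
    if (m and re.search(r"dir=in", cmd, re.I) and re.search(r"action=allow", cmd, re.I)
            and not in_trusted_dir(m.group(1))):
        return "inbound allow for untrusted program: " + unquote(m.group(1))

def rule_sc_sdset(image, cmd):
    """sc sdset that adds a deny ACE for BUILTIN\\Administrators to a service."""
    if basename(image) != "sc.exe" or not re.search(r"\bsdset\b", cmd, re.I):
        return None
    m = re.search(r"\(D;[^)]*;;;BA\)", cmd)
    if m:
        return "service DACL denies Administrators: " + m.group(0)

RULES = {"masquerade": rule_masquerade, "schtasks": rule_schtasks,
         "firewall": rule_firewall, "sc_sdset": rule_sc_sdset}

def parse_log(text):
    """Yield (image, command line) pairs from the tab-separated sample log."""
    for line in text.splitlines():
        image, _, cmd = line.partition("\t")
        yield image, cmd

def scan(text):
    """Return [(rule_name, image, detail)] for every rule that fires."""
    hits = []
    for image, cmd in parse_log(text):
        for name, rule in RULES.items():
            detail = rule(image, cmd)
            if detail:
                hits.append((name, image, detail))
    return hits

if __name__ == "__main__":
    for name, image, detail in scan(SAMPLE_LOG):
        print(f"[{name}] {image}: {detail}")
```

Against the sample log all four rules fire once each and the benign daily task does not, because its target lives under Program Files and it asks for no elevation. The Run key write (csrss = "C:\Windows\rss\csrss.exe") is a registry event rather than a process creation and needs a separate rule over registry telemetry.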

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-451 = "Caucasus Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-241 = "Samoa Daylight Time" C:\Users\Admin\AppData\Local\Temp\1383f55836f906b8f316a624b17e4811f21b9e88f06c097a369aebac5e2db0db.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-591 = "Malay Peninsula Daylight Time" C:\Users\Admin\AppData\Local\Temp\1383f55836f906b8f316a624b17e4811f21b9e88f06c097a369aebac5e2db0db.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1932 = "Russia TZ 11 Standard Time" C:\Users\Admin\AppData\Local\Temp\1383f55836f906b8f316a624b17e4811f21b9e88f06c097a369aebac5e2db0db.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-512 = "Central Asia Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2752 = "Tomsk Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time" C:\Users\Admin\AppData\Local\Temp\1383f55836f906b8f316a624b17e4811f21b9e88f06c097a369aebac5e2db0db.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2871 = "Magallanes Daylight Time" C:\Users\Admin\AppData\Local\Temp\1383f55836f906b8f316a624b17e4811f21b9e88f06c097a369aebac5e2db0db.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-301 = "Romance Daylight Time" C:\Users\Admin\AppData\Local\Temp\1383f55836f906b8f316a624b17e4811f21b9e88f06c097a369aebac5e2db0db.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-364 = "Middle East Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-872 = "Pakistan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2321 = "Sakhalin Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-631 = "Tokyo Daylight Time" C:\Users\Admin\AppData\Local\Temp\1383f55836f906b8f316a624b17e4811f21b9e88f06c097a369aebac5e2db0db.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2841 = "Saratov Daylight Time" C:\Users\Admin\AppData\Local\Temp\1383f55836f906b8f316a624b17e4811f21b9e88f06c097a369aebac5e2db0db.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-632 = "Tokyo Standard Time" C:\Users\Admin\AppData\Local\Temp\1383f55836f906b8f316a624b17e4811f21b9e88f06c097a369aebac5e2db0db.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-141 = "Canada Central Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-362 = "GTB Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-292 = "Central European Standard Time" C:\Users\Admin\AppData\Local\Temp\1383f55836f906b8f316a624b17e4811f21b9e88f06c097a369aebac5e2db0db.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-111 = "Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\1383f55836f906b8f316a624b17e4811f21b9e88f06c097a369aebac5e2db0db.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-71 = "Newfoundland Daylight Time" C:\Users\Admin\AppData\Local\Temp\1383f55836f906b8f316a624b17e4811f21b9e88f06c097a369aebac5e2db0db.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-301 = "Romance Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-1892 = "Russia TZ 3 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-382 = "South Africa Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-181 = "Mountain Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\1383f55836f906b8f316a624b17e4811f21b9e88f06c097a369aebac5e2db0db.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2631 = "Norfolk Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-412 = "E. Africa Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-332 = "E. Europe Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-391 = "Arab Daylight Time" C:\Users\Admin\AppData\Local\Temp\1383f55836f906b8f316a624b17e4811f21b9e88f06c097a369aebac5e2db0db.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-82 = "Atlantic Standard Time" C:\Users\Admin\AppData\Local\Temp\1383f55836f906b8f316a624b17e4811f21b9e88f06c097a369aebac5e2db0db.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-651 = "AUS Central Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-1831 = "Russia TZ 2 Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-872 = "Pakistan Standard Time" C:\Users\Admin\AppData\Local\Temp\1383f55836f906b8f316a624b17e4811f21b9e88f06c097a369aebac5e2db0db.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2842 = "Saratov Standard Time" C:\Users\Admin\AppData\Local\Temp\1383f55836f906b8f316a624b17e4811f21b9e88f06c097a369aebac5e2db0db.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-621 = "Korea Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-661 = "Cen. Australia Daylight Time" C:\Users\Admin\AppData\Local\Temp\1383f55836f906b8f316a624b17e4811f21b9e88f06c097a369aebac5e2db0db.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-335 = "Jordan Standard Time" C:\Users\Admin\AppData\Local\Temp\1383f55836f906b8f316a624b17e4811f21b9e88f06c097a369aebac5e2db0db.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1911 = "Russia TZ 10 Daylight Time" C:\Users\Admin\AppData\Local\Temp\1383f55836f906b8f316a624b17e4811f21b9e88f06c097a369aebac5e2db0db.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2892 = "Sudan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-1722 = "Libya Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2512 = "Lord Howe Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2872 = "Magallanes Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-342 = "Egypt Standard Time" C:\Windows\windefender.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1383f55836f906b8f316a624b17e4811f21b9e88f06c097a369aebac5e2db0db.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1383f55836f906b8f316a624b17e4811f21b9e88f06c097a369aebac5e2db0db.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1383f55836f906b8f316a624b17e4811f21b9e88f06c097a369aebac5e2db0db.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1383f55836f906b8f316a624b17e4811f21b9e88f06c097a369aebac5e2db0db.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1383f55836f906b8f316a624b17e4811f21b9e88f06c097a369aebac5e2db0db.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1383f55836f906b8f316a624b17e4811f21b9e88f06c097a369aebac5e2db0db.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1383f55836f906b8f316a624b17e4811f21b9e88f06c097a369aebac5e2db0db.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1383f55836f906b8f316a624b17e4811f21b9e88f06c097a369aebac5e2db0db.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1383f55836f906b8f316a624b17e4811f21b9e88f06c097a369aebac5e2db0db.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1383f55836f906b8f316a624b17e4811f21b9e88f06c097a369aebac5e2db0db.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1383f55836f906b8f316a624b17e4811f21b9e88f06c097a369aebac5e2db0db.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1383f55836f906b8f316a624b17e4811f21b9e88f06c097a369aebac5e2db0db.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1383f55836f906b8f316a624b17e4811f21b9e88f06c097a369aebac5e2db0db.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\1383f55836f906b8f316a624b17e4811f21b9e88f06c097a369aebac5e2db0db.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3040 wrote to memory of 1008 N/A C:\Users\Admin\AppData\Local\Temp\1383f55836f906b8f316a624b17e4811f21b9e88f06c097a369aebac5e2db0db.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3040 wrote to memory of 1008 N/A C:\Users\Admin\AppData\Local\Temp\1383f55836f906b8f316a624b17e4811f21b9e88f06c097a369aebac5e2db0db.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3040 wrote to memory of 1008 N/A C:\Users\Admin\AppData\Local\Temp\1383f55836f906b8f316a624b17e4811f21b9e88f06c097a369aebac5e2db0db.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3504 wrote to memory of 4580 N/A C:\Users\Admin\AppData\Local\Temp\1383f55836f906b8f316a624b17e4811f21b9e88f06c097a369aebac5e2db0db.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3504 wrote to memory of 4580 N/A C:\Users\Admin\AppData\Local\Temp\1383f55836f906b8f316a624b17e4811f21b9e88f06c097a369aebac5e2db0db.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3504 wrote to memory of 4580 N/A C:\Users\Admin\AppData\Local\Temp\1383f55836f906b8f316a624b17e4811f21b9e88f06c097a369aebac5e2db0db.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3504 wrote to memory of 916 N/A C:\Users\Admin\AppData\Local\Temp\1383f55836f906b8f316a624b17e4811f21b9e88f06c097a369aebac5e2db0db.exe C:\Windows\system32\cmd.exe
PID 3504 wrote to memory of 916 N/A C:\Users\Admin\AppData\Local\Temp\1383f55836f906b8f316a624b17e4811f21b9e88f06c097a369aebac5e2db0db.exe C:\Windows\system32\cmd.exe
PID 916 wrote to memory of 904 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 916 wrote to memory of 904 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3504 wrote to memory of 3360 N/A C:\Users\Admin\AppData\Local\Temp\1383f55836f906b8f316a624b17e4811f21b9e88f06c097a369aebac5e2db0db.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3504 wrote to memory of 3360 N/A C:\Users\Admin\AppData\Local\Temp\1383f55836f906b8f316a624b17e4811f21b9e88f06c097a369aebac5e2db0db.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3504 wrote to memory of 3360 N/A C:\Users\Admin\AppData\Local\Temp\1383f55836f906b8f316a624b17e4811f21b9e88f06c097a369aebac5e2db0db.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3504 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Local\Temp\1383f55836f906b8f316a624b17e4811f21b9e88f06c097a369aebac5e2db0db.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3504 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Local\Temp\1383f55836f906b8f316a624b17e4811f21b9e88f06c097a369aebac5e2db0db.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3504 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Local\Temp\1383f55836f906b8f316a624b17e4811f21b9e88f06c097a369aebac5e2db0db.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3504 wrote to memory of 1096 N/A C:\Users\Admin\AppData\Local\Temp\1383f55836f906b8f316a624b17e4811f21b9e88f06c097a369aebac5e2db0db.exe C:\Windows\rss\csrss.exe
PID 3504 wrote to memory of 1096 N/A C:\Users\Admin\AppData\Local\Temp\1383f55836f906b8f316a624b17e4811f21b9e88f06c097a369aebac5e2db0db.exe C:\Windows\rss\csrss.exe
PID 3504 wrote to memory of 1096 N/A C:\Users\Admin\AppData\Local\Temp\1383f55836f906b8f316a624b17e4811f21b9e88f06c097a369aebac5e2db0db.exe C:\Windows\rss\csrss.exe
PID 1096 wrote to memory of 2800 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1096 wrote to memory of 2800 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1096 wrote to memory of 2800 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1096 wrote to memory of 460 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1096 wrote to memory of 460 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1096 wrote to memory of 460 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1096 wrote to memory of 4520 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1096 wrote to memory of 4520 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1096 wrote to memory of 4520 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1096 wrote to memory of 3400 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 1096 wrote to memory of 3400 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 3612 wrote to memory of 2400 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 3612 wrote to memory of 2400 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 3612 wrote to memory of 2400 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 2400 wrote to memory of 2476 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 2400 wrote to memory of 2476 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 2400 wrote to memory of 2476 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\1383f55836f906b8f316a624b17e4811f21b9e88f06c097a369aebac5e2db0db.exe

"C:\Users\Admin\AppData\Local\Temp\1383f55836f906b8f316a624b17e4811f21b9e88f06c097a369aebac5e2db0db.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1008 -ip 1008

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1008 -s 2208

C:\Users\Admin\AppData\Local\Temp\1383f55836f906b8f316a624b17e4811f21b9e88f06c097a369aebac5e2db0db.exe

"C:\Users\Admin\AppData\Local\Temp\1383f55836f906b8f316a624b17e4811f21b9e88f06c097a369aebac5e2db0db.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3040 -ip 3040

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3040 -s 932

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe
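The sc sdset WinDefender command line above rewrites the security descriptor of the service Glupteba registers for its windefender.exe component. The SDDL is dense, so the following Python decodes it. This is an added example, not part of the sandbox report: it splits the descriptor into DACL and SACL, expands each ACE's service-specific rights (the two-letter codes that sc sdshow prints), resolves the well-known SID abbreviations, and reports what is explicitly allowed and denied to BUILTIN\Administrators. The constant holding the descriptor is copied from the command line above; the function names and the output format are the example's own.

```python
import re

# Service-object access rights as they appear in SDDL rights strings (`sc sdshow` / `sc sdset`).
SERVICE_RIGHTS = {
    "CC": ("SERVICE_QUERY_CONFIG", 0x0001),
    "DC": ("SERVICE_CHANGE_CONFIG", 0x0002),
    "LC": ("SERVICE_QUERY_STATUS", 0x0004),
    "SW": ("SERVICE_ENUMERATE_DEPENDENTS", 0x0008),
    "RP": ("SERVICE_START", 0x0010),
    "WP": ("SERVICE_STOP", 0x0020),
    "DT": ("SERVICE_PAUSE_CONTINUE", 0x0040),
    "LO": ("SERVICE_INTERROGATE", 0x0080),
    "CR": ("SERVICE_USER_DEFINED_CONTROL", 0x0100),
    "SD": ("DELETE", 0x00010000),
    "RC": ("READ_CONTROL", 0x00020000),
    "WD": ("WRITE_DAC", 0x00040000),
    "WO": ("WRITE_OWNER", 0x00080000),
    "GA": ("GENERIC_ALL", 0x10000000),
    "GX": ("GENERIC_EXECUTE", 0x20000000),
    "GW": ("GENERIC_WRITE", 0x40000000),
    "GR": ("GENERIC_READ", 0x80000000),
}

# Well-known SID abbreviations used in SDDL; anything else is passed through as a raw SID string.
WELL_KNOWN_SIDS = {
    "SY": "NT AUTHORITY\\SYSTEM",
    "BA": "BUILTIN\\Administrators",
    "IU": "NT AUTHORITY\\INTERACTIVE",
    "SU": "NT AUTHORITY\\SERVICE",
    "WD": "Everyone",
    "AU": "NT AUTHORITY\\Authenticated Users",
}

ACE_TYPES = {"A": "ALLOW", "D": "DENY", "AU": "AUDIT", "AL": "ALARM"}

# Copied from the `sc sdset WinDefender ...` command line recorded in this report.
GLUPTEBA_WINDEFENDER_SDDL = (
    "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)"
    "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
    "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
)


def decode_rights(rights):
    """Expand an SDDL rights string ('CCLCSW...' or a '0x...' mask) into a set of right names."""
    if rights.startswith("0x"):
        mask = int(rights, 16)
        return {name for name, bit in SERVICE_RIGHTS.values() if mask & bit}
    if len(rights) % 2:
        raise ValueError("rights string has an odd length: %r" % rights)
    names = set()
    for i in range(0, len(rights), 2):
        token = rights[i:i + 2]
        if token not in SERVICE_RIGHTS:
            raise ValueError("unknown rights token %r" % token)
        names.add(SERVICE_RIGHTS[token][0])
    return names


def parse_sddl(sddl):
    """Split an SDDL string into its O:/G:/D:/S: parts and decode every ACE in the DACL and SACL."""
    # A section marker is a letter plus ':' that is not inside an ACE's parentheses.
    markers = list(re.finditer(r"([OGDS]):(?![^()]*\))", sddl))
    parts = {}
    for idx, m in enumerate(markers):
        end = markers[idx + 1].start() if idx + 1 < len(markers) else len(sddl)
        parts[m.group(1)] = sddl[m.end():end]
    result = {"owner": parts.get("O"), "group": parts.get("G"), "dacl": [], "sacl": []}
    for key, body in (("dacl", parts.get("D", "")), ("sacl", parts.get("S", ""))):
        for ace in re.findall(r"\(([^)]*)\)", body):
            fields = ace.split(";")
            if len(fields) < 6:
                raise ValueError("malformed ACE: %r" % ace)
            ace_type, flags, rights, _obj, _inh_obj, sid = fields[:6]
            result[key].append({
                "type": ACE_TYPES.get(ace_type, ace_type),
                "flags": flags,
                "rights": decode_rights(rights),
                "trustee": WELL_KNOWN_SIDS.get(sid, sid),
                "sid": sid,
            })
    return result


def explicit_rights(sddl, sid):
    """Rights explicitly allowed and denied to one trustee abbreviation. No group expansion is done."""
    allowed, denied = set(), set()
    for ace in parse_sddl(sddl)["dacl"]:
        if ace["sid"] != sid:
            continue
        if ace["type"] == "ALLOW":
            allowed |= ace["rights"]
        elif ace["type"] == "DENY":
            denied |= ace["rights"]
    return allowed - denied, denied


def dacl_is_canonical(sddl):
    """True if no explicit DENY ACE follows an explicit ALLOW ACE (the order Windows normally writes)."""
    seen_allow = False
    for ace in parse_sddl(sddl)["dacl"]:
        if "ID" in ace["flags"]:   # inherited ACEs sort after all explicit ones; not relevant here
            continue
        if ace["type"] == "ALLOW":
            seen_allow = True
        elif ace["type"] == "DENY" and seen_allow:
            return False
    return True


if __name__ == "__main__":
    allowed, denied = explicit_rights(GLUPTEBA_WINDEFENDER_SDDL, "BA")
    print("Administrators denied :", sorted(denied))
    print("Administrators allowed:", sorted(allowed))
    print("canonical DACL        :", dacl_is_canonical(GLUPTEBA_WINDEFENDER_SDDL))
```

Decoding shows that the allow ACE for Administrators omits SERVICE_STOP and SERVICE_PAUSE_CONTINUE and that a second ACE denies both explicitly, so stopping or pausing the service from an elevated prompt fails. The DACL is non-canonical (the deny follows an allow); because an access check walks ACEs in order and the LocalSystem token also carries the Administrators group SID, the leading allow for SYSTEM is what keeps stop and pause available to SYSTEM. Administrators still hold WRITE_DAC and SERVICE_CHANGE_CONFIG, so remediation is to reset the descriptor with sc sdset before stopping and deleting the service. The decoder only considers ACEs whose trustee is the named abbreviation; it does not expand group membership.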

Network

Country Destination Domain Proto
US 8.8.8.8:53 468dadf3-85d7-49f2-9169-03422f978375.uuid.thestatsfiles.ru udp
US 8.8.8.8:53 server3.thestatsfiles.ru udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.133.233:443 cdn.discordapp.com tcp
US 74.125.250.129:19302 stun.l.google.com udp
BG 185.82.216.96:443 server3.thestatsfiles.ru tcp
US 172.67.221.71:443 carsalessystem.com tcp
BG 185.82.216.96:443 server3.thestatsfiles.ru tcp
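Read together, the Processes and Network sections above contain the behaviours worth turning into hunting logic: an inbound firewall allow rule and a logon-triggered, highest-privilege scheduled task for a csrss.exe that lives in C:\Windows\rss rather than System32 (its SHA256 in the Files section equals the hash in the original executable's filename, so it is a self-copy), an injector that hands taskmgr.exe a DLL named NtQuerySystemInformationHook.dll, a service security descriptor with a deny ACE for Administrators, and a DNS query whose leftmost label is a UUID. The Python below is an added example and not part of the report: it runs four command-line rules and one DNS rule over a constructed event list. The command lines and hostnames are the ones recorded above; the PIDs, the benign control task and the benign hostname are made up for the example.

```python
import re

# Constructed process-creation events modelled on the Processes section of this report.
# Command lines are those the sandbox recorded; PIDs and the last (benign) entry are made up.
EVENTS = [
    (916, r'C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"'),
    (904, r'netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes'),
    (2000, r'schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F'),
    (2001, r'schtasks /delete /tn ScheduledUpdate /f'),
    (3400, r'C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll'),
    (2476, r'sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)'),
    (5000, r'schtasks /CREATE /SC DAILY /TR "C:\Program Files\Vendor\updater.exe" /TN VendorUpdate'),
]

# Constructed DNS lookups: the first three are from the Network section, the last is a benign control.
DNS_QUERIES = [
    "468dadf3-85d7-49f2-9169-03422f978375.uuid.thestatsfiles.ru",
    "server3.thestatsfiles.ru",
    "cdn.discordapp.com",
    "www.microsoft.com",
]

# Core Windows process names that malware borrows. Genuine copies live directly in System32/SysWOW64.
SYSTEM_PROCESS_NAMES = {"csrss.exe", "smss.exe", "lsass.exe", "services.exe",
                        "svchost.exe", "winlogon.exe", "wininit.exe"}
SYSTEM_DIRS = re.compile(r"^[a-z]:\\windows\\(system32|syswow64)\\[^\\]+$")
UUID_LABEL = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\.", re.I)


def masquerading_system_binary(path):
    """True if `path` carries a core system process name but is not in System32/SysWOW64."""
    p = path.strip('"').lower()
    return p.rsplit("\\", 1)[-1] in SYSTEM_PROCESS_NAMES and not SYSTEM_DIRS.match(p)


def triage_command_line(cmd):
    """Return a list of (tag, detail) findings for one process command line."""
    findings = []
    low = cmd.lower()

    # 1. Inbound firewall allow rule whose program is a masquerading system binary.
    m = re.search(r'netsh\s+advfirewall\s+firewall\s+add\s+rule\b.*?\bprogram="?([^"\s]+)', cmd, re.I)
    if m and "action=allow" in low and masquerading_system_binary(m.group(1)):
        findings.append(("firewall_allow_masquerade", m.group(1)))

    # 2. Logon-triggered, highest-privilege scheduled task whose action is such a binary.
    m = re.search(r'schtasks\s+/create\b.*?/tr\s+"?([^"]+?)"?\s+/tn', cmd, re.I)
    if m and "/sc onlogon" in low and "/rl highest" in low and masquerading_system_binary(m.group(1)):
        findings.append(("schtask_onlogon_masquerade", m.group(1)))

    # 3. Service security descriptor with an explicit deny ACE for BUILTIN\Administrators (BA).
    m = re.search(r'\bsc\s+sdset\s+(\S+)\s+(\S+)', cmd, re.I)
    if m and re.search(r"\(D;[^)]*;BA\)", m.group(2)):
        findings.append(("service_sd_denies_admins", m.group(1)))

    # 4. A process name followed by a DLL path as the trailing arguments: the shape of a hook injector.
    m = re.search(r'\s(\w+\.exe)\s+(\S+\.dll)\s*$', cmd, re.I)
    if m:
        findings.append(("dll_injection_args", "%s <- %s" % (m.group(1), m.group(2))))
    return findings


def triage_dns(name):
    """Flag hostnames whose leftmost label is a UUID, i.e. a per-victim identifier carried in DNS."""
    return ("uuid_subdomain", name) if UUID_LABEL.match(name) else None


def run_triage(events=EVENTS, queries=DNS_QUERIES):
    """Return {pid or hostname: [findings]} for every event or query that tripped a rule."""
    hits = {}
    for pid, cmd in events:
        f = triage_command_line(cmd)
        if f:
            hits[pid] = f
    for q in queries:
        f = triage_dns(q)
        if f:
            hits[q] = [f]
    return hits


if __name__ == "__main__":
    for key, findings in run_triage().items():
        for tag, detail in findings:
            print("%-60s %-28s %s" % (key, tag, detail))
```

The masquerade check keys on process name plus location rather than on the exact path, so the same trick under a different directory is still caught, and the firewall and scheduled-task rules require that masquerade, which keeps the benign control task quiet. Rule 4 is a heuristic on argument shape and needs tuning against legitimate tooling that takes a process name and a DLL; rule 3 only looks for a deny ACE naming BA and does not interpret the rights it denies.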

Files

memory/3040-1-0x0000000005070000-0x0000000005477000-memory.dmp

memory/3040-2-0x0000000005480000-0x0000000005D6B000-memory.dmp

memory/3040-3-0x0000000000400000-0x0000000002F4A000-memory.dmp

memory/1008-4-0x0000000003380000-0x00000000033B6000-memory.dmp

memory/1008-5-0x00000000749B0000-0x0000000075161000-memory.dmp

memory/1008-7-0x0000000005C80000-0x00000000062AA000-memory.dmp

memory/1008-6-0x0000000005640000-0x0000000005650000-memory.dmp

memory/1008-8-0x0000000005640000-0x0000000005650000-memory.dmp

memory/1008-9-0x00000000059C0000-0x00000000059E2000-memory.dmp

memory/1008-10-0x0000000005B60000-0x0000000005BC6000-memory.dmp

memory/1008-11-0x0000000005BD0000-0x0000000005C36000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_o5o4aiad.nph.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1008-20-0x00000000063B0000-0x0000000006707000-memory.dmp

memory/1008-21-0x0000000006840000-0x000000000685E000-memory.dmp

memory/1008-22-0x0000000006880000-0x00000000068CC000-memory.dmp

memory/1008-23-0x0000000006DF0000-0x0000000006E36000-memory.dmp

memory/1008-24-0x0000000007C70000-0x0000000007CA4000-memory.dmp

memory/1008-26-0x0000000070C20000-0x0000000070C6C000-memory.dmp

memory/1008-25-0x000000007FD80000-0x000000007FD90000-memory.dmp

memory/1008-27-0x0000000070DA0000-0x00000000710F7000-memory.dmp

memory/1008-36-0x0000000007CB0000-0x0000000007CCE000-memory.dmp

memory/1008-37-0x0000000007CD0000-0x0000000007D74000-memory.dmp

memory/1008-38-0x0000000008440000-0x0000000008ABA000-memory.dmp

memory/1008-39-0x0000000007E00000-0x0000000007E1A000-memory.dmp

memory/1008-40-0x0000000007E40000-0x0000000007E4A000-memory.dmp

memory/1008-41-0x00000000749B0000-0x0000000075161000-memory.dmp

memory/3040-42-0x0000000000400000-0x0000000002F4A000-memory.dmp

memory/3040-44-0x0000000005480000-0x0000000005D6B000-memory.dmp

memory/3504-45-0x0000000004C90000-0x000000000508A000-memory.dmp

memory/3504-46-0x0000000005090000-0x000000000597B000-memory.dmp

memory/3504-47-0x0000000000400000-0x0000000002F4A000-memory.dmp

memory/4580-48-0x0000000074A50000-0x0000000075201000-memory.dmp

memory/4580-50-0x00000000051A0000-0x00000000051B0000-memory.dmp

memory/4580-49-0x00000000051A0000-0x00000000051B0000-memory.dmp

memory/4580-59-0x0000000005ED0000-0x0000000006227000-memory.dmp

memory/4580-60-0x0000000006530000-0x000000000657C000-memory.dmp

memory/4580-62-0x0000000070D30000-0x0000000070D7C000-memory.dmp

memory/4580-61-0x000000007FD00000-0x000000007FD10000-memory.dmp

memory/4580-63-0x0000000070ED0000-0x0000000071227000-memory.dmp

memory/4580-72-0x00000000074E0000-0x0000000007584000-memory.dmp

memory/4580-74-0x00000000051A0000-0x00000000051B0000-memory.dmp

memory/4580-73-0x00000000051A0000-0x00000000051B0000-memory.dmp

memory/4580-75-0x0000000007AE0000-0x0000000007B76000-memory.dmp

memory/4580-76-0x0000000007A00000-0x0000000007A11000-memory.dmp

memory/4580-77-0x0000000007A40000-0x0000000007A4E000-memory.dmp

memory/4580-79-0x0000000007A90000-0x0000000007AAA000-memory.dmp

memory/4580-78-0x0000000007A50000-0x0000000007A65000-memory.dmp

memory/4580-80-0x0000000007AB0000-0x0000000007AB8000-memory.dmp

memory/4580-83-0x0000000074A50000-0x0000000075201000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 ac4917a885cf6050b1a483e4bc4d2ea5
SHA1 b1c0a9f27bd21c6bbb8e9be70db8777b4a2a640f
SHA256 e39062a62c3c7617feeeff95ea8a0be51104a0d36f46e44eea22556fda74d8d9
SHA512 092c67a3ecae1d187cad72a8ea1ea37cb78a0cf79c2cd7fb88953e5990669a2e871267015762fd46d274badb88ac0c1d73b00f1df7394d89bed48a3a45c2ba3d

memory/3360-86-0x00000000026B0000-0x00000000026C0000-memory.dmp

memory/3360-87-0x00000000026B0000-0x00000000026C0000-memory.dmp

memory/3360-88-0x0000000005700000-0x0000000005A57000-memory.dmp

memory/3360-85-0x0000000074A50000-0x0000000075201000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 12e3230d7c3440c77fa5b71c395a3ad7
SHA1 43986f7d71553a4ee50e3a9c6e1a997d54bc4fc9
SHA256 73d80e515b5b9a17aa7eb9065e4fccbf9364cbe698cb8317c67c8717cb076ee0
SHA512 ffe01cbe11c2cde8378f2512b1e817eb55bdc55a21eb70e19877a7fa2f66c33ef9b83d868c2060083c09391c6d9b3a02039c73ad369a588529f3c66a03b067ba

memory/3360-99-0x0000000070D30000-0x0000000070D7C000-memory.dmp

memory/3360-98-0x000000007F250000-0x000000007F260000-memory.dmp

memory/3360-100-0x0000000070F80000-0x00000000712D7000-memory.dmp

memory/3504-109-0x0000000004C90000-0x000000000508A000-memory.dmp

memory/3360-110-0x00000000026B0000-0x00000000026C0000-memory.dmp

memory/3360-112-0x0000000074A50000-0x0000000075201000-memory.dmp

memory/2404-113-0x0000000074A50000-0x0000000075201000-memory.dmp

memory/2404-122-0x0000000005E20000-0x0000000006177000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 d281830f49f88e8570a2f7e0ed3ea6ff
SHA1 64f4086a2879708f41ff464f38be6b7a422aa3fa
SHA256 bec9510b8bf0bd4518344d1cdffccae96fd8697571764c3e773e1b1e0325b568
SHA512 f689107f951345fcda821be13e4177ec1763f49a9e2c050c888b85422fade55a41d17269dc8ca9b000c901a4621f4d7896f283b6d460ecdfee792586ac88f4d1

memory/2404-126-0x0000000070EB0000-0x0000000071207000-memory.dmp

memory/2404-125-0x0000000070D30000-0x0000000070D7C000-memory.dmp

memory/2404-124-0x000000007FAE0000-0x000000007FAF0000-memory.dmp

memory/2404-136-0x0000000002D90000-0x0000000002DA0000-memory.dmp

memory/3504-135-0x0000000000400000-0x0000000002F4A000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 6e14d1db9ff992aee67deedb2ecd6c0a
SHA1 45e97da453e466f6a3fc2e50cfdd267f4a3bc39c
SHA256 1383f55836f906b8f316a624b17e4811f21b9e88f06c097a369aebac5e2db0db
SHA512 e3df7318d301c0041bbad97d516dc901ad29c044e32758771170c3c86f0d21a394a90b012610c78ea6e12e18ab040fc86185051e85770a386c4cc27684d8e3b8

memory/3504-142-0x0000000000400000-0x0000000002F4A000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 a948ccd83b8fcabe479a8fc6bd0142f8
SHA1 2302a312dcc832543df17df1feecee5db60ccfaf
SHA256 ddd897b55489a91241934d28ce277fd47107e522f4456fa8541d130d8abb6bb2
SHA512 0bd58fce6cc632e88e8dd3dca3103a6ee111bb71a2467af67c3315e579bf0c87b8b84aacfdfb226831af743d02283c18de3cc72408ac39d0945d151ce8011274

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 f7d4b4790ceb84f8bb250c226bf1395c
SHA1 e34ffc42896985204f8ce4b5b409bc9f846d6abe
SHA256 d29010927a8929da080efbcccf66f30fb94f52854869fff1010f0c4af0a631e9
SHA512 d9796081ac4682c9763e938d78b9150b4068430e3b20ad6f335e1af81216d6f57e2fc2de4871d84f4771e162e7a99b241a0a9bbc606d48de184f92bedc7f2a08

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 da2575799133ce32cc82df3352eaab0f
SHA1 11f7cc32b64187f9d6f91a5ef5f2b7d28635e309
SHA256 f81d4297af8357e5d713f8f75b4a49b6e6f8b86570606b63318f5daba158f2d1
SHA512 4e2d3e575abee3beb2ae01638f790c6f39e5adcff4cf3fd149343d12584b5f11cc63c27040870deaa620d4be34e0973d658a0a98929bb622350593b1b465256d

memory/1096-218-0x0000000000400000-0x0000000002F4A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/1096-238-0x0000000000400000-0x0000000002F4A000-memory.dmp

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/3612-245-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/1096-247-0x0000000000400000-0x0000000002F4A000-memory.dmp

memory/3824-248-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/1096-249-0x0000000000400000-0x0000000002F4A000-memory.dmp

memory/1096-251-0x0000000000400000-0x0000000002F4A000-memory.dmp

memory/3824-252-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/1096-253-0x0000000000400000-0x0000000002F4A000-memory.dmp

memory/1096-255-0x0000000000400000-0x0000000002F4A000-memory.dmp

memory/1096-257-0x0000000000400000-0x0000000002F4A000-memory.dmp

memory/1096-259-0x0000000000400000-0x0000000002F4A000-memory.dmp

memory/1096-261-0x0000000000400000-0x0000000002F4A000-memory.dmp

memory/1096-263-0x0000000000400000-0x0000000002F4A000-memory.dmp