Malware Analysis Report

2025-08-10 17:22

Sample ID 240417-s4f9ssfg3v
Target 95dc36b08df2699d4f5fd0d6623ea9f7d4e0dc811fe31e60f0d74df9e934e572
SHA256 95dc36b08df2699d4f5fd0d6623ea9f7d4e0dc811fe31e60f0d74df9e934e572
Tags
glupteba discovery dropper evasion loader persistence rootkit upx
score
10/10


Analysis Overview

score
10/10

SHA256

95dc36b08df2699d4f5fd0d6623ea9f7d4e0dc811fe31e60f0d74df9e934e572

Threat Level: Known bad

The file 95dc36b08df2699d4f5fd0d6623ea9f7d4e0dc811fe31e60f0d74df9e934e572 was found to be: Known bad.

Malicious Activity Summary

glupteba discovery dropper evasion loader persistence rootkit upx

Glupteba payload

Glupteba

Modifies Windows Firewall

Executes dropped EXE

UPX packed file

Manipulates WinMonFS driver.

Checks installed software on the system

Adds Run key to start application

Drops file in System32 directory

Checks for VirtualBox DLLs, possible anti-VM trick

Drops file in Windows directory

Launches sc.exe

Creates scheduled task(s)

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-17 15:40

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-17 15:40

Reported

2024-04-17 15:43

Platform

win10v2004-20240412-en

Max time kernel

150s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\95dc36b08df2699d4f5fd0d6623ea9f7d4e0dc811fe31e60f0d74df9e934e572.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A (19 identical matches, no details recorded)

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (4 identical matches, no details recorded)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\95dc36b08df2699d4f5fd0d6623ea9f7d4e0dc811fe31e60f0d74df9e934e572.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\95dc36b08df2699d4f5fd0d6623ea9f7d4e0dc811fe31e60f0d74df9e934e572.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\95dc36b08df2699d4f5fd0d6623ea9f7d4e0dc811fe31e60f0d74df9e934e572.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\95dc36b08df2699d4f5fd0d6623ea9f7d4e0dc811fe31e60f0d74df9e934e572.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-982 = "Kamchatka Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-981 = "Kamchatka Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1832 = "Russia TZ 2 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-202 = "US Mountain Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-242 = "Samoa Standard Time" C:\Users\Admin\AppData\Local\Temp\95dc36b08df2699d4f5fd0d6623ea9f7d4e0dc811fe31e60f0d74df9e934e572.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2342 = "Haiti Standard Time" C:\Users\Admin\AppData\Local\Temp\95dc36b08df2699d4f5fd0d6623ea9f7d4e0dc811fe31e60f0d74df9e934e572.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-511 = "Central Asia Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1842 = "Russia TZ 4 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-42 = "E. South America Standard Time" C:\Users\Admin\AppData\Local\Temp\95dc36b08df2699d4f5fd0d6623ea9f7d4e0dc811fe31e60f0d74df9e934e572.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1831 = "Russia TZ 2 Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-631 = "Tokyo Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\95dc36b08df2699d4f5fd0d6623ea9f7d4e0dc811fe31e60f0d74df9e934e572.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-182 = "Mountain Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\95dc36b08df2699d4f5fd0d6623ea9f7d4e0dc811fe31e60f0d74df9e934e572.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2181 = "Astrakhan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1021 = "Bangladesh Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1801 = "Line Islands Daylight Time" C:\Users\Admin\AppData\Local\Temp\95dc36b08df2699d4f5fd0d6623ea9f7d4e0dc811fe31e60f0d74df9e934e572.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-301 = "Romance Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-41 = "E. South America Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-541 = "Myanmar Daylight Time" C:\Users\Admin\AppData\Local\Temp\95dc36b08df2699d4f5fd0d6623ea9f7d4e0dc811fe31e60f0d74df9e934e572.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1841 = "Russia TZ 4 Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-72 = "Newfoundland Standard Time" C:\Users\Admin\AppData\Local\Temp\95dc36b08df2699d4f5fd0d6623ea9f7d4e0dc811fe31e60f0d74df9e934e572.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-92 = "Pacific SA Standard Time" C:\Users\Admin\AppData\Local\Temp\95dc36b08df2699d4f5fd0d6623ea9f7d4e0dc811fe31e60f0d74df9e934e572.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-441 = "Arabian Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-372 = "Jerusalem Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2511 = "Lord Howe Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-82 = "Atlantic Standard Time" C:\Users\Admin\AppData\Local\Temp\95dc36b08df2699d4f5fd0d6623ea9f7d4e0dc811fe31e60f0d74df9e934e572.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-622 = "Korea Standard Time" C:\Users\Admin\AppData\Local\Temp\95dc36b08df2699d4f5fd0d6623ea9f7d4e0dc811fe31e60f0d74df9e934e572.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-892 = "Morocco Standard Time" C:\Users\Admin\AppData\Local\Temp\95dc36b08df2699d4f5fd0d6623ea9f7d4e0dc811fe31e60f0d74df9e934e572.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-11 = "Azores Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-292 = "Central European Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2792 = "Novosibirsk Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2391 = "Aleutian Daylight Time" C:\Users\Admin\AppData\Local\Temp\95dc36b08df2699d4f5fd0d6623ea9f7d4e0dc811fe31e60f0d74df9e934e572.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2772 = "Omsk Standard Time" C:\Users\Admin\AppData\Local\Temp\95dc36b08df2699d4f5fd0d6623ea9f7d4e0dc811fe31e60f0d74df9e934e572.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-141 = "Canada Central Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-411 = "E. Africa Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-181 = "Mountain Daylight Time (Mexico)" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-891 = "Morocco Daylight Time" C:\Users\Admin\AppData\Local\Temp\95dc36b08df2699d4f5fd0d6623ea9f7d4e0dc811fe31e60f0d74df9e934e572.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-732 = "Fiji Standard Time" C:\Users\Admin\AppData\Local\Temp\95dc36b08df2699d4f5fd0d6623ea9f7d4e0dc811fe31e60f0d74df9e934e572.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95dc36b08df2699d4f5fd0d6623ea9f7d4e0dc811fe31e60f0d74df9e934e572.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95dc36b08df2699d4f5fd0d6623ea9f7d4e0dc811fe31e60f0d74df9e934e572.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95dc36b08df2699d4f5fd0d6623ea9f7d4e0dc811fe31e60f0d74df9e934e572.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95dc36b08df2699d4f5fd0d6623ea9f7d4e0dc811fe31e60f0d74df9e934e572.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95dc36b08df2699d4f5fd0d6623ea9f7d4e0dc811fe31e60f0d74df9e934e572.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95dc36b08df2699d4f5fd0d6623ea9f7d4e0dc811fe31e60f0d74df9e934e572.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95dc36b08df2699d4f5fd0d6623ea9f7d4e0dc811fe31e60f0d74df9e934e572.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95dc36b08df2699d4f5fd0d6623ea9f7d4e0dc811fe31e60f0d74df9e934e572.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95dc36b08df2699d4f5fd0d6623ea9f7d4e0dc811fe31e60f0d74df9e934e572.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95dc36b08df2699d4f5fd0d6623ea9f7d4e0dc811fe31e60f0d74df9e934e572.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95dc36b08df2699d4f5fd0d6623ea9f7d4e0dc811fe31e60f0d74df9e934e572.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95dc36b08df2699d4f5fd0d6623ea9f7d4e0dc811fe31e60f0d74df9e934e572.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\95dc36b08df2699d4f5fd0d6623ea9f7d4e0dc811fe31e60f0d74df9e934e572.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\95dc36b08df2699d4f5fd0d6623ea9f7d4e0dc811fe31e60f0d74df9e934e572.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4128 wrote to memory of 1432 N/A C:\Users\Admin\AppData\Local\Temp\95dc36b08df2699d4f5fd0d6623ea9f7d4e0dc811fe31e60f0d74df9e934e572.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4128 wrote to memory of 1432 N/A C:\Users\Admin\AppData\Local\Temp\95dc36b08df2699d4f5fd0d6623ea9f7d4e0dc811fe31e60f0d74df9e934e572.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4128 wrote to memory of 1432 N/A C:\Users\Admin\AppData\Local\Temp\95dc36b08df2699d4f5fd0d6623ea9f7d4e0dc811fe31e60f0d74df9e934e572.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2652 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\95dc36b08df2699d4f5fd0d6623ea9f7d4e0dc811fe31e60f0d74df9e934e572.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2652 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\95dc36b08df2699d4f5fd0d6623ea9f7d4e0dc811fe31e60f0d74df9e934e572.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2652 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\95dc36b08df2699d4f5fd0d6623ea9f7d4e0dc811fe31e60f0d74df9e934e572.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2652 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\95dc36b08df2699d4f5fd0d6623ea9f7d4e0dc811fe31e60f0d74df9e934e572.exe C:\Windows\system32\cmd.exe
PID 2652 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\95dc36b08df2699d4f5fd0d6623ea9f7d4e0dc811fe31e60f0d74df9e934e572.exe C:\Windows\system32\cmd.exe
PID 2712 wrote to memory of 940 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2712 wrote to memory of 940 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2652 wrote to memory of 4760 N/A C:\Users\Admin\AppData\Local\Temp\95dc36b08df2699d4f5fd0d6623ea9f7d4e0dc811fe31e60f0d74df9e934e572.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2652 wrote to memory of 4760 N/A C:\Users\Admin\AppData\Local\Temp\95dc36b08df2699d4f5fd0d6623ea9f7d4e0dc811fe31e60f0d74df9e934e572.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2652 wrote to memory of 4760 N/A C:\Users\Admin\AppData\Local\Temp\95dc36b08df2699d4f5fd0d6623ea9f7d4e0dc811fe31e60f0d74df9e934e572.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2652 wrote to memory of 3620 N/A C:\Users\Admin\AppData\Local\Temp\95dc36b08df2699d4f5fd0d6623ea9f7d4e0dc811fe31e60f0d74df9e934e572.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2652 wrote to memory of 3620 N/A C:\Users\Admin\AppData\Local\Temp\95dc36b08df2699d4f5fd0d6623ea9f7d4e0dc811fe31e60f0d74df9e934e572.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2652 wrote to memory of 3620 N/A C:\Users\Admin\AppData\Local\Temp\95dc36b08df2699d4f5fd0d6623ea9f7d4e0dc811fe31e60f0d74df9e934e572.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2652 wrote to memory of 552 N/A C:\Users\Admin\AppData\Local\Temp\95dc36b08df2699d4f5fd0d6623ea9f7d4e0dc811fe31e60f0d74df9e934e572.exe C:\Windows\rss\csrss.exe
PID 2652 wrote to memory of 552 N/A C:\Users\Admin\AppData\Local\Temp\95dc36b08df2699d4f5fd0d6623ea9f7d4e0dc811fe31e60f0d74df9e934e572.exe C:\Windows\rss\csrss.exe
PID 2652 wrote to memory of 552 N/A C:\Users\Admin\AppData\Local\Temp\95dc36b08df2699d4f5fd0d6623ea9f7d4e0dc811fe31e60f0d74df9e934e572.exe C:\Windows\rss\csrss.exe
PID 552 wrote to memory of 1352 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 552 wrote to memory of 1352 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 552 wrote to memory of 1352 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 552 wrote to memory of 1424 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 552 wrote to memory of 1424 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 552 wrote to memory of 1424 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 552 wrote to memory of 3108 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 552 wrote to memory of 3108 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 552 wrote to memory of 3108 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 552 wrote to memory of 4192 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 552 wrote to memory of 4192 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 3328 wrote to memory of 2560 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 3328 wrote to memory of 2560 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 3328 wrote to memory of 2560 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 2560 wrote to memory of 3408 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 2560 wrote to memory of 3408 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 2560 wrote to memory of 3408 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\95dc36b08df2699d4f5fd0d6623ea9f7d4e0dc811fe31e60f0d74df9e934e572.exe

"C:\Users\Admin\AppData\Local\Temp\95dc36b08df2699d4f5fd0d6623ea9f7d4e0dc811fe31e60f0d74df9e934e572.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\95dc36b08df2699d4f5fd0d6623ea9f7d4e0dc811fe31e60f0d74df9e934e572.exe

"C:\Users\Admin\AppData\Local\Temp\95dc36b08df2699d4f5fd0d6623ea9f7d4e0dc811fe31e60f0d74df9e934e572.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 146.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 216.183.117.104.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 6ae6db9b-6d5a-42aa-9db7-e026b0c02cdd.uuid.databaseupgrade.ru udp
US 8.8.8.8:53 stun.sipgate.net udp
US 8.8.8.8:53 server2.databaseupgrade.ru udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 15.197.250.192:3478 stun.sipgate.net udp
US 162.159.129.233:443 cdn.discordapp.com tcp
BG 185.82.216.108:443 server2.databaseupgrade.ru tcp
US 8.8.8.8:53 carsalessystem.com udp
US 104.21.94.82:443 carsalessystem.com tcp
US 8.8.8.8:53 192.250.197.15.in-addr.arpa udp
US 8.8.8.8:53 108.216.82.185.in-addr.arpa udp
US 8.8.8.8:53 233.129.159.162.in-addr.arpa udp
US 8.8.8.8:53 82.94.21.104.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
BG 185.82.216.108:443 server2.databaseupgrade.ru tcp
BG 185.82.216.108:443 server2.databaseupgrade.ru tcp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
BG 185.82.216.108:443 server2.databaseupgrade.ru tcp
US 8.8.8.8:53 udp
N/A 127.0.0.1:31465 tcp

Files

memory/4128-1-0x0000000004E60000-0x000000000525C000-memory.dmp

memory/4128-2-0x0000000005260000-0x0000000005B4B000-memory.dmp

memory/4128-3-0x0000000000400000-0x0000000003118000-memory.dmp

memory/1432-4-0x00000000025A0000-0x00000000025D6000-memory.dmp

memory/1432-5-0x0000000073FB0000-0x0000000074760000-memory.dmp

memory/1432-7-0x0000000002620000-0x0000000002630000-memory.dmp

memory/1432-6-0x0000000002620000-0x0000000002630000-memory.dmp

memory/1432-8-0x0000000004C80000-0x00000000052A8000-memory.dmp

memory/1432-9-0x0000000004BB0000-0x0000000004BD2000-memory.dmp

memory/1432-11-0x0000000005420000-0x0000000005486000-memory.dmp

memory/1432-10-0x00000000052B0000-0x0000000005316000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_oypmvv22.0s5.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1432-21-0x0000000005510000-0x0000000005864000-memory.dmp

memory/1432-22-0x0000000005BA0000-0x0000000005BBE000-memory.dmp

memory/1432-23-0x0000000005BD0000-0x0000000005C1C000-memory.dmp

memory/1432-24-0x00000000060E0000-0x0000000006124000-memory.dmp

memory/1432-25-0x0000000006CB0000-0x0000000006D26000-memory.dmp

memory/1432-27-0x0000000006F50000-0x0000000006F6A000-memory.dmp

memory/1432-26-0x00000000075B0000-0x0000000007C2A000-memory.dmp

memory/1432-31-0x0000000070420000-0x0000000070774000-memory.dmp

memory/1432-43-0x0000000002620000-0x0000000002630000-memory.dmp

memory/1432-42-0x0000000007170000-0x0000000007213000-memory.dmp

memory/1432-44-0x0000000007260000-0x000000000726A000-memory.dmp

memory/1432-41-0x0000000007150000-0x000000000716E000-memory.dmp

memory/1432-30-0x000000006FE50000-0x000000006FE9C000-memory.dmp

memory/1432-29-0x0000000007110000-0x0000000007142000-memory.dmp

memory/1432-45-0x0000000007370000-0x0000000007406000-memory.dmp

memory/1432-28-0x000000007FAA0000-0x000000007FAB0000-memory.dmp

memory/1432-46-0x0000000007270000-0x0000000007281000-memory.dmp

memory/1432-47-0x00000000072B0000-0x00000000072BE000-memory.dmp

memory/1432-48-0x00000000072D0000-0x00000000072E4000-memory.dmp

memory/1432-49-0x0000000007320000-0x000000000733A000-memory.dmp

memory/1432-50-0x0000000007310000-0x0000000007318000-memory.dmp

memory/1432-53-0x0000000073FB0000-0x0000000074760000-memory.dmp

memory/2652-55-0x0000000004E10000-0x000000000520A000-memory.dmp

memory/2652-56-0x0000000000400000-0x0000000003118000-memory.dmp

memory/2460-64-0x00000000048E0000-0x00000000048F0000-memory.dmp

memory/2460-63-0x0000000005910000-0x0000000005C64000-memory.dmp

memory/2652-69-0x0000000005210000-0x0000000005AFB000-memory.dmp

memory/2460-62-0x00000000048E0000-0x00000000048F0000-memory.dmp

memory/2460-70-0x0000000073FB0000-0x0000000074760000-memory.dmp

memory/2460-72-0x000000006FE50000-0x000000006FE9C000-memory.dmp

memory/4128-71-0x0000000004E60000-0x000000000525C000-memory.dmp

memory/2460-74-0x00000000705B0000-0x0000000070904000-memory.dmp

memory/2460-85-0x00000000048E0000-0x00000000048F0000-memory.dmp

memory/2460-84-0x00000000070B0000-0x0000000007153000-memory.dmp

memory/2460-73-0x000000007FD80000-0x000000007FD90000-memory.dmp

memory/2460-86-0x00000000073E0000-0x00000000073F1000-memory.dmp

memory/2460-87-0x0000000007430000-0x0000000007444000-memory.dmp

memory/2460-90-0x0000000073FB0000-0x0000000074760000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 3d086a433708053f9bf9523e1d87a4e8
SHA1 b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA256 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

memory/4760-92-0x0000000073FB0000-0x0000000074760000-memory.dmp

memory/4760-94-0x0000000005B40000-0x0000000005E94000-memory.dmp

memory/4760-93-0x00000000027F0000-0x0000000002800000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 339d73b1f03a27511d6af323a8971805
SHA1 31b6a37cf168eb9711713f76653b08b8cf4e86fe
SHA256 12277bd8b3ebbd53a01f03c76c611670e6baed817a8724fdaddda6fc87009d96
SHA512 85c4e24525c19622b03e31c9f160d26c5828ee26e2e97c39ed1856a260ec189a14e02142a19f293fdf75a9882e2401a090768f48fb76f46774e53ceebabedc69

memory/4760-106-0x00000000027F0000-0x0000000002800000-memory.dmp

memory/4128-105-0x0000000000400000-0x0000000003118000-memory.dmp

memory/4760-108-0x00000000705D0000-0x0000000070924000-memory.dmp

memory/4760-118-0x00000000027F0000-0x0000000002800000-memory.dmp

memory/4760-107-0x000000006FE50000-0x000000006FE9C000-memory.dmp

memory/4760-120-0x0000000073FB0000-0x0000000074760000-memory.dmp

memory/3620-122-0x0000000004C90000-0x0000000004CA0000-memory.dmp

memory/3620-123-0x0000000004C90000-0x0000000004CA0000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 2f40020435e536b5d7790b67f3c09f6a
SHA1 1828c76e41de28420812d0eb59e6614dd767afc3
SHA256 a7715f666679e192678396abe90766aed80c6d140e28a11dd357835b0b34333f
SHA512 6ca912ddba15db2a0c71f73db75fcde6907e430dd2fbb631f7cacd263bf7e69138f3c872429af99241b86bf93be47d272319d5c8ad4325d7d180b27bc614d1c0

memory/3620-121-0x0000000073FB0000-0x0000000074760000-memory.dmp

memory/2652-134-0x0000000004E10000-0x000000000520A000-memory.dmp

memory/3620-136-0x00000000705D0000-0x0000000070924000-memory.dmp

memory/3620-135-0x000000006FE50000-0x000000006FE9C000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 eca19b4eb5c269b948c21aeada803d50
SHA1 06e9274af530b892a3270652f5098c795c27a9db
SHA256 95dc36b08df2699d4f5fd0d6623ea9f7d4e0dc811fe31e60f0d74df9e934e572
SHA512 344dd68cecdc59d2f7d0f689287cde1b52dd9c808b30fd4a80079c8437b9df4cfe12a62792f0548887e90403debfce6c39bb1934789931bfddbc4c2c089c2df4

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 c18a10162c4139d9b83a2d4ba51cb313
SHA1 d9e8b2998db9d44f66e1194992e226238c45a65f
SHA256 a841283a3a666f5325588667c48040d82d9413538b184de69010d932f1bde8ee
SHA512 911bbf4014cffac548e64da88822e339a80553d7e587f6d332e45b75d012dea15b18b28a339481cf13648baaf1161e7b6dd0ae00bceeac077cc56c6866eb2828

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 076a6ca7b9862e4ef173d8e38b4f2f54
SHA1 e0c2656744623b4cb3a9f7560bd873840a3bc07d
SHA256 92c9a9e9a7f900437dda7a44f5fdbc0d377017c8140740164c84204b20ae4a99
SHA512 a8f190cb3029cc8b49a804a7fa47f044427415b6ea7f0135e73676c6e01db4de82f36694388046c9423a1e9ebb859c3d499d7c297ebfb55176edacd569b16295

memory/2652-197-0x0000000000400000-0x0000000003118000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 def1cefebd5910ddf101c8e2c5cb1720
SHA1 8468bbc9f43a173ef2503a9301e8a3c77573783f
SHA256 d4631e891bb0f9aeedfdd9f223fa9f5dc9857d30e831f8ec0839539429522381
SHA512 d9c15cf3d05d1b483821e05edb7d700f9de7cc7b3f0eb13a1f964f19b9404494cdd443b21b7732cc6215ecb94d47fa82874a2e1e98a58e8b1664ff42e96a702c

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/552-254-0x0000000000400000-0x0000000003118000-memory.dmp

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/3328-262-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/552-265-0x0000000000400000-0x0000000003118000-memory.dmp

memory/3092-267-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/552-269-0x0000000000400000-0x0000000003118000-memory.dmp

memory/552-273-0x0000000000400000-0x0000000003118000-memory.dmp

memory/3092-275-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/552-277-0x0000000000400000-0x0000000003118000-memory.dmp

memory/552-281-0x0000000000400000-0x0000000003118000-memory.dmp

memory/552-285-0x0000000000400000-0x0000000003118000-memory.dmp

memory/552-289-0x0000000000400000-0x0000000003118000-memory.dmp

memory/552-293-0x0000000000400000-0x0000000003118000-memory.dmp

memory/552-297-0x0000000000400000-0x0000000003118000-memory.dmp

memory/552-301-0x0000000000400000-0x0000000003118000-memory.dmp

memory/552-305-0x0000000000400000-0x0000000003118000-memory.dmp

memory/552-309-0x0000000000400000-0x0000000003118000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-17 15:40

Reported

2024-04-17 15:43

Platform

win11-20240412-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\95dc36b08df2699d4f5fd0d6623ea9f7d4e0dc811fe31e60f0d74df9e934e572.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3777591257-2471171023-3629228286-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\95dc36b08df2699d4f5fd0d6623ea9f7d4e0dc811fe31e60f0d74df9e934e572.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3777591257-2471171023-3629228286-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\95dc36b08df2699d4f5fd0d6623ea9f7d4e0dc811fe31e60f0d74df9e934e572.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\95dc36b08df2699d4f5fd0d6623ea9f7d4e0dc811fe31e60f0d74df9e934e572.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\95dc36b08df2699d4f5fd0d6623ea9f7d4e0dc811fe31e60f0d74df9e934e572.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2392 = "Aleutian Standard Time" C:\Users\Admin\AppData\Local\Temp\95dc36b08df2699d4f5fd0d6623ea9f7d4e0dc811fe31e60f0d74df9e934e572.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-501 = "Nepal Daylight Time" C:\Users\Admin\AppData\Local\Temp\95dc36b08df2699d4f5fd0d6623ea9f7d4e0dc811fe31e60f0d74df9e934e572.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2572 = "Turks and Caicos Standard Time" C:\Users\Admin\AppData\Local\Temp\95dc36b08df2699d4f5fd0d6623ea9f7d4e0dc811fe31e60f0d74df9e934e572.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2491 = "Aus Central W. Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-731 = "Fiji Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2592 = "Tocantins Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-81 = "Atlantic Daylight Time" C:\Users\Admin\AppData\Local\Temp\95dc36b08df2699d4f5fd0d6623ea9f7d4e0dc811fe31e60f0d74df9e934e572.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-331 = "E. Europe Daylight Time" C:\Users\Admin\AppData\Local\Temp\95dc36b08df2699d4f5fd0d6623ea9f7d4e0dc811fe31e60f0d74df9e934e572.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-492 = "India Standard Time" C:\Users\Admin\AppData\Local\Temp\95dc36b08df2699d4f5fd0d6623ea9f7d4e0dc811fe31e60f0d74df9e934e572.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1861 = "Russia TZ 6 Daylight Time" C:\Users\Admin\AppData\Local\Temp\95dc36b08df2699d4f5fd0d6623ea9f7d4e0dc811fe31e60f0d74df9e934e572.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-142 = "Canada Central Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-691 = "Tasmania Daylight Time" C:\Users\Admin\AppData\Local\Temp\95dc36b08df2699d4f5fd0d6623ea9f7d4e0dc811fe31e60f0d74df9e934e572.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1801 = "Line Islands Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1471 = "Magadan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2451 = "Saint Pierre Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-81 = "Atlantic Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2611 = "Bougainville Daylight Time" C:\Users\Admin\AppData\Local\Temp\95dc36b08df2699d4f5fd0d6623ea9f7d4e0dc811fe31e60f0d74df9e934e572.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-161 = "Central Daylight Time" C:\Users\Admin\AppData\Local\Temp\95dc36b08df2699d4f5fd0d6623ea9f7d4e0dc811fe31e60f0d74df9e934e572.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2942 = "Sao Tome Standard Time" C:\Users\Admin\AppData\Local\Temp\95dc36b08df2699d4f5fd0d6623ea9f7d4e0dc811fe31e60f0d74df9e934e572.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-292 = "Central European Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-151 = "Central America Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-771 = "Montevideo Daylight Time" C:\Users\Admin\AppData\Local\Temp\95dc36b08df2699d4f5fd0d6623ea9f7d4e0dc811fe31e60f0d74df9e934e572.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2771 = "Omsk Daylight Time" C:\Users\Admin\AppData\Local\Temp\95dc36b08df2699d4f5fd0d6623ea9f7d4e0dc811fe31e60f0d74df9e934e572.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2752 = "Tomsk Standard Time" C:\Users\Admin\AppData\Local\Temp\95dc36b08df2699d4f5fd0d6623ea9f7d4e0dc811fe31e60f0d74df9e934e572.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2342 = "Haiti Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-831 = "SA Eastern Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-451 = "Caucasus Daylight Time" C:\Users\Admin\AppData\Local\Temp\95dc36b08df2699d4f5fd0d6623ea9f7d4e0dc811fe31e60f0d74df9e934e572.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-571 = "China Daylight Time" C:\Users\Admin\AppData\Local\Temp\95dc36b08df2699d4f5fd0d6623ea9f7d4e0dc811fe31e60f0d74df9e934e572.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-332 = "E. Europe Standard Time" C:\Users\Admin\AppData\Local\Temp\95dc36b08df2699d4f5fd0d6623ea9f7d4e0dc811fe31e60f0d74df9e934e572.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-441 = "Arabian Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1832 = "Russia TZ 2 Standard Time" C:\Users\Admin\AppData\Local\Temp\95dc36b08df2699d4f5fd0d6623ea9f7d4e0dc811fe31e60f0d74df9e934e572.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-31 = "Mid-Atlantic Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2001 = "Cabo Verde Daylight Time" C:\Users\Admin\AppData\Local\Temp\95dc36b08df2699d4f5fd0d6623ea9f7d4e0dc811fe31e60f0d74df9e934e572.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-71 = "Newfoundland Daylight Time" C:\Users\Admin\AppData\Local\Temp\95dc36b08df2699d4f5fd0d6623ea9f7d4e0dc811fe31e60f0d74df9e934e572.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-202 = "US Mountain Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-402 = "Arabic Standard Time" C:\Users\Admin\AppData\Local\Temp\95dc36b08df2699d4f5fd0d6623ea9f7d4e0dc811fe31e60f0d74df9e934e572.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-541 = "Myanmar Daylight Time" C:\Users\Admin\AppData\Local\Temp\95dc36b08df2699d4f5fd0d6623ea9f7d4e0dc811fe31e60f0d74df9e934e572.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-621 = "Korea Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-341 = "Egypt Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-342 = "Egypt Standard Time" C:\Users\Admin\AppData\Local\Temp\95dc36b08df2699d4f5fd0d6623ea9f7d4e0dc811fe31e60f0d74df9e934e572.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95dc36b08df2699d4f5fd0d6623ea9f7d4e0dc811fe31e60f0d74df9e934e572.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95dc36b08df2699d4f5fd0d6623ea9f7d4e0dc811fe31e60f0d74df9e934e572.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95dc36b08df2699d4f5fd0d6623ea9f7d4e0dc811fe31e60f0d74df9e934e572.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95dc36b08df2699d4f5fd0d6623ea9f7d4e0dc811fe31e60f0d74df9e934e572.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95dc36b08df2699d4f5fd0d6623ea9f7d4e0dc811fe31e60f0d74df9e934e572.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95dc36b08df2699d4f5fd0d6623ea9f7d4e0dc811fe31e60f0d74df9e934e572.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95dc36b08df2699d4f5fd0d6623ea9f7d4e0dc811fe31e60f0d74df9e934e572.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95dc36b08df2699d4f5fd0d6623ea9f7d4e0dc811fe31e60f0d74df9e934e572.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95dc36b08df2699d4f5fd0d6623ea9f7d4e0dc811fe31e60f0d74df9e934e572.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95dc36b08df2699d4f5fd0d6623ea9f7d4e0dc811fe31e60f0d74df9e934e572.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95dc36b08df2699d4f5fd0d6623ea9f7d4e0dc811fe31e60f0d74df9e934e572.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95dc36b08df2699d4f5fd0d6623ea9f7d4e0dc811fe31e60f0d74df9e934e572.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\95dc36b08df2699d4f5fd0d6623ea9f7d4e0dc811fe31e60f0d74df9e934e572.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\95dc36b08df2699d4f5fd0d6623ea9f7d4e0dc811fe31e60f0d74df9e934e572.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5056 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\95dc36b08df2699d4f5fd0d6623ea9f7d4e0dc811fe31e60f0d74df9e934e572.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5056 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\95dc36b08df2699d4f5fd0d6623ea9f7d4e0dc811fe31e60f0d74df9e934e572.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5056 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\95dc36b08df2699d4f5fd0d6623ea9f7d4e0dc811fe31e60f0d74df9e934e572.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3912 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Local\Temp\95dc36b08df2699d4f5fd0d6623ea9f7d4e0dc811fe31e60f0d74df9e934e572.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3912 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Local\Temp\95dc36b08df2699d4f5fd0d6623ea9f7d4e0dc811fe31e60f0d74df9e934e572.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3912 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Local\Temp\95dc36b08df2699d4f5fd0d6623ea9f7d4e0dc811fe31e60f0d74df9e934e572.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3912 wrote to memory of 3048 N/A C:\Users\Admin\AppData\Local\Temp\95dc36b08df2699d4f5fd0d6623ea9f7d4e0dc811fe31e60f0d74df9e934e572.exe C:\Windows\system32\cmd.exe
PID 3912 wrote to memory of 3048 N/A C:\Users\Admin\AppData\Local\Temp\95dc36b08df2699d4f5fd0d6623ea9f7d4e0dc811fe31e60f0d74df9e934e572.exe C:\Windows\system32\cmd.exe
PID 3048 wrote to memory of 2264 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3048 wrote to memory of 2264 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3912 wrote to memory of 656 N/A C:\Users\Admin\AppData\Local\Temp\95dc36b08df2699d4f5fd0d6623ea9f7d4e0dc811fe31e60f0d74df9e934e572.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3912 wrote to memory of 656 N/A C:\Users\Admin\AppData\Local\Temp\95dc36b08df2699d4f5fd0d6623ea9f7d4e0dc811fe31e60f0d74df9e934e572.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3912 wrote to memory of 656 N/A C:\Users\Admin\AppData\Local\Temp\95dc36b08df2699d4f5fd0d6623ea9f7d4e0dc811fe31e60f0d74df9e934e572.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3912 wrote to memory of 3696 N/A C:\Users\Admin\AppData\Local\Temp\95dc36b08df2699d4f5fd0d6623ea9f7d4e0dc811fe31e60f0d74df9e934e572.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3912 wrote to memory of 3696 N/A C:\Users\Admin\AppData\Local\Temp\95dc36b08df2699d4f5fd0d6623ea9f7d4e0dc811fe31e60f0d74df9e934e572.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3912 wrote to memory of 3696 N/A C:\Users\Admin\AppData\Local\Temp\95dc36b08df2699d4f5fd0d6623ea9f7d4e0dc811fe31e60f0d74df9e934e572.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3912 wrote to memory of 3192 N/A C:\Users\Admin\AppData\Local\Temp\95dc36b08df2699d4f5fd0d6623ea9f7d4e0dc811fe31e60f0d74df9e934e572.exe C:\Windows\rss\csrss.exe
PID 3912 wrote to memory of 3192 N/A C:\Users\Admin\AppData\Local\Temp\95dc36b08df2699d4f5fd0d6623ea9f7d4e0dc811fe31e60f0d74df9e934e572.exe C:\Windows\rss\csrss.exe
PID 3912 wrote to memory of 3192 N/A C:\Users\Admin\AppData\Local\Temp\95dc36b08df2699d4f5fd0d6623ea9f7d4e0dc811fe31e60f0d74df9e934e572.exe C:\Windows\rss\csrss.exe
PID 3192 wrote to memory of 800 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3192 wrote to memory of 800 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3192 wrote to memory of 800 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3192 wrote to memory of 2864 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3192 wrote to memory of 2864 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3192 wrote to memory of 2864 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3192 wrote to memory of 1916 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3192 wrote to memory of 1916 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3192 wrote to memory of 1916 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3192 wrote to memory of 3548 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 3192 wrote to memory of 3548 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 2056 wrote to memory of 1348 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 2056 wrote to memory of 1348 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 2056 wrote to memory of 1348 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 1348 wrote to memory of 4664 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 1348 wrote to memory of 4664 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 1348 wrote to memory of 4664 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\95dc36b08df2699d4f5fd0d6623ea9f7d4e0dc811fe31e60f0d74df9e934e572.exe

"C:\Users\Admin\AppData\Local\Temp\95dc36b08df2699d4f5fd0d6623ea9f7d4e0dc811fe31e60f0d74df9e934e572.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\95dc36b08df2699d4f5fd0d6623ea9f7d4e0dc811fe31e60f0d74df9e934e572.exe

"C:\Users\Admin\AppData\Local\Temp\95dc36b08df2699d4f5fd0d6623ea9f7d4e0dc811fe31e60f0d74df9e934e572.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe
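What the process list above shows, taken only from this report: the sample copies itself to C:\Windows\rss\csrss.exe (the Files section gives that file the same SHA256 as the submitted sample), opens an inbound Windows Firewall allow rule for it through netsh, registers an ONLOGON scheduled task named csrss at the highest run level, hands taskmgr.exe a DLL named NtQuerySystemInformationHook.dll via injector.exe (NtQuerySystemInformation is the API Task Manager enumerates processes through, so hooking it there hides a process from the Task Manager list), and drops C:\Windows\windefender.exe, which rewrites the security descriptor of a service called WinDefender with sc sdset. Note that the legitimate Microsoft Defender service is named WinDefend, not WinDefender. In that SDDL the allow ACE for Administrators (BA) omits WP (SERVICE_STOP) and DT (SERVICE_PAUSE_CONTINUE) and the following deny ACE (D;;WPDT;;;BA) removes them explicitly, so an administrator cannot stop the service with sc stop or Services.msc. BA still holds WD (WRITE_DAC), so the descriptor can be reset with another sc sdset before the service is stopped and the binary removed.

The Python below is an added example, not part of the sandbox output and not code from the sample: it runs the command lines copied from the Processes list through a small rule set and decodes the descriptor passed to sc sdset. The rule names, function names and trustee labels are this example's own choices; the right-letter meanings are the standard service-object interpretation of SDDL.

```python
"""Added triage example for the process chain above; not part of the
sandbox report and not code from the sample. It re-checks the command
lines copied from the Processes list against a small rule set and
decodes the SDDL handed to `sc sdset`. Rule and function names are mine."""
import re

# SDDL right letters as the Service Control Manager reads them for
# service objects (the same letters sc sdshow / sc sdset use).
SERVICE_RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS", "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START", "WP": "SERVICE_STOP",
    "DT": "SERVICE_PAUSE_CONTINUE", "LO": "SERVICE_INTERROGATE",
    "CR": "SERVICE_USER_DEFINED_CONTROL", "SD": "DELETE",
    "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}
TRUSTEES = {"SY": "Local System", "BA": "Administrators",
            "IU": "Interactive users", "SU": "Service logon users"}
# (ace_type;ace_flags;rights;object_guid;inherit_object_guid;sid)
ACE_RE = re.compile(r"\((A|D|AU);([^;]*);([^;]*);;;([^)]*)\)")


def parse_dacl(sddl):
    """[(ace_type, [right names], trustee)] for the DACL ACEs only.
    Two-letter right abbreviations are decoded; a hex mask is kept raw."""
    if "D:" not in sddl:
        raise ValueError("no DACL in SDDL string")
    dacl = sddl.split("D:", 1)[1].split("S:", 1)[0]
    aces = []
    for ace_type, _flags, rights, sid in ACE_RE.findall(dacl):
        names = ([rights] if rights.startswith("0x") else
                 [SERVICE_RIGHTS.get(rights[i:i + 2], rights[i:i + 2])
                  for i in range(0, len(rights), 2)])
        aces.append((ace_type, names, TRUSTEES.get(sid, sid)))
    return aces


def rights_for(sddl, trustee):
    """(allowed, denied) right names for one trustee, each sorted."""
    allowed, denied = set(), set()
    for ace_type, names, who in parse_dacl(sddl):
        if who == trustee:
            (allowed if ace_type == "A" else denied).update(names)
    return sorted(allowed), sorted(denied)


def sdset_denials(cmdline):
    """For `sc sdset <service> <sddl>`, return (service, rights denied to
    Administrators); None if the command line is not an sdset."""
    m = re.search(r"\bsc(?:\.exe)?\s+sdset\s+(\S+)\s+(\S+)", cmdline, re.I)
    return None if not m else (m.group(1), rights_for(m.group(2), "Administrators")[1])


WINDEFENDER_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
                    "(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)"
                    "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
                    "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
# Command lines copied from the Processes list of this report.
COMMAND_LINES = [
    "powershell -nologo -noprofile",
    r'netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes',
    r'schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F',
    "schtasks /delete /tn ScheduledUpdate /f",
    r"C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll",
    r'"C:\Windows\windefender.exe"',
    "sc sdset WinDefender " + WINDEFENDER_SDDL,
]
# One rule per behaviour seen above; names are this example's own.
RULES = [
    ("firewall-allow", re.compile(
        r"netsh\s+advfirewall\s+firewall\s+add\s+rule\b.*\baction=allow\b", re.I)),
    ("logon-task-highest", re.compile(
        r"schtasks\s+/create\b.*/sc\s+onlogon\b.*/rl\s+highest\b", re.I)),
    ("service-sd-change", re.compile(r"\bsc(?:\.exe)?\s+sdset\b", re.I)),
    # a csrss.exe path anywhere but System32
    ("csrss-outside-system32", re.compile(
        r'[a-z]:\\(?!windows\\system32\\)[^\s"]*csrss\.exe', re.I)),
    # an exe handed taskmgr.exe plus a DLL path: the injector's argument shape
    ("taskmgr-dll-injection", re.compile(r"\S+\.exe\s+taskmgr\.exe\s+\S+\.dll\b", re.I)),
]


def triage(cmdline):
    """Names of the rules that fire on one command line, in RULES order."""
    return [name for name, rx in RULES if rx.search(cmdline)]


def triage_all(cmdlines):
    """Flagged command lines mapped to their rule hits; clean ones dropped."""
    return {c: triage(c) for c in cmdlines if triage(c)}


if __name__ == "__main__":
    for cmd, hits in triage_all(COMMAND_LINES).items():
        print(", ".join(hits), "<-", cmd[:60])
    print("sc sdset denies Administrators:", sdset_denials(COMMAND_LINES[6]))
```

Run as-is it flags four of the seven lines (the netsh rule, the ONLOGON task, the taskmgr.exe injection and the sc sdset) and reports SERVICE_STOP and SERVICE_PAUSE_CONTINUE as denied to Administrators for the WinDefender service; the two PowerShell and schtasks /delete lines stay clean, which is the point of keying the rules to the argument shapes rather than to the binary names.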

Network

Country Destination Domain Proto
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 18.24.18.2.in-addr.arpa udp
NL 23.62.61.56:443 www.bing.com tcp
US 8.8.8.8:53 server6.databaseupgrade.ru udp
DE 81.3.27.44:3478 stun.ipfire.org udp
US 162.159.135.233:443 cdn.discordapp.com tcp
BG 185.82.216.108:443 server6.databaseupgrade.ru tcp
US 172.67.221.71:443 carsalessystem.com tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
BG 185.82.216.108:443 server6.databaseupgrade.ru tcp
BG 185.82.216.108:443 server6.databaseupgrade.ru tcp
BG 185.82.216.108:443 server6.databaseupgrade.ru tcp

Files

memory/5056-1-0x0000000004F60000-0x0000000005362000-memory.dmp

memory/5056-2-0x0000000005370000-0x0000000005C5B000-memory.dmp

memory/5056-3-0x0000000000400000-0x0000000003118000-memory.dmp

memory/2400-4-0x0000000004BD0000-0x0000000004C06000-memory.dmp

memory/2400-5-0x0000000074940000-0x00000000750F1000-memory.dmp

memory/2400-8-0x0000000005240000-0x000000000586A000-memory.dmp

memory/2400-7-0x0000000004B80000-0x0000000004B90000-memory.dmp

memory/2400-6-0x0000000004B80000-0x0000000004B90000-memory.dmp

memory/2400-9-0x00000000058D0000-0x00000000058F2000-memory.dmp

memory/2400-10-0x0000000005970000-0x00000000059D6000-memory.dmp

memory/2400-11-0x00000000059E0000-0x0000000005A46000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vo3f40er.1ti.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2400-20-0x0000000005A50000-0x0000000005DA7000-memory.dmp

memory/2400-21-0x0000000006060000-0x000000000607E000-memory.dmp

memory/2400-22-0x0000000006090000-0x00000000060DC000-memory.dmp

memory/2400-23-0x0000000007200000-0x0000000007246000-memory.dmp

memory/2400-24-0x000000007F2C0000-0x000000007F2D0000-memory.dmp

memory/2400-25-0x0000000007480000-0x00000000074B4000-memory.dmp

memory/2400-26-0x0000000070BB0000-0x0000000070BFC000-memory.dmp

memory/2400-27-0x0000000070E20000-0x0000000071177000-memory.dmp

memory/2400-36-0x00000000074C0000-0x00000000074DE000-memory.dmp

memory/2400-37-0x0000000004B80000-0x0000000004B90000-memory.dmp

memory/2400-38-0x00000000074E0000-0x0000000007584000-memory.dmp

memory/2400-39-0x0000000007C50000-0x00000000082CA000-memory.dmp

memory/2400-40-0x0000000007600000-0x000000000761A000-memory.dmp

memory/2400-41-0x0000000007640000-0x000000000764A000-memory.dmp

memory/2400-42-0x0000000007700000-0x0000000007796000-memory.dmp

memory/2400-43-0x0000000007680000-0x0000000007691000-memory.dmp

memory/2400-44-0x00000000076B0000-0x00000000076BE000-memory.dmp

memory/2400-45-0x00000000076C0000-0x00000000076D5000-memory.dmp

memory/2400-46-0x00000000077C0000-0x00000000077DA000-memory.dmp

memory/2400-47-0x00000000077B0000-0x00000000077B8000-memory.dmp

memory/2400-50-0x0000000074940000-0x00000000750F1000-memory.dmp

memory/3912-52-0x0000000004E60000-0x000000000525E000-memory.dmp

memory/3912-53-0x0000000005260000-0x0000000005B4B000-memory.dmp

memory/5056-54-0x0000000004F60000-0x0000000005362000-memory.dmp

memory/3912-55-0x0000000000400000-0x0000000003118000-memory.dmp

memory/1916-56-0x0000000006400000-0x0000000006757000-memory.dmp

memory/1916-58-0x0000000005440000-0x0000000005450000-memory.dmp

memory/1916-57-0x0000000005440000-0x0000000005450000-memory.dmp

memory/5056-67-0x0000000005370000-0x0000000005C5B000-memory.dmp

memory/1916-68-0x0000000074940000-0x00000000750F1000-memory.dmp

memory/1916-70-0x0000000070BB0000-0x0000000070BFC000-memory.dmp

memory/1916-71-0x0000000070E00000-0x0000000071157000-memory.dmp

memory/1916-69-0x000000007FC00000-0x000000007FC10000-memory.dmp

memory/1916-80-0x0000000007B20000-0x0000000007BC4000-memory.dmp

memory/5056-81-0x0000000000400000-0x0000000003118000-memory.dmp

memory/1916-82-0x0000000007E70000-0x0000000007E81000-memory.dmp

memory/1916-83-0x0000000007EC0000-0x0000000007ED5000-memory.dmp

memory/1916-86-0x0000000074940000-0x00000000750F1000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 d0c46cad6c0778401e21910bd6b56b70
SHA1 7be418951ea96326aca445b8dfe449b2bfa0dca6
SHA256 9600b3fdf0565ccb49e21656aa4b24d7c18f776bfd04d9ee984b134707550f02
SHA512 057531b468f7fbbb2175a696a8aab274dec0d17d9f71df309edcff35e064f3378050066a3df47ccd03048fac461594ec75e3d4fe64f9dd79949d129f51e02949

memory/656-89-0x0000000074940000-0x00000000750F1000-memory.dmp

memory/656-90-0x00000000053E0000-0x00000000053F0000-memory.dmp

memory/656-99-0x00000000053E0000-0x00000000053F0000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 29116e46b31d17bb971092deda648f53
SHA1 f77a26733a905d385b16022f0ef62a635f8c116b
SHA256 16b38bfbd80d629f68356ac3a10450e8050398aa8bfe6acc6f1bdd8ffe8501c3
SHA512 b0556dc0f2798297086435e75b524952d94d883394f22f4914e4d9c3756a0512d0a8c11d618ec688c42c2c5f87d2dd4b02315b60c341b707cd5a2ecf89496eb6

memory/656-103-0x0000000070E00000-0x0000000071157000-memory.dmp

memory/656-102-0x0000000070BB0000-0x0000000070BFC000-memory.dmp

memory/656-101-0x000000007FA00000-0x000000007FA10000-memory.dmp

memory/656-112-0x00000000053E0000-0x00000000053F0000-memory.dmp

memory/656-114-0x0000000074940000-0x00000000750F1000-memory.dmp

memory/3912-115-0x0000000004E60000-0x000000000525E000-memory.dmp

memory/3696-119-0x0000000006410000-0x0000000006767000-memory.dmp

memory/3696-118-0x0000000074940000-0x00000000750F1000-memory.dmp

memory/3696-126-0x0000000003530000-0x0000000003540000-memory.dmp

memory/3696-127-0x0000000003530000-0x0000000003540000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 816229ba96e852f9b66ede7cfb7b80de
SHA1 2093b264a3a047633fae9110641dda7a305587de
SHA256 62dab729ab32af100534afd2c9e18247f23fdf036a70ab23178a09be0971e3b5
SHA512 23d4024dc8152425173d0ad9b0fe1f880d61069204c34cbc0604b3e80e0fa81b9240bd6b24d9bca25e1eb40773fc968fb9478d81a90f9997647ca93359b58274

memory/3696-129-0x0000000070BB0000-0x0000000070BFC000-memory.dmp

memory/3696-130-0x0000000070DC0000-0x0000000071117000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 eca19b4eb5c269b948c21aeada803d50
SHA1 06e9274af530b892a3270652f5098c795c27a9db
SHA256 95dc36b08df2699d4f5fd0d6623ea9f7d4e0dc811fe31e60f0d74df9e934e572
SHA512 344dd68cecdc59d2f7d0f689287cde1b52dd9c808b30fd4a80079c8437b9df4cfe12a62792f0548887e90403debfce6c39bb1934789931bfddbc4c2c089c2df4

memory/3912-146-0x0000000000400000-0x0000000003118000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 100679712fc1dffca35a7aa3c4a84d69
SHA1 fa62dfbb168a4e687284c2435414aa339f352225
SHA256 d0f0511f91bc226134492622dbe46cb24850db9f7e6fd7242050dc393a7a63e6
SHA512 5a312091799d09dbae069216176ccf11862e1dacd3cd00189f473a411e1b95fdd016b587117e033055db645e61a8d49b51d4810f02b9d381e2f9077e3d87e0e5

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 f10f3cb89f7953a59d2ab7f2444a9c6a
SHA1 2fa2a8d1d45c2fa422afc9901cce209feb26787f
SHA256 6d6422ba11349b03f224f212a603ff467f43f860ef51232aa640b6d431707b86
SHA512 a790799b60fd26124cc7c940b49b0b43f7177a8632216db5d0038132e96c62d91a9485d5c3ea080e609210e1312c133648fcbe3c7bf704f51820648b21f1c0cb

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 88492a83bfda91f1a7c4092b7c3dea02
SHA1 7868d470578c64091cfb135cd7b27fb7291fe67d
SHA256 f67248bc5878c5fae2f6d3b7ba1eefcdee85e7b1b27375b4cb18f82745b48727
SHA512 2c1d795b2ed5dcf7ff5f4259bbee83d3c36dace5463a6c56e86a9e7cd284cd2e35d8f567ba1947c160c7e0ffa1561feedf981556b7024442868aaa45ac29df78

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/3192-239-0x0000000000400000-0x0000000003118000-memory.dmp

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/2056-247-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3192-248-0x0000000000400000-0x0000000003118000-memory.dmp

memory/2012-250-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3192-251-0x0000000000400000-0x0000000003118000-memory.dmp

memory/3192-254-0x0000000000400000-0x0000000003118000-memory.dmp

memory/2012-256-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3192-257-0x0000000000400000-0x0000000003118000-memory.dmp

memory/3192-260-0x0000000000400000-0x0000000003118000-memory.dmp

memory/3192-263-0x0000000000400000-0x0000000003118000-memory.dmp

memory/2012-265-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3192-266-0x0000000000400000-0x0000000003118000-memory.dmp

memory/3192-269-0x0000000000400000-0x0000000003118000-memory.dmp

memory/3192-272-0x0000000000400000-0x0000000003118000-memory.dmp

memory/3192-275-0x0000000000400000-0x0000000003118000-memory.dmp

memory/3192-278-0x0000000000400000-0x0000000003118000-memory.dmp

memory/3192-281-0x0000000000400000-0x0000000003118000-memory.dmp