Malware Analysis Report

2025-08-10 17:22

Sample ID 240417-s93pzsee77
Target f9fdb86daba926b4ffb1099583cf2996a54f04a4f3bd2de6e2eb10eef12f3c9c
SHA256 f9fdb86daba926b4ffb1099583cf2996a54f04a4f3bd2de6e2eb10eef12f3c9c
Tags
glupteba discovery dropper evasion loader persistence rootkit upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f9fdb86daba926b4ffb1099583cf2996a54f04a4f3bd2de6e2eb10eef12f3c9c

Threat Level: Known bad

The file f9fdb86daba926b4ffb1099583cf2996a54f04a4f3bd2de6e2eb10eef12f3c9c was found to be: Known bad.

Malicious Activity Summary

glupteba discovery dropper evasion loader persistence rootkit upx

Glupteba payload

Glupteba

Modifies Windows Firewall

UPX packed file

Executes dropped EXE

Adds Run key to start application

Manipulates WinMonFS driver.

Checks installed software on the system

Drops file in System32 directory

Checks for VirtualBox DLLs, possible anti-VM trick

Launches sc.exe

Drops file in Windows directory

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Modifies data under HKEY_USERS

Uses Task Scheduler COM API

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-17 15:50

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-17 15:50

Reported

2024-04-17 15:53

Platform

win10v2004-20240412-en

Max time kernel

150s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f9fdb86daba926b4ffb1099583cf2996a54f04a4f3bd2de6e2eb10eef12f3c9c.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
(22 rows; every field is N/A, so the rows are collapsed here)

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Description Indicator Process Target
(4 rows; every field is N/A, so the rows are collapsed here)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\f9fdb86daba926b4ffb1099583cf2996a54f04a4f3bd2de6e2eb10eef12f3c9c.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

WinMonFS is the device name of the file-system minifilter driver that Glupteba installs as its rootkit component; csrss.exe opening \??\WinMonFS for modification is the user-mode dropper sending control requests to that driver, which only succeeds once the driver has been loaded.

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\f9fdb86daba926b4ffb1099583cf2996a54f04a4f3bd2de6e2eb10eef12f3c9c.exe N/A

The indicator here is a device name rather than a DLL: \??\VBoxMiniRdrDN is the VirtualBox shared-folder mini-redirector, which exists only inside a VirtualBox guest with Guest Additions installed, so a successful open tells the sample it is running in a VM.

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\f9fdb86daba926b4ffb1099583cf2996a54f04a4f3bd2de6e2eb10eef12f3c9c.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\f9fdb86daba926b4ffb1099583cf2996a54f04a4f3bd2de6e2eb10eef12f3c9c.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-512 = "Central Asia Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-112 = "Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\f9fdb86daba926b4ffb1099583cf2996a54f04a4f3bd2de6e2eb10eef12f3c9c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1891 = "Russia TZ 3 Daylight Time" C:\Users\Admin\AppData\Local\Temp\f9fdb86daba926b4ffb1099583cf2996a54f04a4f3bd2de6e2eb10eef12f3c9c.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-352 = "FLE Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-3052 = "Qyzylorda Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2182 = "Astrakhan Standard Time" C:\Users\Admin\AppData\Local\Temp\f9fdb86daba926b4ffb1099583cf2996a54f04a4f3bd2de6e2eb10eef12f3c9c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-281 = "Central Europe Daylight Time" C:\Users\Admin\AppData\Local\Temp\f9fdb86daba926b4ffb1099583cf2996a54f04a4f3bd2de6e2eb10eef12f3c9c.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-182 = "Mountain Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\f9fdb86daba926b4ffb1099583cf2996a54f04a4f3bd2de6e2eb10eef12f3c9c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-631 = "Tokyo Daylight Time" C:\Users\Admin\AppData\Local\Temp\f9fdb86daba926b4ffb1099583cf2996a54f04a4f3bd2de6e2eb10eef12f3c9c.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1472 = "Magadan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1861 = "Russia TZ 6 Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-365 = "Middle East Standard Time" C:\Users\Admin\AppData\Local\Temp\f9fdb86daba926b4ffb1099583cf2996a54f04a4f3bd2de6e2eb10eef12f3c9c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-771 = "Montevideo Daylight Time" C:\Users\Admin\AppData\Local\Temp\f9fdb86daba926b4ffb1099583cf2996a54f04a4f3bd2de6e2eb10eef12f3c9c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-71 = "Newfoundland Daylight Time" C:\Users\Admin\AppData\Local\Temp\f9fdb86daba926b4ffb1099583cf2996a54f04a4f3bd2de6e2eb10eef12f3c9c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-251 = "Dateline Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2842 = "Saratov Standard Time" C:\Users\Admin\AppData\Local\Temp\f9fdb86daba926b4ffb1099583cf2996a54f04a4f3bd2de6e2eb10eef12f3c9c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1911 = "Russia TZ 10 Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-591 = "Malay Peninsula Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2392 = "Aleutian Standard Time" C:\Users\Admin\AppData\Local\Temp\f9fdb86daba926b4ffb1099583cf2996a54f04a4f3bd2de6e2eb10eef12f3c9c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-842 = "Argentina Standard Time" C:\Users\Admin\AppData\Local\Temp\f9fdb86daba926b4ffb1099583cf2996a54f04a4f3bd2de6e2eb10eef12f3c9c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-332 = "E. Europe Standard Time" C:\Users\Admin\AppData\Local\Temp\f9fdb86daba926b4ffb1099583cf2996a54f04a4f3bd2de6e2eb10eef12f3c9c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2321 = "Sakhalin Daylight Time" C:\Users\Admin\AppData\Local\Temp\f9fdb86daba926b4ffb1099583cf2996a54f04a4f3bd2de6e2eb10eef12f3c9c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-402 = "Arabic Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-141 = "Canada Central Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-931 = "Coordinated Universal Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-334 = "Jordan Daylight Time" C:\Users\Admin\AppData\Local\Temp\f9fdb86daba926b4ffb1099583cf2996a54f04a4f3bd2de6e2eb10eef12f3c9c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-3141 = "South Sudan Daylight Time" C:\Users\Admin\AppData\Local\Temp\f9fdb86daba926b4ffb1099583cf2996a54f04a4f3bd2de6e2eb10eef12f3c9c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2571 = "Turks and Caicos Daylight Time" C:\Users\Admin\AppData\Local\Temp\f9fdb86daba926b4ffb1099583cf2996a54f04a4f3bd2de6e2eb10eef12f3c9c.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-351 = "FLE Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-791 = "SA Western Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-532 = "Sri Lanka Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1932 = "Russia TZ 11 Standard Time" C:\Users\Admin\AppData\Local\Temp\f9fdb86daba926b4ffb1099583cf2996a54f04a4f3bd2de6e2eb10eef12f3c9c.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1021 = "Bangladesh Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-772 = "Montevideo Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2611 = "Bougainville Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-491 = "India Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1831 = "Russia TZ 2 Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-841 = "Argentina Daylight Time" C:\Users\Admin\AppData\Local\Temp\f9fdb86daba926b4ffb1099583cf2996a54f04a4f3bd2de6e2eb10eef12f3c9c.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-452 = "Caucasus Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-52 = "Greenland Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2451 = "Saint Pierre Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1471 = "Magadan Daylight Time" C:\Users\Admin\AppData\Local\Temp\f9fdb86daba926b4ffb1099583cf2996a54f04a4f3bd2de6e2eb10eef12f3c9c.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2161 = "Altai Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2491 = "Aus Central W. Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2001 = "Cabo Verde Daylight Time" C:\Users\Admin\AppData\Local\Temp\f9fdb86daba926b4ffb1099583cf2996a54f04a4f3bd2de6e2eb10eef12f3c9c.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
(64 rows; Description, Indicator and Target are N/A throughout, so the rows are collapsed to a count per process)
Process Rows
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe 32
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 14
C:\Users\Admin\AppData\Local\Temp\f9fdb86daba926b4ffb1099583cf2996a54f04a4f3bd2de6e2eb10eef12f3c9c.exe 12
C:\Windows\rss\csrss.exe 6

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f9fdb86daba926b4ffb1099583cf2996a54f04a4f3bd2de6e2eb10eef12f3c9c.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\f9fdb86daba926b4ffb1099583cf2996a54f04a4f3bd2de6e2eb10eef12f3c9c.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
(36 rows, grouped below by writing process; the number in parentheses is how many "wrote to memory" rows the report lists for that writer/target pair)

PID 4160 C:\Users\Admin\AppData\Local\Temp\f9fdb86daba926b4ffb1099583cf2996a54f04a4f3bd2de6e2eb10eef12f3c9c.exe
    -> PID 1888 C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (3)
PID 3604 C:\Users\Admin\AppData\Local\Temp\f9fdb86daba926b4ffb1099583cf2996a54f04a4f3bd2de6e2eb10eef12f3c9c.exe
    -> PID 3108 C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (3)
    -> PID 4440 C:\Windows\system32\cmd.exe (2)
        -> PID 1816 C:\Windows\system32\netsh.exe (2)
    -> PID 4328 C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (3)
    -> PID 1812 C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (3)
    -> PID 4772 C:\Windows\rss\csrss.exe (3)
        -> PID 4088 C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (3)
        -> PID 5076 C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (3)
        -> PID 1496 C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (3)
        -> PID 2720 C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe (2)
PID 524 C:\Windows\windefender.exe
    -> PID 3500 C:\Windows\SysWOW64\cmd.exe (3)
        -> PID 2084 C:\Windows\SysWOW64\sc.exe (3)

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\f9fdb86daba926b4ffb1099583cf2996a54f04a4f3bd2de6e2eb10eef12f3c9c.exe

"C:\Users\Admin\AppData\Local\Temp\f9fdb86daba926b4ffb1099583cf2996a54f04a4f3bd2de6e2eb10eef12f3c9c.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\f9fdb86daba926b4ffb1099583cf2996a54f04a4f3bd2de6e2eb10eef12f3c9c.exe

"C:\Users\Admin\AppData\Local\Temp\f9fdb86daba926b4ffb1099583cf2996a54f04a4f3bd2de6e2eb10eef12f3c9c.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe
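The last command in the process list above rewrites the security descriptor of the sample's own "WinDefender" service with `sc sdset`. The SDDL string is dense, so the following added example (written for this page, not code from the sandbox or from the sample) decodes it. `SAMPLE_SDDL` is copied verbatim from the report; the rights table uses the documented service-object meaning of the two-letter SDDL codes (the same meaning `sc sdshow` uses), and the trustee abbreviations are the standard well-known ones. `effective_rights` is an approximation that ignores group membership and ACE order, which is an assumption that holds for a simple hand-written descriptor like this one.

```python
"""Decode the service DACL that the sample sets with `sc sdset WinDefender ...`.

Added example, not part of the sandbox report.  SAMPLE_SDDL is the string from
the report's process list; the two-letter codes are interpreted with the
service-object meanings that sc.exe uses."""
import re

# SDDL access codes as they apply to service objects (sc sdset / sc sdshow).
SERVICE_RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS", "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START", "WP": "SERVICE_STOP", "DT": "SERVICE_PAUSE_CONTINUE",
    "LO": "SERVICE_INTERROGATE", "CR": "SERVICE_USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
    "GA": "GENERIC_ALL", "GR": "GENERIC_READ", "GW": "GENERIC_WRITE", "GX": "GENERIC_EXECUTE",
}
# Well-known trustee abbreviations that appear in the sample's descriptor.
TRUSTEES = {"SY": "LOCAL SYSTEM", "BA": "BUILTIN\\Administrators",
            "IU": "Interactive users", "SU": "Service logon users", "WD": "Everyone"}
ACE_RE = re.compile(r"\(([^)]*)\)")

# Copied from the report's `sc sdset WinDefender ...` command line.
SAMPLE_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)"
               "(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
               "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")


def parse_sddl(sddl):
    """Return {"D": [ace, ...], "S": [ace, ...]}; each ace is a dict with the
    ACE type (A=allow, D=deny, AU=audit), flags, decoded rights and trustee."""
    result = {"D": [], "S": []}
    for section in re.split(r"(?=\b[OGDS]:)", sddl):
        if len(section) < 2 or section[1] != ":" or section[0] not in result:
            continue  # empty split residue, or an O:/G: owner/group section
        for body in ACE_RE.findall(section):
            fields = body.split(";")
            if len(fields) < 6:
                raise ValueError(f"malformed ACE: ({body})")
            ace_type, flags, rights_str, _obj, _inherit, trustee = fields[:6]
            if rights_str.startswith("0x"):
                rights = [rights_str]          # raw access mask, left undecoded
            else:
                codes = [rights_str[i:i + 2] for i in range(0, len(rights_str), 2)]
                rights = [SERVICE_RIGHTS.get(c, c) for c in codes]
            result[section[0]].append({"type": ace_type, "flags": flags, "rights": rights,
                                       "trustee": TRUSTEES.get(trustee, trustee)})
    return result


def denied_to_admins(sddl):
    """Rights explicitly denied to BUILTIN\\Administrators in the DACL."""
    return [r for ace in parse_sddl(sddl)["D"]
            if ace["type"] == "D" and ace["trustee"] == TRUSTEES["BA"]
            for r in ace["rights"]]


def effective_rights(sddl, trustee_code):
    """Approximate what one trustee can do: union of its allow ACEs minus its
    deny ACEs.  Group membership and ACE ordering are ignored (assumption),
    which is enough for reading a hand-written descriptor like the sample's."""
    name = TRUSTEES.get(trustee_code, trustee_code)
    allowed, denied = set(), set()
    for ace in parse_sddl(sddl)["D"]:
        if ace["trustee"] != name:
            continue
        if ace["type"] == "A":
            allowed.update(ace["rights"])
        elif ace["type"] == "D":
            denied.update(ace["rights"])
    return sorted(allowed - denied)


if __name__ == "__main__":
    print("denied to Administrators:", denied_to_admins(SAMPLE_SDDL))
    for code in ("SY", "BA", "IU"):
        print(f"{TRUSTEES[code]:<24}", ", ".join(effective_rights(SAMPLE_SDDL, code)))
```

What the decode shows: the deny ACE `(D;;WPDT;;;BA)` strips SERVICE_STOP and SERVICE_PAUSE_CONTINUE from Administrators, and the preceding allow ACE for Administrators already omits those two codes, so an admin `sc stop WinDefender` or `net stop` fails regardless of ACE order. LOCAL SYSTEM keeps SERVICE_STOP, and Administrators keep SERVICE_CHANGE_CONFIG, DELETE, WRITE_DAC and WRITE_OWNER, so the descriptor is only a speed bump: an administrator can rewrite it with `sc sdset` or remove the service with `sc delete`. The DACL governs Service Control Manager operations only; it says nothing about terminating the process itself.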

Network

Country Destination Domain Proto
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 d6c8a868-3b37-4c1a-a11a-e96af11f7dad.uuid.databaseupgrade.ru udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 65.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 stun1.l.google.com udp
US 8.8.8.8:53 server16.databaseupgrade.ru udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.135.233:443 cdn.discordapp.com tcp
BE 172.253.120.127:19302 stun1.l.google.com udp
BG 185.82.216.108:443 server16.databaseupgrade.ru tcp
US 8.8.8.8:53 127.120.253.172.in-addr.arpa udp
US 8.8.8.8:53 carsalessystem.com udp
US 104.21.94.82:443 carsalessystem.com tcp
US 8.8.8.8:53 233.135.159.162.in-addr.arpa udp
US 8.8.8.8:53 108.216.82.185.in-addr.arpa udp
US 8.8.8.8:53 82.94.21.104.in-addr.arpa udp
BG 185.82.216.108:443 server16.databaseupgrade.ru tcp
BG 185.82.216.108:443 server16.databaseupgrade.ru tcp
US 8.8.8.8:53 41.244.122.92.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 27.73.42.20.in-addr.arpa udp

Files

memory/4160-1-0x0000000004EA0000-0x00000000052A7000-memory.dmp

memory/4160-2-0x00000000052B0000-0x0000000005B9B000-memory.dmp

memory/4160-3-0x0000000000400000-0x0000000003118000-memory.dmp

memory/1888-4-0x00000000045F0000-0x0000000004626000-memory.dmp

memory/1888-5-0x0000000074940000-0x00000000750F0000-memory.dmp

memory/1888-6-0x00000000046E0000-0x00000000046F0000-memory.dmp

memory/1888-7-0x00000000046E0000-0x00000000046F0000-memory.dmp

memory/1888-8-0x0000000004D20000-0x0000000005348000-memory.dmp

memory/1888-9-0x0000000004CE0000-0x0000000004D02000-memory.dmp

memory/1888-11-0x0000000005430000-0x0000000005496000-memory.dmp

memory/1888-10-0x00000000053C0000-0x0000000005426000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fpvj4hsh.gc2.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1888-21-0x0000000005560000-0x00000000058B4000-memory.dmp

memory/1888-22-0x0000000005BC0000-0x0000000005BDE000-memory.dmp

memory/1888-23-0x0000000005C20000-0x0000000005C6C000-memory.dmp

memory/1888-24-0x0000000006D30000-0x0000000006D74000-memory.dmp

memory/1888-25-0x00000000046E0000-0x00000000046F0000-memory.dmp

memory/1888-26-0x0000000006F10000-0x0000000006F86000-memory.dmp

memory/1888-27-0x0000000007610000-0x0000000007C8A000-memory.dmp

memory/1888-28-0x0000000006FB0000-0x0000000006FCA000-memory.dmp

memory/1888-31-0x00000000707E0000-0x000000007082C000-memory.dmp

memory/1888-30-0x0000000007160000-0x0000000007192000-memory.dmp

memory/1888-29-0x000000007F140000-0x000000007F150000-memory.dmp

memory/1888-32-0x0000000070980000-0x0000000070CD4000-memory.dmp

memory/1888-42-0x0000000007140000-0x000000000715E000-memory.dmp

memory/1888-43-0x00000000071A0000-0x0000000007243000-memory.dmp

memory/1888-44-0x0000000007290000-0x000000000729A000-memory.dmp

memory/1888-45-0x0000000007350000-0x00000000073E6000-memory.dmp

memory/1888-46-0x00000000072B0000-0x00000000072C1000-memory.dmp

memory/1888-47-0x00000000072F0000-0x00000000072FE000-memory.dmp

memory/1888-48-0x0000000007300000-0x0000000007314000-memory.dmp

memory/1888-49-0x00000000073F0000-0x000000000740A000-memory.dmp

memory/1888-50-0x0000000007330000-0x0000000007338000-memory.dmp

memory/1888-53-0x0000000074940000-0x00000000750F0000-memory.dmp

memory/4160-54-0x0000000000400000-0x0000000003118000-memory.dmp

memory/4160-55-0x0000000000400000-0x0000000003118000-memory.dmp

memory/4160-56-0x00000000052B0000-0x0000000005B9B000-memory.dmp

memory/3604-58-0x0000000004D20000-0x0000000005123000-memory.dmp

memory/3604-59-0x0000000005130000-0x0000000005A1B000-memory.dmp

memory/3604-60-0x0000000000400000-0x0000000003118000-memory.dmp

memory/3108-61-0x0000000004700000-0x0000000004710000-memory.dmp

memory/3108-68-0x0000000005490000-0x00000000057E4000-memory.dmp

memory/3108-67-0x0000000004700000-0x0000000004710000-memory.dmp

memory/3108-73-0x00000000749E0000-0x0000000075190000-memory.dmp

memory/3108-74-0x0000000005B10000-0x0000000005B5C000-memory.dmp

memory/3108-75-0x0000000004700000-0x0000000004710000-memory.dmp

memory/3108-77-0x0000000071080000-0x00000000713D4000-memory.dmp

memory/3108-87-0x0000000006D60000-0x0000000006E03000-memory.dmp

memory/3108-76-0x00000000708E0000-0x000000007092C000-memory.dmp

memory/3108-88-0x0000000007020000-0x0000000007031000-memory.dmp

memory/3108-89-0x0000000007070000-0x0000000007084000-memory.dmp

memory/3108-92-0x00000000749E0000-0x0000000075190000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 3d086a433708053f9bf9523e1d87a4e8
SHA1 b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA256 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

memory/4328-94-0x00000000749E0000-0x0000000075190000-memory.dmp

memory/4328-104-0x0000000005150000-0x0000000005160000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 9d828ef73c83f52bd3b775a80a4949ba
SHA1 5b1af21742bbbf195dc2cb10198f7ddfb0add623
SHA256 52d29380ef92cdef61ec7a2b41898a93b93cb4294ff3f722379255ea9605d4f7
SHA512 70b10f0b3bfd3973e7f87945a77c9843dcfa3dfb0eaa38023405f0fbae669ece6e9abb8a720e6cd84fecfa11d7b21d99aa38eae16789b8d633896a729aaaf40e

memory/4328-105-0x0000000005150000-0x0000000005160000-memory.dmp

memory/3604-107-0x0000000004D20000-0x0000000005123000-memory.dmp

memory/4328-108-0x0000000005150000-0x0000000005160000-memory.dmp

memory/4328-109-0x000000007EF90000-0x000000007EFA0000-memory.dmp

memory/4328-111-0x0000000071080000-0x00000000713D4000-memory.dmp

memory/4328-110-0x00000000708E0000-0x000000007092C000-memory.dmp

memory/4328-122-0x00000000749E0000-0x0000000075190000-memory.dmp

memory/3604-123-0x0000000000400000-0x0000000003118000-memory.dmp

memory/1812-134-0x00000000749E0000-0x0000000075190000-memory.dmp

memory/1812-133-0x0000000006490000-0x00000000067E4000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 f342dc753c3995489712335aa21d47c3
SHA1 1b41b62a45e04493b8aed4324f29f610a0832f64
SHA256 396f0ca7cc0f8b3a43a2af6f753d325b0308042c660f05ccee5d36bad2dfe9fa
SHA512 d9ed0e96a7fc3fde540c031541deb58f23df7ecb6fac773abb851859f166366563cec1b400bdb098b1ebaf728f2c269cb511d05879d3664fd7637b18f6caa3ca

memory/1812-137-0x00000000033F0000-0x0000000003400000-memory.dmp

memory/1812-138-0x00000000033F0000-0x0000000003400000-memory.dmp

memory/3604-136-0x0000000000400000-0x0000000003118000-memory.dmp

memory/1812-139-0x000000007F940000-0x000000007F950000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 7f19abaf61cd0b4e1ab722b24500a526
SHA1 1b25b8834a89bf3d40e6a24d8f5a224930393c09
SHA256 f9fdb86daba926b4ffb1099583cf2996a54f04a4f3bd2de6e2eb10eef12f3c9c
SHA512 845ef67f21dfdcb83a58e0dfc2d16403db059eb7d3266a09eb39a3792025ac1eb4c6856b3ec72d9163a9473f693dfb8fe7e2aa6fbfe579047d57ae22af623874

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 8524e8a4a9337448f6b3e48d8ad38919
SHA1 7d980103aad8c236a8780bac06cceebdfcd356b4
SHA256 8399d9363d4cea5d1bac0f1fddf430485fcff3a82dda12afa7860228a7265dfb
SHA512 146fc0cf1994d80570aa6cb486852cfa2697fef1f046dcc9c205ca39e377776b0ed53c635860c2221b69c40e53bd71113994e5483a2402d0a0df153fd053b1dc

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 363514d063ea9548bffe6ac02957b630
SHA1 25c54753f071ad0474e8dc34710317edad93e63c
SHA256 c488a6946bd6a81d451e42e6af44ef90b545d90fee4d1fcb1a912b94053bcbb7
SHA512 f72f8fb43d5a6ee09c68660c6f6d3457b074a907c1cc7677ffde55e78f2082e3192e34c9f4d54028037f3d98aaf3236c3fba396203fb602a704a05e310da92dc

memory/3604-205-0x0000000000400000-0x0000000003118000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 b273d7a8940f442df19c8096d0a87d9c
SHA1 ba5558ee6ca6fa632ec4510f49bbb79812dc4a84
SHA256 a6916563f04a291e5f90848a6050cbbe0dc71179b344ff43518a19c328788ab0
SHA512 3eac88389655e1e16b941286b1aecdf0ac235b9b6bdc31c8bd0aae4130cabef77be8594936704936640bb5b955685a4fa371ff596c95f4cb32a5b5ea40811cad

memory/4772-238-0x0000000000400000-0x0000000003118000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/4772-260-0x0000000000400000-0x0000000003118000-memory.dmp

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/524-268-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4772-270-0x0000000000400000-0x0000000003118000-memory.dmp

memory/4212-272-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4772-273-0x0000000000400000-0x0000000003118000-memory.dmp

memory/4772-276-0x0000000000400000-0x0000000003118000-memory.dmp

memory/4212-278-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4772-279-0x0000000000400000-0x0000000003118000-memory.dmp

memory/4772-282-0x0000000000400000-0x0000000003118000-memory.dmp

memory/4772-285-0x0000000000400000-0x0000000003118000-memory.dmp

memory/4772-288-0x0000000000400000-0x0000000003118000-memory.dmp

memory/4772-291-0x0000000000400000-0x0000000003118000-memory.dmp

memory/4772-294-0x0000000000400000-0x0000000003118000-memory.dmp

memory/4772-297-0x0000000000400000-0x0000000003118000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-17 15:50

Reported

2024-04-17 15:52

Platform

win11-20240412-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f9fdb86daba926b4ffb1099583cf2996a54f04a4f3bd2de6e2eb10eef12f3c9c.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\f9fdb86daba926b4ffb1099583cf2996a54f04a4f3bd2de6e2eb10eef12f3c9c.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\f9fdb86daba926b4ffb1099583cf2996a54f04a4f3bd2de6e2eb10eef12f3c9c.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\f9fdb86daba926b4ffb1099583cf2996a54f04a4f3bd2de6e2eb10eef12f3c9c.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\f9fdb86daba926b4ffb1099583cf2996a54f04a4f3bd2de6e2eb10eef12f3c9c.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
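The signatures above (firewall rule, csrss.exe dropped into C:\Windows\rss, the Run key, the ONLOGON task and the sc.exe launch) each correspond to one process command line recorded in the behavioral1 run. The following added example (written for this page, not code from the sandbox or from the sample) turns those observations into four process-creation triage rules and runs them over an event list constructed from the report's command lines, plus two benign lines added for contrast. The trusted-directory allow-list and the set of core process names are assumptions chosen to fit what the report shows, not an exhaustive baseline; in particular C:\Windows itself is deliberately not trusted because the sample writes into C:\Windows\rss and C:\Windows\windefender.exe.

```python
"""Triage rules for the process-creation events this sample produces.

Added example, not part of the sandbox report.  EVENTS is constructed from the
command lines in the report (plus two benign lines for contrast); the rules and
the directory allow-list are assumptions chosen to fit what the report shows."""
import ntpath
import re

# Directories from which a system-named binary, a firewall-allowed program or a
# privileged logon task is expected.  C:\Windows itself is deliberately not
# trusted: the sample drops into C:\Windows\rss and C:\Windows\windefender.exe.
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                "c:\\program files\\", "c:\\program files (x86)\\")
# Names of core Windows processes that only ever run from System32 (assumption).
SYSTEM_PROCESS_NAMES = {"csrss.exe", "smss.exe", "lsass.exe", "winlogon.exe",
                        "services.exe", "svchost.exe", "wininit.exe"}

FW_RE = re.compile(r"netsh\s+advfirewall\s+firewall\s+add\s+rule\b.*\baction=allow\b"
                   r'.*\bprogram="?([^"\s]+)', re.I)
TASK_RE = re.compile(r"schtasks(?:\.exe)?\s+/create\b", re.I)
TASK_TR_RE = re.compile(r'/TR\s+"?([^"]+?)"?(?:\s+/|$)', re.I)
SDSET_RE = re.compile(r"\bsc(?:\.exe)?\s+sdset\s+(\S+)", re.I)

EVENTS = [  # (image path, command line) pairs, constructed from the report
    (r"C:\Windows\system32\netsh.exe",
     r'netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes'),
    (r"C:\Windows\rss\csrss.exe", r"C:\Windows\rss\csrss.exe"),
    (r"C:\Windows\SYSTEM32\schtasks.exe",
     r'schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F'),
    (r"C:\Windows\SysWOW64\sc.exe",
     "sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)"
     "(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
     "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"),
    # Benign lines for contrast (constructed, not from the report).
    (r"C:\Windows\System32\csrss.exe", "csrss.exe"),
    (r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe", "powershell -nologo -noprofile"),
]


def in_trusted_dir(path):
    p = path.strip('"').lower()
    return any(p.startswith(d) for d in TRUSTED_DIRS)


def rule_masquerade(image, cmdline):
    """A core-process name (csrss.exe) running from anywhere but System32."""
    name = ntpath.basename(image).lower()
    if name in SYSTEM_PROCESS_NAMES and not in_trusted_dir(image):
        return f"{name} running from {ntpath.dirname(image)}"


def rule_firewall_allow(image, cmdline):
    """netsh inbound allow rule whose program lives outside trusted directories."""
    m = FW_RE.search(cmdline)
    if m and not in_trusted_dir(m.group(1)):
        return f"inbound allow rule for {m.group(1)}"


def rule_logon_task(image, cmdline):
    """schtasks /CREATE at logon or with /RL HIGHEST running an untrusted path."""
    if not TASK_RE.search(cmdline):
        return None
    privileged = re.search(r"/(?:RL\s+HIGHEST|SC\s+ONLOGON)\b", cmdline, re.I)
    m = TASK_TR_RE.search(cmdline)
    target = m.group(1) if m else ""
    if privileged and not in_trusted_dir(target):
        return f"privileged logon task runs {target or '<no /TR>'}"


def rule_service_dacl(image, cmdline):
    """Any sc sdset: service DACLs are rarely rewritten outside installers."""
    m = SDSET_RE.search(cmdline)
    if m:
        return f"service DACL rewritten for {m.group(1)}"


RULES = (rule_masquerade, rule_firewall_allow, rule_logon_task, rule_service_dacl)


def triage(events):
    """Return (rule name, image, finding) for every rule that fires on an event."""
    return [(rule.__name__, image, finding)
            for image, cmdline in events
            for rule in RULES
            if (finding := rule(image, cmdline))]


if __name__ == "__main__":
    for rule_name, image, finding in triage(EVENTS):
        print(f"{rule_name:<20} {image}\n    {finding}")
```

Run against the constructed events, each of the four rules fires exactly once and the two benign lines stay silent. The rules key on the path rather than the file name because the sample chose names (csrss, WinDefender) that are meant to look legitimate; the real csrss.exe in System32 passes. Note that the report's Run-key entry and the `injector.exe taskmgr.exe ...NtQuerySystemInformationHook.dll` launch are not covered here, so registry and image-load telemetry is still needed alongside process-creation events.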

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1662 = "Bahia Standard Time" C:\Users\Admin\AppData\Local\Temp\f9fdb86daba926b4ffb1099583cf2996a54f04a4f3bd2de6e2eb10eef12f3c9c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2872 = "Magallanes Standard Time" C:\Users\Admin\AppData\Local\Temp\f9fdb86daba926b4ffb1099583cf2996a54f04a4f3bd2de6e2eb10eef12f3c9c.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-72 = "Newfoundland Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2061 = "North Korea Daylight Time" C:\Users\Admin\AppData\Local\Temp\f9fdb86daba926b4ffb1099583cf2996a54f04a4f3bd2de6e2eb10eef12f3c9c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1042 = "Ulaanbaatar Standard Time" C:\Users\Admin\AppData\Local\Temp\f9fdb86daba926b4ffb1099583cf2996a54f04a4f3bd2de6e2eb10eef12f3c9c.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-262 = "GMT Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-961 = "Paraguay Daylight Time" C:\Users\Admin\AppData\Local\Temp\f9fdb86daba926b4ffb1099583cf2996a54f04a4f3bd2de6e2eb10eef12f3c9c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-831 = "SA Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\f9fdb86daba926b4ffb1099583cf2996a54f04a4f3bd2de6e2eb10eef12f3c9c.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-332 = "E. Europe Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2341 = "Haiti Daylight Time" C:\Users\Admin\AppData\Local\Temp\f9fdb86daba926b4ffb1099583cf2996a54f04a4f3bd2de6e2eb10eef12f3c9c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2411 = "Marquesas Daylight Time" C:\Users\Admin\AppData\Local\Temp\f9fdb86daba926b4ffb1099583cf2996a54f04a4f3bd2de6e2eb10eef12f3c9c.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2341 = "Haiti Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1932 = "Russia TZ 11 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1972 = "Belarus Standard Time" C:\Users\Admin\AppData\Local\Temp\f9fdb86daba926b4ffb1099583cf2996a54f04a4f3bd2de6e2eb10eef12f3c9c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-51 = "Greenland Daylight Time" C:\Users\Admin\AppData\Local\Temp\f9fdb86daba926b4ffb1099583cf2996a54f04a4f3bd2de6e2eb10eef12f3c9c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-391 = "Arab Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-361 = "GTB Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-961 = "Paraguay Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1801 = "Line Islands Daylight Time" C:\Users\Admin\AppData\Local\Temp\f9fdb86daba926b4ffb1099583cf2996a54f04a4f3bd2de6e2eb10eef12f3c9c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2752 = "Tomsk Standard Time" C:\Users\Admin\AppData\Local\Temp\f9fdb86daba926b4ffb1099583cf2996a54f04a4f3bd2de6e2eb10eef12f3c9c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-752 = "Tonga Standard Time" C:\Users\Admin\AppData\Local\Temp\f9fdb86daba926b4ffb1099583cf2996a54f04a4f3bd2de6e2eb10eef12f3c9c.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-201 = "US Mountain Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-871 = "Pakistan Daylight Time" C:\Users\Admin\AppData\Local\Temp\f9fdb86daba926b4ffb1099583cf2996a54f04a4f3bd2de6e2eb10eef12f3c9c.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1472 = "Magadan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-182 = "Mountain Standard Time (Mexico)" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2391 = "Aleutian Daylight Time" C:\Users\Admin\AppData\Local\Temp\f9fdb86daba926b4ffb1099583cf2996a54f04a4f3bd2de6e2eb10eef12f3c9c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-411 = "E. Africa Daylight Time" C:\Users\Admin\AppData\Local\Temp\f9fdb86daba926b4ffb1099583cf2996a54f04a4f3bd2de6e2eb10eef12f3c9c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-31 = "Mid-Atlantic Daylight Time" C:\Users\Admin\AppData\Local\Temp\f9fdb86daba926b4ffb1099583cf2996a54f04a4f3bd2de6e2eb10eef12f3c9c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-662 = "Cen. Australia Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2941 = "Sao Tome Daylight Time" C:\Users\Admin\AppData\Local\Temp\f9fdb86daba926b4ffb1099583cf2996a54f04a4f3bd2de6e2eb10eef12f3c9c.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2871 = "Magallanes Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-771 = "Montevideo Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-71 = "Newfoundland Daylight Time" C:\Users\Admin\AppData\Local\Temp\f9fdb86daba926b4ffb1099583cf2996a54f04a4f3bd2de6e2eb10eef12f3c9c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-92 = "Pacific SA Standard Time" C:\Users\Admin\AppData\Local\Temp\f9fdb86daba926b4ffb1099583cf2996a54f04a4f3bd2de6e2eb10eef12f3c9c.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-461 = "Afghanistan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1041 = "Ulaanbaatar Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f9fdb86daba926b4ffb1099583cf2996a54f04a4f3bd2de6e2eb10eef12f3c9c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f9fdb86daba926b4ffb1099583cf2996a54f04a4f3bd2de6e2eb10eef12f3c9c.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f9fdb86daba926b4ffb1099583cf2996a54f04a4f3bd2de6e2eb10eef12f3c9c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f9fdb86daba926b4ffb1099583cf2996a54f04a4f3bd2de6e2eb10eef12f3c9c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f9fdb86daba926b4ffb1099583cf2996a54f04a4f3bd2de6e2eb10eef12f3c9c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f9fdb86daba926b4ffb1099583cf2996a54f04a4f3bd2de6e2eb10eef12f3c9c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f9fdb86daba926b4ffb1099583cf2996a54f04a4f3bd2de6e2eb10eef12f3c9c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f9fdb86daba926b4ffb1099583cf2996a54f04a4f3bd2de6e2eb10eef12f3c9c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f9fdb86daba926b4ffb1099583cf2996a54f04a4f3bd2de6e2eb10eef12f3c9c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f9fdb86daba926b4ffb1099583cf2996a54f04a4f3bd2de6e2eb10eef12f3c9c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f9fdb86daba926b4ffb1099583cf2996a54f04a4f3bd2de6e2eb10eef12f3c9c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f9fdb86daba926b4ffb1099583cf2996a54f04a4f3bd2de6e2eb10eef12f3c9c.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f9fdb86daba926b4ffb1099583cf2996a54f04a4f3bd2de6e2eb10eef12f3c9c.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\f9fdb86daba926b4ffb1099583cf2996a54f04a4f3bd2de6e2eb10eef12f3c9c.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2364 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\f9fdb86daba926b4ffb1099583cf2996a54f04a4f3bd2de6e2eb10eef12f3c9c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2364 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\f9fdb86daba926b4ffb1099583cf2996a54f04a4f3bd2de6e2eb10eef12f3c9c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2364 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\f9fdb86daba926b4ffb1099583cf2996a54f04a4f3bd2de6e2eb10eef12f3c9c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5988 wrote to memory of 5164 N/A C:\Users\Admin\AppData\Local\Temp\f9fdb86daba926b4ffb1099583cf2996a54f04a4f3bd2de6e2eb10eef12f3c9c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5988 wrote to memory of 5164 N/A C:\Users\Admin\AppData\Local\Temp\f9fdb86daba926b4ffb1099583cf2996a54f04a4f3bd2de6e2eb10eef12f3c9c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5988 wrote to memory of 5164 N/A C:\Users\Admin\AppData\Local\Temp\f9fdb86daba926b4ffb1099583cf2996a54f04a4f3bd2de6e2eb10eef12f3c9c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5988 wrote to memory of 3496 N/A C:\Users\Admin\AppData\Local\Temp\f9fdb86daba926b4ffb1099583cf2996a54f04a4f3bd2de6e2eb10eef12f3c9c.exe C:\Windows\system32\cmd.exe
PID 5988 wrote to memory of 3496 N/A C:\Users\Admin\AppData\Local\Temp\f9fdb86daba926b4ffb1099583cf2996a54f04a4f3bd2de6e2eb10eef12f3c9c.exe C:\Windows\system32\cmd.exe
PID 3496 wrote to memory of 1760 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3496 wrote to memory of 1760 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 5988 wrote to memory of 456 N/A C:\Users\Admin\AppData\Local\Temp\f9fdb86daba926b4ffb1099583cf2996a54f04a4f3bd2de6e2eb10eef12f3c9c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5988 wrote to memory of 456 N/A C:\Users\Admin\AppData\Local\Temp\f9fdb86daba926b4ffb1099583cf2996a54f04a4f3bd2de6e2eb10eef12f3c9c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5988 wrote to memory of 456 N/A C:\Users\Admin\AppData\Local\Temp\f9fdb86daba926b4ffb1099583cf2996a54f04a4f3bd2de6e2eb10eef12f3c9c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5988 wrote to memory of 1448 N/A C:\Users\Admin\AppData\Local\Temp\f9fdb86daba926b4ffb1099583cf2996a54f04a4f3bd2de6e2eb10eef12f3c9c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5988 wrote to memory of 1448 N/A C:\Users\Admin\AppData\Local\Temp\f9fdb86daba926b4ffb1099583cf2996a54f04a4f3bd2de6e2eb10eef12f3c9c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5988 wrote to memory of 1448 N/A C:\Users\Admin\AppData\Local\Temp\f9fdb86daba926b4ffb1099583cf2996a54f04a4f3bd2de6e2eb10eef12f3c9c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5988 wrote to memory of 5584 N/A C:\Users\Admin\AppData\Local\Temp\f9fdb86daba926b4ffb1099583cf2996a54f04a4f3bd2de6e2eb10eef12f3c9c.exe C:\Windows\rss\csrss.exe
PID 5988 wrote to memory of 5584 N/A C:\Users\Admin\AppData\Local\Temp\f9fdb86daba926b4ffb1099583cf2996a54f04a4f3bd2de6e2eb10eef12f3c9c.exe C:\Windows\rss\csrss.exe
PID 5988 wrote to memory of 5584 N/A C:\Users\Admin\AppData\Local\Temp\f9fdb86daba926b4ffb1099583cf2996a54f04a4f3bd2de6e2eb10eef12f3c9c.exe C:\Windows\rss\csrss.exe
PID 5584 wrote to memory of 5984 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5584 wrote to memory of 5984 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5584 wrote to memory of 5984 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5584 wrote to memory of 984 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5584 wrote to memory of 984 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5584 wrote to memory of 984 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5584 wrote to memory of 2712 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5584 wrote to memory of 2712 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5584 wrote to memory of 2712 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5584 wrote to memory of 5596 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 5584 wrote to memory of 5596 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 1088 wrote to memory of 3440 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 1088 wrote to memory of 3440 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 1088 wrote to memory of 3440 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 3440 wrote to memory of 3320 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 3440 wrote to memory of 3320 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 3440 wrote to memory of 3320 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\f9fdb86daba926b4ffb1099583cf2996a54f04a4f3bd2de6e2eb10eef12f3c9c.exe

"C:\Users\Admin\AppData\Local\Temp\f9fdb86daba926b4ffb1099583cf2996a54f04a4f3bd2de6e2eb10eef12f3c9c.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\f9fdb86daba926b4ffb1099583cf2996a54f04a4f3bd2de6e2eb10eef12f3c9c.exe

"C:\Users\Admin\AppData\Local\Temp\f9fdb86daba926b4ffb1099583cf2996a54f04a4f3bd2de6e2eb10eef12f3c9c.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe
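
The Processes list above shows the whole persistence chain: the sample copies itself to C:\Windows\rss\csrss.exe (the Files section records the same SHA256 for that path as for the sample), registers that copy as an ONLOGON scheduled task named csrss with /RL HIGHEST, opens an inbound firewall rule for it, and finally the dropped C:\Windows\windefender.exe has sc.exe rewrite the security descriptor of a service named WinDefender with sc sdset. The SDDL in that last command is the part that is easy to misread, so the following Python decodes it and reports what each trustee can still do to the service. This is an added example written for this page, not code from the report or from the sample. The two-letter access tokens and SID abbreviations are the documented SDDL ones as applied to service objects; DEFAULT_SERVICE_SDDL is assumed to be the descriptor sc sdshow returns for a stock service and should be confirmed on a clean host; the evaluation only considers ACEs that name a trustee directly and does not expand group membership.

```python
"""Decode the SDDL that `sc sdset WinDefender ...` applies and answer: who can still stop it?"""
import re

# SDDL copied from the sc.exe command line in this report.
WINDEFENDER_SDDL = (
    "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)"
    "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
)
# Assumed baseline: what `sc sdshow` returns for a stock service on a clean Windows 10
# host (verify on your own image). Differences against it are the attacker's edits.
DEFAULT_SERVICE_SDDL = (
    "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
    "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
)

# SDDL two-letter access tokens as they apply to service objects (winsvc.h names).
SERVICE_RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG", "LC": "SERVICE_QUERY_STATUS",
    "SW": "SERVICE_ENUMERATE_DEPENDENTS", "RP": "SERVICE_START", "WP": "SERVICE_STOP",
    "DT": "SERVICE_PAUSE_CONTINUE", "LO": "SERVICE_INTERROGATE", "CR": "SERVICE_USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
    "GA": "GENERIC_ALL", "GR": "GENERIC_READ", "GW": "GENERIC_WRITE", "GX": "GENERIC_EXECUTE",
}
WELL_KNOWN_SIDS = {
    "SY": "NT AUTHORITY\\SYSTEM", "BA": "BUILTIN\\Administrators", "IU": "NT AUTHORITY\\INTERACTIVE",
    "SU": "NT AUTHORITY\\SERVICE", "WD": "Everyone", "AU": "NT AUTHORITY\\Authenticated Users",
}
ACE_TYPES = {"A": "allow", "D": "deny", "AU": "audit"}


def decode_rights(rights):
    """Turn an SDDL rights field (two-letter tokens, or a hex mask) into a set of names."""
    if rights.lower().startswith("0x"):
        return {f"MASK_{int(rights, 16):#010x}"}
    if len(rights) % 2:
        raise ValueError(f"odd-length rights string: {rights!r}")
    return {SERVICE_RIGHTS.get(rights[i:i + 2], rights[i:i + 2]) for i in range(0, len(rights), 2)}


def parse_sddl(sddl):
    """Return one dict per ACE in the DACL (D:) and SACL (S:) sections, in original order."""
    aces = []
    # Colons only occur at section markers, so a lazy match up to the next marker is safe.
    for section, body in re.findall(r"([OGDS]):(.*?)(?=[OGDS]:|$)", sddl):
        if section not in ("D", "S"):
            continue  # O: and G: carry only an owner/group SID
        for ace in re.findall(r"\(([^)]*)\)", body):
            fields = ace.split(";")
            if len(fields) < 6:
                raise ValueError(f"malformed ACE: ({ace})")
            ace_type, flags, rights, _obj, _inherit, sid = fields[:6]
            aces.append({"section": "DACL" if section == "D" else "SACL",
                         "type": ACE_TYPES.get(ace_type, ace_type), "flags": flags,
                         "rights": decode_rights(rights), "sid": sid,
                         "trustee": WELL_KNOWN_SIDS.get(sid, sid)})
    return aces


def effective_rights(aces, sid):
    """Simplified DACL walk for one trustee: the first ACE that mentions a right decides it.
    Group membership is not expanded, so only ACEs that name `sid` directly count."""
    allowed, denied = set(), set()
    for ace in aces:
        if ace["section"] != "DACL" or ace["sid"] != sid:
            continue
        undecided = ace["rights"] - allowed - denied
        if ace["type"] == "allow":
            allowed |= undecided
        elif ace["type"] == "deny":
            denied |= undecided
    return allowed, denied


def control_summary(sddl, sid):
    """What one trustee can still do to the service, plus the rights explicitly denied to it."""
    allowed, denied = effective_rights(parse_sddl(sddl), sid)
    return {"trustee": WELL_KNOWN_SIDS.get(sid, sid),
            "can_stop": "SERVICE_STOP" in allowed,
            "can_change_config": "SERVICE_CHANGE_CONFIG" in allowed,
            "can_rewrite_acl": "WRITE_DAC" in allowed,
            "explicit_denies": sorted(denied)}


def changes_from_baseline(sddl, baseline=DEFAULT_SERVICE_SDDL):
    """ACEs that differ from the baseline, as (section, type, sid, rights) tuples."""
    def keyed(s):
        return {(a["section"], a["type"], a["sid"], tuple(sorted(a["rights"]))) for a in parse_sddl(s)}
    current, base = keyed(sddl), keyed(baseline)
    return {"added": sorted(current - base), "removed": sorted(base - current)}


if __name__ == "__main__":
    for sid in ("SY", "BA", "IU"):
        print(control_summary(WINDEFENDER_SDDL, sid))
    print(changes_from_baseline(WINDEFENDER_SDDL))
```

Run as a script it prints a per-trustee summary and the ACE-level diff. The deny ACE (D;;WPDT;;;BA), together with the WP and DT tokens stripped from the Administrators allow ACE, means sc stop WinDefender fails even from an elevated prompt while SYSTEM keeps SERVICE_STOP. The same Administrators ACE still grants WD (WRITE_DAC) and DC (SERVICE_CHANGE_CONFIG), so an administrator can put the descriptor back with sc sdset WinDefender followed by the baseline string, then stop and disable the service and remove C:\Windows\windefender.exe. The deny ACE also sits after an allow ACE for the same SID, which is not canonical DACL order; a service whose sc sdshow output is non-canonical or carries any deny ACE for BA is worth hunting for on its own.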

Network

Country Destination Domain Proto
US 8.8.8.8:53 488c45c8-10ec-4981-b9f1-f90344f80dcb.uuid.databaseupgrade.ru udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 server9.databaseupgrade.ru udp
US 8.8.8.8:53 cdn.discordapp.com udp
BG 185.82.216.108:443 server9.databaseupgrade.ru tcp
IT 142.251.27.127:19302 stun3.l.google.com udp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 172.67.221.71:443 carsalessystem.com tcp
BG 185.82.216.108:443 server9.databaseupgrade.ru tcp
BG 185.82.216.108:443 server9.databaseupgrade.ru tcp
N/A 127.0.0.1:31465 tcp
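
Triage of the Network table above, as an added example that is not part of the report: the rows are copied into NETWORK_ROWS, the parser tolerates the loopback row that the report prints without a Domain column, and three patterns are flagged: a DNS query whose first label is a UUID, STUN traffic (19302 as seen in the table, plus 3478 as the IANA STUN port), and a loopback port. It then correlates the registered domain of the UUID-labelled lookup with the domains that were actually connected to over TCP. Treating the UUID label as a per-victim identifier is an inference from its shape, not something the report states, and registered_domain() simply takes the last two labels, which suits the names here but is not a public-suffix-list lookup.

```python
"""Flag beacon-like rows in a sandbox Network table and tie DNS lookups to TCP connections."""
import re

# Rows copied from this report's Network table (Country Destination Domain Proto).
# The last row has no Domain column, which is how the report prints it.
NETWORK_ROWS = """\
US 8.8.8.8:53 488c45c8-10ec-4981-b9f1-f90344f80dcb.uuid.databaseupgrade.ru udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 server9.databaseupgrade.ru udp
US 8.8.8.8:53 cdn.discordapp.com udp
BG 185.82.216.108:443 server9.databaseupgrade.ru tcp
IT 142.251.27.127:19302 stun3.l.google.com udp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 172.67.221.71:443 carsalessystem.com tcp
BG 185.82.216.108:443 server9.databaseupgrade.ru tcp
BG 185.82.216.108:443 server9.databaseupgrade.ru tcp
N/A 127.0.0.1:31465 tcp
"""

UUID_LABEL = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)
STUN_PORTS = {3478, 19302}  # 19302 is what the table shows; 3478 is the IANA STUN port


def parse_rows(text):
    """Parse 'country dest domain proto' lines; tolerate a missing domain column."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            country, dest, proto = parts
            domain = None
        else:
            continue  # header or blank line
        ip, _, port = dest.rpartition(":")
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def registered_domain(fqdn):
    """Last two labels. Adequate for the .ru/.com names here; not a public-suffix lookup."""
    return ".".join(fqdn.split(".")[-2:])


def has_uuid_label(domain):
    return bool(domain) and UUID_LABEL.match(domain.split(".")[0]) is not None


def flag_rows(rows):
    """Return (rule, evidence) pairs for the rows that deserve a second look."""
    findings = []
    for r in rows:
        if has_uuid_label(r["domain"]):
            findings.append(("uuid-label-dns", r["domain"]))
        if r["port"] in STUN_PORTS:
            findings.append(("stun", f"{r['domain'] or r['ip']}:{r['port']}"))
        if r["ip"].startswith("127."):
            findings.append(("loopback-port", f"{r['ip']}:{r['port']}"))
    return findings


def c2_candidates(rows):
    """Registered domains that were both queried with a UUID label and connected to over TCP."""
    uuid_domains = {registered_domain(r["domain"]) for r in rows if has_uuid_label(r["domain"])}
    tcp_domains = {registered_domain(r["domain"]) for r in rows if r["proto"] == "tcp" and r["domain"]}
    return uuid_domains & tcp_domains


if __name__ == "__main__":
    rows = parse_rows(NETWORK_ROWS)
    for rule, evidence in flag_rows(rows):
        print(f"{rule:18} {evidence}")
    print("pivot domains:", sorted(c2_candidates(rows)))
```

Fed real resolver or proxy logs instead of NETWORK_ROWS, the same three checks turn into a cheap first-pass filter; the UUID-label rule in particular is worth a DNS analytics query because it is independent of the domain used.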

Files

memory/2364-1-0x0000000004F60000-0x000000000535B000-memory.dmp

memory/2364-2-0x0000000005360000-0x0000000005C4B000-memory.dmp

memory/2364-3-0x0000000000400000-0x0000000003118000-memory.dmp

memory/1956-4-0x0000000004D10000-0x0000000004D46000-memory.dmp

memory/1956-5-0x00000000747F0000-0x0000000074FA1000-memory.dmp

memory/1956-6-0x0000000004CC0000-0x0000000004CD0000-memory.dmp

memory/1956-7-0x0000000005380000-0x00000000059AA000-memory.dmp

memory/1956-8-0x00000000052B0000-0x00000000052D2000-memory.dmp

memory/1956-9-0x00000000059B0000-0x0000000005A16000-memory.dmp

memory/1956-10-0x0000000005300000-0x0000000005366000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_b0crsfai.rzf.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1956-19-0x0000000005DC0000-0x0000000006117000-memory.dmp

memory/1956-20-0x0000000006190000-0x00000000061AE000-memory.dmp

memory/1956-21-0x00000000061D0000-0x000000000621C000-memory.dmp

memory/1956-22-0x0000000006710000-0x0000000006756000-memory.dmp

memory/1956-23-0x00000000075A0000-0x00000000075D4000-memory.dmp

memory/1956-24-0x000000007FCD0000-0x000000007FCE0000-memory.dmp

memory/1956-26-0x0000000070BE0000-0x0000000070F37000-memory.dmp

memory/1956-25-0x0000000070A60000-0x0000000070AAC000-memory.dmp

memory/1956-35-0x00000000075E0000-0x00000000075FE000-memory.dmp

memory/1956-37-0x0000000004CC0000-0x0000000004CD0000-memory.dmp

memory/1956-36-0x0000000007600000-0x00000000076A4000-memory.dmp

memory/1956-39-0x0000000007730000-0x000000000774A000-memory.dmp

memory/1956-38-0x0000000007D70000-0x00000000083EA000-memory.dmp

memory/1956-40-0x0000000007770000-0x000000000777A000-memory.dmp

memory/1956-41-0x0000000007880000-0x0000000007916000-memory.dmp

memory/1956-42-0x0000000007790000-0x00000000077A1000-memory.dmp

memory/1956-43-0x00000000077E0000-0x00000000077EE000-memory.dmp

memory/1956-44-0x00000000077F0000-0x0000000007805000-memory.dmp

memory/1956-45-0x0000000007840000-0x000000000785A000-memory.dmp

memory/1956-46-0x0000000007860000-0x0000000007868000-memory.dmp

memory/1956-49-0x00000000747F0000-0x0000000074FA1000-memory.dmp

memory/5988-51-0x0000000004E20000-0x0000000005224000-memory.dmp

memory/2364-52-0x0000000004F60000-0x000000000535B000-memory.dmp

memory/5988-53-0x0000000005230000-0x0000000005B1B000-memory.dmp

memory/5988-54-0x0000000000400000-0x0000000003118000-memory.dmp

memory/5164-55-0x00000000048C0000-0x00000000048D0000-memory.dmp

memory/5164-56-0x00000000048C0000-0x00000000048D0000-memory.dmp

memory/5164-57-0x0000000005680000-0x00000000059D7000-memory.dmp

memory/5164-58-0x00000000747F0000-0x0000000074FA1000-memory.dmp

memory/5164-68-0x0000000070CB0000-0x0000000071007000-memory.dmp

memory/5164-67-0x0000000070A60000-0x0000000070AAC000-memory.dmp

memory/5164-77-0x0000000006DD0000-0x0000000006E74000-memory.dmp

memory/5164-79-0x000000007F1F0000-0x000000007F200000-memory.dmp

memory/2364-78-0x0000000000400000-0x0000000003118000-memory.dmp

memory/5164-80-0x00000000048C0000-0x00000000048D0000-memory.dmp

memory/5164-81-0x0000000007120000-0x0000000007131000-memory.dmp

memory/5164-82-0x0000000007170000-0x0000000007185000-memory.dmp

memory/5164-85-0x00000000747F0000-0x0000000074FA1000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 d0c46cad6c0778401e21910bd6b56b70
SHA1 7be418951ea96326aca445b8dfe449b2bfa0dca6
SHA256 9600b3fdf0565ccb49e21656aa4b24d7c18f776bfd04d9ee984b134707550f02
SHA512 057531b468f7fbbb2175a696a8aab274dec0d17d9f71df309edcff35e064f3378050066a3df47ccd03048fac461594ec75e3d4fe64f9dd79949d129f51e02949

memory/456-93-0x0000000005A20000-0x0000000005D77000-memory.dmp

memory/456-94-0x00000000747F0000-0x0000000074FA1000-memory.dmp

memory/456-99-0x0000000004D40000-0x0000000004D50000-memory.dmp

memory/456-98-0x0000000004D40000-0x0000000004D50000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 723c62a84b014552d6af7132d1d5af4c
SHA1 4194076e36a73b087dcc4ba830a98cd18c0acc1e
SHA256 4c5fc6ad2b14e3398aad2a962a3f52829657df4b48c9c596eda30c534b1fc9f8
SHA512 14acfe86f538d3d0eeefedb6e8a7a926a87ee1644397c8c02541dc0c3bfb7e3168714142ac6fc58bc678131aa27981d0c1aeaa4450383a2bc51af57fc50d9829

memory/456-102-0x0000000070C70000-0x0000000070FC7000-memory.dmp

memory/456-111-0x0000000004D40000-0x0000000004D50000-memory.dmp

memory/456-101-0x0000000070A60000-0x0000000070AAC000-memory.dmp

memory/456-113-0x00000000747F0000-0x0000000074FA1000-memory.dmp

memory/1448-114-0x00000000747F0000-0x0000000074FA1000-memory.dmp

memory/1448-115-0x0000000005040000-0x0000000005050000-memory.dmp

memory/1448-117-0x0000000005040000-0x0000000005050000-memory.dmp

memory/1448-118-0x0000000005D90000-0x00000000060E7000-memory.dmp

memory/5988-116-0x0000000004E20000-0x0000000005224000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 31b7d9ac169a42558e621907561d6e1a
SHA1 c7dd543976d4e525df2baa862a3783eade74d5e3
SHA256 261536148d6a0791aaebf68adfe4c83a9e6734450a588734fcc0c2858369bd97
SHA512 dbf96ff392867865e6bbf0f5285ba6322b53bed47245c7ced5fe0eec35e9dbb7d7347c3e3aeed3619f45ee717261c37cb53659bf1c2c997d87d51c4d2cacf5a9

memory/1448-128-0x0000000070A60000-0x0000000070AAC000-memory.dmp

memory/1448-129-0x0000000071430000-0x0000000071787000-memory.dmp

memory/5988-138-0x0000000000400000-0x0000000003118000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 7f19abaf61cd0b4e1ab722b24500a526
SHA1 1b25b8834a89bf3d40e6a24d8f5a224930393c09
SHA256 f9fdb86daba926b4ffb1099583cf2996a54f04a4f3bd2de6e2eb10eef12f3c9c
SHA512 845ef67f21dfdcb83a58e0dfc2d16403db059eb7d3266a09eb39a3792025ac1eb4c6856b3ec72d9163a9473f693dfb8fe7e2aa6fbfe579047d57ae22af623874

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 939771e3f481e09420e4c454dd203a8f
SHA1 a9c49622b3a934b4bf889366e2b6a16e388158ab
SHA256 f318e1c7961043106193b3632023ff901bbcb1160b19d112b978e9680b1eab92
SHA512 4202d7010c25a2ba8226f9f7bea7bbcbf2d775a70fd87b7e134f6afbad70f7323dd1a8d01a2113ecde47b89675e9da9cb926e04515844a8e80e81a175c056391

memory/5988-175-0x0000000000400000-0x0000000003118000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 d137116df4282ade26b666f4158b2e29
SHA1 cff9fa1ff8687361010ea124524759d8a6c85e3c
SHA256 0715ba1ba9ccbd574fa4ca3c533af96f84594e3af2a154b202103e8507d56e40
SHA512 d13252af13918443b808669a5f0ba265335bedab082135670cd120046d124ca1155173541c87f1bc89b4e2d03feb7c2c60818fa94741be7d94c3bf0196732f90

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 f8a8eb099831eebf706647f344b1929c
SHA1 798839367d6829a8b52124586e3de46c6d410774
SHA256 08e1e11114d6307b1a737264eadd67363e63de945b0849ac5a35b669d0e62e80
SHA512 62b328c5bc40eb3e67e306ad4cab802ccb675fcc4c3ad8ed9717957bd2cfac4ccb95815754b6df20d0fa7f57d6b4ff0f10a44dfcab52745b475bb887a77d53fa

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/5584-240-0x0000000000400000-0x0000000003118000-memory.dmp

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/1088-249-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/5584-251-0x0000000000400000-0x0000000003118000-memory.dmp

memory/3728-254-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/5584-255-0x0000000000400000-0x0000000003118000-memory.dmp

memory/5584-259-0x0000000000400000-0x0000000003118000-memory.dmp

memory/3728-262-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/5584-263-0x0000000000400000-0x0000000003118000-memory.dmp

memory/5584-267-0x0000000000400000-0x0000000003118000-memory.dmp

memory/5584-271-0x0000000000400000-0x0000000003118000-memory.dmp

memory/5584-275-0x0000000000400000-0x0000000003118000-memory.dmp

memory/5584-279-0x0000000000400000-0x0000000003118000-memory.dmp

memory/5584-283-0x0000000000400000-0x0000000003118000-memory.dmp

memory/5584-287-0x0000000000400000-0x0000000003118000-memory.dmp

memory/5584-291-0x0000000000400000-0x0000000003118000-memory.dmp

memory/5584-295-0x0000000000400000-0x0000000003118000-memory.dmp