Malware Analysis Report

2025-08-10 17:22

Sample ID 240417-s9t3vaga3y
Target 27fca0ff589e04a0a4ef1b3ae7d8ebfc60441427af8eec7428761931315631b3
SHA256 27fca0ff589e04a0a4ef1b3ae7d8ebfc60441427af8eec7428761931315631b3
Tags
glupteba discovery dropper evasion loader persistence rootkit upx
score
10/10


Analysis Overview

score
10/10

SHA256

27fca0ff589e04a0a4ef1b3ae7d8ebfc60441427af8eec7428761931315631b3

Threat Level: Known bad

The file 27fca0ff589e04a0a4ef1b3ae7d8ebfc60441427af8eec7428761931315631b3 was found to be: Known bad.

Malicious Activity Summary

glupteba discovery dropper evasion loader persistence rootkit upx

Glupteba

Glupteba payload

Modifies Windows Firewall

UPX packed file

Executes dropped EXE

Adds Run key to start application

Manipulates WinMonFS driver.

Checks installed software on the system

Drops file in System32 directory

Drops file in Windows directory

Launches sc.exe

Checks for VirtualBox DLLs, possible anti-VM trick

Uses Task Scheduler COM API

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-17 15:49

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-17 15:49

Reported

2024-04-17 15:52

Platform

win11-20240412-en

Max time kernel

156s

Max time network

162s

Command Line

"C:\Users\Admin\AppData\Local\Temp\27fca0ff589e04a0a4ef1b3ae7d8ebfc60441427af8eec7428761931315631b3.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload


Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2516240262-2296879883-3965305654-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\27fca0ff589e04a0a4ef1b3ae7d8ebfc60441427af8eec7428761931315631b3.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2516240262-2296879883-3965305654-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\27fca0ff589e04a0a4ef1b3ae7d8ebfc60441427af8eec7428761931315631b3.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\27fca0ff589e04a0a4ef1b3ae7d8ebfc60441427af8eec7428761931315631b3.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\27fca0ff589e04a0a4ef1b3ae7d8ebfc60441427af8eec7428761931315631b3.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-632 = "Tokyo Standard Time" C:\Users\Admin\AppData\Local\Temp\27fca0ff589e04a0a4ef1b3ae7d8ebfc60441427af8eec7428761931315631b3.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-215 = "Pacific Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\27fca0ff589e04a0a4ef1b3ae7d8ebfc60441427af8eec7428761931315631b3.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1891 = "Russia TZ 3 Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2002 = "Cabo Verde Standard Time" C:\Users\Admin\AppData\Local\Temp\27fca0ff589e04a0a4ef1b3ae7d8ebfc60441427af8eec7428761931315631b3.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2411 = "Marquesas Daylight Time" C:\Users\Admin\AppData\Local\Temp\27fca0ff589e04a0a4ef1b3ae7d8ebfc60441427af8eec7428761931315631b3.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-871 = "Pakistan Daylight Time" C:\Users\Admin\AppData\Local\Temp\27fca0ff589e04a0a4ef1b3ae7d8ebfc60441427af8eec7428761931315631b3.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1021 = "Bangladesh Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-292 = "Central European Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-121 = "SA Pacific Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\27fca0ff589e04a0a4ef1b3ae7d8ebfc60441427af8eec7428761931315631b3.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1841 = "Russia TZ 4 Daylight Time" C:\Users\Admin\AppData\Local\Temp\27fca0ff589e04a0a4ef1b3ae7d8ebfc60441427af8eec7428761931315631b3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-662 = "Cen. Australia Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-282 = "Central Europe Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-131 = "US Eastern Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2342 = "Haiti Standard Time" C:\Users\Admin\AppData\Local\Temp\27fca0ff589e04a0a4ef1b3ae7d8ebfc60441427af8eec7428761931315631b3.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2871 = "Magallanes Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2411 = "Marquesas Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-592 = "Malay Peninsula Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2181 = "Astrakhan Daylight Time" C:\Users\Admin\AppData\Local\Temp\27fca0ff589e04a0a4ef1b3ae7d8ebfc60441427af8eec7428761931315631b3.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-252 = "Dateline Standard Time" C:\Users\Admin\AppData\Local\Temp\27fca0ff589e04a0a4ef1b3ae7d8ebfc60441427af8eec7428761931315631b3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2412 = "Marquesas Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-771 = "Montevideo Daylight Time" C:\Users\Admin\AppData\Local\Temp\27fca0ff589e04a0a4ef1b3ae7d8ebfc60441427af8eec7428761931315631b3.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2142 = "Transbaikal Standard Time" C:\Users\Admin\AppData\Local\Temp\27fca0ff589e04a0a4ef1b3ae7d8ebfc60441427af8eec7428761931315631b3.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-272 = "Greenwich Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-411 = "E. Africa Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-621 = "Korea Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2391 = "Aleutian Daylight Time" C:\Users\Admin\AppData\Local\Temp\27fca0ff589e04a0a4ef1b3ae7d8ebfc60441427af8eec7428761931315631b3.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2371 = "Easter Island Daylight Time" C:\Users\Admin\AppData\Local\Temp\27fca0ff589e04a0a4ef1b3ae7d8ebfc60441427af8eec7428761931315631b3.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2452 = "Saint Pierre Standard Time" C:\Users\Admin\AppData\Local\Temp\27fca0ff589e04a0a4ef1b3ae7d8ebfc60441427af8eec7428761931315631b3.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-241 = "Samoa Daylight Time" C:\Users\Admin\AppData\Local\Temp\27fca0ff589e04a0a4ef1b3ae7d8ebfc60441427af8eec7428761931315631b3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-172 = "Central Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\27fca0ff589e04a0a4ef1b3ae7d8ebfc60441427af8eec7428761931315631b3.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-385 = "Namibia Standard Time" C:\Users\Admin\AppData\Local\Temp\27fca0ff589e04a0a4ef1b3ae7d8ebfc60441427af8eec7428761931315631b3.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-171 = "Central Daylight Time (Mexico)" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-431 = "Iran Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2141 = "Transbaikal Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-891 = "Morocco Daylight Time" C:\Users\Admin\AppData\Local\Temp\27fca0ff589e04a0a4ef1b3ae7d8ebfc60441427af8eec7428761931315631b3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-342 = "Egypt Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-931 = "Coordinated Universal Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-842 = "Argentina Standard Time" C:\Users\Admin\AppData\Local\Temp\27fca0ff589e04a0a4ef1b3ae7d8ebfc60441427af8eec7428761931315631b3.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2062 = "North Korea Standard Time" C:\Users\Admin\AppData\Local\Temp\27fca0ff589e04a0a4ef1b3ae7d8ebfc60441427af8eec7428761931315631b3.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-132 = "US Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\27fca0ff589e04a0a4ef1b3ae7d8ebfc60441427af8eec7428761931315631b3.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\27fca0ff589e04a0a4ef1b3ae7d8ebfc60441427af8eec7428761931315631b3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\27fca0ff589e04a0a4ef1b3ae7d8ebfc60441427af8eec7428761931315631b3.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\27fca0ff589e04a0a4ef1b3ae7d8ebfc60441427af8eec7428761931315631b3.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 740 wrote to memory of 4324 N/A C:\Users\Admin\AppData\Local\Temp\27fca0ff589e04a0a4ef1b3ae7d8ebfc60441427af8eec7428761931315631b3.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4728 wrote to memory of 4228 N/A C:\Users\Admin\AppData\Local\Temp\27fca0ff589e04a0a4ef1b3ae7d8ebfc60441427af8eec7428761931315631b3.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4728 wrote to memory of 5032 N/A C:\Users\Admin\AppData\Local\Temp\27fca0ff589e04a0a4ef1b3ae7d8ebfc60441427af8eec7428761931315631b3.exe C:\Windows\system32\cmd.exe
PID 5032 wrote to memory of 1660 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4728 wrote to memory of 1268 N/A C:\Users\Admin\AppData\Local\Temp\27fca0ff589e04a0a4ef1b3ae7d8ebfc60441427af8eec7428761931315631b3.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4728 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\27fca0ff589e04a0a4ef1b3ae7d8ebfc60441427af8eec7428761931315631b3.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4728 wrote to memory of 3740 N/A C:\Users\Admin\AppData\Local\Temp\27fca0ff589e04a0a4ef1b3ae7d8ebfc60441427af8eec7428761931315631b3.exe C:\Windows\rss\csrss.exe
PID 3740 wrote to memory of 1720 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3740 wrote to memory of 5004 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3740 wrote to memory of 3584 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3740 wrote to memory of 8 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 3188 wrote to memory of 1544 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 1544 wrote to memory of 1072 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\27fca0ff589e04a0a4ef1b3ae7d8ebfc60441427af8eec7428761931315631b3.exe

"C:\Users\Admin\AppData\Local\Temp\27fca0ff589e04a0a4ef1b3ae7d8ebfc60441427af8eec7428761931315631b3.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\27fca0ff589e04a0a4ef1b3ae7d8ebfc60441427af8eec7428761931315631b3.exe

"C:\Users\Admin\AppData\Local\Temp\27fca0ff589e04a0a4ef1b3ae7d8ebfc60441427af8eec7428761931315631b3.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.129.233:443 cdn.discordapp.com tcp
BG 185.82.216.108:443 server2.theupdatetime.org tcp
US 8.8.8.8:53 108.216.82.185.in-addr.arpa udp
US 104.21.94.82:443 carsalessystem.com tcp
N/A 127.0.0.1:3478 N/A udp
IT 142.251.27.127:19302 stun3.l.google.com udp
BG 185.82.216.108:443 server2.theupdatetime.org tcp

Files

memory/740-1-0x0000000004F60000-0x0000000005367000-memory.dmp

memory/740-2-0x0000000005370000-0x0000000005C5B000-memory.dmp

memory/740-3-0x0000000000400000-0x0000000003118000-memory.dmp

memory/4324-4-0x0000000004F70000-0x0000000004FA6000-memory.dmp

memory/4324-5-0x0000000074830000-0x0000000074FE1000-memory.dmp

memory/4324-6-0x0000000005690000-0x0000000005CBA000-memory.dmp

memory/4324-7-0x0000000005050000-0x0000000005060000-memory.dmp

memory/4324-8-0x0000000005540000-0x0000000005562000-memory.dmp

memory/4324-9-0x00000000055E0000-0x0000000005646000-memory.dmp

memory/4324-10-0x0000000005CC0000-0x0000000005D26000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nvqbnzvn.2ql.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4324-19-0x0000000005EF0000-0x0000000006247000-memory.dmp

memory/4324-20-0x00000000052C0000-0x00000000052DE000-memory.dmp

memory/4324-21-0x0000000006490000-0x00000000064DC000-memory.dmp

memory/740-22-0x0000000000400000-0x0000000003118000-memory.dmp

memory/4324-23-0x00000000069F0000-0x0000000006A36000-memory.dmp

memory/740-24-0x0000000004F60000-0x0000000005367000-memory.dmp

memory/4324-25-0x0000000005050000-0x0000000005060000-memory.dmp

memory/4324-27-0x00000000078D0000-0x0000000007904000-memory.dmp

memory/4324-28-0x0000000070AA0000-0x0000000070AEC000-memory.dmp

memory/4324-29-0x0000000070CB0000-0x0000000071007000-memory.dmp

memory/4324-38-0x00000000078B0000-0x00000000078CE000-memory.dmp

memory/740-26-0x0000000000400000-0x0000000003118000-memory.dmp

memory/4324-39-0x0000000007910000-0x00000000079B4000-memory.dmp

memory/4324-40-0x000000007FDE0000-0x000000007FDF0000-memory.dmp

memory/740-41-0x0000000005370000-0x0000000005C5B000-memory.dmp

memory/4324-42-0x0000000008080000-0x00000000086FA000-memory.dmp

memory/4324-43-0x0000000007770000-0x000000000778A000-memory.dmp

memory/4324-44-0x0000000007AA0000-0x0000000007AAA000-memory.dmp

memory/4324-45-0x0000000074830000-0x0000000074FE1000-memory.dmp

memory/4324-46-0x0000000007BB0000-0x0000000007C46000-memory.dmp

memory/4324-47-0x0000000005050000-0x0000000005060000-memory.dmp

memory/4324-49-0x0000000007A50000-0x0000000007A61000-memory.dmp

memory/4324-50-0x0000000007B10000-0x0000000007B1E000-memory.dmp

memory/4324-51-0x0000000007B20000-0x0000000007B35000-memory.dmp

memory/4324-52-0x0000000007B70000-0x0000000007B8A000-memory.dmp

memory/4324-53-0x0000000007B90000-0x0000000007B98000-memory.dmp

memory/4324-56-0x0000000074830000-0x0000000074FE1000-memory.dmp

memory/740-57-0x0000000000400000-0x0000000003118000-memory.dmp

memory/4728-59-0x0000000004E40000-0x0000000005247000-memory.dmp

memory/4728-60-0x0000000005250000-0x0000000005B3B000-memory.dmp

memory/4728-61-0x0000000000400000-0x0000000003118000-memory.dmp

memory/4228-62-0x00000000748D0000-0x0000000075081000-memory.dmp

memory/4228-63-0x0000000004C90000-0x0000000004CA0000-memory.dmp

memory/4228-64-0x0000000004C90000-0x0000000004CA0000-memory.dmp

memory/4228-65-0x0000000005A50000-0x0000000005DA7000-memory.dmp

memory/4228-74-0x00000000065E0000-0x000000000662C000-memory.dmp

memory/4228-75-0x0000000004C90000-0x0000000004CA0000-memory.dmp

memory/4228-76-0x000000007F850000-0x000000007F860000-memory.dmp

memory/4228-77-0x0000000070BB0000-0x0000000070BFC000-memory.dmp

memory/4228-78-0x0000000070E00000-0x0000000071157000-memory.dmp

memory/4228-87-0x00000000072C0000-0x0000000007364000-memory.dmp

memory/4228-88-0x00000000075D0000-0x00000000075E1000-memory.dmp

memory/4728-89-0x0000000000400000-0x0000000003118000-memory.dmp

memory/4228-90-0x0000000007620000-0x0000000007635000-memory.dmp

memory/4228-93-0x00000000748D0000-0x0000000075081000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 d0c46cad6c0778401e21910bd6b56b70
SHA1 7be418951ea96326aca445b8dfe449b2bfa0dca6
SHA256 9600b3fdf0565ccb49e21656aa4b24d7c18f776bfd04d9ee984b134707550f02
SHA512 057531b468f7fbbb2175a696a8aab274dec0d17d9f71df309edcff35e064f3378050066a3df47ccd03048fac461594ec75e3d4fe64f9dd79949d129f51e02949

memory/1268-95-0x00000000748D0000-0x0000000075081000-memory.dmp

memory/1268-96-0x00000000030C0000-0x00000000030D0000-memory.dmp

memory/1268-97-0x00000000030C0000-0x00000000030D0000-memory.dmp

memory/4728-98-0x0000000004E40000-0x0000000005247000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 7596e14899c535b6a01cdd37c9cb5d80
SHA1 070cd580943b9c38f01749ee5aa93da04a0bb7d3
SHA256 3f80acebed8ad2d78fd80f72fde2aa0e0a8c1813cb61f2a80fcc4d4b01fce2d9
SHA512 1027a3c5166929534f30c46796a4383906392ba7637f8bd7614180cc263c737e2c4e0ff21b8c428bbaebd6abde7912dba8ec770835e2eae611baabb1575f606c

memory/1268-108-0x00000000030C0000-0x00000000030D0000-memory.dmp

memory/1268-109-0x0000000070BB0000-0x0000000070BFC000-memory.dmp

memory/1268-110-0x0000000070E00000-0x0000000071157000-memory.dmp

memory/4728-119-0x0000000000400000-0x0000000003118000-memory.dmp

memory/1268-120-0x000000007F8A0000-0x000000007F8B0000-memory.dmp

memory/4728-121-0x0000000000400000-0x0000000003118000-memory.dmp

memory/1268-123-0x00000000748D0000-0x0000000075081000-memory.dmp

memory/2796-124-0x00000000748D0000-0x0000000075081000-memory.dmp

memory/2796-126-0x0000000002EA0000-0x0000000002EB0000-memory.dmp

memory/2796-125-0x0000000002EA0000-0x0000000002EB0000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 a7ef6dcd5df7f0cf591e42fa16193079
SHA1 97a4aea5ed7db221a91fe692c20ab9bfecf6b4c0
SHA256 42913169d471ab1d34202dd4841345d4d9da1c5a6543893cce3c4b05842a4273
SHA512 0930c0a3c6fdaa8e0e00c52a069cc87891f26695fc8a6b75761bd3c3ffaf703fe7ea3bfaf4800f30be957333c3cdecde649f2e98428f92abfa8711826d4635ac

memory/4728-148-0x0000000000400000-0x0000000003118000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 7740947cbe5a6c59c7a11b89f8072f28
SHA1 07ad653f241fa283d00a5fdbb8da836ed32b8497
SHA256 27fca0ff589e04a0a4ef1b3ae7d8ebfc60441427af8eec7428761931315631b3
SHA512 3e9158e3d71df4589e3657f958739960fea7bb4b6c987bf6ece1564e52512413da11237824ae5d773647f09715669a816f23715701eb68d1ca67e8f7af01dbce

memory/4728-153-0x0000000000400000-0x0000000003118000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 12c10fbc6ebaaa569bda048a252e23c5
SHA1 ceeb1bd109dd81c3fd17aedab037702efbb8ad92
SHA256 b87ac2faa76b84d70ff070e7ad60402285b96e25a09d8d810870a809bffa4440
SHA512 97d6ea9a7c5da254e963dcfa17909533f37770c4ba079bab3844e62253557127f0cb0d47afd214a580f43e32160601820ff1fe029d0b943debfac5e825a82ce7

memory/3740-187-0x0000000000400000-0x0000000003118000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 fda2ac99691a995acfc371865b8d809b
SHA1 a3526425460062d63becff880485bafb991bb286
SHA256 b2d853f607807cc013af08bab50e08742b179cbe4f2a528475d0a97291301df7
SHA512 82937c1f38fc27818a1b07ad93e57a25745986e53aaa03fe22cf6da9c0358d0400b31ade7abb86399ece368594b97245b57a494366d90f315b04241c0c377f5f

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 f80802320c3973cc67b61a74261e5d3e
SHA1 53ff68f79dae9343c51f251b8f567f78266ff318
SHA256 288aefdd6000e99456e903f3ce002c08ccd88ad70de88ef8892816d456f1373a
SHA512 79dd1ea21dee1b43457cf4af83032cd3b568a68e854c1d7a7575f9a55dcd644bdf6f87baae3a465eb9e1bd7df7858481341f02f53afe245ab7a75ea62a1433c6

memory/3740-246-0x0000000000400000-0x0000000003118000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/3740-254-0x0000000000400000-0x0000000003118000-memory.dmp

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/3188-262-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3740-263-0x0000000000400000-0x0000000003118000-memory.dmp

memory/280-264-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3740-265-0x0000000000400000-0x0000000003118000-memory.dmp

memory/3740-267-0x0000000000400000-0x0000000003118000-memory.dmp

memory/280-268-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3740-269-0x0000000000400000-0x0000000003118000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-17 15:49

Reported

2024-04-17 15:52

Platform

win10v2004-20240412-en

Max time kernel

150s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\27fca0ff589e04a0a4ef1b3ae7d8ebfc60441427af8eec7428761931315631b3.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\27fca0ff589e04a0a4ef1b3ae7d8ebfc60441427af8eec7428761931315631b3.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\27fca0ff589e04a0a4ef1b3ae7d8ebfc60441427af8eec7428761931315631b3.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\27fca0ff589e04a0a4ef1b3ae7d8ebfc60441427af8eec7428761931315631b3.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\27fca0ff589e04a0a4ef1b3ae7d8ebfc60441427af8eec7428761931315631b3.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1842 = "Russia TZ 4 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-302 = "Romance Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-911 = "Mauritius Daylight Time" C:\Users\Admin\AppData\Local\Temp\27fca0ff589e04a0a4ef1b3ae7d8ebfc60441427af8eec7428761931315631b3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-331 = "E. Europe Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-449 = "Azerbaijan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1662 = "Bahia Standard Time" C:\Users\Admin\AppData\Local\Temp\27fca0ff589e04a0a4ef1b3ae7d8ebfc60441427af8eec7428761931315631b3.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2041 = "Eastern Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\27fca0ff589e04a0a4ef1b3ae7d8ebfc60441427af8eec7428761931315631b3.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1862 = "Russia TZ 6 Standard Time" C:\Users\Admin\AppData\Local\Temp\27fca0ff589e04a0a4ef1b3ae7d8ebfc60441427af8eec7428761931315631b3.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2841 = "Saratov Daylight Time" C:\Users\Admin\AppData\Local\Temp\27fca0ff589e04a0a4ef1b3ae7d8ebfc60441427af8eec7428761931315631b3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-602 = "Taipei Standard Time" C:\Users\Admin\AppData\Local\Temp\27fca0ff589e04a0a4ef1b3ae7d8ebfc60441427af8eec7428761931315631b3.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-652 = "AUS Central Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-981 = "Kamchatka Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1801 = "Line Islands Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1471 = "Magadan Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-435 = "Georgian Standard Time" C:\Users\Admin\AppData\Local\Temp\27fca0ff589e04a0a4ef1b3ae7d8ebfc60441427af8eec7428761931315631b3.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-384 = "Namibia Daylight Time" C:\Users\Admin\AppData\Local\Temp\27fca0ff589e04a0a4ef1b3ae7d8ebfc60441427af8eec7428761931315631b3.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2062 = "North Korea Standard Time" C:\Users\Admin\AppData\Local\Temp\27fca0ff589e04a0a4ef1b3ae7d8ebfc60441427af8eec7428761931315631b3.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-872 = "Pakistan Standard Time" C:\Users\Admin\AppData\Local\Temp\27fca0ff589e04a0a4ef1b3ae7d8ebfc60441427af8eec7428761931315631b3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2371 = "Easter Island Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2001 = "Cabo Verde Daylight Time" C:\Users\Admin\AppData\Local\Temp\27fca0ff589e04a0a4ef1b3ae7d8ebfc60441427af8eec7428761931315631b3.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-512 = "Central Asia Standard Time" C:\Users\Admin\AppData\Local\Temp\27fca0ff589e04a0a4ef1b3ae7d8ebfc60441427af8eec7428761931315631b3.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time" C:\Users\Admin\AppData\Local\Temp\27fca0ff589e04a0a4ef1b3ae7d8ebfc60441427af8eec7428761931315631b3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2161 = "Altai Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-621 = "Korea Daylight Time" C:\Users\Admin\AppData\Local\Temp\27fca0ff589e04a0a4ef1b3ae7d8ebfc60441427af8eec7428761931315631b3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-392 = "Arab Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-162 = "Central Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-72 = "Newfoundland Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2322 = "Sakhalin Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-931 = "Coordinated Universal Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-631 = "Tokyo Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-272 = "Greenwich Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1472 = "Magadan Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2041 = "Eastern Daylight Time (Mexico)" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-365 = "Middle East Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-31 = "Mid-Atlantic Daylight Time" C:\Users\Admin\AppData\Local\Temp\27fca0ff589e04a0a4ef1b3ae7d8ebfc60441427af8eec7428761931315631b3.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-191 = "Mountain Daylight Time" C:\Users\Admin\AppData\Local\Temp\27fca0ff589e04a0a4ef1b3ae7d8ebfc60441427af8eec7428761931315631b3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2892 = "Sudan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1721 = "Libya Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-492 = "India Standard Time" C:\Users\Admin\AppData\Local\Temp\27fca0ff589e04a0a4ef1b3ae7d8ebfc60441427af8eec7428761931315631b3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-431 = "Iran Daylight Time" C:\Windows\windefender.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\27fca0ff589e04a0a4ef1b3ae7d8ebfc60441427af8eec7428761931315631b3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\27fca0ff589e04a0a4ef1b3ae7d8ebfc60441427af8eec7428761931315631b3.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\27fca0ff589e04a0a4ef1b3ae7d8ebfc60441427af8eec7428761931315631b3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\27fca0ff589e04a0a4ef1b3ae7d8ebfc60441427af8eec7428761931315631b3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\27fca0ff589e04a0a4ef1b3ae7d8ebfc60441427af8eec7428761931315631b3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\27fca0ff589e04a0a4ef1b3ae7d8ebfc60441427af8eec7428761931315631b3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\27fca0ff589e04a0a4ef1b3ae7d8ebfc60441427af8eec7428761931315631b3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\27fca0ff589e04a0a4ef1b3ae7d8ebfc60441427af8eec7428761931315631b3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\27fca0ff589e04a0a4ef1b3ae7d8ebfc60441427af8eec7428761931315631b3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\27fca0ff589e04a0a4ef1b3ae7d8ebfc60441427af8eec7428761931315631b3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\27fca0ff589e04a0a4ef1b3ae7d8ebfc60441427af8eec7428761931315631b3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\27fca0ff589e04a0a4ef1b3ae7d8ebfc60441427af8eec7428761931315631b3.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\27fca0ff589e04a0a4ef1b3ae7d8ebfc60441427af8eec7428761931315631b3.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\27fca0ff589e04a0a4ef1b3ae7d8ebfc60441427af8eec7428761931315631b3.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 904 wrote to memory of 1088 N/A C:\Users\Admin\AppData\Local\Temp\27fca0ff589e04a0a4ef1b3ae7d8ebfc60441427af8eec7428761931315631b3.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 904 wrote to memory of 1088 N/A C:\Users\Admin\AppData\Local\Temp\27fca0ff589e04a0a4ef1b3ae7d8ebfc60441427af8eec7428761931315631b3.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 904 wrote to memory of 1088 N/A C:\Users\Admin\AppData\Local\Temp\27fca0ff589e04a0a4ef1b3ae7d8ebfc60441427af8eec7428761931315631b3.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4268 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\27fca0ff589e04a0a4ef1b3ae7d8ebfc60441427af8eec7428761931315631b3.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4268 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\27fca0ff589e04a0a4ef1b3ae7d8ebfc60441427af8eec7428761931315631b3.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4268 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\27fca0ff589e04a0a4ef1b3ae7d8ebfc60441427af8eec7428761931315631b3.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4268 wrote to memory of 4896 N/A C:\Users\Admin\AppData\Local\Temp\27fca0ff589e04a0a4ef1b3ae7d8ebfc60441427af8eec7428761931315631b3.exe C:\Windows\system32\cmd.exe
PID 4268 wrote to memory of 4896 N/A C:\Users\Admin\AppData\Local\Temp\27fca0ff589e04a0a4ef1b3ae7d8ebfc60441427af8eec7428761931315631b3.exe C:\Windows\system32\cmd.exe
PID 4896 wrote to memory of 3944 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4896 wrote to memory of 3944 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4268 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\27fca0ff589e04a0a4ef1b3ae7d8ebfc60441427af8eec7428761931315631b3.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4268 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\27fca0ff589e04a0a4ef1b3ae7d8ebfc60441427af8eec7428761931315631b3.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4268 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\27fca0ff589e04a0a4ef1b3ae7d8ebfc60441427af8eec7428761931315631b3.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4268 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\27fca0ff589e04a0a4ef1b3ae7d8ebfc60441427af8eec7428761931315631b3.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4268 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\27fca0ff589e04a0a4ef1b3ae7d8ebfc60441427af8eec7428761931315631b3.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4268 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\27fca0ff589e04a0a4ef1b3ae7d8ebfc60441427af8eec7428761931315631b3.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4268 wrote to memory of 1604 N/A C:\Users\Admin\AppData\Local\Temp\27fca0ff589e04a0a4ef1b3ae7d8ebfc60441427af8eec7428761931315631b3.exe C:\Windows\rss\csrss.exe
PID 4268 wrote to memory of 1604 N/A C:\Users\Admin\AppData\Local\Temp\27fca0ff589e04a0a4ef1b3ae7d8ebfc60441427af8eec7428761931315631b3.exe C:\Windows\rss\csrss.exe
PID 4268 wrote to memory of 1604 N/A C:\Users\Admin\AppData\Local\Temp\27fca0ff589e04a0a4ef1b3ae7d8ebfc60441427af8eec7428761931315631b3.exe C:\Windows\rss\csrss.exe
PID 1604 wrote to memory of 3836 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1604 wrote to memory of 3836 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1604 wrote to memory of 3836 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1604 wrote to memory of 4364 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1604 wrote to memory of 4364 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1604 wrote to memory of 4364 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1604 wrote to memory of 3652 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1604 wrote to memory of 3652 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1604 wrote to memory of 3652 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1604 wrote to memory of 2288 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 1604 wrote to memory of 2288 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 5060 wrote to memory of 3300 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 5060 wrote to memory of 3300 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 5060 wrote to memory of 3300 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 3300 wrote to memory of 392 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 3300 wrote to memory of 392 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 3300 wrote to memory of 392 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\27fca0ff589e04a0a4ef1b3ae7d8ebfc60441427af8eec7428761931315631b3.exe

"C:\Users\Admin\AppData\Local\Temp\27fca0ff589e04a0a4ef1b3ae7d8ebfc60441427af8eec7428761931315631b3.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\27fca0ff589e04a0a4ef1b3ae7d8ebfc60441427af8eec7428761931315631b3.exe

"C:\Users\Admin\AppData\Local\Temp\27fca0ff589e04a0a4ef1b3ae7d8ebfc60441427af8eec7428761931315631b3.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 50.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 0be8ac97-6711-4226-8a5d-d4491c5fcee9.uuid.theupdatetime.org udp
US 8.8.8.8:53 stun.ipfire.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 server7.theupdatetime.org udp
US 162.159.133.233:443 cdn.discordapp.com tcp
DE 81.3.27.44:3478 stun.ipfire.org udp
BG 185.82.216.108:443 server7.theupdatetime.org tcp
US 8.8.8.8:53 carsalessystem.com udp
US 104.21.94.82:443 carsalessystem.com tcp
US 8.8.8.8:53 44.27.3.81.in-addr.arpa udp
US 8.8.8.8:53 233.133.159.162.in-addr.arpa udp
US 8.8.8.8:53 108.216.82.185.in-addr.arpa udp
US 8.8.8.8:53 82.94.21.104.in-addr.arpa udp
BG 185.82.216.108:443 server7.theupdatetime.org tcp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
BG 185.82.216.108:443 server7.theupdatetime.org tcp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ydd45lej.hbe.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 a473c44fc1c061735a3d061a11c33b74
SHA1 4387d0e3870ed129ce24f8fa09b9d79efcc8be8c
SHA256 50d7131c9bdcebc396e823abd4e3b63f506f17ea08446fec6a42b82ad9bce0e5
SHA512 abade1fa1a96a36a7c8a06d283b9541f01a60cc46ff71c64d82d1251401e8400b159405a3ca4d72df7f9fcb2c6f4a6d8990e36e702ea67c6285df0b5e1f60464

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 a50db5de0a7193bd8aaa782e423e48e2
SHA1 d5437cd38ce78f07c7818dd502c8896cbb039153
SHA256 8ca52ab8e0355641738a0e58cf02d08b540f9e1cfe93e49c23d63da8dd389053
SHA512 7c169625868139aa6961810fbf055a7e07948ae0cd0473bfbaf20f7498c3d493c7d8f0999d805b505ba32528644d4f0d11f6cdc06b8e9d4bbc966e895905a7ef

C:\Windows\rss\csrss.exe

MD5 7740947cbe5a6c59c7a11b89f8072f28
SHA1 07ad653f241fa283d00a5fdbb8da836ed32b8497
SHA256 27fca0ff589e04a0a4ef1b3ae7d8ebfc60441427af8eec7428761931315631b3
SHA512 3e9158e3d71df4589e3657f958739960fea7bb4b6c987bf6ece1564e52512413da11237824ae5d773647f09715669a816f23715701eb68d1ca67e8f7af01dbce

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 94c2a91dd52029cde57ca63bc53d7044
SHA1 4c6e420db3d337da70a36465f87706d39cc7b621
SHA256 c227c5ccc5ebd09373974f53cd465e027955ad68c50eabf83a5ba75b55113430
SHA512 4681033a1574c287651c0aa430fd2b67173114435c69e6d3ae79df38ca506123d38370dd1fe0489ad3e46e0fbe8604214e8125c331b0c2c2e0dbbc351aef7842

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 e5dff8501a72db43864fb306db194376
SHA1 53a1bf749b3e5da34a6880b1c05bdf7ae573055f
SHA256 0d661984e1b9e711494b4c6fd3d49750b05b945bb42e85995720751edacd9fa4
SHA512 df22d3ce9dc84a81a6b281072e53452c5a66c7af5b2479a7cd613446f29aebcdb359a546305799a1205a8c362bfff292ba2c435cd9bdfc131d8a65808aec05c5

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 7fa6eb1c8a8b1a71cde7b81496e5cb01
SHA1 b7253ed4830c05b7f43a2f05d64463b3bc304436
SHA256 3454a75be13df20680f8ac9720ad0ead40731786b0db80249553659234474be5
SHA512 4585b8387ef4be0054b7bb7a7c961f58ddf538e7d2f8e07c5c7952756c6f53d530a562846df9ca6cf81265ffddc44f88091addeed4e0a25e30cb1c87fe70532f

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec
