Malware Analysis Report

2025-08-10 17:21

Sample ID 240417-tby5ksef57
Target 554f3c1bb924f0cd40397888ee156131091d7cd8d60732ee517ee0ca9ab6cb16
SHA256 554f3c1bb924f0cd40397888ee156131091d7cd8d60732ee517ee0ca9ab6cb16
Tags
glupteba discovery dropper evasion loader persistence rootkit upx
score
10/10

Analysis Overview

score
10/10

SHA256

554f3c1bb924f0cd40397888ee156131091d7cd8d60732ee517ee0ca9ab6cb16

Threat Level: Known bad

The file 554f3c1bb924f0cd40397888ee156131091d7cd8d60732ee517ee0ca9ab6cb16 was found to be: Known bad.

Malicious Activity Summary

glupteba discovery dropper evasion loader persistence rootkit upx

Glupteba

Glupteba payload

Modifies Windows Firewall

UPX packed file

Executes dropped EXE

Manipulates WinMonFS driver

Checks installed software on the system

Adds Run key to start application

Drops file in System32 directory

Drops file in Windows directory

Launches sc.exe

Checks for VirtualBox DLLs, possible anti-VM trick

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

Modifies data under HKEY_USERS

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-17 15:53

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-17 15:53

Reported

2024-04-17 15:56

Platform

win10v2004-20240412-en

Max time kernel

149s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\554f3c1bb924f0cd40397888ee156131091d7cd8d60732ee517ee0ca9ab6cb16.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload


Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\554f3c1bb924f0cd40397888ee156131091d7cd8d60732ee517ee0ca9ab6cb16.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\554f3c1bb924f0cd40397888ee156131091d7cd8d60732ee517ee0ca9ab6cb16.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\554f3c1bb924f0cd40397888ee156131091d7cd8d60732ee517ee0ca9ab6cb16.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\554f3c1bb924f0cd40397888ee156131091d7cd8d60732ee517ee0ca9ab6cb16.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2432 = "Cuba Standard Time" C:\Users\Admin\AppData\Local\Temp\554f3c1bb924f0cd40397888ee156131091d7cd8d60732ee517ee0ca9ab6cb16.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-132 = "US Eastern Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-681 = "E. Australia Daylight Time" C:\Users\Admin\AppData\Local\Temp\554f3c1bb924f0cd40397888ee156131091d7cd8d60732ee517ee0ca9ab6cb16.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-531 = "Sri Lanka Daylight Time" C:\Users\Admin\AppData\Local\Temp\554f3c1bb924f0cd40397888ee156131091d7cd8d60732ee517ee0ca9ab6cb16.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-511 = "Central Asia Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-281 = "Central Europe Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2372 = "Easter Island Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2392 = "Aleutian Standard Time" C:\Users\Admin\AppData\Local\Temp\554f3c1bb924f0cd40397888ee156131091d7cd8d60732ee517ee0ca9ab6cb16.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1891 = "Russia TZ 3 Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-841 = "Argentina Daylight Time" C:\Users\Admin\AppData\Local\Temp\554f3c1bb924f0cd40397888ee156131091d7cd8d60732ee517ee0ca9ab6cb16.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-72 = "Newfoundland Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-691 = "Tasmania Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2001 = "Cabo Verde Daylight Time" C:\Users\Admin\AppData\Local\Temp\554f3c1bb924f0cd40397888ee156131091d7cd8d60732ee517ee0ca9ab6cb16.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-105 = "Central Brazilian Standard Time" C:\Users\Admin\AppData\Local\Temp\554f3c1bb924f0cd40397888ee156131091d7cd8d60732ee517ee0ca9ab6cb16.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-202 = "US Mountain Standard Time" C:\Users\Admin\AppData\Local\Temp\554f3c1bb924f0cd40397888ee156131091d7cd8d60732ee517ee0ca9ab6cb16.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1721 = "Libya Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1021 = "Bangladesh Daylight Time" C:\Users\Admin\AppData\Local\Temp\554f3c1bb924f0cd40397888ee156131091d7cd8d60732ee517ee0ca9ab6cb16.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-171 = "Central Daylight Time (Mexico)" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1821 = "Russia TZ 1 Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-215 = "Pacific Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\554f3c1bb924f0cd40397888ee156131091d7cd8d60732ee517ee0ca9ab6cb16.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1501 = "Turkey Daylight Time" C:\Users\Admin\AppData\Local\Temp\554f3c1bb924f0cd40397888ee156131091d7cd8d60732ee517ee0ca9ab6cb16.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-11 = "Azores Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2411 = "Marquesas Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2142 = "Transbaikal Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-391 = "Arab Daylight Time" C:\Users\Admin\AppData\Local\Temp\554f3c1bb924f0cd40397888ee156131091d7cd8d60732ee517ee0ca9ab6cb16.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2432 = "Cuba Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-211 = "Pacific Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2572 = "Turks and Caicos Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-401 = "Arabic Daylight Time" C:\Users\Admin\AppData\Local\Temp\554f3c1bb924f0cd40397888ee156131091d7cd8d60732ee517ee0ca9ab6cb16.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-892 = "Morocco Standard Time" C:\Users\Admin\AppData\Local\Temp\554f3c1bb924f0cd40397888ee156131091d7cd8d60732ee517ee0ca9ab6cb16.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-532 = "Sri Lanka Standard Time" C:\Users\Admin\AppData\Local\Temp\554f3c1bb924f0cd40397888ee156131091d7cd8d60732ee517ee0ca9ab6cb16.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2161 = "Altai Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-721 = "Central Pacific Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-651 = "AUS Central Daylight Time" C:\Users\Admin\AppData\Local\Temp\554f3c1bb924f0cd40397888ee156131091d7cd8d60732ee517ee0ca9ab6cb16.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-3142 = "South Sudan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1912 = "Russia TZ 10 Standard Time" C:\Users\Admin\AppData\Local\Temp\554f3c1bb924f0cd40397888ee156131091d7cd8d60732ee517ee0ca9ab6cb16.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-449 = "Azerbaijan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-451 = "Caucasus Daylight Time" C:\Users\Admin\AppData\Local\Temp\554f3c1bb924f0cd40397888ee156131091d7cd8d60732ee517ee0ca9ab6cb16.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\554f3c1bb924f0cd40397888ee156131091d7cd8d60732ee517ee0ca9ab6cb16.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\554f3c1bb924f0cd40397888ee156131091d7cd8d60732ee517ee0ca9ab6cb16.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\554f3c1bb924f0cd40397888ee156131091d7cd8d60732ee517ee0ca9ab6cb16.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5088 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\554f3c1bb924f0cd40397888ee156131091d7cd8d60732ee517ee0ca9ab6cb16.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5088 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\554f3c1bb924f0cd40397888ee156131091d7cd8d60732ee517ee0ca9ab6cb16.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5088 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\554f3c1bb924f0cd40397888ee156131091d7cd8d60732ee517ee0ca9ab6cb16.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2464 wrote to memory of 3828 N/A C:\Users\Admin\AppData\Local\Temp\554f3c1bb924f0cd40397888ee156131091d7cd8d60732ee517ee0ca9ab6cb16.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2464 wrote to memory of 3828 N/A C:\Users\Admin\AppData\Local\Temp\554f3c1bb924f0cd40397888ee156131091d7cd8d60732ee517ee0ca9ab6cb16.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2464 wrote to memory of 3828 N/A C:\Users\Admin\AppData\Local\Temp\554f3c1bb924f0cd40397888ee156131091d7cd8d60732ee517ee0ca9ab6cb16.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2464 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\554f3c1bb924f0cd40397888ee156131091d7cd8d60732ee517ee0ca9ab6cb16.exe C:\Windows\system32\cmd.exe
PID 2464 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\554f3c1bb924f0cd40397888ee156131091d7cd8d60732ee517ee0ca9ab6cb16.exe C:\Windows\system32\cmd.exe
PID 2308 wrote to memory of 2120 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2308 wrote to memory of 2120 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2464 wrote to memory of 1332 N/A C:\Users\Admin\AppData\Local\Temp\554f3c1bb924f0cd40397888ee156131091d7cd8d60732ee517ee0ca9ab6cb16.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2464 wrote to memory of 1332 N/A C:\Users\Admin\AppData\Local\Temp\554f3c1bb924f0cd40397888ee156131091d7cd8d60732ee517ee0ca9ab6cb16.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2464 wrote to memory of 1332 N/A C:\Users\Admin\AppData\Local\Temp\554f3c1bb924f0cd40397888ee156131091d7cd8d60732ee517ee0ca9ab6cb16.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2464 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\554f3c1bb924f0cd40397888ee156131091d7cd8d60732ee517ee0ca9ab6cb16.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2464 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\554f3c1bb924f0cd40397888ee156131091d7cd8d60732ee517ee0ca9ab6cb16.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2464 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\554f3c1bb924f0cd40397888ee156131091d7cd8d60732ee517ee0ca9ab6cb16.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2464 wrote to memory of 5080 N/A C:\Users\Admin\AppData\Local\Temp\554f3c1bb924f0cd40397888ee156131091d7cd8d60732ee517ee0ca9ab6cb16.exe C:\Windows\rss\csrss.exe
PID 2464 wrote to memory of 5080 N/A C:\Users\Admin\AppData\Local\Temp\554f3c1bb924f0cd40397888ee156131091d7cd8d60732ee517ee0ca9ab6cb16.exe C:\Windows\rss\csrss.exe
PID 2464 wrote to memory of 5080 N/A C:\Users\Admin\AppData\Local\Temp\554f3c1bb924f0cd40397888ee156131091d7cd8d60732ee517ee0ca9ab6cb16.exe C:\Windows\rss\csrss.exe
PID 5080 wrote to memory of 4644 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5080 wrote to memory of 4644 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5080 wrote to memory of 4644 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5080 wrote to memory of 4056 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5080 wrote to memory of 4056 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5080 wrote to memory of 4056 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5080 wrote to memory of 3632 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5080 wrote to memory of 3632 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5080 wrote to memory of 3632 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5080 wrote to memory of 4976 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 5080 wrote to memory of 4976 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 3008 wrote to memory of 2344 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 3008 wrote to memory of 2344 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 3008 wrote to memory of 2344 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 2344 wrote to memory of 3928 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 2344 wrote to memory of 3928 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 2344 wrote to memory of 3928 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\554f3c1bb924f0cd40397888ee156131091d7cd8d60732ee517ee0ca9ab6cb16.exe

"C:\Users\Admin\AppData\Local\Temp\554f3c1bb924f0cd40397888ee156131091d7cd8d60732ee517ee0ca9ab6cb16.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\554f3c1bb924f0cd40397888ee156131091d7cd8d60732ee517ee0ca9ab6cb16.exe

"C:\Users\Admin\AppData\Local\Temp\554f3c1bb924f0cd40397888ee156131091d7cd8d60732ee517ee0ca9ab6cb16.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe
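The command lines above carry most of the triage value of this detonation: a binary named csrss.exe running from C:\Windows\rss instead of System32, an ONLOGON task with the highest run level pointing at it, an inbound firewall allow rule for it, a service security descriptor rewrite via sc sdset, and an injector that takes a target process name plus a hook DLL as its arguments. The Python below is an added example, not part of the sandbox report and not code from the malware, that runs simple detection rules over those command lines (copied verbatim from the list above). The trusted-directory prefixes, the set of System32-only binary names and the injector heuristic are assumptions to tune per environment.

```python
import ntpath
import re
from typing import Dict, List, Optional

# Command lines copied from the behavioral1 process list above (one per process).
SAMPLE_CMDLINES = [
    r'"C:\Users\Admin\AppData\Local\Temp\554f3c1bb924f0cd40397888ee156131091d7cd8d60732ee517ee0ca9ab6cb16.exe"',
    r'powershell -nologo -noprofile',
    r'C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"',
    r'netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes',
    r'C:\Windows\rss\csrss.exe',
    r'schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F',
    r'schtasks /delete /tn ScheduledUpdate /f',
    r'C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll',
    r'"C:\Windows\windefender.exe"',
    r'cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)',
]

# Assumption: core Windows binaries that only ever run from System32; the same name elsewhere is masquerading.
SYSTEM32_ONLY = {"csrss.exe", "smss.exe", "wininit.exe", "winlogon.exe",
                 "services.exe", "lsass.exe", "svchost.exe", "lsm.exe"}
# Assumption: directories from which a task target or firewall-allowed program is considered expected.
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                "c:\\program files\\", "c:\\program files (x86)\\")


def tokens(cmdline: str) -> List[str]:
    """Split on whitespace while keeping double-quoted runs together, quotes stripped."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def option(cmdline: str, flag: str) -> Optional[str]:
    """Value following a /FLAG switch (schtasks style), quoted or bare."""
    m = re.search(re.escape(flag) + r'\s+(?:"([^"]*)"|(\S+))', cmdline, re.I)
    return (m.group(1) or m.group(2)) if m else None


def keyval(cmdline: str, key: str) -> Optional[str]:
    """Value of key=... (netsh style), quoted or bare."""
    m = re.search(re.escape(key) + r'=(?:"([^"]*)"|(\S+))', cmdline, re.I)
    return (m.group(1) or m.group(2)) if m else None


def trusted(path: str) -> bool:
    return path.lower().startswith(TRUSTED_DIRS)


def triage(cmdlines: List[str]) -> List[Dict[str, str]]:
    """Apply the detection rules to each command line; identical findings are reported once."""
    findings: List[Dict[str, str]] = []
    seen = set()

    def add(rule: str, detail: str) -> None:
        if (rule, detail) not in seen:
            seen.add((rule, detail))
            findings.append({"rule": rule, "detail": detail})

    for cmd in cmdlines:
        toks = tokens(cmd)
        if not toks:
            continue
        image = toks[0]
        name = ntpath.basename(image).lower()
        if name in SYSTEM32_ONLY and ntpath.dirname(image).lower() != "c:\\windows\\system32":
            add("masquerade", f"{name} running from {ntpath.dirname(image)}")
        if "\\appdata\\local\\temp\\" in image.lower():
            add("temp-execution", image)
        if name in ("schtasks", "schtasks.exe"):
            if "/create" in cmd.lower():
                target = option(cmd, "/TR") or ""
                if not trusted(target) or (option(cmd, "/RL") or "").upper() == "HIGHEST":
                    add("task-persistence",
                        f"{option(cmd, '/TN')} -> {target} ({option(cmd, '/SC')}, RL={option(cmd, '/RL')})")
            elif "/delete" in cmd.lower():
                add("task-deleted", option(cmd, "/TN") or "?")
        if re.search(r"netsh\s+advfirewall\s+firewall\s+add\s+rule", cmd, re.I):
            program = keyval(cmd, "program") or ""
            if (keyval(cmd, "action") or "").lower() == "allow" and not trusted(program):
                add("firewall-allow", f"{keyval(cmd, 'name')} -> {program}")
        m = re.search(r"\bsc(?:\.exe)?\s+sdset\s+(\S+)", cmd, re.I)
        if m:
            add("service-dacl-rewrite", m.group(1))
        # Heuristic (assumption): a program handed a bare process name and a DLL path is an injector.
        args = toks[1:]
        exe_args = [a for a in args if a.lower().endswith(".exe") and "\\" not in a]
        dll_args = [a for a in args if a.lower().endswith(".dll")]
        if exe_args and dll_args:
            add("dll-injection", f"{image} -> {exe_args[0]} with {ntpath.basename(dll_args[0])}")
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_CMDLINES):
        print(f"{f['rule']:22} {f['detail']}")
```

Running it against the list above yields one finding per technique: masquerade, temp-execution (sample and injector), firewall-allow, task-persistence, task-deleted, dll-injection and service-dacl-rewrite; the two netsh lines (the cmd.exe wrapper and netsh itself) collapse into a single firewall finding.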

Network

Country Destination Domain Proto
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 69b9c83c-15a4-4b40-b4e1-0ec0b1523476.uuid.myfastupdate.org udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 24.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 stun2.l.google.com udp
US 8.8.8.8:53 server12.myfastupdate.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.129.233:443 cdn.discordapp.com tcp
NL 74.125.128.127:19302 stun2.l.google.com udp
BG 185.82.216.111:443 server12.myfastupdate.org tcp
US 8.8.8.8:53 carsalessystem.com udp
US 104.21.94.82:443 carsalessystem.com tcp
US 8.8.8.8:53 127.128.125.74.in-addr.arpa udp
US 8.8.8.8:53 233.129.159.162.in-addr.arpa udp
US 8.8.8.8:53 111.216.82.185.in-addr.arpa udp
US 8.8.8.8:53 82.94.21.104.in-addr.arpa udp
BG 185.82.216.111:443 server12.myfastupdate.org tcp
US 8.8.8.8:53 16.244.122.92.in-addr.arpa udp
IE 52.111.236.23:443 tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
BG 185.82.216.111:443 server12.myfastupdate.org tcp
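A triage note on the table above: rows to 8.8.8.8:53 are DNS queries, so the indicator in them is the queried name rather than the destination; the in-addr.arpa rows are reverse lookups whose labels are peer IPs written backwards (111.216.82.185.in-addr.arpa is 185.82.216.111, the server12.myfastupdate.org host); and one row (52.111.236.23:443) has no resolved name at all. The Python below is an added example, not part of the report, that parses a subset of the rows above, decodes the reverse lookups, separates names that were only resolved from hosts that were actually contacted, and flags the hostname whose first label is a UUID. The benign-suffix allowlist is an assumption; tune it to the sandbox's known background traffic.

```python
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional, Set

# A subset of the rows from the Network table above (Country Destination Domain Proto).
NETWORK_ROWS = """
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 69b9c83c-15a4-4b40-b4e1-0ec0b1523476.uuid.myfastupdate.org udp
US 8.8.8.8:53 stun2.l.google.com udp
US 8.8.8.8:53 server12.myfastupdate.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.129.233:443 cdn.discordapp.com tcp
NL 74.125.128.127:19302 stun2.l.google.com udp
BG 185.82.216.111:443 server12.myfastupdate.org tcp
US 8.8.8.8:53 carsalessystem.com udp
US 104.21.94.82:443 carsalessystem.com tcp
US 8.8.8.8:53 111.216.82.185.in-addr.arpa udp
IE 52.111.236.23:443 tcp
BG 185.82.216.111:443 server12.myfastupdate.org tcp
"""

# Assumption: sandbox/OS background traffic that an analyst chooses to ignore.
BENIGN_SUFFIXES = (".bing.com", ".l.google.com")
UUID_LABEL = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\.", re.I)


class Conn(NamedTuple):
    country: str
    ip: str
    port: int
    domain: str
    proto: str


def parse_rows(text: str) -> List[Conn]:
    """Parse the report's space-separated rows; the domain column may be absent."""
    conns: List[Conn] = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:            # unresolved destination, e.g. the 52.111.236.23:443 row
            country, dest, proto = parts
            domain = ""
        else:
            continue
        ip, port = dest.rsplit(":", 1)
        conns.append(Conn(country, ip, int(port), domain, proto))
    return conns


def ptr_target(domain: str) -> Optional[str]:
    """Turn 136.32.126.40.in-addr.arpa back into 40.126.32.136."""
    suffix = ".in-addr.arpa"
    if not domain.endswith(suffix):
        return None
    octets = domain[:-len(suffix)].split(".")
    return ".".join(reversed(octets)) if len(octets) == 4 else None


def summarize(conns: List[Conn]) -> Dict[str, object]:
    dns_names: Set[str] = set()
    ptr_targets: Set[str] = set()
    contacted: Dict[str, Set[str]] = defaultdict(set)   # name (or bare IP) -> {ip:port/proto}
    for c in conns:
        if c.port == 53 and c.proto == "udp":           # a query: the resolver is not the indicator
            tgt = ptr_target(c.domain)
            if tgt:
                ptr_targets.add(tgt)
            elif c.domain:
                dns_names.add(c.domain)
        else:                                           # a real connection to the resolved host
            contacted[c.domain or c.ip].add(f"{c.ip}:{c.port}/{c.proto}")
    benign = {n for n in dns_names | set(contacted) if n.endswith(BENIGN_SUFFIXES)}
    return {
        "indicators": {n: sorted(v) for n, v in contacted.items() if n not in benign},
        "queried_only": sorted(dns_names - set(contacted) - benign),   # resolved, never connected in the capture
        "uuid_hosts": sorted(n for n in dns_names if UUID_LABEL.match(n)),
        "ptr_targets": sorted(ptr_targets),
        "benign": sorted(benign),
    }


if __name__ == "__main__":
    for key, value in summarize(parse_rows(NETWORK_ROWS)).items():
        print(key, value)
```

The resolved-but-never-contacted bucket is worth keeping separate: within this 149-second capture the UUID-labelled myfastupdate.org name was only looked up, so it is an indicator for DNS telemetry rather than for connection logs.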

Files

memory/5088-1-0x0000000004E60000-0x0000000005260000-memory.dmp

memory/5088-2-0x0000000005260000-0x0000000005B4B000-memory.dmp

memory/5088-3-0x0000000000400000-0x0000000003118000-memory.dmp

memory/2948-4-0x0000000002750000-0x0000000002786000-memory.dmp

memory/2948-5-0x0000000074D20000-0x00000000754D0000-memory.dmp

memory/2948-6-0x0000000005130000-0x0000000005758000-memory.dmp

memory/2948-7-0x0000000004AF0000-0x0000000004B00000-memory.dmp

memory/2948-8-0x0000000004D40000-0x0000000004D62000-memory.dmp

memory/2948-9-0x0000000004EE0000-0x0000000004F46000-memory.dmp

memory/2948-10-0x0000000005080000-0x00000000050E6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tkcv1wqn.pma.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2948-20-0x0000000005760000-0x0000000005AB4000-memory.dmp

memory/2948-21-0x0000000005D30000-0x0000000005D4E000-memory.dmp

memory/2948-22-0x0000000005D50000-0x0000000005D9C000-memory.dmp

memory/2948-23-0x00000000062A0000-0x00000000062E4000-memory.dmp

memory/2948-24-0x0000000007030000-0x00000000070A6000-memory.dmp

memory/2948-25-0x0000000007730000-0x0000000007DAA000-memory.dmp

memory/2948-26-0x00000000070D0000-0x00000000070EA000-memory.dmp

memory/2948-27-0x000000007F020000-0x000000007F030000-memory.dmp

memory/2948-28-0x0000000007290000-0x00000000072C2000-memory.dmp

memory/2948-29-0x0000000070BC0000-0x0000000070C0C000-memory.dmp

memory/2948-30-0x0000000070D40000-0x0000000071094000-memory.dmp

memory/2948-41-0x0000000004AF0000-0x0000000004B00000-memory.dmp

memory/2948-40-0x00000000072D0000-0x00000000072EE000-memory.dmp

memory/2948-42-0x00000000072F0000-0x0000000007393000-memory.dmp

memory/2948-43-0x00000000073E0000-0x00000000073EA000-memory.dmp

memory/2948-44-0x0000000004AF0000-0x0000000004B00000-memory.dmp

memory/2948-45-0x00000000074A0000-0x0000000007536000-memory.dmp

memory/2948-46-0x0000000007400000-0x0000000007411000-memory.dmp

memory/2948-47-0x0000000007440000-0x000000000744E000-memory.dmp

memory/2948-48-0x0000000007450000-0x0000000007464000-memory.dmp

memory/2948-49-0x0000000007540000-0x000000000755A000-memory.dmp

memory/2948-50-0x0000000007490000-0x0000000007498000-memory.dmp

memory/2948-53-0x0000000074D20000-0x00000000754D0000-memory.dmp

memory/5088-56-0x0000000004E60000-0x0000000005260000-memory.dmp

memory/2464-55-0x0000000004DA0000-0x00000000051A4000-memory.dmp

memory/2464-57-0x00000000051B0000-0x0000000005A9B000-memory.dmp

memory/2464-58-0x0000000000400000-0x0000000003118000-memory.dmp

memory/3828-59-0x0000000074D20000-0x00000000754D0000-memory.dmp

memory/3828-60-0x0000000004B70000-0x0000000004B80000-memory.dmp

memory/3828-61-0x0000000004B70000-0x0000000004B80000-memory.dmp

memory/3828-71-0x0000000005960000-0x0000000005CB4000-memory.dmp

memory/3828-73-0x0000000070BC0000-0x0000000070C0C000-memory.dmp

memory/5088-72-0x0000000000400000-0x0000000003118000-memory.dmp

memory/3828-74-0x0000000071340000-0x0000000071694000-memory.dmp

memory/3828-84-0x00000000071F0000-0x0000000007293000-memory.dmp

memory/3828-85-0x000000007EFF0000-0x000000007F000000-memory.dmp

memory/3828-87-0x0000000004B70000-0x0000000004B80000-memory.dmp

memory/3828-86-0x0000000004B70000-0x0000000004B80000-memory.dmp

memory/3828-88-0x00000000074D0000-0x00000000074E1000-memory.dmp

memory/3828-89-0x0000000007520000-0x0000000007534000-memory.dmp

memory/3828-92-0x0000000074D20000-0x00000000754D0000-memory.dmp

memory/1332-94-0x0000000074D20000-0x00000000754D0000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 3d086a433708053f9bf9523e1d87a4e8
SHA1 b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA256 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

memory/1332-95-0x00000000048C0000-0x00000000048D0000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 bc0462fe83ac5580e6ee8ebdfe32268c
SHA1 35b8e102787eb3b28727f09050f50f2d3ad7b735
SHA256 6f43ce1bdc258f21555b9d6e23db49688ee84233ed9bb9762d39191d27c6d68a
SHA512 454b56ed0d4a6dc72e4cdf09023249c35f4910ecdad056e6da1413f30ff35312d444397e1e919ff61a0823efe8cba47b854a7da0814670eb328579c74d8508ba

memory/1332-108-0x0000000070D40000-0x0000000071094000-memory.dmp

memory/1332-118-0x00000000048C0000-0x00000000048D0000-memory.dmp

memory/1332-107-0x000000007FC00000-0x000000007FC10000-memory.dmp

memory/1332-106-0x0000000070BC0000-0x0000000070C0C000-memory.dmp

memory/2464-119-0x0000000004DA0000-0x00000000051A4000-memory.dmp

memory/1332-121-0x0000000074D20000-0x00000000754D0000-memory.dmp

memory/2992-122-0x0000000074D20000-0x00000000754D0000-memory.dmp

memory/2992-123-0x0000000005310000-0x0000000005320000-memory.dmp

memory/2992-124-0x0000000005310000-0x0000000005320000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 eb4894aedba59cc0c0763618730db6a9
SHA1 cd28cdbedcdbfc484bf8a528d39a6721545340c5
SHA256 6e394e8a35d8fee4b47dc306801d3987f7224b0363cd95355e2eacdba1cc4fd1
SHA512 a4d06fefc2d6fe2e4807e166fea853498b383c1ffbd302339457c806a3d2544bcd33f225b119f7a71a7ddaa3a2c280e2c26bc4dbda1a91f9b53dd55f2475f215

memory/2992-135-0x0000000070BC0000-0x0000000070C0C000-memory.dmp

memory/2992-136-0x0000000071340000-0x0000000071694000-memory.dmp

memory/2464-146-0x0000000000400000-0x0000000003118000-memory.dmp

memory/2464-147-0x0000000000400000-0x0000000003118000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 3fe4b0b8dd103c35ae252f01d81c91ea
SHA1 59181f7ecebf622327d782cc7bf9722b5fe04324
SHA256 554f3c1bb924f0cd40397888ee156131091d7cd8d60732ee517ee0ca9ab6cb16
SHA512 0678814f70b1a7b8181ce8f74e42d7779d8e846feb4d222f679d3443fb77abd1e468d85b31621c38479336b457aef3d4837ac7880c26fd0549a93b389b878fb6

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 1c77ad8e7afc8a704b0f2c75e0fe708c
SHA1 646fec39d6db0782e5f014c0fb5cadd6a7517f81
SHA256 02bd6425617f8d2a75c8ae129de60032603b283795f50d7bc4a07389aa2da2d3
SHA512 c7c597429538bbd13ddb34c4cd485ac4d597b3aefecc5260f81a0b116821f4d44664c7aaa37ea7de469ada6091e1803770773d0accd47eea113df1097f686748

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 cd6aeea9cca8f4a9ea1584f083ca285a
SHA1 dc79a9099cc0bb15fc3fb324bbc95332769b8b02
SHA256 6e7b254ab714d94771053fe488fb5c486d1d14d15e0c77e5c808473cb1ab388e
SHA512 0c673fffa7e1a7e520ed635d9ff6e96d9ceed68f283b416e8769e2b330c3a3e7c36ce6b307af903430350346f4ed6100e2f29e4582b19043ce757c1995cac67d

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 87a6752cdf6a2f45c8207c204f733fa0
SHA1 e97a78373af074aa0aaa17e966d2499d23e95041
SHA256 7ed419227e9ab94f67933c62bd0533e1ca1deb9360eb14f54b95bb25bcbb6856
SHA512 905d3760a7d302e540ff045b488d608ae7f08e3888e873ad203762fbd3562d459eb18592acda87d1d28f3dfb88c860581b3ff8781a41cbf759921a9aead966bc

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/2464-255-0x0000000000400000-0x0000000003118000-memory.dmp

memory/5080-256-0x0000000000400000-0x0000000003118000-memory.dmp

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/3008-266-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/5080-267-0x0000000000400000-0x0000000003118000-memory.dmp

memory/5080-270-0x0000000000400000-0x0000000003118000-memory.dmp

memory/4832-271-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/5080-274-0x0000000000400000-0x0000000003118000-memory.dmp

memory/5080-278-0x0000000000400000-0x0000000003118000-memory.dmp

memory/4832-279-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/5080-282-0x0000000000400000-0x0000000003118000-memory.dmp

memory/5080-286-0x0000000000400000-0x0000000003118000-memory.dmp

memory/5080-290-0x0000000000400000-0x0000000003118000-memory.dmp

memory/5080-294-0x0000000000400000-0x0000000003118000-memory.dmp

memory/5080-298-0x0000000000400000-0x0000000003118000-memory.dmp

memory/5080-302-0x0000000000400000-0x0000000003118000-memory.dmp

memory/5080-306-0x0000000000400000-0x0000000003118000-memory.dmp

memory/5080-310-0x0000000000400000-0x0000000003118000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-17 15:53

Reported

2024-04-17 15:56

Platform

win11-20240412-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\554f3c1bb924f0cd40397888ee156131091d7cd8d60732ee517ee0ca9ab6cb16.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-801765966-3955847401-2235691403-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\554f3c1bb924f0cd40397888ee156131091d7cd8d60732ee517ee0ca9ab6cb16.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-801765966-3955847401-2235691403-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\554f3c1bb924f0cd40397888ee156131091d7cd8d60732ee517ee0ca9ab6cb16.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\554f3c1bb924f0cd40397888ee156131091d7cd8d60732ee517ee0ca9ab6cb16.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\554f3c1bb924f0cd40397888ee156131091d7cd8d60732ee517ee0ca9ab6cb16.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-982 = "Kamchatka Standard Time" C:\Users\Admin\AppData\Local\Temp\554f3c1bb924f0cd40397888ee156131091d7cd8d60732ee517ee0ca9ab6cb16.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-911 = "Mauritius Daylight Time" C:\Users\Admin\AppData\Local\Temp\554f3c1bb924f0cd40397888ee156131091d7cd8d60732ee517ee0ca9ab6cb16.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1871 = "Russia TZ 7 Daylight Time" C:\Users\Admin\AppData\Local\Temp\554f3c1bb924f0cd40397888ee156131091d7cd8d60732ee517ee0ca9ab6cb16.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2181 = "Astrakhan Daylight Time" C:\Users\Admin\AppData\Local\Temp\554f3c1bb924f0cd40397888ee156131091d7cd8d60732ee517ee0ca9ab6cb16.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2412 = "Marquesas Standard Time" C:\Users\Admin\AppData\Local\Temp\554f3c1bb924f0cd40397888ee156131091d7cd8d60732ee517ee0ca9ab6cb16.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1932 = "Russia TZ 11 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-132 = "US Eastern Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-411 = "E. Africa Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-842 = "Argentina Standard Time" C:\Users\Admin\AppData\Local\Temp\554f3c1bb924f0cd40397888ee156131091d7cd8d60732ee517ee0ca9ab6cb16.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-281 = "Central Europe Daylight Time" C:\Users\Admin\AppData\Local\Temp\554f3c1bb924f0cd40397888ee156131091d7cd8d60732ee517ee0ca9ab6cb16.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-142 = "Canada Central Standard Time" C:\Users\Admin\AppData\Local\Temp\554f3c1bb924f0cd40397888ee156131091d7cd8d60732ee517ee0ca9ab6cb16.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-512 = "Central Asia Standard Time" C:\Users\Admin\AppData\Local\Temp\554f3c1bb924f0cd40397888ee156131091d7cd8d60732ee517ee0ca9ab6cb16.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1661 = "Bahia Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1412 = "Syria Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-651 = "AUS Central Daylight Time" C:\Users\Admin\AppData\Local\Temp\554f3c1bb924f0cd40397888ee156131091d7cd8d60732ee517ee0ca9ab6cb16.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-511 = "Central Asia Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-772 = "Montevideo Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-71 = "Newfoundland Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2632 = "Norfolk Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-491 = "India Daylight Time" C:\Users\Admin\AppData\Local\Temp\554f3c1bb924f0cd40397888ee156131091d7cd8d60732ee517ee0ca9ab6cb16.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2391 = "Aleutian Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-42 = "E. South America Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2592 = "Tocantins Standard Time" C:\Users\Admin\AppData\Local\Temp\554f3c1bb924f0cd40397888ee156131091d7cd8d60732ee517ee0ca9ab6cb16.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-291 = "Central European Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1832 = "Russia TZ 2 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-592 = "Malay Peninsula Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-141 = "Canada Central Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-842 = "Argentina Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-732 = "Fiji Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-341 = "Egypt Daylight Time" C:\Users\Admin\AppData\Local\Temp\554f3c1bb924f0cd40397888ee156131091d7cd8d60732ee517ee0ca9ab6cb16.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1471 = "Magadan Daylight Time" C:\Users\Admin\AppData\Local\Temp\554f3c1bb924f0cd40397888ee156131091d7cd8d60732ee517ee0ca9ab6cb16.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-214 = "Pacific Daylight Time (Mexico)" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1891 = "Russia TZ 3 Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-932 = "Coordinated Universal Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\554f3c1bb924f0cd40397888ee156131091d7cd8d60732ee517ee0ca9ab6cb16.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\554f3c1bb924f0cd40397888ee156131091d7cd8d60732ee517ee0ca9ab6cb16.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\554f3c1bb924f0cd40397888ee156131091d7cd8d60732ee517ee0ca9ab6cb16.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\554f3c1bb924f0cd40397888ee156131091d7cd8d60732ee517ee0ca9ab6cb16.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\554f3c1bb924f0cd40397888ee156131091d7cd8d60732ee517ee0ca9ab6cb16.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\554f3c1bb924f0cd40397888ee156131091d7cd8d60732ee517ee0ca9ab6cb16.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\554f3c1bb924f0cd40397888ee156131091d7cd8d60732ee517ee0ca9ab6cb16.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\554f3c1bb924f0cd40397888ee156131091d7cd8d60732ee517ee0ca9ab6cb16.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\554f3c1bb924f0cd40397888ee156131091d7cd8d60732ee517ee0ca9ab6cb16.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\554f3c1bb924f0cd40397888ee156131091d7cd8d60732ee517ee0ca9ab6cb16.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\554f3c1bb924f0cd40397888ee156131091d7cd8d60732ee517ee0ca9ab6cb16.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\554f3c1bb924f0cd40397888ee156131091d7cd8d60732ee517ee0ca9ab6cb16.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\554f3c1bb924f0cd40397888ee156131091d7cd8d60732ee517ee0ca9ab6cb16.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\554f3c1bb924f0cd40397888ee156131091d7cd8d60732ee517ee0ca9ab6cb16.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4656 wrote to memory of 1184 N/A C:\Users\Admin\AppData\Local\Temp\554f3c1bb924f0cd40397888ee156131091d7cd8d60732ee517ee0ca9ab6cb16.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4656 wrote to memory of 1184 N/A C:\Users\Admin\AppData\Local\Temp\554f3c1bb924f0cd40397888ee156131091d7cd8d60732ee517ee0ca9ab6cb16.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4656 wrote to memory of 1184 N/A C:\Users\Admin\AppData\Local\Temp\554f3c1bb924f0cd40397888ee156131091d7cd8d60732ee517ee0ca9ab6cb16.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3108 wrote to memory of 3404 N/A C:\Users\Admin\AppData\Local\Temp\554f3c1bb924f0cd40397888ee156131091d7cd8d60732ee517ee0ca9ab6cb16.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3108 wrote to memory of 3404 N/A C:\Users\Admin\AppData\Local\Temp\554f3c1bb924f0cd40397888ee156131091d7cd8d60732ee517ee0ca9ab6cb16.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3108 wrote to memory of 3404 N/A C:\Users\Admin\AppData\Local\Temp\554f3c1bb924f0cd40397888ee156131091d7cd8d60732ee517ee0ca9ab6cb16.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3108 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\554f3c1bb924f0cd40397888ee156131091d7cd8d60732ee517ee0ca9ab6cb16.exe C:\Windows\system32\cmd.exe
PID 3108 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\554f3c1bb924f0cd40397888ee156131091d7cd8d60732ee517ee0ca9ab6cb16.exe C:\Windows\system32\cmd.exe
PID 2524 wrote to memory of 2776 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2524 wrote to memory of 2776 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3108 wrote to memory of 4404 N/A C:\Users\Admin\AppData\Local\Temp\554f3c1bb924f0cd40397888ee156131091d7cd8d60732ee517ee0ca9ab6cb16.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3108 wrote to memory of 4404 N/A C:\Users\Admin\AppData\Local\Temp\554f3c1bb924f0cd40397888ee156131091d7cd8d60732ee517ee0ca9ab6cb16.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3108 wrote to memory of 4404 N/A C:\Users\Admin\AppData\Local\Temp\554f3c1bb924f0cd40397888ee156131091d7cd8d60732ee517ee0ca9ab6cb16.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3108 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\Temp\554f3c1bb924f0cd40397888ee156131091d7cd8d60732ee517ee0ca9ab6cb16.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3108 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\Temp\554f3c1bb924f0cd40397888ee156131091d7cd8d60732ee517ee0ca9ab6cb16.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3108 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\Temp\554f3c1bb924f0cd40397888ee156131091d7cd8d60732ee517ee0ca9ab6cb16.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3108 wrote to memory of 5016 N/A C:\Users\Admin\AppData\Local\Temp\554f3c1bb924f0cd40397888ee156131091d7cd8d60732ee517ee0ca9ab6cb16.exe C:\Windows\rss\csrss.exe
PID 3108 wrote to memory of 5016 N/A C:\Users\Admin\AppData\Local\Temp\554f3c1bb924f0cd40397888ee156131091d7cd8d60732ee517ee0ca9ab6cb16.exe C:\Windows\rss\csrss.exe
PID 3108 wrote to memory of 5016 N/A C:\Users\Admin\AppData\Local\Temp\554f3c1bb924f0cd40397888ee156131091d7cd8d60732ee517ee0ca9ab6cb16.exe C:\Windows\rss\csrss.exe
PID 5016 wrote to memory of 2732 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5016 wrote to memory of 2732 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5016 wrote to memory of 2732 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5016 wrote to memory of 2412 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5016 wrote to memory of 2412 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5016 wrote to memory of 2412 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5016 wrote to memory of 1184 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5016 wrote to memory of 1184 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5016 wrote to memory of 1184 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5016 wrote to memory of 3784 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 5016 wrote to memory of 3784 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 5012 wrote to memory of 556 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 5012 wrote to memory of 556 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 5012 wrote to memory of 556 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 556 wrote to memory of 3232 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 556 wrote to memory of 3232 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 556 wrote to memory of 3232 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\554f3c1bb924f0cd40397888ee156131091d7cd8d60732ee517ee0ca9ab6cb16.exe

"C:\Users\Admin\AppData\Local\Temp\554f3c1bb924f0cd40397888ee156131091d7cd8d60732ee517ee0ca9ab6cb16.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\554f3c1bb924f0cd40397888ee156131091d7cd8d60732ee517ee0ca9ab6cb16.exe

"C:\Users\Admin\AppData\Local\Temp\554f3c1bb924f0cd40397888ee156131091d7cd8d60732ee517ee0ca9ab6cb16.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe
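The process tree above holds the four behaviours a responder has to undo: a firewall allow rule for C:\Windows\rss\csrss.exe (a byte-identical copy of the sample, same SHA256 in the Files list below), an ONLOGON scheduled task named csrss run at highest privileges, injector.exe loading NtQuerySystemInformationHook.dll into taskmgr.exe, and a `sc sdset` that rewrites the security descriptor of the WinDefender service. The report does not decode that SDDL string, so the following Python is an added example, not part of the sandbox output: it parses the service SDDL, runs an ordered access check per right, and applies a few triage rules to the command lines copied from the tree. Assumptions of mine: the access check only matches ACEs by trustee abbreviation (no group expansion or owner rights), the rule names and the list of masqueraded process names are my own, and the PowerShell line is included only as a control that should earn no tag.

```python
import re

# Right codes valid in a service object's SDDL and their access-mask bits
# (SERVICE_* from winsvc.h, standard rights from winnt.h).
SERVICE_RIGHTS = {
    "CC": (0x00001, "SERVICE_QUERY_CONFIG"),  "DC": (0x00002, "SERVICE_CHANGE_CONFIG"),
    "LC": (0x00004, "SERVICE_QUERY_STATUS"),  "SW": (0x00008, "SERVICE_ENUMERATE_DEPENDENTS"),
    "RP": (0x00010, "SERVICE_START"),         "WP": (0x00020, "SERVICE_STOP"),
    "DT": (0x00040, "SERVICE_PAUSE_CONTINUE"), "LO": (0x00080, "SERVICE_INTERROGATE"),
    "CR": (0x00100, "SERVICE_USER_DEFINED_CONTROL"), "SD": (0x10000, "DELETE"),
    "RC": (0x20000, "READ_CONTROL"), "WD": (0x40000, "WRITE_DAC"), "WO": (0x80000, "WRITE_OWNER"),
}
ACE_TYPES = {"A": "allow", "D": "deny", "AU": "audit"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def decode_mask(rights):
    """'WPDT' -> 0x60. Hex literals such as '0x20' are accepted as well."""
    if rights.startswith("0x"):
        return int(rights, 16)
    mask = 0
    for i in range(0, len(rights), 2):
        mask |= SERVICE_RIGHTS[rights[i:i + 2]][0]  # KeyError on an unknown code
    return mask


def parse_sddl(sddl):
    """Return {'dacl': [...], 'sacl': [...]}, each a list of ACE dicts in string order."""
    acls = {"D": [], "S": []}
    # O:/G:/D:/S: markers appear only at the start or directly after a ')'.
    for section in re.split(r"(?<![^)])(?=[ODGS]:)", sddl):
        if section[:1] in acls:
            for ace in re.findall(r"\(([^)]*)\)", section[2:]):
                ace_type, flags, rights, _obj, _inh, sid = ace.split(";")
                acls[section[0]].append({"type": ACE_TYPES.get(ace_type, ace_type),
                                         "flags": flags, "mask": decode_mask(rights),
                                         "sid": sid})
    return {"dacl": acls["D"], "sacl": acls["S"]}


def access_allowed(dacl, trustee, right):
    """Ordered check of one right for one trustee abbreviation (no group expansion):
    the first ACE naming that trustee and covering the bit decides, as the kernel's
    AccessCheck does; a bit no ACE grants is denied."""
    bit = SERVICE_RIGHTS[right][0]
    for ace in dacl:
        if ace["sid"] == trustee and ace["mask"] & bit:
            return ace["type"] == "allow"
    return False


def triage(cmdline):
    """Tags a command line earns from this report's behaviours; [] if nothing matched."""
    tags, low = [], cmdline.lower()
    # A binary named like a core system process but located outside System32/SysWOW64.
    m = re.search(r'([a-z]:\\[^"\s]*\\)(csrss|smss|lsass|winlogon|services|svchost)\.exe', low)
    if m and not m.group(1).startswith(SYSTEM_DIRS):
        tags.append("masquerading_system_binary_outside_system32")
    if "netsh" in low and "advfirewall" in low and "add rule" in low and "action=allow" in low:
        tags.append("firewall_allow_rule_added")
    if "schtasks" in low and "/create" in low and "/sc onlogon" in low and "/rl highest" in low:
        tags.append("logon_task_highest_privileges")
    m = re.search(r"\bsc(?:\.exe)?\s+sdset\s+(\S+)\s+(\S+)", cmdline, re.I)
    if m and not access_allowed(parse_sddl(m.group(2))["dacl"], "BA", "WP"):
        tags.append(f"service_{m.group(1)}_unstoppable_by_administrators")
    if re.search(r"\\injector\.exe\s+\S+\.exe\s+\S+hook\.dll", low):
        tags.append("dll_injection_with_api_hook")
    return tags


# Command lines copied from the process tree of this detonation, plus one benign
# PowerShell invocation from the same tree that should earn no tag.
CAPTURED = [
    'C:\\Windows\\Sysnative\\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" '
    'dir=in action=allow program="C:\\Windows\\rss\\csrss.exe" enable=yes"',
    'schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\\Windows\\rss\\csrss.exe" /TN csrss /F',
    "C:\\Windows\\rss\\csrss.exe",
    "C:\\Users\\Admin\\AppData\\Local\\Temp\\csrss\\injector\\injector.exe taskmgr.exe "
    "C:\\Users\\Admin\\AppData\\Local\\Temp\\csrss\\injector\\NtQuerySystemInformationHook.dll",
    "sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)"
    "(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
    "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)",
    "powershell -nologo -noprofile",
]


def admin_rights_on_windefender():
    """Per-right verdict for BUILTIN\\Administrators on the captured WinDefender descriptor."""
    dacl = parse_sddl(CAPTURED[4].split(" ", 3)[3])["dacl"]
    return {name: access_allowed(dacl, "BA", code) for code, (_, name) in SERVICE_RIGHTS.items()}


if __name__ == "__main__":
    for line in CAPTURED:
        print(triage(line) or ["-"], line[:60])
    for name, ok in admin_rights_on_windefender().items():
        print(f"{name:32} {'allow' if ok else 'DENY'}")
```

What the decode shows: the SYSTEM, Interactive and Service-logon ACEs and the failure-audit SACL entry are the stock service descriptor, but the BUILTIN\Administrators allow ACE has had WP (SERVICE_STOP) and DT (SERVICE_PAUSE_CONTINUE) removed and an explicit deny ACE for exactly those two bits added after it, so `sc stop WinDefender` or `net stop` from an elevated prompt is refused. Administrators keep SERVICE_CHANGE_CONFIG, DELETE and WRITE_DAC, so an elevated `sc sdset WinDefender` with the stock descriptor restores control and the service can then be stopped and removed. The deny-after-allow ordering is non-canonical; the checker walks ACEs in string order, as the kernel does, rather than assuming canonical form.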

Network

Country Destination Domain Proto
US 8.8.8.8:53 1fbf80a6-62ff-4d0a-9d72-3ff53a51dd42.uuid.myfastupdate.org udp
US 8.8.8.8:53 stun.ipfire.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
DE 81.3.27.44:3478 stun.ipfire.org udp
US 162.159.129.233:443 cdn.discordapp.com tcp
BG 185.82.216.111:443 server9.myfastupdate.org tcp
US 104.21.94.82:443 carsalessystem.com tcp
BG 185.82.216.111:443 server9.myfastupdate.org tcp
NL 52.111.243.29:443 tcp
BG 185.82.216.111:443 server9.myfastupdate.org tcp

Files

memory/4656-1-0x0000000004F60000-0x000000000535A000-memory.dmp

memory/4656-2-0x0000000005360000-0x0000000005C4B000-memory.dmp

memory/4656-3-0x0000000000400000-0x0000000003118000-memory.dmp

memory/1184-4-0x0000000002570000-0x00000000025A6000-memory.dmp

memory/1184-5-0x0000000074A80000-0x0000000075231000-memory.dmp

memory/1184-6-0x0000000004B40000-0x0000000004B50000-memory.dmp

memory/1184-7-0x0000000004B40000-0x0000000004B50000-memory.dmp

memory/1184-8-0x0000000005180000-0x00000000057AA000-memory.dmp

memory/1184-9-0x0000000004F80000-0x0000000004FA2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2ck3to1d.200.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1184-15-0x0000000005040000-0x00000000050A6000-memory.dmp

memory/1184-16-0x00000000050B0000-0x0000000005116000-memory.dmp

memory/1184-20-0x0000000005830000-0x0000000005B87000-memory.dmp

memory/1184-21-0x0000000005D30000-0x0000000005D4E000-memory.dmp

memory/1184-22-0x0000000005DF0000-0x0000000005E3C000-memory.dmp

memory/1184-23-0x0000000006310000-0x0000000006356000-memory.dmp

memory/1184-25-0x000000007F830000-0x000000007F840000-memory.dmp

memory/1184-24-0x0000000007170000-0x00000000071A4000-memory.dmp

memory/1184-26-0x0000000070CF0000-0x0000000070D3C000-memory.dmp

memory/1184-27-0x0000000070E70000-0x00000000711C7000-memory.dmp

memory/1184-36-0x00000000071B0000-0x00000000071CE000-memory.dmp

memory/1184-37-0x00000000071D0000-0x0000000007274000-memory.dmp

memory/1184-38-0x0000000004B40000-0x0000000004B50000-memory.dmp

memory/1184-39-0x0000000007930000-0x0000000007FAA000-memory.dmp

memory/1184-40-0x00000000072F0000-0x000000000730A000-memory.dmp

memory/1184-41-0x0000000007330000-0x000000000733A000-memory.dmp

memory/1184-42-0x0000000007440000-0x00000000074D6000-memory.dmp

memory/1184-43-0x0000000007350000-0x0000000007361000-memory.dmp

memory/1184-44-0x00000000073A0000-0x00000000073AE000-memory.dmp

memory/1184-45-0x00000000073B0000-0x00000000073C5000-memory.dmp

memory/1184-46-0x0000000007400000-0x000000000741A000-memory.dmp

memory/1184-47-0x0000000007420000-0x0000000007428000-memory.dmp

memory/1184-50-0x0000000074A80000-0x0000000075231000-memory.dmp

memory/4656-52-0x0000000004F60000-0x000000000535A000-memory.dmp

memory/3108-53-0x0000000004E20000-0x0000000005220000-memory.dmp

memory/3108-54-0x0000000005220000-0x0000000005B0B000-memory.dmp

memory/3108-55-0x0000000000400000-0x0000000003118000-memory.dmp

memory/3404-56-0x0000000074A80000-0x0000000075231000-memory.dmp

memory/3404-57-0x00000000047E0000-0x00000000047F0000-memory.dmp

memory/3404-58-0x00000000047E0000-0x00000000047F0000-memory.dmp

memory/3404-67-0x0000000070CF0000-0x0000000070D3C000-memory.dmp

memory/3404-68-0x0000000070E70000-0x00000000711C7000-memory.dmp

memory/3404-77-0x0000000006C60000-0x0000000006D04000-memory.dmp

memory/4656-78-0x0000000000400000-0x0000000003118000-memory.dmp

memory/3404-79-0x000000007F4C0000-0x000000007F4D0000-memory.dmp

memory/3404-81-0x00000000047E0000-0x00000000047F0000-memory.dmp

memory/3404-80-0x00000000047E0000-0x00000000047F0000-memory.dmp

memory/3404-82-0x0000000006FA0000-0x0000000006FB1000-memory.dmp

memory/3404-83-0x0000000006FF0000-0x0000000007005000-memory.dmp

memory/3404-86-0x0000000074A80000-0x0000000075231000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 ac4917a885cf6050b1a483e4bc4d2ea5
SHA1 b1c0a9f27bd21c6bbb8e9be70db8777b4a2a640f
SHA256 e39062a62c3c7617feeeff95ea8a0be51104a0d36f46e44eea22556fda74d8d9
SHA512 092c67a3ecae1d187cad72a8ea1ea37cb78a0cf79c2cd7fb88953e5990669a2e871267015762fd46d274badb88ac0c1d73b00f1df7394d89bed48a3a45c2ba3d

memory/4404-89-0x0000000074A80000-0x0000000075231000-memory.dmp

memory/4404-90-0x0000000005110000-0x0000000005120000-memory.dmp

memory/4404-97-0x0000000005E60000-0x00000000061B7000-memory.dmp

memory/4404-96-0x0000000005110000-0x0000000005120000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 9f9da3768726b79f60e3f4ec18a6250c
SHA1 090f9924b51ea203a59b4d41f5638ffcda17c991
SHA256 3d8787fee1469a631ebd0a4ad44ee7fc6ca684a669b8f5373e0792d5d9fd6ce7
SHA512 7f068733668a9c0956978de6a1cf6998ec10bc700ea656391d27d1e6645b72311230e728358c3792f53cbc908686b5762b8689f3f9975e9c2b56a48647bbbcb4

memory/4404-102-0x000000007F590000-0x000000007F5A0000-memory.dmp

memory/4404-103-0x0000000070CF0000-0x0000000070D3C000-memory.dmp

memory/4404-104-0x0000000070F00000-0x0000000071257000-memory.dmp

memory/4404-113-0x0000000005110000-0x0000000005120000-memory.dmp

memory/4404-115-0x0000000074A80000-0x0000000075231000-memory.dmp

memory/1172-116-0x0000000074A80000-0x0000000075231000-memory.dmp

memory/1172-117-0x00000000055E0000-0x00000000055F0000-memory.dmp

memory/1172-118-0x00000000055E0000-0x00000000055F0000-memory.dmp

memory/3108-119-0x0000000004E20000-0x0000000005220000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 774bd37fd8d85aca1b6d92305adbc023
SHA1 689414c2fb61d7c84d67b8ddff78508e999e4640
SHA256 4a3bd50e2b7201cb5c2d681d85e8da92e47dde7ef29ed82f445d95a65ddeefd0
SHA512 2a826d8086b2848c1fc967020b8fa14e5317b66c5aae184a58a345dc6de9def448c9a5b92a8eeabe7cd1074dca2dcd859e70e8332210956c1377535530eb2acb

memory/1172-129-0x000000007EFE0000-0x000000007EFF0000-memory.dmp

memory/1172-130-0x0000000070CF0000-0x0000000070D3C000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 3fe4b0b8dd103c35ae252f01d81c91ea
SHA1 59181f7ecebf622327d782cc7bf9722b5fe04324
SHA256 554f3c1bb924f0cd40397888ee156131091d7cd8d60732ee517ee0ca9ab6cb16
SHA512 0678814f70b1a7b8181ce8f74e42d7779d8e846feb4d222f679d3443fb77abd1e468d85b31621c38479336b457aef3d4837ac7880c26fd0549a93b389b878fb6

memory/3108-147-0x0000000000400000-0x0000000003118000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 5f2cba67257c58126a1884a25301c7af
SHA1 06d11611cb8d87cf0f8dc844a60a0b2914dfca1f
SHA256 f1dc744b36dda45466d7f456aa783961c7eaae1f69879399af24968c36d72de7
SHA512 90acb232d7e0216cdbe8afdb8b9cb8e78e05da6962bf180728b7c4db6d07ead1dcbffdb87be9f6d378e770948828c21c26501ac8d7d3c4f75a1c3337d6cf53a2

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 b0ce59de354af48a7acd075370e8595f
SHA1 df4dd579c8ab4c8f27f0f9303b9fbf62e3935de0
SHA256 fe88223be89d17539810636301555a1446007ebac5f95a044ce8631126874bd7
SHA512 dfd7cc45a03dcb1c288366b0bacb341febdf9b84071b40d3d8ba39cbf1cc5d723aa5c48513814ca6d6331d927d21bbb348b2c813d23ea8fd0040ac2db71de292

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 69a4c689648a62ed8e1477252a1fb6d6
SHA1 dc021eeada8f1bf9f06ba8fa5b04ef51c69d28c8
SHA256 7293ebec92561905e26965b55c0b6a432925706fa8d898c30c9cde1e8fb4780e
SHA512 a0632c2925781159e43e9e92e7a2d748882582683435285710b77ab61acd9e2f686483db2ab445530e452b4854194353db89a0a6b2dba6840b08f71365af0d97

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/5016-240-0x0000000000400000-0x0000000003118000-memory.dmp

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/5012-249-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/5016-250-0x0000000000400000-0x0000000003118000-memory.dmp

memory/3472-252-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/5016-253-0x0000000000400000-0x0000000003118000-memory.dmp

memory/5016-256-0x0000000000400000-0x0000000003118000-memory.dmp

memory/3472-258-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/5016-259-0x0000000000400000-0x0000000003118000-memory.dmp

memory/5016-262-0x0000000000400000-0x0000000003118000-memory.dmp

memory/5016-265-0x0000000000400000-0x0000000003118000-memory.dmp

memory/5016-268-0x0000000000400000-0x0000000003118000-memory.dmp

memory/5016-271-0x0000000000400000-0x0000000003118000-memory.dmp

memory/5016-273-0x0000000000400000-0x0000000003118000-memory.dmp

memory/5016-277-0x0000000000400000-0x0000000003118000-memory.dmp

memory/5016-280-0x0000000000400000-0x0000000003118000-memory.dmp

memory/5016-283-0x0000000000400000-0x0000000003118000-memory.dmp