Malware Analysis Report

2025-08-05 12:17

Sample ID: 240419-2nt1dshe33
Target: 8faf805ee985ec1c1f9433fee7e2a4827d64a5b19327d4e7710f31d259637f24
SHA256: 8faf805ee985ec1c1f9433fee7e2a4827d64a5b19327d4e7710f31d259637f24
Tags: glupteba discovery dropper evasion loader persistence rootkit upx
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: 8faf805ee985ec1c1f9433fee7e2a4827d64a5b19327d4e7710f31d259637f24

Threat Level: Known bad

The file 8faf805ee985ec1c1f9433fee7e2a4827d64a5b19327d4e7710f31d259637f24 was found to be: Known bad.

Malicious Activity Summary

glupteba discovery dropper evasion loader persistence rootkit upx

Glupteba payload

Glupteba

Modifies Windows Firewall

Executes dropped EXE

UPX packed file

Adds Run key to start application

Checks installed software on the system

Manipulates WinMonFS driver.

Drops file in System32 directory

Drops file in Windows directory

Launches sc.exe

Checks for VirtualBox DLLs, possible anti-VM trick

Program crash

Suspicious use of WriteProcessMemory

Modifies data under HKEY_USERS

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-04-19 22:44

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-04-19 22:44

Reported: 2024-04-19 22:46

Platform: win10v2004-20240412-en

Max time kernel: 149s

Max time network: 151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8faf805ee985ec1c1f9433fee7e2a4827d64a5b19327d4e7710f31d259637f24.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload


Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\8faf805ee985ec1c1f9433fee7e2a4827d64a5b19327d4e7710f31d259637f24.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\8faf805ee985ec1c1f9433fee7e2a4827d64a5b19327d4e7710f31d259637f24.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\8faf805ee985ec1c1f9433fee7e2a4827d64a5b19327d4e7710f31d259637f24.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\8faf805ee985ec1c1f9433fee7e2a4827d64a5b19327d4e7710f31d259637f24.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2941 = "Sao Tome Daylight Time" C:\Users\Admin\AppData\Local\Temp\8faf805ee985ec1c1f9433fee7e2a4827d64a5b19327d4e7710f31d259637f24.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-651 = "AUS Central Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2571 = "Turks and Caicos Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2042 = "Eastern Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\8faf805ee985ec1c1f9433fee7e2a4827d64a5b19327d4e7710f31d259637f24.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2772 = "Omsk Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-841 = "Argentina Daylight Time" C:\Users\Admin\AppData\Local\Temp\8faf805ee985ec1c1f9433fee7e2a4827d64a5b19327d4e7710f31d259637f24.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1502 = "Turkey Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-41 = "E. South America Daylight Time" C:\Users\Admin\AppData\Local\Temp\8faf805ee985ec1c1f9433fee7e2a4827d64a5b19327d4e7710f31d259637f24.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1841 = "Russia TZ 4 Daylight Time" C:\Users\Admin\AppData\Local\Temp\8faf805ee985ec1c1f9433fee7e2a4827d64a5b19327d4e7710f31d259637f24.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2142 = "Transbaikal Standard Time" C:\Users\Admin\AppData\Local\Temp\8faf805ee985ec1c1f9433fee7e2a4827d64a5b19327d4e7710f31d259637f24.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-402 = "Arabic Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2431 = "Cuba Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-42 = "E. South America Standard Time" C:\Users\Admin\AppData\Local\Temp\8faf805ee985ec1c1f9433fee7e2a4827d64a5b19327d4e7710f31d259637f24.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-364 = "Middle East Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2042 = "Eastern Standard Time (Mexico)" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2002 = "Cabo Verde Standard Time" C:\Users\Admin\AppData\Local\Temp\8faf805ee985ec1c1f9433fee7e2a4827d64a5b19327d4e7710f31d259637f24.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time" C:\Users\Admin\AppData\Local\Temp\8faf805ee985ec1c1f9433fee7e2a4827d64a5b19327d4e7710f31d259637f24.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-242 = "Samoa Standard Time" C:\Users\Admin\AppData\Local\Temp\8faf805ee985ec1c1f9433fee7e2a4827d64a5b19327d4e7710f31d259637f24.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2182 = "Astrakhan Standard Time" C:\Users\Admin\AppData\Local\Temp\8faf805ee985ec1c1f9433fee7e2a4827d64a5b19327d4e7710f31d259637f24.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-364 = "Middle East Daylight Time" C:\Users\Admin\AppData\Local\Temp\8faf805ee985ec1c1f9433fee7e2a4827d64a5b19327d4e7710f31d259637f24.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2611 = "Bougainville Daylight Time" C:\Users\Admin\AppData\Local\Temp\8faf805ee985ec1c1f9433fee7e2a4827d64a5b19327d4e7710f31d259637f24.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2432 = "Cuba Standard Time" C:\Users\Admin\AppData\Local\Temp\8faf805ee985ec1c1f9433fee7e2a4827d64a5b19327d4e7710f31d259637f24.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-352 = "FLE Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2342 = "Haiti Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-382 = "South Africa Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-221 = "Alaskan Daylight Time" C:\Users\Admin\AppData\Local\Temp\8faf805ee985ec1c1f9433fee7e2a4827d64a5b19327d4e7710f31d259637f24.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-541 = "Myanmar Daylight Time" C:\Users\Admin\AppData\Local\Temp\8faf805ee985ec1c1f9433fee7e2a4827d64a5b19327d4e7710f31d259637f24.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1842 = "Russia TZ 4 Standard Time" C:\Users\Admin\AppData\Local\Temp\8faf805ee985ec1c1f9433fee7e2a4827d64a5b19327d4e7710f31d259637f24.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2611 = "Bougainville Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2941 = "Sao Tome Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-282 = "Central Europe Standard Time" C:\Users\Admin\AppData\Local\Temp\8faf805ee985ec1c1f9433fee7e2a4827d64a5b19327d4e7710f31d259637f24.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2411 = "Marquesas Daylight Time" C:\Users\Admin\AppData\Local\Temp\8faf805ee985ec1c1f9433fee7e2a4827d64a5b19327d4e7710f31d259637f24.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1862 = "Russia TZ 6 Standard Time" C:\Users\Admin\AppData\Local\Temp\8faf805ee985ec1c1f9433fee7e2a4827d64a5b19327d4e7710f31d259637f24.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-562 = "SE Asia Standard Time" C:\Users\Admin\AppData\Local\Temp\8faf805ee985ec1c1f9433fee7e2a4827d64a5b19327d4e7710f31d259637f24.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-981 = "Kamchatka Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2512 = "Lord Howe Standard Time" C:\Users\Admin\AppData\Local\Temp\8faf805ee985ec1c1f9433fee7e2a4827d64a5b19327d4e7710f31d259637f24.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-291 = "Central European Daylight Time" C:\Users\Admin\AppData\Local\Temp\8faf805ee985ec1c1f9433fee7e2a4827d64a5b19327d4e7710f31d259637f24.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2371 = "Easter Island Daylight Time" C:\Users\Admin\AppData\Local\Temp\8faf805ee985ec1c1f9433fee7e2a4827d64a5b19327d4e7710f31d259637f24.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-91 = "Pacific SA Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-11 = "Azores Daylight Time" C:\Users\Admin\AppData\Local\Temp\8faf805ee985ec1c1f9433fee7e2a4827d64a5b19327d4e7710f31d259637f24.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8faf805ee985ec1c1f9433fee7e2a4827d64a5b19327d4e7710f31d259637f24.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8faf805ee985ec1c1f9433fee7e2a4827d64a5b19327d4e7710f31d259637f24.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8faf805ee985ec1c1f9433fee7e2a4827d64a5b19327d4e7710f31d259637f24.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8faf805ee985ec1c1f9433fee7e2a4827d64a5b19327d4e7710f31d259637f24.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8faf805ee985ec1c1f9433fee7e2a4827d64a5b19327d4e7710f31d259637f24.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8faf805ee985ec1c1f9433fee7e2a4827d64a5b19327d4e7710f31d259637f24.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8faf805ee985ec1c1f9433fee7e2a4827d64a5b19327d4e7710f31d259637f24.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8faf805ee985ec1c1f9433fee7e2a4827d64a5b19327d4e7710f31d259637f24.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8faf805ee985ec1c1f9433fee7e2a4827d64a5b19327d4e7710f31d259637f24.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8faf805ee985ec1c1f9433fee7e2a4827d64a5b19327d4e7710f31d259637f24.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8faf805ee985ec1c1f9433fee7e2a4827d64a5b19327d4e7710f31d259637f24.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8faf805ee985ec1c1f9433fee7e2a4827d64a5b19327d4e7710f31d259637f24.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\8faf805ee985ec1c1f9433fee7e2a4827d64a5b19327d4e7710f31d259637f24.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\8faf805ee985ec1c1f9433fee7e2a4827d64a5b19327d4e7710f31d259637f24.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4404 wrote to memory of 1304 N/A C:\Users\Admin\AppData\Local\Temp\8faf805ee985ec1c1f9433fee7e2a4827d64a5b19327d4e7710f31d259637f24.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4404 wrote to memory of 1304 N/A C:\Users\Admin\AppData\Local\Temp\8faf805ee985ec1c1f9433fee7e2a4827d64a5b19327d4e7710f31d259637f24.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4404 wrote to memory of 1304 N/A C:\Users\Admin\AppData\Local\Temp\8faf805ee985ec1c1f9433fee7e2a4827d64a5b19327d4e7710f31d259637f24.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1732 wrote to memory of 3396 N/A C:\Users\Admin\AppData\Local\Temp\8faf805ee985ec1c1f9433fee7e2a4827d64a5b19327d4e7710f31d259637f24.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1732 wrote to memory of 3396 N/A C:\Users\Admin\AppData\Local\Temp\8faf805ee985ec1c1f9433fee7e2a4827d64a5b19327d4e7710f31d259637f24.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1732 wrote to memory of 3396 N/A C:\Users\Admin\AppData\Local\Temp\8faf805ee985ec1c1f9433fee7e2a4827d64a5b19327d4e7710f31d259637f24.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1732 wrote to memory of 3620 N/A C:\Users\Admin\AppData\Local\Temp\8faf805ee985ec1c1f9433fee7e2a4827d64a5b19327d4e7710f31d259637f24.exe C:\Windows\system32\cmd.exe
PID 1732 wrote to memory of 3620 N/A C:\Users\Admin\AppData\Local\Temp\8faf805ee985ec1c1f9433fee7e2a4827d64a5b19327d4e7710f31d259637f24.exe C:\Windows\system32\cmd.exe
PID 3620 wrote to memory of 2392 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3620 wrote to memory of 2392 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1732 wrote to memory of 3900 N/A C:\Users\Admin\AppData\Local\Temp\8faf805ee985ec1c1f9433fee7e2a4827d64a5b19327d4e7710f31d259637f24.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1732 wrote to memory of 3900 N/A C:\Users\Admin\AppData\Local\Temp\8faf805ee985ec1c1f9433fee7e2a4827d64a5b19327d4e7710f31d259637f24.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1732 wrote to memory of 3900 N/A C:\Users\Admin\AppData\Local\Temp\8faf805ee985ec1c1f9433fee7e2a4827d64a5b19327d4e7710f31d259637f24.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1732 wrote to memory of 4460 N/A C:\Users\Admin\AppData\Local\Temp\8faf805ee985ec1c1f9433fee7e2a4827d64a5b19327d4e7710f31d259637f24.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1732 wrote to memory of 4460 N/A C:\Users\Admin\AppData\Local\Temp\8faf805ee985ec1c1f9433fee7e2a4827d64a5b19327d4e7710f31d259637f24.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1732 wrote to memory of 4460 N/A C:\Users\Admin\AppData\Local\Temp\8faf805ee985ec1c1f9433fee7e2a4827d64a5b19327d4e7710f31d259637f24.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1732 wrote to memory of 4324 N/A C:\Users\Admin\AppData\Local\Temp\8faf805ee985ec1c1f9433fee7e2a4827d64a5b19327d4e7710f31d259637f24.exe C:\Windows\rss\csrss.exe
PID 1732 wrote to memory of 4324 N/A C:\Users\Admin\AppData\Local\Temp\8faf805ee985ec1c1f9433fee7e2a4827d64a5b19327d4e7710f31d259637f24.exe C:\Windows\rss\csrss.exe
PID 1732 wrote to memory of 4324 N/A C:\Users\Admin\AppData\Local\Temp\8faf805ee985ec1c1f9433fee7e2a4827d64a5b19327d4e7710f31d259637f24.exe C:\Windows\rss\csrss.exe
PID 4324 wrote to memory of 4432 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4324 wrote to memory of 4432 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4324 wrote to memory of 4432 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4324 wrote to memory of 3964 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4324 wrote to memory of 3964 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4324 wrote to memory of 3964 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4324 wrote to memory of 2104 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4324 wrote to memory of 2104 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4324 wrote to memory of 2104 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4324 wrote to memory of 984 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 4324 wrote to memory of 984 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 2156 wrote to memory of 2776 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 2156 wrote to memory of 2776 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 2156 wrote to memory of 2776 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 2776 wrote to memory of 5048 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 2776 wrote to memory of 5048 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 2776 wrote to memory of 5048 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\8faf805ee985ec1c1f9433fee7e2a4827d64a5b19327d4e7710f31d259637f24.exe

"C:\Users\Admin\AppData\Local\Temp\8faf805ee985ec1c1f9433fee7e2a4827d64a5b19327d4e7710f31d259637f24.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1304 -ip 1304

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1304 -s 2392

C:\Users\Admin\AppData\Local\Temp\8faf805ee985ec1c1f9433fee7e2a4827d64a5b19327d4e7710f31d259637f24.exe

"C:\Users\Admin\AppData\Local\Temp\8faf805ee985ec1c1f9433fee7e2a4827d64a5b19327d4e7710f31d259637f24.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4404 -ip 4404

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4404 -s 1012

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1732 -ip 1732

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1732 -s 844

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 a3bba3b3-18f5-43a7-ac89-6bf1effe0d49.uuid.allstatsin.ru udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
US 8.8.8.8:53 stun.stunprotocol.org udp
US 8.8.8.8:53 server2.allstatsin.ru udp
US 8.8.8.8:53 cdn.discordapp.com udp
BG 185.82.216.104:443 server2.allstatsin.ru tcp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 carsalessystem.com udp
US 104.21.94.82:443 carsalessystem.com tcp
US 8.8.8.8:53 233.135.159.162.in-addr.arpa udp
US 8.8.8.8:53 104.216.82.185.in-addr.arpa udp
US 8.8.8.8:53 82.94.21.104.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
N/A 127.0.0.1:3478 udp
US 8.8.8.8:53 stun3.l.google.com udp
IT 142.251.27.127:19302 stun3.l.google.com udp
US 8.8.8.8:53 127.27.251.142.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 48.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
BG 185.82.216.104:443 server2.allstatsin.ru tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
BG 185.82.216.104:443 server2.allstatsin.ru tcp
N/A 127.0.0.1:31465 tcp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_a3snvprg.y2x.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 3d086a433708053f9bf9523e1d87a4e8
SHA1 b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA256 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 e6cfedca03e8d2dacb5b848902985830
SHA1 fa1d05fa6571224d6d5b99dba62196eb9fc9429c
SHA256 ef774e6d9eae14cb6c5f5181e4531801f4f08841b486af28ffc90cc5dbd605b3
SHA512 a56f91226d130b8926c3e3dff5f22796d3c97fdeda0f6cd10f105d3da02b191edd74fc0832ddfdc7013b00b05a2a8a740c3cf3ddcc460bc32c84033709258cfa

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 cc05f6f44f143598aaf490a9e6d67dde
SHA1 8c2d194f11922b6c9a54a0b7eddad8ef90edaee5
SHA256 619b05843ae3fd3eb757d59e8f6487b0aa44161dfff432c59c6db8b0df6a46d7
SHA512 9a0b10049679e9bcf75c3ccb781db86ef4c215e084e425a507c14e42cd492218b18680587ab0688ceba3378942eb335315d0bddd6752747969fb3f57b7245833

C:\Windows\rss\csrss.exe

MD5 b413116e9122e54828de168502cf3316
SHA1 75b3d573fa4ffaed32d1aeaa548b9db874ccf277
SHA256 8faf805ee985ec1c1f9433fee7e2a4827d64a5b19327d4e7710f31d259637f24
SHA512 f6bc90690e144c0c2bc951d64bbc16c653d50cd7c3f939849c992aa176ed27e6b6f651388a7cebedf5bdb0ff150023b2ba5f89768ecacf7dfe76448538e15004

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 7af9a748790861aa93f9b07332432b47
SHA1 9b87908f8b5bb00ad55014771789873e118d5cab
SHA256 e177663443f8db6eb3fed68c547f971e2c057f9eb2717a1aab76944d61ba7d56
SHA512 0330d0cf92ee7caf28ce0a774a711f95ebe5fb42e39307c03e202d072d37cea48bc508e3b44045fda02e6d0d159d901db0aff83668f61c0aaa48c0844a58c5b0

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 e48b2cad2d22bc8e85a6f31cf80a607f
SHA1 c7234a653435b198887c2d2913f9c98a5fd6e6bb
SHA256 a2bcb996aba79d1584db5163e543b94e1caf60cbb85fd12dc1d3f73e7ff91223
SHA512 2a97a1983420b7c0f1219119ca102ff5f5c9bda78a6f8a78cd3fe0c9686157f276d585ab81786aa07b4e5090df02b01449fcac7297d9e587edaa722f1d2efef7

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 69ae55d360bc13baae2dc342c439ed47
SHA1 f55288c3c7b5f20100a721c5758d290a599ab90f
SHA256 76b2ea51d11a84688503985b5f4f187d4191f51cc956e07efb966a9be6e66352
SHA512 8fa3ab54a51a1775e79094ae596a295e9a06db2ad7df5391b4be3bb0fb21a345419ec6c7dc0f751a52b22fa19fa0ab288aa15e0c2a0b0dd95ada43cf74165703

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-19 22:44

Reported

2024-04-19 22:46

Platform

win11-20240412-en

Max time kernel

149s

Max time network

136s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8faf805ee985ec1c1f9433fee7e2a4827d64a5b19327d4e7710f31d259637f24.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Description Indicator Process Target

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2718508534-2116753757-2794822388-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\8faf805ee985ec1c1f9433fee7e2a4827d64a5b19327d4e7710f31d259637f24.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2718508534-2116753757-2794822388-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\8faf805ee985ec1c1f9433fee7e2a4827d64a5b19327d4e7710f31d259637f24.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\8faf805ee985ec1c1f9433fee7e2a4827d64a5b19327d4e7710f31d259637f24.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\8faf805ee985ec1c1f9433fee7e2a4827d64a5b19327d4e7710f31d259637f24.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-511 = "Central Asia Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-681 = "E. Australia Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-501 = "Nepal Daylight Time" C:\Users\Admin\AppData\Local\Temp\8faf805ee985ec1c1f9433fee7e2a4827d64a5b19327d4e7710f31d259637f24.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-651 = "AUS Central Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1472 = "Magadan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-331 = "E. Europe Daylight Time" C:\Users\Admin\AppData\Local\Temp\8faf805ee985ec1c1f9433fee7e2a4827d64a5b19327d4e7710f31d259637f24.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-462 = "Afghanistan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-182 = "Mountain Standard Time (Mexico)" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-231 = "Hawaiian Daylight Time" C:\Users\Admin\AppData\Local\Temp\8faf805ee985ec1c1f9433fee7e2a4827d64a5b19327d4e7710f31d259637f24.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1931 = "Russia TZ 11 Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-662 = "Cen. Australia Standard Time" C:\Users\Admin\AppData\Local\Temp\8faf805ee985ec1c1f9433fee7e2a4827d64a5b19327d4e7710f31d259637f24.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2592 = "Tocantins Standard Time" C:\Users\Admin\AppData\Local\Temp\8faf805ee985ec1c1f9433fee7e2a4827d64a5b19327d4e7710f31d259637f24.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-232 = "Hawaiian Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-532 = "Sri Lanka Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-442 = "Arabian Standard Time" C:\Users\Admin\AppData\Local\Temp\8faf805ee985ec1c1f9433fee7e2a4827d64a5b19327d4e7710f31d259637f24.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-384 = "Namibia Daylight Time" C:\Users\Admin\AppData\Local\Temp\8faf805ee985ec1c1f9433fee7e2a4827d64a5b19327d4e7710f31d259637f24.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-871 = "Pakistan Daylight Time" C:\Users\Admin\AppData\Local\Temp\8faf805ee985ec1c1f9433fee7e2a4827d64a5b19327d4e7710f31d259637f24.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-121 = "SA Pacific Daylight Time" C:\Users\Admin\AppData\Local\Temp\8faf805ee985ec1c1f9433fee7e2a4827d64a5b19327d4e7710f31d259637f24.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1832 = "Russia TZ 2 Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-661 = "Cen. Australia Daylight Time" C:\Users\Admin\AppData\Local\Temp\8faf805ee985ec1c1f9433fee7e2a4827d64a5b19327d4e7710f31d259637f24.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2372 = "Easter Island Standard Time" C:\Users\Admin\AppData\Local\Temp\8faf805ee985ec1c1f9433fee7e2a4827d64a5b19327d4e7710f31d259637f24.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1801 = "Line Islands Daylight Time" C:\Users\Admin\AppData\Local\Temp\8faf805ee985ec1c1f9433fee7e2a4827d64a5b19327d4e7710f31d259637f24.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-771 = "Montevideo Daylight Time" C:\Users\Admin\AppData\Local\Temp\8faf805ee985ec1c1f9433fee7e2a4827d64a5b19327d4e7710f31d259637f24.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2772 = "Omsk Standard Time" C:\Users\Admin\AppData\Local\Temp\8faf805ee985ec1c1f9433fee7e2a4827d64a5b19327d4e7710f31d259637f24.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1502 = "Turkey Standard Time" C:\Users\Admin\AppData\Local\Temp\8faf805ee985ec1c1f9433fee7e2a4827d64a5b19327d4e7710f31d259637f24.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-152 = "Central America Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-912 = "Mauritius Standard Time" C:\Users\Admin\AppData\Local\Temp\8faf805ee985ec1c1f9433fee7e2a4827d64a5b19327d4e7710f31d259637f24.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1861 = "Russia TZ 6 Daylight Time" C:\Users\Admin\AppData\Local\Temp\8faf805ee985ec1c1f9433fee7e2a4827d64a5b19327d4e7710f31d259637f24.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-3052 = "Qyzylorda Standard Time" C:\Users\Admin\AppData\Local\Temp\8faf805ee985ec1c1f9433fee7e2a4827d64a5b19327d4e7710f31d259637f24.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-451 = "Caucasus Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-722 = "Central Pacific Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2392 = "Aleutian Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-82 = "Atlantic Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1971 = "Belarus Daylight Time" C:\Users\Admin\AppData\Local\Temp\8faf805ee985ec1c1f9433fee7e2a4827d64a5b19327d4e7710f31d259637f24.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-181 = "Mountain Daylight Time (Mexico)" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-411 = "E. Africa Daylight Time" C:\Users\Admin\AppData\Local\Temp\8faf805ee985ec1c1f9433fee7e2a4827d64a5b19327d4e7710f31d259637f24.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-341 = "Egypt Daylight Time" C:\Users\Admin\AppData\Local\Temp\8faf805ee985ec1c1f9433fee7e2a4827d64a5b19327d4e7710f31d259637f24.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-41 = "E. South America Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-131 = "US Eastern Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2342 = "Haiti Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-334 = "Jordan Daylight Time" C:\Windows\windefender.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8faf805ee985ec1c1f9433fee7e2a4827d64a5b19327d4e7710f31d259637f24.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8faf805ee985ec1c1f9433fee7e2a4827d64a5b19327d4e7710f31d259637f24.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8faf805ee985ec1c1f9433fee7e2a4827d64a5b19327d4e7710f31d259637f24.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8faf805ee985ec1c1f9433fee7e2a4827d64a5b19327d4e7710f31d259637f24.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8faf805ee985ec1c1f9433fee7e2a4827d64a5b19327d4e7710f31d259637f24.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8faf805ee985ec1c1f9433fee7e2a4827d64a5b19327d4e7710f31d259637f24.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8faf805ee985ec1c1f9433fee7e2a4827d64a5b19327d4e7710f31d259637f24.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8faf805ee985ec1c1f9433fee7e2a4827d64a5b19327d4e7710f31d259637f24.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8faf805ee985ec1c1f9433fee7e2a4827d64a5b19327d4e7710f31d259637f24.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8faf805ee985ec1c1f9433fee7e2a4827d64a5b19327d4e7710f31d259637f24.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8faf805ee985ec1c1f9433fee7e2a4827d64a5b19327d4e7710f31d259637f24.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8faf805ee985ec1c1f9433fee7e2a4827d64a5b19327d4e7710f31d259637f24.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\8faf805ee985ec1c1f9433fee7e2a4827d64a5b19327d4e7710f31d259637f24.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\8faf805ee985ec1c1f9433fee7e2a4827d64a5b19327d4e7710f31d259637f24.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2856 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\8faf805ee985ec1c1f9433fee7e2a4827d64a5b19327d4e7710f31d259637f24.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2856 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\8faf805ee985ec1c1f9433fee7e2a4827d64a5b19327d4e7710f31d259637f24.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2856 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\8faf805ee985ec1c1f9433fee7e2a4827d64a5b19327d4e7710f31d259637f24.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 772 wrote to memory of 3792 N/A C:\Users\Admin\AppData\Local\Temp\8faf805ee985ec1c1f9433fee7e2a4827d64a5b19327d4e7710f31d259637f24.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 772 wrote to memory of 3792 N/A C:\Users\Admin\AppData\Local\Temp\8faf805ee985ec1c1f9433fee7e2a4827d64a5b19327d4e7710f31d259637f24.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 772 wrote to memory of 3792 N/A C:\Users\Admin\AppData\Local\Temp\8faf805ee985ec1c1f9433fee7e2a4827d64a5b19327d4e7710f31d259637f24.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 772 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\Temp\8faf805ee985ec1c1f9433fee7e2a4827d64a5b19327d4e7710f31d259637f24.exe C:\Windows\system32\cmd.exe
PID 772 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\Temp\8faf805ee985ec1c1f9433fee7e2a4827d64a5b19327d4e7710f31d259637f24.exe C:\Windows\system32\cmd.exe
PID 2340 wrote to memory of 4884 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2340 wrote to memory of 4884 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 772 wrote to memory of 3948 N/A C:\Users\Admin\AppData\Local\Temp\8faf805ee985ec1c1f9433fee7e2a4827d64a5b19327d4e7710f31d259637f24.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 772 wrote to memory of 3948 N/A C:\Users\Admin\AppData\Local\Temp\8faf805ee985ec1c1f9433fee7e2a4827d64a5b19327d4e7710f31d259637f24.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 772 wrote to memory of 3948 N/A C:\Users\Admin\AppData\Local\Temp\8faf805ee985ec1c1f9433fee7e2a4827d64a5b19327d4e7710f31d259637f24.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 772 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Local\Temp\8faf805ee985ec1c1f9433fee7e2a4827d64a5b19327d4e7710f31d259637f24.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 772 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Local\Temp\8faf805ee985ec1c1f9433fee7e2a4827d64a5b19327d4e7710f31d259637f24.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 772 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Local\Temp\8faf805ee985ec1c1f9433fee7e2a4827d64a5b19327d4e7710f31d259637f24.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 772 wrote to memory of 3224 N/A C:\Users\Admin\AppData\Local\Temp\8faf805ee985ec1c1f9433fee7e2a4827d64a5b19327d4e7710f31d259637f24.exe C:\Windows\rss\csrss.exe
PID 772 wrote to memory of 3224 N/A C:\Users\Admin\AppData\Local\Temp\8faf805ee985ec1c1f9433fee7e2a4827d64a5b19327d4e7710f31d259637f24.exe C:\Windows\rss\csrss.exe
PID 772 wrote to memory of 3224 N/A C:\Users\Admin\AppData\Local\Temp\8faf805ee985ec1c1f9433fee7e2a4827d64a5b19327d4e7710f31d259637f24.exe C:\Windows\rss\csrss.exe
PID 3224 wrote to memory of 4924 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3224 wrote to memory of 4924 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3224 wrote to memory of 4924 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3224 wrote to memory of 2580 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3224 wrote to memory of 2580 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3224 wrote to memory of 2580 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3224 wrote to memory of 2424 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3224 wrote to memory of 2424 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3224 wrote to memory of 2424 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3224 wrote to memory of 4708 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 3224 wrote to memory of 4708 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 5116 wrote to memory of 3396 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 5116 wrote to memory of 3396 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 5116 wrote to memory of 3396 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 3396 wrote to memory of 1172 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 3396 wrote to memory of 1172 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 3396 wrote to memory of 1172 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
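The rows above record every WriteProcessMemory call the sandbox saw, so a single parent/child pair appears several times and the actual execution tree is hard to read off the table. The following is an added example, not part of the sandbox output: it parses the rows (copied here, one per distinct pair plus one duplicate), collapses them into a parent/child tree, and flags the two images that a responder would want to look at first, C:\Windows\rss\csrss.exe (a core-system process name outside System32/SysWOW64) and C:\Windows\windefender.exe (an executable sitting directly in the Windows root). The masquerading heuristics and the list of system process names are the author's assumptions for illustration, not rules from the report.

```python
import re
from collections import defaultdict

# Paths as they appear in the report.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\8faf805ee985ec1c1f9433fee7e2a4827d64a5b19327d4e7710f31d259637f24.exe"
PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"

# Rows copied from the "Suspicious use of WriteProcessMemory" table above (one row per
# distinct parent/child pair; the first row is repeated to show duplicates collapse).
WPM_ROWS = "\n".join([
    f"PID 2856 wrote to memory of 2168 N/A {SAMPLE} {PS}",
    f"PID 2856 wrote to memory of 2168 N/A {SAMPLE} {PS}",
    f"PID 772 wrote to memory of 3792 N/A {SAMPLE} {PS}",
    rf"PID 772 wrote to memory of 2340 N/A {SAMPLE} C:\Windows\system32\cmd.exe",
    r"PID 2340 wrote to memory of 4884 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe",
    f"PID 772 wrote to memory of 3948 N/A {SAMPLE} {PS}",
    f"PID 772 wrote to memory of 1772 N/A {SAMPLE} {PS}",
    rf"PID 772 wrote to memory of 3224 N/A {SAMPLE} C:\Windows\rss\csrss.exe",
    rf"PID 3224 wrote to memory of 4924 N/A C:\Windows\rss\csrss.exe {PS}",
    rf"PID 3224 wrote to memory of 2580 N/A C:\Windows\rss\csrss.exe {PS}",
    rf"PID 3224 wrote to memory of 2424 N/A C:\Windows\rss\csrss.exe {PS}",
    rf"PID 3224 wrote to memory of 4708 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe",
    r"PID 5116 wrote to memory of 3396 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe",
    r"PID 3396 wrote to memory of 1172 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe",
])

ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")

# Heuristics (author's assumption): names that only legitimately run from the system
# directories, and the system directories themselves.
SYSTEM_PROCESS_NAMES = {"csrss.exe", "smss.exe", "wininit.exe", "winlogon.exe",
                        "lsass.exe", "services.exe", "svchost.exe"}
SYSTEM_DIRS = (r"c:\windows\system32\\"[:-1], r"c:\windows\syswow64\\"[:-1])


def parse_rows(text):
    """Return (parent_pid, child_pid, parent_image, child_image) per matching row."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append((int(m[1]), int(m[2]), m[3], m[4]))
    return rows


def build_tree(rows):
    """Collapse repeated rows into pid->image, child->parent and parent->children maps."""
    images, parents, children = {}, {}, defaultdict(set)
    for ppid, pid, pimage, cimage in rows:
        images[ppid], images[pid] = pimage, cimage
        parents[pid] = ppid
        children[ppid].add(pid)
    return images, parents, children


def roots(images, parents):
    """Processes that never appear as a child: the start of each chain."""
    return {pid for pid in images if pid not in parents}


def lineage(pid, images, parents):
    """Image path of pid followed by each ancestor up to the root."""
    chain = []
    while pid is not None:
        chain.append(images[pid])
        pid = parents.get(pid)
    return chain


def render_tree(images, parents, children):
    lines = []

    def walk(pid, depth):
        lines.append("  " * depth + f"{pid} {images[pid]}")
        for child in sorted(children.get(pid, ())):
            walk(child, depth + 1)

    for root in sorted(roots(images, parents)):
        walk(root, 0)
    return "\n".join(lines)


def find_masquerading(images):
    """Flag system-process names outside System32/SysWOW64 and binaries in C:\\Windows itself."""
    findings = []
    for pid, image in images.items():
        folder, _, name = image.lower().rpartition("\\")
        folder += "\\"
        if name in SYSTEM_PROCESS_NAMES and not folder.startswith(SYSTEM_DIRS):
            findings.append((pid, image, "system process name outside System32/SysWOW64"))
        elif folder == "c:\\windows\\":
            findings.append((pid, image, "executable directly under C:\\Windows"))
    return findings


if __name__ == "__main__":
    images, parents, children = build_tree(parse_rows(WPM_ROWS))
    print(render_tree(images, parents, children))
    for pid, image, why in find_masquerading(images):
        print(f"[!] pid {pid}: {image}: {why}")
    print(" <- ".join(lineage(1172, images, parents)))
```

The tree makes the two stages visible: the sample (pid 772) drives PowerShell, the netsh firewall change and the copy of itself at C:\Windows\rss\csrss.exe, while windefender.exe (pid 5116) is a separate root whose only job in this trace is to run cmd.exe and sc.exe.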

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\8faf805ee985ec1c1f9433fee7e2a4827d64a5b19327d4e7710f31d259637f24.exe

"C:\Users\Admin\AppData\Local\Temp\8faf805ee985ec1c1f9433fee7e2a4827d64a5b19327d4e7710f31d259637f24.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\8faf805ee985ec1c1f9433fee7e2a4827d64a5b19327d4e7710f31d259637f24.exe

"C:\Users\Admin\AppData\Local\Temp\8faf805ee985ec1c1f9433fee7e2a4827d64a5b19327d4e7710f31d259637f24.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 772 -ip 772

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 772 -s 740

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe
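The sc sdset command in the process list replaces the security descriptor of the service named WinDefender (presumably the service registered for the dropped C:\Windows\windefender.exe; the report does not show the registration itself). Read as SDDL, the DACL grants SYSTEM the normal rights, grants BUILTIN\Administrators everything except SERVICE_STOP and SERVICE_PAUSE_CONTINUE, and then adds an explicit deny ACE for exactly those two rights, so "sc stop" or Stop-Service from an elevated prompt fails while the service still runs as SYSTEM. The following added example (not part of the sandbox output) parses that descriptor with the standard SDDL right and SID abbreviations for service objects and simulates the ordered DACL walk an access check performs. It also exposes the caveat a responder wants: the Administrators allow ACE keeps WRITE_DAC, SERVICE_CHANGE_CONFIG and DELETE, so an administrator can still rewrite the descriptor (sc sdset with a sane DACL) or delete the service and then stop it. The access-check model is simplified (no MAXIMUM_ALLOWED, no owner rights) and the token is represented by a set of SID abbreviations; both are the author's assumptions.

```python
import re

# Service-object rights as encoded in SDDL ACE strings (the codes sc sdset / sdshow use).
SERVICE_RIGHTS = {
    "CC": ("SERVICE_QUERY_CONFIG", 0x00001),
    "DC": ("SERVICE_CHANGE_CONFIG", 0x00002),
    "LC": ("SERVICE_QUERY_STATUS", 0x00004),
    "SW": ("SERVICE_ENUMERATE_DEPENDENTS", 0x00008),
    "RP": ("SERVICE_START", 0x00010),
    "WP": ("SERVICE_STOP", 0x00020),
    "DT": ("SERVICE_PAUSE_CONTINUE", 0x00040),
    "LO": ("SERVICE_INTERROGATE", 0x00080),
    "CR": ("SERVICE_USER_DEFINED_CONTROL", 0x00100),
    "SD": ("DELETE", 0x10000),
    "RC": ("READ_CONTROL", 0x20000),
    "WD": ("WRITE_DAC", 0x40000),
    "WO": ("WRITE_OWNER", 0x80000),
}

# Well-known SID abbreviations. "WD" in the SID position is Everyone; in the rights
# position it is WRITE_DAC.
WELL_KNOWN_SIDS = {
    "SY": r"NT AUTHORITY\SYSTEM", "BA": r"BUILTIN\Administrators",
    "IU": r"NT AUTHORITY\INTERACTIVE", "SU": r"NT AUTHORITY\SERVICE", "WD": "Everyone",
}
ACE_TYPES = {"A": "ALLOW", "D": "DENY", "AU": "AUDIT"}

# The descriptor exactly as passed to sc sdset in the process list above.
GLUPTEBA_SDDL = (
    "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)"
    "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
    "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
)


def decode_rights(rights):
    """Rights field -> access mask; accepts two-letter codes or the 0x... form."""
    if rights.startswith("0x"):
        return int(rights, 16)
    if len(rights) % 2:
        raise ValueError(f"odd-length rights string: {rights!r}")
    mask = 0
    for i in range(0, len(rights), 2):
        code = rights[i:i + 2]
        if code not in SERVICE_RIGHTS:
            raise ValueError(f"unknown service right {code!r}")
        mask |= SERVICE_RIGHTS[code][1]
    return mask


def right_names(mask):
    return sorted(name for name, bit in SERVICE_RIGHTS.values() if mask & bit)


def parse_sddl(sddl):
    """Split into DACL/SACL ACE lists of (type, flags, mask, sid); O:/G: kept raw."""
    parts = re.split(r"([OGDS]):", sddl)
    sections = dict(zip(parts[1::2], parts[2::2]))
    acls = {}
    for key in ("D", "S"):
        aces = []
        for ace in re.findall(r"\(([^)]*)\)", sections.get(key, "")):
            fields = ace.split(";")
            if len(fields) < 6:
                raise ValueError(f"malformed ACE: ({ace})")
            ace_type, flags, rights, _obj, _inh, sid = fields[:6]
            aces.append((ACE_TYPES.get(ace_type, ace_type), flags, decode_rights(rights), sid))
        acls[key] = aces
    return {"dacl": acls["D"], "sacl": acls["S"],
            "owner": sections.get("O"), "group": sections.get("G")}


def can_access(sddl, token_sids, wanted):
    """Ordered DACL walk: a DENY hitting any requested bit fails; ALLOWs strip the
    bits they grant; success once nothing is left. token_sids: SID codes in the token."""
    remaining = decode_rights("".join(wanted))
    for ace_type, _flags, mask, sid in parse_sddl(sddl)["dacl"]:
        if sid not in token_sids:
            continue
        if ace_type == "DENY" and mask & remaining:
            return False
        if ace_type == "ALLOW":
            remaining &= ~mask
            if not remaining:
                return True
    return remaining == 0


def explicit_denies(sddl):
    """Principal name -> set of right names it is explicitly denied."""
    out = {}
    for ace_type, _flags, mask, sid in parse_sddl(sddl)["dacl"]:
        if ace_type == "DENY":
            out.setdefault(WELL_KNOWN_SIDS.get(sid, sid), set()).update(right_names(mask))
    return out


if __name__ == "__main__":
    for ace_type, _flags, mask, sid in parse_sddl(GLUPTEBA_SDDL)["dacl"]:
        print(f"{ace_type:5} {WELL_KNOWN_SIDS.get(sid, sid):26} {' '.join(right_names(mask))}")
    admin = {"BA", "IU"}   # an elevated interactive administrator token
    print("admin can stop:", can_access(GLUPTEBA_SDDL, admin, ["WP"]))
    print("admin can rewrite DACL:", can_access(GLUPTEBA_SDDL, admin, ["WD"]))
    print("SYSTEM can stop:", can_access(GLUPTEBA_SDDL, {"SY"}, ["WP"]))
```

On a live host the same descriptor is retrieved with "sc sdshow WinDefender"; feeding that string to parse_sddl gives the same ACE list, and explicit_denies returning anything for BUILTIN\Administrators on a service is itself a strong hunting signal, since legitimate services almost never deny stop rights to administrators.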

Network

Country Destination Domain Proto
US 8.8.8.8:53 fca21d48-a04e-4c12-bbad-878bd06e4b7e.uuid.allstatsin.ru udp
US 8.8.8.8:53 stun3.l.google.com udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 server10.allstatsin.ru udp
US 162.159.129.233:443 cdn.discordapp.com tcp
IT 142.251.27.127:19302 stun3.l.google.com udp
US 8.8.8.8:53 127.27.251.142.in-addr.arpa udp
BG 185.82.216.104:443 server10.allstatsin.ru tcp
US 8.8.8.8:53 carsalessystem.com udp
US 104.21.94.82:443 carsalessystem.com tcp
US 8.8.8.8:53 104.216.82.185.in-addr.arpa udp
US 8.8.8.8:53 82.94.21.104.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
BG 185.82.216.104:443 server10.allstatsin.ru tcp

Files

memory/2856-1-0x0000000003CE0000-0x00000000040E1000-memory.dmp

memory/2856-2-0x00000000040F0000-0x00000000049DB000-memory.dmp

memory/2856-3-0x0000000000400000-0x0000000001E06000-memory.dmp

memory/2168-4-0x00000000022B0000-0x00000000022E6000-memory.dmp

memory/2168-5-0x00000000741C0000-0x0000000074971000-memory.dmp

memory/2168-6-0x0000000002310000-0x0000000002320000-memory.dmp

memory/2168-8-0x0000000004DC0000-0x00000000053EA000-memory.dmp

memory/2168-7-0x0000000002310000-0x0000000002320000-memory.dmp

memory/2168-9-0x0000000004C10000-0x0000000004C32000-memory.dmp

memory/2168-10-0x00000000053F0000-0x0000000005456000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_54yske4t.bda.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2168-11-0x0000000005460000-0x00000000054C6000-memory.dmp

memory/2168-20-0x0000000005700000-0x0000000005A57000-memory.dmp

memory/2168-21-0x0000000005AB0000-0x0000000005ACE000-memory.dmp

memory/2168-22-0x0000000005AF0000-0x0000000005B3C000-memory.dmp

memory/2168-23-0x0000000006070000-0x00000000060B6000-memory.dmp

memory/2168-24-0x000000007F6D0000-0x000000007F6E0000-memory.dmp

memory/2168-25-0x0000000006F70000-0x0000000006FA4000-memory.dmp

memory/2168-26-0x0000000070430000-0x000000007047C000-memory.dmp

memory/2168-27-0x00000000705B0000-0x0000000070907000-memory.dmp

memory/2168-36-0x0000000006FB0000-0x0000000006FCE000-memory.dmp

memory/2168-37-0x0000000006FD0000-0x0000000007074000-memory.dmp

memory/2168-38-0x0000000002310000-0x0000000002320000-memory.dmp

memory/2168-39-0x0000000007740000-0x0000000007DBA000-memory.dmp

memory/2168-40-0x0000000007100000-0x000000000711A000-memory.dmp

memory/2168-41-0x0000000007140000-0x000000000714A000-memory.dmp

memory/2168-42-0x0000000007200000-0x0000000007296000-memory.dmp

memory/2168-43-0x0000000007170000-0x0000000007181000-memory.dmp

memory/2168-44-0x00000000071B0000-0x00000000071BE000-memory.dmp

memory/2168-45-0x00000000071C0000-0x00000000071D5000-memory.dmp

memory/2168-46-0x00000000072C0000-0x00000000072DA000-memory.dmp

memory/2168-47-0x00000000072A0000-0x00000000072A8000-memory.dmp

memory/2168-50-0x00000000741C0000-0x0000000074971000-memory.dmp

memory/2856-51-0x0000000000400000-0x0000000001E06000-memory.dmp

memory/772-53-0x0000000003B10000-0x0000000003F0C000-memory.dmp

memory/2856-54-0x00000000040F0000-0x00000000049DB000-memory.dmp

memory/772-55-0x0000000000400000-0x0000000001E06000-memory.dmp

memory/3792-57-0x0000000004C80000-0x0000000004C90000-memory.dmp

memory/3792-58-0x0000000004C80000-0x0000000004C90000-memory.dmp

memory/3792-56-0x0000000074260000-0x0000000074A11000-memory.dmp

memory/3792-67-0x0000000005A50000-0x0000000005DA7000-memory.dmp

memory/3792-68-0x00000000062F0000-0x000000000633C000-memory.dmp

memory/3792-71-0x0000000070790000-0x0000000070AE7000-memory.dmp

memory/3792-70-0x0000000070540000-0x000000007058C000-memory.dmp

memory/3792-69-0x000000007FCF0000-0x000000007FD00000-memory.dmp

memory/3792-82-0x0000000004C80000-0x0000000004C90000-memory.dmp

memory/3792-81-0x0000000004C80000-0x0000000004C90000-memory.dmp

memory/3792-80-0x00000000071E0000-0x0000000007284000-memory.dmp

memory/3792-83-0x0000000007510000-0x0000000007521000-memory.dmp

memory/3792-84-0x0000000007560000-0x0000000007575000-memory.dmp

memory/3792-87-0x0000000074260000-0x0000000074A11000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 d0c46cad6c0778401e21910bd6b56b70
SHA1 7be418951ea96326aca445b8dfe449b2bfa0dca6
SHA256 9600b3fdf0565ccb49e21656aa4b24d7c18f776bfd04d9ee984b134707550f02
SHA512 057531b468f7fbbb2175a696a8aab274dec0d17d9f71df309edcff35e064f3378050066a3df47ccd03048fac461594ec75e3d4fe64f9dd79949d129f51e02949

memory/3948-91-0x0000000003290000-0x00000000032A0000-memory.dmp

memory/3948-90-0x0000000003290000-0x00000000032A0000-memory.dmp

memory/3948-89-0x0000000074260000-0x0000000074A11000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 933e1cb4f8b916bc7293241d3e79123b
SHA1 0e844fbeb427cb483ef2cd82bb1467bc099b5ac7
SHA256 6bc8883774e9728cfb29a01450fb27bbe896c5bffdd75f5f4d31f134b9ff10b8
SHA512 4f6e1519877769120026f3e06a9ab838202f0526683edd75e1b4d8f973bdb798e4d5df95bce022520a428690ec367520fa916b0fb4070cfba3cf59354cba4d37

memory/3948-102-0x0000000070540000-0x000000007058C000-memory.dmp

memory/3948-101-0x000000007F3E0000-0x000000007F3F0000-memory.dmp

memory/3948-103-0x0000000070790000-0x0000000070AE7000-memory.dmp

memory/3948-112-0x0000000003290000-0x00000000032A0000-memory.dmp

memory/3948-114-0x0000000074260000-0x0000000074A11000-memory.dmp

memory/772-116-0x0000000003B10000-0x0000000003F0C000-memory.dmp

memory/1772-115-0x0000000074260000-0x0000000074A11000-memory.dmp

memory/1772-125-0x0000000005C10000-0x0000000005F67000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 86f4c5df68fc976011d9e978ac68aefe
SHA1 128119f6ca2f0b7cb3d94528ad248c8f9f6b76a6
SHA256 1757a052f97afee726bf346d7be4f16c25858f3b4d4db994bae6a78d7495f9ca
SHA512 9f9a9ead691ca025022bf1cb67d5245802f9b5e3a00e012d04ae54af0979707b9468166ceb65ef8ec2f4c3f29ae649af7bb6929b4e32fa28b0ca3cd3277be474

memory/1772-127-0x0000000070540000-0x000000007058C000-memory.dmp

memory/1772-128-0x00000000706C0000-0x0000000070A17000-memory.dmp

memory/772-137-0x0000000000400000-0x0000000001E06000-memory.dmp

memory/1772-138-0x000000007F040000-0x000000007F050000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 b413116e9122e54828de168502cf3316
SHA1 75b3d573fa4ffaed32d1aeaa548b9db874ccf277
SHA256 8faf805ee985ec1c1f9433fee7e2a4827d64a5b19327d4e7710f31d259637f24
SHA512 f6bc90690e144c0c2bc951d64bbc16c653d50cd7c3f939849c992aa176ed27e6b6f651388a7cebedf5bdb0ff150023b2ba5f89768ecacf7dfe76448538e15004

memory/772-148-0x0000000000400000-0x0000000001E06000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 95bd15b96c5f02b1ae769b920a607083
SHA1 7f7a9e14940927d20e72ef07b7b2573585e0989d
SHA256 e280f0c6fe26564ebc5b1392e8178b9a33f0f200bc26d8f488de7a56463d2393
SHA512 c7670dc94dc03a50a8161fd5b7845ace44968e473d2b07420838a9ee348212c277054c97135b5e2074696156aa46bd1461b6026d45fa6a532945b68967fe65b5

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 238509234f06082ccb7dfd5c106dd32f
SHA1 0ea8e4bef414306f2789a9f111c1a662df544abb
SHA256 e6b11dc52273e4549d07fcce091359080adcba125ccb49125bdcb11d10b76d8d
SHA512 d8fdd311b1ee908540b8c3ad6813a179cdc89963c79eb275f061e87d070f8a6915b09bbe7065405d899e0b96a948b7d5d286c50dde0f82686a9419f72a2c87c0

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 504044f6c90c04de2b95ce25c4f484e4
SHA1 318360f98f843112bf30fc945ef643cf527a7691
SHA256 a0b2e34f20ae376f0f25be1db7473f56595f184fdb62381b244c10b56bf9d593
SHA512 4ab0bb30620cc31b1fba6a75e72f7fad033ba9a3db215f484fc65599a27e66837406f34320b302b8d2a1529975ecd6b1cf7aadfc131bd7e7a9e32b2db24fff9a

memory/3224-239-0x0000000000400000-0x0000000001E06000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/3224-245-0x0000000000400000-0x0000000001E06000-memory.dmp

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/5116-252-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3224-253-0x0000000000400000-0x0000000001E06000-memory.dmp

memory/2272-254-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3224-255-0x0000000000400000-0x0000000001E06000-memory.dmp

memory/3224-257-0x0000000000400000-0x0000000001E06000-memory.dmp

memory/2272-258-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3224-259-0x0000000000400000-0x0000000001E06000-memory.dmp

memory/3224-261-0x0000000000400000-0x0000000001E06000-memory.dmp

memory/3224-263-0x0000000000400000-0x0000000001E06000-memory.dmp

memory/2272-264-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3224-265-0x0000000000400000-0x0000000001E06000-memory.dmp

memory/3224-267-0x0000000000400000-0x0000000001E06000-memory.dmp

memory/3224-269-0x0000000000400000-0x0000000001E06000-memory.dmp

memory/3224-271-0x0000000000400000-0x0000000001E06000-memory.dmp

memory/3224-273-0x0000000000400000-0x0000000001E06000-memory.dmp