Malware Analysis Report

2025-08-05 12:18

Sample ID 240419-2pv9vaad4z
Target 2d9f8dedcd0763e47a8c0adc514992596e7dcc0bc00260a8721a1dcea9d686bf
SHA256 2d9f8dedcd0763e47a8c0adc514992596e7dcc0bc00260a8721a1dcea9d686bf
Tags
glupteba discovery dropper evasion loader persistence rootkit upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

2d9f8dedcd0763e47a8c0adc514992596e7dcc0bc00260a8721a1dcea9d686bf

Threat Level: Known bad

The file 2d9f8dedcd0763e47a8c0adc514992596e7dcc0bc00260a8721a1dcea9d686bf was found to be: Known bad.

Malicious Activity Summary

glupteba discovery dropper evasion loader persistence rootkit upx

Glupteba payload

Glupteba

Modifies Windows Firewall

Executes dropped EXE

UPX packed file

Checks installed software on the system

Adds Run key to start application

Manipulates WinMonFS driver.

Drops file in System32 directory

Launches sc.exe

Drops file in Windows directory

Checks for VirtualBox DLLs, possible anti-VM trick

Program crash

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Modifies data under HKEY_USERS

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-19 22:45

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-19 22:45

Reported

2024-04-19 22:48

Platform

win11-20240412-en

Max time kernel

150s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2d9f8dedcd0763e47a8c0adc514992596e7dcc0bc00260a8721a1dcea9d686bf.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
19 rows, all columns N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Description Indicator Process Target
4 rows, all columns N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\2d9f8dedcd0763e47a8c0adc514992596e7dcc0bc00260a8721a1dcea9d686bf.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification (x5) C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\2d9f8dedcd0763e47a8c0adc514992596e7dcc0bc00260a8721a1dcea9d686bf.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\2d9f8dedcd0763e47a8c0adc514992596e7dcc0bc00260a8721a1dcea9d686bf.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\2d9f8dedcd0763e47a8c0adc514992596e7dcc0bc00260a8721a1dcea9d686bf.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-282 = "Central Europe Standard Time" C:\Users\Admin\AppData\Local\Temp\2d9f8dedcd0763e47a8c0adc514992596e7dcc0bc00260a8721a1dcea9d686bf.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2341 = "Haiti Daylight Time" C:\Users\Admin\AppData\Local\Temp\2d9f8dedcd0763e47a8c0adc514992596e7dcc0bc00260a8721a1dcea9d686bf.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2771 = "Omsk Daylight Time" C:\Users\Admin\AppData\Local\Temp\2d9f8dedcd0763e47a8c0adc514992596e7dcc0bc00260a8721a1dcea9d686bf.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1501 = "Turkey Daylight Time" C:\Users\Admin\AppData\Local\Temp\2d9f8dedcd0763e47a8c0adc514992596e7dcc0bc00260a8721a1dcea9d686bf.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1892 = "Russia TZ 3 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2061 = "North Korea Daylight Time" C:\Users\Admin\AppData\Local\Temp\2d9f8dedcd0763e47a8c0adc514992596e7dcc0bc00260a8721a1dcea9d686bf.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-451 = "Caucasus Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-192 = "Mountain Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-501 = "Nepal Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-651 = "AUS Central Daylight Time" C:\Users\Admin\AppData\Local\Temp\2d9f8dedcd0763e47a8c0adc514992596e7dcc0bc00260a8721a1dcea9d686bf.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1821 = "Russia TZ 1 Daylight Time" C:\Users\Admin\AppData\Local\Temp\2d9f8dedcd0763e47a8c0adc514992596e7dcc0bc00260a8721a1dcea9d686bf.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2411 = "Marquesas Daylight Time" C:\Users\Admin\AppData\Local\Temp\2d9f8dedcd0763e47a8c0adc514992596e7dcc0bc00260a8721a1dcea9d686bf.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-631 = "Tokyo Daylight Time" C:\Users\Admin\AppData\Local\Temp\2d9f8dedcd0763e47a8c0adc514992596e7dcc0bc00260a8721a1dcea9d686bf.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-731 = "Fiji Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-435 = "Georgian Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-52 = "Greenland Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-871 = "Pakistan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-252 = "Dateline Standard Time" C:\Users\Admin\AppData\Local\Temp\2d9f8dedcd0763e47a8c0adc514992596e7dcc0bc00260a8721a1dcea9d686bf.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-412 = "E. Africa Standard Time" C:\Users\Admin\AppData\Local\Temp\2d9f8dedcd0763e47a8c0adc514992596e7dcc0bc00260a8721a1dcea9d686bf.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-962 = "Paraguay Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-362 = "GTB Standard Time" C:\Users\Admin\AppData\Local\Temp\2d9f8dedcd0763e47a8c0adc514992596e7dcc0bc00260a8721a1dcea9d686bf.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2341 = "Haiti Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2411 = "Marquesas Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-772 = "Montevideo Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-892 = "Morocco Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-3141 = "South Sudan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-741 = "New Zealand Daylight Time" C:\Users\Admin\AppData\Local\Temp\2d9f8dedcd0763e47a8c0adc514992596e7dcc0bc00260a8721a1dcea9d686bf.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-661 = "Cen. Australia Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-152 = "Central America Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-72 = "Newfoundland Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1042 = "Ulaanbaatar Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2492 = "Aus Central W. Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-721 = "Central Pacific Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1662 = "Bahia Standard Time" C:\Users\Admin\AppData\Local\Temp\2d9f8dedcd0763e47a8c0adc514992596e7dcc0bc00260a8721a1dcea9d686bf.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-51 = "Greenland Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1022 = "Bangladesh Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-371 = "Jerusalem Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-792 = "SA Western Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-561 = "SE Asia Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-292 = "Central European Standard Time" C:\Users\Admin\AppData\Local\Temp\2d9f8dedcd0763e47a8c0adc514992596e7dcc0bc00260a8721a1dcea9d686bf.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-352 = "FLE Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-121 = "SA Pacific Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-201 = "US Mountain Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-202 = "US Mountain Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2531 = "Chatham Islands Daylight Time" C:\Users\Admin\AppData\Local\Temp\2d9f8dedcd0763e47a8c0adc514992596e7dcc0bc00260a8721a1dcea9d686bf.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process (event count) Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe (x32) N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (x14) N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2d9f8dedcd0763e47a8c0adc514992596e7dcc0bc00260a8721a1dcea9d686bf.exe (x12) N/A
N/A N/A C:\Windows\rss\csrss.exe (x6) N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2d9f8dedcd0763e47a8c0adc514992596e7dcc0bc00260a8721a1dcea9d686bf.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2d9f8dedcd0763e47a8c0adc514992596e7dcc0bc00260a8721a1dcea9d686bf.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description (write count) Indicator Process Target
PID 3184 wrote to memory of 5008 (x3) N/A C:\Users\Admin\AppData\Local\Temp\2d9f8dedcd0763e47a8c0adc514992596e7dcc0bc00260a8721a1dcea9d686bf.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3736 wrote to memory of 2504 (x3) N/A C:\Users\Admin\AppData\Local\Temp\2d9f8dedcd0763e47a8c0adc514992596e7dcc0bc00260a8721a1dcea9d686bf.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3736 wrote to memory of 1636 (x2) N/A C:\Users\Admin\AppData\Local\Temp\2d9f8dedcd0763e47a8c0adc514992596e7dcc0bc00260a8721a1dcea9d686bf.exe C:\Windows\system32\cmd.exe
PID 1636 wrote to memory of 1648 (x2) N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3736 wrote to memory of 2024 (x3) N/A C:\Users\Admin\AppData\Local\Temp\2d9f8dedcd0763e47a8c0adc514992596e7dcc0bc00260a8721a1dcea9d686bf.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3736 wrote to memory of 4308 (x3) N/A C:\Users\Admin\AppData\Local\Temp\2d9f8dedcd0763e47a8c0adc514992596e7dcc0bc00260a8721a1dcea9d686bf.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3736 wrote to memory of 2112 (x3) N/A C:\Users\Admin\AppData\Local\Temp\2d9f8dedcd0763e47a8c0adc514992596e7dcc0bc00260a8721a1dcea9d686bf.exe C:\Windows\rss\csrss.exe
PID 2112 wrote to memory of 4656 (x3) N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2112 wrote to memory of 2360 (x3) N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2112 wrote to memory of 2468 (x3) N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2112 wrote to memory of 3528 (x2) N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 4488 wrote to memory of 872 (x3) N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 872 wrote to memory of 2768 (x3) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\2d9f8dedcd0763e47a8c0adc514992596e7dcc0bc00260a8721a1dcea9d686bf.exe

"C:\Users\Admin\AppData\Local\Temp\2d9f8dedcd0763e47a8c0adc514992596e7dcc0bc00260a8721a1dcea9d686bf.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\2d9f8dedcd0763e47a8c0adc514992596e7dcc0bc00260a8721a1dcea9d686bf.exe

"C:\Users\Admin\AppData\Local\Temp\2d9f8dedcd0763e47a8c0adc514992596e7dcc0bc00260a8721a1dcea9d686bf.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 3184 -ip 3184

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3184 -s 956

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 e1e688d4-dcb1-43dc-8dee-5ec199cb216b.uuid.statscreate.org udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.129.233:443 cdn.discordapp.com tcp
BG 185.82.216.96:443 server6.statscreate.org tcp
US 104.21.94.82:443 carsalessystem.com tcp
N/A 127.0.0.1:3478 udp
N/A 127.0.0.1:3478 udp
NL 74.125.128.127:19302 stun2.l.google.com udp
BG 185.82.216.96:443 server6.statscreate.org tcp

Files

memory/3184-1-0x0000000003E70000-0x0000000004275000-memory.dmp

memory/3184-2-0x0000000004280000-0x0000000004B6B000-memory.dmp

memory/3184-3-0x0000000000400000-0x0000000001E06000-memory.dmp

memory/5008-4-0x00000000029C0000-0x00000000029F6000-memory.dmp

memory/5008-5-0x00000000051E0000-0x000000000580A000-memory.dmp

memory/5008-6-0x0000000073F00000-0x00000000746B1000-memory.dmp

memory/5008-7-0x0000000002640000-0x0000000002650000-memory.dmp

memory/5008-8-0x0000000004F90000-0x0000000004FB2000-memory.dmp

memory/5008-9-0x0000000005030000-0x0000000005096000-memory.dmp

memory/5008-10-0x0000000005110000-0x0000000005176000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_roupebqd.lzl.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/5008-19-0x0000000005950000-0x0000000005CA7000-memory.dmp

memory/5008-20-0x0000000005E50000-0x0000000005E6E000-memory.dmp

memory/5008-21-0x0000000005EA0000-0x0000000005EEC000-memory.dmp

memory/5008-22-0x00000000063D0000-0x0000000006416000-memory.dmp

memory/5008-23-0x000000007FB60000-0x000000007FB70000-memory.dmp

memory/5008-24-0x0000000007260000-0x0000000007294000-memory.dmp

memory/5008-25-0x0000000070170000-0x00000000701BC000-memory.dmp

memory/5008-26-0x00000000702F0000-0x0000000070647000-memory.dmp

memory/5008-35-0x00000000072C0000-0x00000000072DE000-memory.dmp

memory/5008-37-0x0000000002640000-0x0000000002650000-memory.dmp

memory/5008-36-0x00000000072E0000-0x0000000007384000-memory.dmp

memory/5008-38-0x0000000007A40000-0x00000000080BA000-memory.dmp

memory/5008-39-0x0000000007400000-0x000000000741A000-memory.dmp

memory/5008-40-0x0000000007440000-0x000000000744A000-memory.dmp

memory/5008-41-0x0000000007550000-0x00000000075E6000-memory.dmp

memory/5008-42-0x0000000007460000-0x0000000007471000-memory.dmp

memory/5008-43-0x00000000074B0000-0x00000000074BE000-memory.dmp

memory/5008-44-0x00000000074C0000-0x00000000074D5000-memory.dmp

memory/5008-45-0x0000000007510000-0x000000000752A000-memory.dmp

memory/5008-46-0x0000000007500000-0x0000000007508000-memory.dmp

memory/5008-49-0x0000000073F00000-0x00000000746B1000-memory.dmp

memory/3184-52-0x0000000003E70000-0x0000000004275000-memory.dmp

memory/3184-51-0x0000000000400000-0x0000000001E06000-memory.dmp

memory/3736-53-0x0000000003B50000-0x0000000003F57000-memory.dmp

memory/3736-54-0x0000000003F60000-0x000000000484B000-memory.dmp

memory/3736-55-0x0000000000400000-0x0000000001E06000-memory.dmp

memory/2504-56-0x0000000073FA0000-0x0000000074751000-memory.dmp

memory/2504-57-0x00000000054D0000-0x00000000054E0000-memory.dmp

memory/2504-58-0x00000000054D0000-0x00000000054E0000-memory.dmp

memory/2504-67-0x00000000062F0000-0x0000000006647000-memory.dmp

memory/2504-68-0x0000000006A20000-0x0000000006A6C000-memory.dmp

memory/2504-69-0x000000007F610000-0x000000007F620000-memory.dmp

memory/2504-71-0x0000000070430000-0x0000000070787000-memory.dmp

memory/2504-70-0x0000000070280000-0x00000000702CC000-memory.dmp

memory/2504-80-0x0000000007A40000-0x0000000007AE4000-memory.dmp

memory/2504-81-0x00000000054D0000-0x00000000054E0000-memory.dmp

memory/2504-82-0x00000000054D0000-0x00000000054E0000-memory.dmp

memory/2504-83-0x0000000007D70000-0x0000000007D81000-memory.dmp

memory/2504-84-0x0000000007DC0000-0x0000000007DD5000-memory.dmp

memory/2504-87-0x0000000073FA0000-0x0000000074751000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 d0c46cad6c0778401e21910bd6b56b70
SHA1 7be418951ea96326aca445b8dfe449b2bfa0dca6
SHA256 9600b3fdf0565ccb49e21656aa4b24d7c18f776bfd04d9ee984b134707550f02
SHA512 057531b468f7fbbb2175a696a8aab274dec0d17d9f71df309edcff35e064f3378050066a3df47ccd03048fac461594ec75e3d4fe64f9dd79949d129f51e02949

memory/2024-89-0x0000000073FA0000-0x0000000074751000-memory.dmp

memory/2024-90-0x0000000004950000-0x0000000004960000-memory.dmp

memory/2024-91-0x0000000004950000-0x0000000004960000-memory.dmp

memory/2024-97-0x0000000005850000-0x0000000005BA7000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 4278fef99fac402f67bf5d4bf21334ad
SHA1 a935d4480ec2de7e73bd684b68c7c3d2176d4cc1
SHA256 94b95ba524982ea2fe4e92cf339c443fea1f9415528b1544d16bb3556a68db89
SHA512 f3b35a0a956201cc079c9e059d38b5034a7600452bb709f8e001f62b568981f881e3aa3456b8c361cdbb40e8eb47fde5c728cd1c2582869e6b10fa04163373bd

memory/2024-102-0x0000000070280000-0x00000000702CC000-memory.dmp

memory/2024-112-0x0000000004950000-0x0000000004960000-memory.dmp

memory/2024-103-0x00000000704D0000-0x0000000070827000-memory.dmp

memory/2024-114-0x0000000073FA0000-0x0000000074751000-memory.dmp

memory/4308-115-0x0000000073FA0000-0x0000000074751000-memory.dmp

memory/4308-116-0x0000000005110000-0x0000000005120000-memory.dmp

memory/3736-117-0x0000000003B50000-0x0000000003F57000-memory.dmp

memory/3736-123-0x0000000000400000-0x0000000001E06000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 6890a3ab12f486eb871cf5d5c636bc59
SHA1 550040815d403771a167ae853f1268bfeb2ee251
SHA256 32a1810b3d838096b015b1d5d7d8f617e2cd83548dd08e227d5b3c9e92abec85
SHA512 4ddc473df6b31f7d55bba696b7746171fe6ad5f6189ced71f5d1b0f281340917996b6297d76fe15dda6cf00c81532ada8a58be9f759088f8ca69aaf1c8828ace

memory/4308-128-0x0000000070280000-0x00000000702CC000-memory.dmp

memory/4308-129-0x000000007F200000-0x000000007F210000-memory.dmp

memory/4308-130-0x00000000704D0000-0x0000000070827000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 3c2ca248add7f3cd420d2efe789b5457
SHA1 4f91c6e9a3137914e2c83f6fbfdab880d6a1fde3
SHA256 2d9f8dedcd0763e47a8c0adc514992596e7dcc0bc00260a8721a1dcea9d686bf
SHA512 b210fd51bbbc88fdf4a0ed407aa10dd750c82148b61cc63a5dc44e3a3f71dfd75b9baa91a4f0adc58cbcee373bd1669a2cdcc1099be58eb3e7c24093ab40968b

memory/3736-147-0x0000000000400000-0x0000000001E06000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 bb795cf9f6d7541d0e2d364381a1b23c
SHA1 470c873caf8a5a8c0df03dd8d125bc98da6fec53
SHA256 5a6cc578d450347820ceee49387ea1af96d3e5e3273381a492e9171efeb23770
SHA512 39a3ffffc0adcdb30e834f6c01c1b2da703932adc875058a29dbf47f1e38b06674563df57283bd97eb5c2222862ee6bfe494d5676d6eb69ff4fd94bd022e6417

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 92e4eb0af17c235f3b2ef63c545c9f12
SHA1 fbefb418dd213af9d8ccbcc897aaa1bd53fbb81e
SHA256 9f38225f5f389003ad3255d66fdb3fe0084abc58b79810b4402cd5197bcc0260
SHA512 caf630f108d4d2ad0a02b66779d55a8ed0a1d978e8406e09011109e887b3c9d8d0b53762904c202d9837f7ee51a1c561048af0a7a1813305fcae04199ecf08ed

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 11e5f3c291c12ad947f81a6636d5d7b8
SHA1 691c9609db3db5b2144c7fefde193af8a73d0243
SHA256 6d2697a666d06949bb50fe2384e7ea0f02140131334b57138a11242f835bf662
SHA512 1cc0a725cc0af780bac8b8743302296e6c96e0cbdc0e3e0e51bd81b48a07b3109a9f1df8eb195c09e515a26d897f4fc8fd3534ec745a5498b517b06bbae9f2f4

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/2112-244-0x0000000000400000-0x0000000001E06000-memory.dmp

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/4488-252-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2112-253-0x0000000000400000-0x0000000001E06000-memory.dmp

memory/2112-254-0x0000000000400000-0x0000000001E06000-memory.dmp

memory/404-255-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2112-256-0x0000000000400000-0x0000000001E06000-memory.dmp

memory/404-258-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2112-259-0x0000000000400000-0x0000000001E06000-memory.dmp

memory/2112-261-0x0000000000400000-0x0000000001E06000-memory.dmp

memory/2112-263-0x0000000000400000-0x0000000001E06000-memory.dmp

memory/2112-264-0x0000000000400000-0x0000000001E06000-memory.dmp

memory/2112-266-0x0000000000400000-0x0000000001E06000-memory.dmp

memory/2112-268-0x0000000000400000-0x0000000001E06000-memory.dmp

memory/2112-270-0x0000000000400000-0x0000000001E06000-memory.dmp

memory/2112-273-0x0000000000400000-0x0000000001E06000-memory.dmp

memory/2112-275-0x0000000000400000-0x0000000001E06000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-19 22:45

Reported

2024-04-19 22:48

Platform

win10v2004-20240412-en

Max time kernel

149s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2d9f8dedcd0763e47a8c0adc514992596e7dcc0bc00260a8721a1dcea9d686bf.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\2d9f8dedcd0763e47a8c0adc514992596e7dcc0bc00260a8721a1dcea9d686bf.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\2d9f8dedcd0763e47a8c0adc514992596e7dcc0bc00260a8721a1dcea9d686bf.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\2d9f8dedcd0763e47a8c0adc514992596e7dcc0bc00260a8721a1dcea9d686bf.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\2d9f8dedcd0763e47a8c0adc514992596e7dcc0bc00260a8721a1dcea9d686bf.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2411 = "Marquesas Daylight Time" C:\Users\Admin\AppData\Local\Temp\2d9f8dedcd0763e47a8c0adc514992596e7dcc0bc00260a8721a1dcea9d686bf.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-211 = "Pacific Daylight Time" C:\Users\Admin\AppData\Local\Temp\2d9f8dedcd0763e47a8c0adc514992596e7dcc0bc00260a8721a1dcea9d686bf.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2162 = "Altai Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2611 = "Bougainville Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2631 = "Norfolk Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-3052 = "Qyzylorda Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-431 = "Iran Daylight Time" C:\Users\Admin\AppData\Local\Temp\2d9f8dedcd0763e47a8c0adc514992596e7dcc0bc00260a8721a1dcea9d686bf.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2452 = "Saint Pierre Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1912 = "Russia TZ 10 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2492 = "Aus Central W. Standard Time" C:\Users\Admin\AppData\Local\Temp\2d9f8dedcd0763e47a8c0adc514992596e7dcc0bc00260a8721a1dcea9d686bf.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-334 = "Jordan Daylight Time" C:\Users\Admin\AppData\Local\Temp\2d9f8dedcd0763e47a8c0adc514992596e7dcc0bc00260a8721a1dcea9d686bf.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2752 = "Tomsk Standard Time" C:\Users\Admin\AppData\Local\Temp\2d9f8dedcd0763e47a8c0adc514992596e7dcc0bc00260a8721a1dcea9d686bf.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-602 = "Taipei Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-441 = "Arabian Daylight Time" C:\Users\Admin\AppData\Local\Temp\2d9f8dedcd0763e47a8c0adc514992596e7dcc0bc00260a8721a1dcea9d686bf.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2571 = "Turks and Caicos Daylight Time" C:\Users\Admin\AppData\Local\Temp\2d9f8dedcd0763e47a8c0adc514992596e7dcc0bc00260a8721a1dcea9d686bf.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-341 = "Egypt Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-364 = "Middle East Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-151 = "Central America Daylight Time" C:\Users\Admin\AppData\Local\Temp\2d9f8dedcd0763e47a8c0adc514992596e7dcc0bc00260a8721a1dcea9d686bf.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1862 = "Russia TZ 6 Standard Time" C:\Users\Admin\AppData\Local\Temp\2d9f8dedcd0763e47a8c0adc514992596e7dcc0bc00260a8721a1dcea9d686bf.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2751 = "Tomsk Daylight Time" C:\Users\Admin\AppData\Local\Temp\2d9f8dedcd0763e47a8c0adc514992596e7dcc0bc00260a8721a1dcea9d686bf.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-662 = "Cen. Australia Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-771 = "Montevideo Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-82 = "Atlantic Standard Time" C:\Users\Admin\AppData\Local\Temp\2d9f8dedcd0763e47a8c0adc514992596e7dcc0bc00260a8721a1dcea9d686bf.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1022 = "Bangladesh Standard Time" C:\Users\Admin\AppData\Local\Temp\2d9f8dedcd0763e47a8c0adc514992596e7dcc0bc00260a8721a1dcea9d686bf.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-3052 = "Qyzylorda Standard Time" C:\Users\Admin\AppData\Local\Temp\2d9f8dedcd0763e47a8c0adc514992596e7dcc0bc00260a8721a1dcea9d686bf.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\2d9f8dedcd0763e47a8c0adc514992596e7dcc0bc00260a8721a1dcea9d686bf.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2162 = "Altai Standard Time" C:\Users\Admin\AppData\Local\Temp\2d9f8dedcd0763e47a8c0adc514992596e7dcc0bc00260a8721a1dcea9d686bf.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2771 = "Omsk Daylight Time" C:\Users\Admin\AppData\Local\Temp\2d9f8dedcd0763e47a8c0adc514992596e7dcc0bc00260a8721a1dcea9d686bf.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-831 = "SA Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\2d9f8dedcd0763e47a8c0adc514992596e7dcc0bc00260a8721a1dcea9d686bf.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2841 = "Saratov Daylight Time" C:\Users\Admin\AppData\Local\Temp\2d9f8dedcd0763e47a8c0adc514992596e7dcc0bc00260a8721a1dcea9d686bf.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-462 = "Afghanistan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-672 = "AUS Eastern Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time" C:\Users\Admin\AppData\Local\Temp\2d9f8dedcd0763e47a8c0adc514992596e7dcc0bc00260a8721a1dcea9d686bf.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-391 = "Arab Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-41 = "E. South America Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-502 = "Nepal Standard Time" C:\Users\Admin\AppData\Local\Temp\2d9f8dedcd0763e47a8c0adc514992596e7dcc0bc00260a8721a1dcea9d686bf.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-222 = "Alaskan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-262 = "GMT Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-571 = "China Daylight Time" C:\Users\Admin\AppData\Local\Temp\2d9f8dedcd0763e47a8c0adc514992596e7dcc0bc00260a8721a1dcea9d686bf.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-681 = "E. Australia Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-791 = "SA Western Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1872 = "Russia TZ 7 Standard Time" C:\Users\Admin\AppData\Local\Temp\2d9f8dedcd0763e47a8c0adc514992596e7dcc0bc00260a8721a1dcea9d686bf.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2d9f8dedcd0763e47a8c0adc514992596e7dcc0bc00260a8721a1dcea9d686bf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2d9f8dedcd0763e47a8c0adc514992596e7dcc0bc00260a8721a1dcea9d686bf.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2d9f8dedcd0763e47a8c0adc514992596e7dcc0bc00260a8721a1dcea9d686bf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2d9f8dedcd0763e47a8c0adc514992596e7dcc0bc00260a8721a1dcea9d686bf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2d9f8dedcd0763e47a8c0adc514992596e7dcc0bc00260a8721a1dcea9d686bf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2d9f8dedcd0763e47a8c0adc514992596e7dcc0bc00260a8721a1dcea9d686bf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2d9f8dedcd0763e47a8c0adc514992596e7dcc0bc00260a8721a1dcea9d686bf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2d9f8dedcd0763e47a8c0adc514992596e7dcc0bc00260a8721a1dcea9d686bf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2d9f8dedcd0763e47a8c0adc514992596e7dcc0bc00260a8721a1dcea9d686bf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2d9f8dedcd0763e47a8c0adc514992596e7dcc0bc00260a8721a1dcea9d686bf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2d9f8dedcd0763e47a8c0adc514992596e7dcc0bc00260a8721a1dcea9d686bf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2d9f8dedcd0763e47a8c0adc514992596e7dcc0bc00260a8721a1dcea9d686bf.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2d9f8dedcd0763e47a8c0adc514992596e7dcc0bc00260a8721a1dcea9d686bf.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2d9f8dedcd0763e47a8c0adc514992596e7dcc0bc00260a8721a1dcea9d686bf.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2300 wrote to memory of 3500 N/A C:\Users\Admin\AppData\Local\Temp\2d9f8dedcd0763e47a8c0adc514992596e7dcc0bc00260a8721a1dcea9d686bf.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2300 wrote to memory of 3500 N/A C:\Users\Admin\AppData\Local\Temp\2d9f8dedcd0763e47a8c0adc514992596e7dcc0bc00260a8721a1dcea9d686bf.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2300 wrote to memory of 3500 N/A C:\Users\Admin\AppData\Local\Temp\2d9f8dedcd0763e47a8c0adc514992596e7dcc0bc00260a8721a1dcea9d686bf.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4872 wrote to memory of 1820 N/A C:\Users\Admin\AppData\Local\Temp\2d9f8dedcd0763e47a8c0adc514992596e7dcc0bc00260a8721a1dcea9d686bf.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4872 wrote to memory of 1820 N/A C:\Users\Admin\AppData\Local\Temp\2d9f8dedcd0763e47a8c0adc514992596e7dcc0bc00260a8721a1dcea9d686bf.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4872 wrote to memory of 1820 N/A C:\Users\Admin\AppData\Local\Temp\2d9f8dedcd0763e47a8c0adc514992596e7dcc0bc00260a8721a1dcea9d686bf.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4872 wrote to memory of 5068 N/A C:\Users\Admin\AppData\Local\Temp\2d9f8dedcd0763e47a8c0adc514992596e7dcc0bc00260a8721a1dcea9d686bf.exe C:\Windows\system32\cmd.exe
PID 4872 wrote to memory of 5068 N/A C:\Users\Admin\AppData\Local\Temp\2d9f8dedcd0763e47a8c0adc514992596e7dcc0bc00260a8721a1dcea9d686bf.exe C:\Windows\system32\cmd.exe
PID 5068 wrote to memory of 2504 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 5068 wrote to memory of 2504 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4872 wrote to memory of 4156 N/A C:\Users\Admin\AppData\Local\Temp\2d9f8dedcd0763e47a8c0adc514992596e7dcc0bc00260a8721a1dcea9d686bf.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4872 wrote to memory of 4156 N/A C:\Users\Admin\AppData\Local\Temp\2d9f8dedcd0763e47a8c0adc514992596e7dcc0bc00260a8721a1dcea9d686bf.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4872 wrote to memory of 4156 N/A C:\Users\Admin\AppData\Local\Temp\2d9f8dedcd0763e47a8c0adc514992596e7dcc0bc00260a8721a1dcea9d686bf.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4872 wrote to memory of 1144 N/A C:\Users\Admin\AppData\Local\Temp\2d9f8dedcd0763e47a8c0adc514992596e7dcc0bc00260a8721a1dcea9d686bf.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4872 wrote to memory of 1144 N/A C:\Users\Admin\AppData\Local\Temp\2d9f8dedcd0763e47a8c0adc514992596e7dcc0bc00260a8721a1dcea9d686bf.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4872 wrote to memory of 1144 N/A C:\Users\Admin\AppData\Local\Temp\2d9f8dedcd0763e47a8c0adc514992596e7dcc0bc00260a8721a1dcea9d686bf.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4872 wrote to memory of 1904 N/A C:\Users\Admin\AppData\Local\Temp\2d9f8dedcd0763e47a8c0adc514992596e7dcc0bc00260a8721a1dcea9d686bf.exe C:\Windows\rss\csrss.exe
PID 4872 wrote to memory of 1904 N/A C:\Users\Admin\AppData\Local\Temp\2d9f8dedcd0763e47a8c0adc514992596e7dcc0bc00260a8721a1dcea9d686bf.exe C:\Windows\rss\csrss.exe
PID 4872 wrote to memory of 1904 N/A C:\Users\Admin\AppData\Local\Temp\2d9f8dedcd0763e47a8c0adc514992596e7dcc0bc00260a8721a1dcea9d686bf.exe C:\Windows\rss\csrss.exe
PID 1904 wrote to memory of 412 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1904 wrote to memory of 412 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1904 wrote to memory of 412 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1904 wrote to memory of 2076 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1904 wrote to memory of 2076 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1904 wrote to memory of 2076 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1904 wrote to memory of 556 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1904 wrote to memory of 556 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1904 wrote to memory of 556 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1904 wrote to memory of 1128 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 1904 wrote to memory of 1128 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 4428 wrote to memory of 2936 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 4428 wrote to memory of 2936 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 4428 wrote to memory of 2936 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 2936 wrote to memory of 420 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 2936 wrote to memory of 420 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 2936 wrote to memory of 420 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\2d9f8dedcd0763e47a8c0adc514992596e7dcc0bc00260a8721a1dcea9d686bf.exe

"C:\Users\Admin\AppData\Local\Temp\2d9f8dedcd0763e47a8c0adc514992596e7dcc0bc00260a8721a1dcea9d686bf.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\2d9f8dedcd0763e47a8c0adc514992596e7dcc0bc00260a8721a1dcea9d686bf.exe

"C:\Users\Admin\AppData\Local\Temp\2d9f8dedcd0763e47a8c0adc514992596e7dcc0bc00260a8721a1dcea9d686bf.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qratz0wo.qrf.ps1

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

C:\Windows\rss\csrss.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Windows\windefender.exe
