Malware Analysis Report

2025-08-06 03:32

Sample ID 240419-rd5zssfb51
Target 46aff647ac1d30bbd6338c5b00a0f6df59b8928958bde42c829edf59568c44f1
SHA256 46aff647ac1d30bbd6338c5b00a0f6df59b8928958bde42c829edf59568c44f1
Tags
glupteba discovery dropper evasion loader persistence rootkit upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

46aff647ac1d30bbd6338c5b00a0f6df59b8928958bde42c829edf59568c44f1

Threat Level: Known bad

The file 46aff647ac1d30bbd6338c5b00a0f6df59b8928958bde42c829edf59568c44f1 was found to be: Known bad.

Malicious Activity Summary

glupteba discovery dropper evasion loader persistence rootkit upx

Glupteba

Glupteba payload

Modifies Windows Firewall

UPX packed file

Executes dropped EXE

Adds Run key to start application

Checks installed software on the system

Manipulates WinMonFS driver

Drops file in System32 directory

Checks for VirtualBox DLLs, possible anti-VM trick

Launches sc.exe

Drops file in Windows directory

Creates scheduled task(s)

Modifies data under HKEY_USERS

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-19 14:05

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-19 14:05

Reported

2024-04-19 14:08

Platform

win10v2004-20240412-en

Max time kernel

150s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\46aff647ac1d30bbd6338c5b00a0f6df59b8928958bde42c829edf59568c44f1.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
(20 matches; no description, indicator, process or target recorded)

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Description Indicator Process Target
(5 matches; no description, indicator, process or target recorded)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\46aff647ac1d30bbd6338c5b00a0f6df59b8928958bde42c829edf59568c44f1.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A
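
The Run value above, the `schtasks /CREATE ... /TR "C:\Windows\rss\csrss.exe"` task and the netsh firewall rule recorded in the Processes section of this report all launch the same misnamed image: csrss.exe is a System32-only Windows binary and has no business under C:\Windows\rss. The Python below is an added triage example, not code from the sandbox or from the sample. It pulls the image path out of each of the three line formats (the report's C-escaped REG_SZ rendering, a schtasks command, a netsh rule) and flags any System32-only or Defender-lookalike name that runs from somewhere else. The three malicious lines are copied from this report; the name lists, directory list and the two benign lines are assumptions constructed for the example.

```python
import re
from pathlib import PureWindowsPath
from typing import List, Optional, Tuple

# Windows-native process images that only ever live in %SystemRoot%\System32
# (assumed list; extend it for your estate). An autostart entry that launches
# one of these names from anywhere else is masquerading.
SYSTEM_ONLY_NAMES = {"csrss.exe", "smss.exe", "wininit.exe", "winlogon.exe",
                     "services.exe", "lsass.exe", "svchost.exe", "dwm.exe"}
# Names that imitate Microsoft Defender but belong to no Microsoft product:
# the real service is WinDefend and its image is MsMpEng.exe.
LOOKALIKE_NAMES = {"windefender.exe", "windefend.exe"}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# Report rendering of a REG_SZ Run value: ...\Run\<name> = "<C-escaped data>"
RUN_KEY_RE = re.compile(r'CurrentVersion\\Run\\(?P<name>\S+) = "(?P<data>(?:\\.|[^"\\])*)"', re.I)
SCHTASKS_TR_RE = re.compile(r'/TR\s+"?(?P<path>[^"]+?)"?(?:\s+/|$)', re.I)
NETSH_PROGRAM_RE = re.compile(r'program="(?P<path>[^"]+)"', re.I)


def unescape_report_value(data: str) -> str:
    """Undo the C-style escaping (\\" and \\\\) the report applies to string data."""
    return data.replace('\\"', '"').replace('\\\\', '\\')


def image_from_command(cmd: str) -> str:
    """Return the executable path of a command line (quoted or first token)."""
    cmd = cmd.strip()
    if cmd.startswith('"') and '"' in cmd[1:]:
        return cmd[1:cmd.index('"', 1)]
    return (cmd.split() or [""])[0].strip('"')


def extract_autostart(line: str) -> Optional[Tuple[str, str]]:
    """Map one report line to (kind, image path) if it registers an autostart."""
    m = RUN_KEY_RE.search(line)
    if m:
        return ("run_key:" + m.group("name"),
                image_from_command(unescape_report_value(m.group("data"))))
    if re.search(r"schtasks\s+/CREATE", line, re.I):
        m = SCHTASKS_TR_RE.search(line)
        if m:
            return ("schtasks", m.group("path").strip())
    if "advfirewall" in line.lower():
        m = NETSH_PROGRAM_RE.search(line)
        if m:
            return ("firewall_allow", m.group("path"))
    return None


def classify(path: str) -> Optional[str]:
    """Explain why an image path is suspicious, or None if it passes."""
    p = PureWindowsPath(path)
    name, parent = p.name.lower(), str(p.parent).lower()
    if name in SYSTEM_ONLY_NAMES and parent not in SYSTEM_DIRS:
        return f"{p.name} is a System32-only binary but runs from {p.parent}"
    if name in LOOKALIKE_NAMES:
        return f"{p.name} imitates a Microsoft Defender component"
    return None


def triage(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (kind, image, reason) for every suspicious autostart in the lines."""
    hits = []
    for line in lines:
        entry = extract_autostart(line)
        if entry is None:
            continue
        reason = classify(entry[1])
        if reason:
            hits.append((entry[0], entry[1], reason))
    return hits


# Constructed input: three lines copied from this report plus two benign ones.
SAMPLE_LINES = [
    r'Set value (str) \REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\46aff647ac1d30bbd6338c5b00a0f6df59b8928958bde42c829edf59568c44f1.exe N/A',
    r'schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F',
    r'netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes',
    # benign, constructed: a normal per-user Run entry and a vendor updater task
    r'Set value (str) \REGISTRY\USER\S-1-5-21-0-0-0-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background" C:\Users\Admin\OneDriveSetup.exe N/A',
    r'schtasks /CREATE /SC DAILY /TR "C:\Program Files\Vendor\updater.exe" /TN VendorUpdate /F',
]

if __name__ == "__main__":
    for kind, image, reason in triage(SAMPLE_LINES):
        print(f"[{kind}] {image}: {reason}")
```

The same check applied to a live host reads `HKCU\...\Run`, the task XML under C:\Windows\System32\Tasks and `netsh advfirewall firewall show rule name=all` instead of report lines; the extractors are the only part that changes. Note that the second Run-key row above is the dropped csrss.exe re-setting its own value, so a hunt should expect the writer to be the masquerading binary itself, not only the original dropper.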

Checks installed software on the system

discovery

Manipulates WinMonFS driver

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\46aff647ac1d30bbd6338c5b00a0f6df59b8928958bde42c829edf59568c44f1.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\46aff647ac1d30bbd6338c5b00a0f6df59b8928958bde42c829edf59568c44f1.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\46aff647ac1d30bbd6338c5b00a0f6df59b8928958bde42c829edf59568c44f1.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-352 = "FLE Standard Time" C:\Users\Admin\AppData\Local\Temp\46aff647ac1d30bbd6338c5b00a0f6df59b8928958bde42c829edf59568c44f1.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2591 = "Tocantins Daylight Time" C:\Users\Admin\AppData\Local\Temp\46aff647ac1d30bbd6338c5b00a0f6df59b8928958bde42c829edf59568c44f1.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-281 = "Central Europe Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1472 = "Magadan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-542 = "Myanmar Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-201 = "US Mountain Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2591 = "Tocantins Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2592 = "Tocantins Standard Time" C:\Users\Admin\AppData\Local\Temp\46aff647ac1d30bbd6338c5b00a0f6df59b8928958bde42c829edf59568c44f1.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1972 = "Belarus Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2531 = "Chatham Islands Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2431 = "Cuba Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-682 = "E. Australia Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2412 = "Marquesas Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-742 = "New Zealand Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-671 = "AUS Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\46aff647ac1d30bbd6338c5b00a0f6df59b8928958bde42c829edf59568c44f1.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-691 = "Tasmania Daylight Time" C:\Users\Admin\AppData\Local\Temp\46aff647ac1d30bbd6338c5b00a0f6df59b8928958bde42c829edf59568c44f1.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1501 = "Turkey Daylight Time" C:\Users\Admin\AppData\Local\Temp\46aff647ac1d30bbd6338c5b00a0f6df59b8928958bde42c829edf59568c44f1.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1042 = "Ulaanbaatar Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-41 = "E. South America Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1861 = "Russia TZ 6 Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1831 = "Russia TZ 2 Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-561 = "SE Asia Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-621 = "Korea Daylight Time" C:\Users\Admin\AppData\Local\Temp\46aff647ac1d30bbd6338c5b00a0f6df59b8928958bde42c829edf59568c44f1.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-752 = "Tonga Standard Time" C:\Users\Admin\AppData\Local\Temp\46aff647ac1d30bbd6338c5b00a0f6df59b8928958bde42c829edf59568c44f1.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-215 = "Pacific Standard Time (Mexico)" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2531 = "Chatham Islands Daylight Time" C:\Users\Admin\AppData\Local\Temp\46aff647ac1d30bbd6338c5b00a0f6df59b8928958bde42c829edf59568c44f1.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-231 = "Hawaiian Daylight Time" C:\Users\Admin\AppData\Local\Temp\46aff647ac1d30bbd6338c5b00a0f6df59b8928958bde42c829edf59568c44f1.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1802 = "Line Islands Standard Time" C:\Users\Admin\AppData\Local\Temp\46aff647ac1d30bbd6338c5b00a0f6df59b8928958bde42c829edf59568c44f1.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1041 = "Ulaanbaatar Daylight Time" C:\Users\Admin\AppData\Local\Temp\46aff647ac1d30bbd6338c5b00a0f6df59b8928958bde42c829edf59568c44f1.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2041 = "Eastern Daylight Time (Mexico)" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-391 = "Arab Daylight Time" C:\Users\Admin\AppData\Local\Temp\46aff647ac1d30bbd6338c5b00a0f6df59b8928958bde42c829edf59568c44f1.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-631 = "Tokyo Daylight Time" C:\Users\Admin\AppData\Local\Temp\46aff647ac1d30bbd6338c5b00a0f6df59b8928958bde42c829edf59568c44f1.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-104 = "Central Brazilian Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-741 = "New Zealand Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-222 = "Alaskan Standard Time" C:\Users\Admin\AppData\Local\Temp\46aff647ac1d30bbd6338c5b00a0f6df59b8928958bde42c829edf59568c44f1.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2491 = "Aus Central W. Daylight Time" C:\Users\Admin\AppData\Local\Temp\46aff647ac1d30bbd6338c5b00a0f6df59b8928958bde42c829edf59568c44f1.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-511 = "Central Asia Daylight Time" C:\Users\Admin\AppData\Local\Temp\46aff647ac1d30bbd6338c5b00a0f6df59b8928958bde42c829edf59568c44f1.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-271 = "Greenwich Daylight Time" C:\Users\Admin\AppData\Local\Temp\46aff647ac1d30bbd6338c5b00a0f6df59b8928958bde42c829edf59568c44f1.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-772 = "Montevideo Standard Time" C:\Users\Admin\AppData\Local\Temp\46aff647ac1d30bbd6338c5b00a0f6df59b8928958bde42c829edf59568c44f1.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-962 = "Paraguay Standard Time" C:\Users\Admin\AppData\Local\Temp\46aff647ac1d30bbd6338c5b00a0f6df59b8928958bde42c829edf59568c44f1.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2612 = "Bougainville Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-662 = "Cen. Australia Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2372 = "Easter Island Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-341 = "Egypt Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2631 = "Norfolk Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-832 = "SA Eastern Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1822 = "Russia TZ 1 Standard Time" C:\Windows\windefender.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\46aff647ac1d30bbd6338c5b00a0f6df59b8928958bde42c829edf59568c44f1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\46aff647ac1d30bbd6338c5b00a0f6df59b8928958bde42c829edf59568c44f1.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\46aff647ac1d30bbd6338c5b00a0f6df59b8928958bde42c829edf59568c44f1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\46aff647ac1d30bbd6338c5b00a0f6df59b8928958bde42c829edf59568c44f1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\46aff647ac1d30bbd6338c5b00a0f6df59b8928958bde42c829edf59568c44f1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\46aff647ac1d30bbd6338c5b00a0f6df59b8928958bde42c829edf59568c44f1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\46aff647ac1d30bbd6338c5b00a0f6df59b8928958bde42c829edf59568c44f1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\46aff647ac1d30bbd6338c5b00a0f6df59b8928958bde42c829edf59568c44f1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\46aff647ac1d30bbd6338c5b00a0f6df59b8928958bde42c829edf59568c44f1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\46aff647ac1d30bbd6338c5b00a0f6df59b8928958bde42c829edf59568c44f1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\46aff647ac1d30bbd6338c5b00a0f6df59b8928958bde42c829edf59568c44f1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\46aff647ac1d30bbd6338c5b00a0f6df59b8928958bde42c829edf59568c44f1.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\46aff647ac1d30bbd6338c5b00a0f6df59b8928958bde42c829edf59568c44f1.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\46aff647ac1d30bbd6338c5b00a0f6df59b8928958bde42c829edf59568c44f1.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3724 wrote to memory of 3932 N/A C:\Users\Admin\AppData\Local\Temp\46aff647ac1d30bbd6338c5b00a0f6df59b8928958bde42c829edf59568c44f1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3724 wrote to memory of 3932 N/A C:\Users\Admin\AppData\Local\Temp\46aff647ac1d30bbd6338c5b00a0f6df59b8928958bde42c829edf59568c44f1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3724 wrote to memory of 3932 N/A C:\Users\Admin\AppData\Local\Temp\46aff647ac1d30bbd6338c5b00a0f6df59b8928958bde42c829edf59568c44f1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 924 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\46aff647ac1d30bbd6338c5b00a0f6df59b8928958bde42c829edf59568c44f1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 924 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\46aff647ac1d30bbd6338c5b00a0f6df59b8928958bde42c829edf59568c44f1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 924 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\46aff647ac1d30bbd6338c5b00a0f6df59b8928958bde42c829edf59568c44f1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 924 wrote to memory of 628 N/A C:\Users\Admin\AppData\Local\Temp\46aff647ac1d30bbd6338c5b00a0f6df59b8928958bde42c829edf59568c44f1.exe C:\Windows\system32\cmd.exe
PID 924 wrote to memory of 628 N/A C:\Users\Admin\AppData\Local\Temp\46aff647ac1d30bbd6338c5b00a0f6df59b8928958bde42c829edf59568c44f1.exe C:\Windows\system32\cmd.exe
PID 628 wrote to memory of 4692 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 628 wrote to memory of 4692 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 924 wrote to memory of 812 N/A C:\Users\Admin\AppData\Local\Temp\46aff647ac1d30bbd6338c5b00a0f6df59b8928958bde42c829edf59568c44f1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 924 wrote to memory of 812 N/A C:\Users\Admin\AppData\Local\Temp\46aff647ac1d30bbd6338c5b00a0f6df59b8928958bde42c829edf59568c44f1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 924 wrote to memory of 812 N/A C:\Users\Admin\AppData\Local\Temp\46aff647ac1d30bbd6338c5b00a0f6df59b8928958bde42c829edf59568c44f1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 924 wrote to memory of 4776 N/A C:\Users\Admin\AppData\Local\Temp\46aff647ac1d30bbd6338c5b00a0f6df59b8928958bde42c829edf59568c44f1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 924 wrote to memory of 4776 N/A C:\Users\Admin\AppData\Local\Temp\46aff647ac1d30bbd6338c5b00a0f6df59b8928958bde42c829edf59568c44f1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 924 wrote to memory of 4776 N/A C:\Users\Admin\AppData\Local\Temp\46aff647ac1d30bbd6338c5b00a0f6df59b8928958bde42c829edf59568c44f1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 924 wrote to memory of 3156 N/A C:\Users\Admin\AppData\Local\Temp\46aff647ac1d30bbd6338c5b00a0f6df59b8928958bde42c829edf59568c44f1.exe C:\Windows\rss\csrss.exe
PID 924 wrote to memory of 3156 N/A C:\Users\Admin\AppData\Local\Temp\46aff647ac1d30bbd6338c5b00a0f6df59b8928958bde42c829edf59568c44f1.exe C:\Windows\rss\csrss.exe
PID 924 wrote to memory of 3156 N/A C:\Users\Admin\AppData\Local\Temp\46aff647ac1d30bbd6338c5b00a0f6df59b8928958bde42c829edf59568c44f1.exe C:\Windows\rss\csrss.exe
PID 3156 wrote to memory of 3860 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3156 wrote to memory of 3860 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3156 wrote to memory of 3860 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3156 wrote to memory of 1252 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3156 wrote to memory of 1252 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3156 wrote to memory of 1252 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3156 wrote to memory of 5044 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3156 wrote to memory of 5044 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3156 wrote to memory of 5044 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3156 wrote to memory of 380 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 3156 wrote to memory of 380 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 5104 wrote to memory of 932 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 5104 wrote to memory of 932 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 5104 wrote to memory of 932 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 932 wrote to memory of 456 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 932 wrote to memory of 456 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 932 wrote to memory of 456 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\46aff647ac1d30bbd6338c5b00a0f6df59b8928958bde42c829edf59568c44f1.exe

"C:\Users\Admin\AppData\Local\Temp\46aff647ac1d30bbd6338c5b00a0f6df59b8928958bde42c829edf59568c44f1.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\46aff647ac1d30bbd6338c5b00a0f6df59b8928958bde42c829edf59568c44f1.exe

"C:\Users\Admin\AppData\Local\Temp\46aff647ac1d30bbd6338c5b00a0f6df59b8928958bde42c829edf59568c44f1.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 13.89.179.14:443 tcp
US 8.8.8.8:53 239.249.30.184.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 156.33.209.4.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 132.250.30.184.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 81.171.91.138.in-addr.arpa udp
US 8.8.8.8:53 006e253e-1a9a-4699-96c5-ca4ee042343c.uuid.dumperstats.org udp
US 8.8.8.8:53 stun.ipfire.org udp
US 8.8.8.8:53 server1.dumperstats.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.129.233:443 cdn.discordapp.com tcp
DE 81.3.27.44:3478 stun.ipfire.org udp
BG 185.82.216.111:443 server1.dumperstats.org tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 44.27.3.81.in-addr.arpa udp
US 8.8.8.8:53 carsalessystem.com udp
US 172.67.221.71:443 carsalessystem.com tcp
US 8.8.8.8:53 233.129.159.162.in-addr.arpa udp
US 8.8.8.8:53 111.216.82.185.in-addr.arpa udp
US 8.8.8.8:53 71.221.67.172.in-addr.arpa udp
BE 2.17.197.240:80 tcp
BG 185.82.216.111:443 server1.dumperstats.org tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
BG 185.82.216.111:443 server1.dumperstats.org tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
BG 185.82.216.111:443 server1.dumperstats.org tcp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_npm1bjnp.1nk.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 493b335158929e019b5143a00f04a105
SHA1 f20b948f31c907bdbdb5806932fd7a9a45e33af6
SHA256 7bcf9abf102fc2d4f634a2f663e9bedd1c676ae9483e1cd58d0006317f538765
SHA512 4746f03adaea3d272f9c45f8d21b1c96ca8d8296f9dd80871d9686c3b7abbadce5e09f3e0203015fdd83b69d590cf4d6a66cbf25d3e8fd3143cd19affac158f5

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 1799176f8fd04cfa11955477bd1db0a0
SHA1 7a469b700ffb06bae0d5aa6f1599d21a94fcd0b6
SHA256 4d6c339198bcf833e822ed537b39c7e826a17b6bed91baaafe63bae4d75d5bb4
SHA512 680aaf2e194c25b8ee87b571cc387091aba013d0c1559b3f9bbb3e8eba262eb8e5f6487e7d0dfbc441279e03d137dda79ba1268649537082c946e0d6002a7c4c

C:\Windows\rss\csrss.exe

MD5 d616be058a31d75ba1d247d434f2ff79
SHA1 2242dcdb4d5c12d95555297adfc3735a45d4db94
SHA256 46aff647ac1d30bbd6338c5b00a0f6df59b8928958bde42c829edf59568c44f1
SHA512 1dd88cd847a7c66b972bf8230e732d11bfcc0b53fd60696cd3319da0fce7d02f8196095e8bb6e688627db66618d84d899286f54ca6af210d61b323743753d822

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 1379f71951f358b10d4480700ec58eb0
SHA1 9ca81b21af3d3a1c4cb74708a025e7ba0cbef428
SHA256 b056adf9a40c2a17b3b719a3ba7bb6106555c81eb0dfd46059bc6ec542b42221
SHA512 62ed0a66947a4ebe7e6bf94995f6ce78ff04586a51a1633e781fcf88d82b8d2a625f67049709bacccdd51e5a924605b0abf9d888ea10b85f7d2210c627d0e2e7

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 f4b9eb4e934bfbdee47df5e9391fb3d8
SHA1 1723567b4e15211cfb26e43b47d6ad7d626ef849
SHA256 eab4355e5e48128be016db8d428f8ae2935f3919b881e30f1e03bdedf67c8eb9
SHA512 b07c5934d7f61f8b840e0bd864bcfd0cfa8b34fb1d475d30354ef976a592950e3ee7e73d8533f842459fc0382d12a444af3682b083d801545a19267c5dc4d09c

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 3c6e4d066d6be24638dc22e54d087833
SHA1 5466d397aeb9282dc8b59bc23b37e9f27a1910a4
SHA256 921435de9fbb7832699d8befb37a29d74c629b0cbd7bb6b7cb1c7cd07572b03b
SHA512 30671dd9958da3376db9189ebdf0d80bfea2b6dbf60be5d96338da929c3fd03038c68d2602f0799b225014261f26b9c40265bc99c64e8b65f97849948ae07dd5

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-19 14:05

Reported

2024-04-19 14:08

Platform

win11-20240412-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\46aff647ac1d30bbd6338c5b00a0f6df59b8928958bde42c829edf59568c44f1.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2718508534-2116753757-2794822388-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\46aff647ac1d30bbd6338c5b00a0f6df59b8928958bde42c829edf59568c44f1.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2718508534-2116753757-2794822388-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\46aff647ac1d30bbd6338c5b00a0f6df59b8928958bde42c829edf59568c44f1.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\46aff647ac1d30bbd6338c5b00a0f6df59b8928958bde42c829edf59568c44f1.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\46aff647ac1d30bbd6338c5b00a0f6df59b8928958bde42c829edf59568c44f1.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-365 = "Middle East Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-391 = "Arab Daylight Time" C:\Users\Admin\AppData\Local\Temp\46aff647ac1d30bbd6338c5b00a0f6df59b8928958bde42c829edf59568c44f1.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1661 = "Bahia Daylight Time" C:\Users\Admin\AppData\Local\Temp\46aff647ac1d30bbd6338c5b00a0f6df59b8928958bde42c829edf59568c44f1.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2041 = "Eastern Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\46aff647ac1d30bbd6338c5b00a0f6df59b8928958bde42c829edf59568c44f1.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2871 = "Magallanes Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-384 = "Namibia Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1892 = "Russia TZ 3 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2841 = "Saratov Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-342 = "Egypt Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-252 = "Dateline Standard Time" C:\Users\Admin\AppData\Local\Temp\46aff647ac1d30bbd6338c5b00a0f6df59b8928958bde42c829edf59568c44f1.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2372 = "Easter Island Standard Time" C:\Users\Admin\AppData\Local\Temp\46aff647ac1d30bbd6338c5b00a0f6df59b8928958bde42c829edf59568c44f1.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-111 = "Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\46aff647ac1d30bbd6338c5b00a0f6df59b8928958bde42c829edf59568c44f1.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2412 = "Marquesas Standard Time" C:\Users\Admin\AppData\Local\Temp\46aff647ac1d30bbd6338c5b00a0f6df59b8928958bde42c829edf59568c44f1.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2432 = "Cuba Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-411 = "E. Africa Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1501 = "Turkey Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2511 = "Lord Howe Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1821 = "Russia TZ 1 Daylight Time" C:\Users\Admin\AppData\Local\Temp\46aff647ac1d30bbd6338c5b00a0f6df59b8928958bde42c829edf59568c44f1.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-91 = "Pacific SA Daylight Time" C:\Users\Admin\AppData\Local\Temp\46aff647ac1d30bbd6338c5b00a0f6df59b8928958bde42c829edf59568c44f1.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1892 = "Russia TZ 3 Standard Time" C:\Users\Admin\AppData\Local\Temp\46aff647ac1d30bbd6338c5b00a0f6df59b8928958bde42c829edf59568c44f1.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-351 = "FLE Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-31 = "Mid-Atlantic Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-892 = "Morocco Standard Time" C:\Users\Admin\AppData\Local\Temp\46aff647ac1d30bbd6338c5b00a0f6df59b8928958bde42c829edf59568c44f1.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-105 = "Central Brazilian Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-352 = "FLE Standard Time" C:\Users\Admin\AppData\Local\Temp\46aff647ac1d30bbd6338c5b00a0f6df59b8928958bde42c829edf59568c44f1.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1822 = "Russia TZ 1 Standard Time" C:\Users\Admin\AppData\Local\Temp\46aff647ac1d30bbd6338c5b00a0f6df59b8928958bde42c829edf59568c44f1.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-462 = "Afghanistan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-448 = "Azerbaijan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-92 = "Pacific SA Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-431 = "Iran Daylight Time" C:\Users\Admin\AppData\Local\Temp\46aff647ac1d30bbd6338c5b00a0f6df59b8928958bde42c829edf59568c44f1.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2871 = "Magallanes Daylight Time" C:\Users\Admin\AppData\Local\Temp\46aff647ac1d30bbd6338c5b00a0f6df59b8928958bde42c829edf59568c44f1.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-871 = "Pakistan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-411 = "E. Africa Daylight Time" C:\Users\Admin\AppData\Local\Temp\46aff647ac1d30bbd6338c5b00a0f6df59b8928958bde42c829edf59568c44f1.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1832 = "Russia TZ 2 Standard Time" C:\Users\Admin\AppData\Local\Temp\46aff647ac1d30bbd6338c5b00a0f6df59b8928958bde42c829edf59568c44f1.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2451 = "Saint Pierre Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time" C:\Users\Admin\AppData\Local\Temp\46aff647ac1d30bbd6338c5b00a0f6df59b8928958bde42c829edf59568c44f1.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-892 = "Morocco Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2321 = "Sakhalin Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-381 = "South Africa Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2181 = "Astrakhan Daylight Time" C:\Users\Admin\AppData\Local\Temp\46aff647ac1d30bbd6338c5b00a0f6df59b8928958bde42c829edf59568c44f1.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-72 = "Newfoundland Standard Time" C:\Users\Admin\AppData\Local\Temp\46aff647ac1d30bbd6338c5b00a0f6df59b8928958bde42c829edf59568c44f1.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-732 = "Fiji Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-71 = "Newfoundland Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1861 = "Russia TZ 6 Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-532 = "Sri Lanka Standard Time" C:\Windows\windefender.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\46aff647ac1d30bbd6338c5b00a0f6df59b8928958bde42c829edf59568c44f1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\46aff647ac1d30bbd6338c5b00a0f6df59b8928958bde42c829edf59568c44f1.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\46aff647ac1d30bbd6338c5b00a0f6df59b8928958bde42c829edf59568c44f1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\46aff647ac1d30bbd6338c5b00a0f6df59b8928958bde42c829edf59568c44f1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\46aff647ac1d30bbd6338c5b00a0f6df59b8928958bde42c829edf59568c44f1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\46aff647ac1d30bbd6338c5b00a0f6df59b8928958bde42c829edf59568c44f1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\46aff647ac1d30bbd6338c5b00a0f6df59b8928958bde42c829edf59568c44f1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\46aff647ac1d30bbd6338c5b00a0f6df59b8928958bde42c829edf59568c44f1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\46aff647ac1d30bbd6338c5b00a0f6df59b8928958bde42c829edf59568c44f1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\46aff647ac1d30bbd6338c5b00a0f6df59b8928958bde42c829edf59568c44f1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\46aff647ac1d30bbd6338c5b00a0f6df59b8928958bde42c829edf59568c44f1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\46aff647ac1d30bbd6338c5b00a0f6df59b8928958bde42c829edf59568c44f1.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\46aff647ac1d30bbd6338c5b00a0f6df59b8928958bde42c829edf59568c44f1.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\46aff647ac1d30bbd6338c5b00a0f6df59b8928958bde42c829edf59568c44f1.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1932 wrote to memory of 4752 N/A C:\Users\Admin\AppData\Local\Temp\46aff647ac1d30bbd6338c5b00a0f6df59b8928958bde42c829edf59568c44f1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1932 wrote to memory of 4752 N/A C:\Users\Admin\AppData\Local\Temp\46aff647ac1d30bbd6338c5b00a0f6df59b8928958bde42c829edf59568c44f1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1932 wrote to memory of 4752 N/A C:\Users\Admin\AppData\Local\Temp\46aff647ac1d30bbd6338c5b00a0f6df59b8928958bde42c829edf59568c44f1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3100 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\46aff647ac1d30bbd6338c5b00a0f6df59b8928958bde42c829edf59568c44f1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3100 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\46aff647ac1d30bbd6338c5b00a0f6df59b8928958bde42c829edf59568c44f1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3100 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\46aff647ac1d30bbd6338c5b00a0f6df59b8928958bde42c829edf59568c44f1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3100 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\46aff647ac1d30bbd6338c5b00a0f6df59b8928958bde42c829edf59568c44f1.exe C:\Windows\system32\cmd.exe
PID 3100 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\46aff647ac1d30bbd6338c5b00a0f6df59b8928958bde42c829edf59568c44f1.exe C:\Windows\system32\cmd.exe
PID 2020 wrote to memory of 3320 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2020 wrote to memory of 3320 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3100 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\46aff647ac1d30bbd6338c5b00a0f6df59b8928958bde42c829edf59568c44f1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3100 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\46aff647ac1d30bbd6338c5b00a0f6df59b8928958bde42c829edf59568c44f1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3100 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\46aff647ac1d30bbd6338c5b00a0f6df59b8928958bde42c829edf59568c44f1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3100 wrote to memory of 2132 N/A C:\Users\Admin\AppData\Local\Temp\46aff647ac1d30bbd6338c5b00a0f6df59b8928958bde42c829edf59568c44f1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3100 wrote to memory of 2132 N/A C:\Users\Admin\AppData\Local\Temp\46aff647ac1d30bbd6338c5b00a0f6df59b8928958bde42c829edf59568c44f1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3100 wrote to memory of 2132 N/A C:\Users\Admin\AppData\Local\Temp\46aff647ac1d30bbd6338c5b00a0f6df59b8928958bde42c829edf59568c44f1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3100 wrote to memory of 1456 N/A C:\Users\Admin\AppData\Local\Temp\46aff647ac1d30bbd6338c5b00a0f6df59b8928958bde42c829edf59568c44f1.exe C:\Windows\rss\csrss.exe
PID 3100 wrote to memory of 1456 N/A C:\Users\Admin\AppData\Local\Temp\46aff647ac1d30bbd6338c5b00a0f6df59b8928958bde42c829edf59568c44f1.exe C:\Windows\rss\csrss.exe
PID 3100 wrote to memory of 1456 N/A C:\Users\Admin\AppData\Local\Temp\46aff647ac1d30bbd6338c5b00a0f6df59b8928958bde42c829edf59568c44f1.exe C:\Windows\rss\csrss.exe
PID 1456 wrote to memory of 1460 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1456 wrote to memory of 1460 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1456 wrote to memory of 1460 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1456 wrote to memory of 2292 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1456 wrote to memory of 2292 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1456 wrote to memory of 2292 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1456 wrote to memory of 3292 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1456 wrote to memory of 3292 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1456 wrote to memory of 3292 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1456 wrote to memory of 2296 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 1456 wrote to memory of 2296 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 4268 wrote to memory of 3944 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 4268 wrote to memory of 3944 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 4268 wrote to memory of 3944 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 3944 wrote to memory of 2360 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 3944 wrote to memory of 2360 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 3944 wrote to memory of 2360 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\46aff647ac1d30bbd6338c5b00a0f6df59b8928958bde42c829edf59568c44f1.exe

"C:\Users\Admin\AppData\Local\Temp\46aff647ac1d30bbd6338c5b00a0f6df59b8928958bde42c829edf59568c44f1.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\46aff647ac1d30bbd6338c5b00a0f6df59b8928958bde42c829edf59568c44f1.exe

"C:\Users\Admin\AppData\Local\Temp\46aff647ac1d30bbd6338c5b00a0f6df59b8928958bde42c829edf59568c44f1.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 3ded9103-d062-4911-982b-7abda7b76972.uuid.dumperstats.org udp
US 8.8.8.8:53 server12.dumperstats.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 74.125.250.129:19302 stun.l.google.com udp
BG 185.82.216.111:443 server12.dumperstats.org tcp
US 104.21.94.82:443 carsalessystem.com tcp
US 8.8.8.8:53 82.94.21.104.in-addr.arpa udp
BG 185.82.216.111:443 server12.dumperstats.org tcp
BG 185.82.216.111:443 server12.dumperstats.org tcp
N/A 127.0.0.1:31465 tcp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ksdhj3mw.ti0.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 d0c46cad6c0778401e21910bd6b56b70
SHA1 7be418951ea96326aca445b8dfe449b2bfa0dca6
SHA256 9600b3fdf0565ccb49e21656aa4b24d7c18f776bfd04d9ee984b134707550f02
SHA512 057531b468f7fbbb2175a696a8aab274dec0d17d9f71df309edcff35e064f3378050066a3df47ccd03048fac461594ec75e3d4fe64f9dd79949d129f51e02949

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 6bd029d1ffa3306bf4377bd454381e34
SHA1 81db8ddaedade16f17e473c30a3a70aad79076f0
SHA256 83c96b77fa39228e2f143572e86a69c20589fd2f57c7911be7f7d74f3165e5af
SHA512 f25902540c2b2e50dd9f5f6cf22f01f42ef77c42e52beeb3597e30b2f6fb3ecad7018a4a654dce7de7207344ccf98b776179a237b277631d71e378a9d6948e4f

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 4ec04f8ce891a64b86e2baeeb98ad158
SHA1 006d0f859d235752fc1bfcba0bb5d8dc25ee63d5
SHA256 299af16b65f2238b4772fed8f36edf38aa4090bb85002e9b382c43757cbc8afc
SHA512 e1d5002a2d356fbf8fcfaff5fc2359b76b37259db4a205ff427e43ee7dd09b9ea8ee934f9977534381fa7b125b4cee27dc4b323699076c31ec740fc01adadf45

C:\Windows\rss\csrss.exe

MD5 d616be058a31d75ba1d247d434f2ff79
SHA1 2242dcdb4d5c12d95555297adfc3735a45d4db94
SHA256 46aff647ac1d30bbd6338c5b00a0f6df59b8928958bde42c829edf59568c44f1
SHA512 1dd88cd847a7c66b972bf8230e732d11bfcc0b53fd60696cd3319da0fce7d02f8196095e8bb6e688627db66618d84d899286f54ca6af210d61b323743753d822

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 cb8d36f726a535999458a1278c3ad67a
SHA1 e61c9e961813bd7e57256946c286fbbb7b6940b7
SHA256 fa606ab4d15f932649f5c28e062b0058dd630825e1c3eb0fb65811bdbe29bcf8
SHA512 9deadf1bf317d28876b48d504d782833b156cd94f4fb15ade7a182da6162338a2622ff4a7f8409e6b8052d2948ebafb968a49f8949c7c9b808af93b47f67def6

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 859b026559119f3cf39c7670bc77e6fa
SHA1 5fb25d5626e69f0a3d3b61aa6fd73ced4c89b307
SHA256 dbc18b3b37aee5f0e62e23148df8625bdabea03610e47d5b33ec792cd831a3bd
SHA512 87c5dd0b6bdb534b1d3f940c1d0223854d6712634969cecc1211390d899d6bb8cfc23d4ca81e1fdd980cf8e97fed4294a783266cc476940132e63ff63a6c1c11

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 df0031685d9c03e6e16ace9db0f7c932
SHA1 5b29980b11fe9d329a1c8f10d7059e4b4a140c83
SHA256 4499c8c18940b8ef843012b24cbb28d64b9be7ad2f4932908f5257765ab44188
SHA512 79dec5c0b4d4373f1d80c5d7b580d1931cce5ba2d5e483a44c868b6d5065359541ce3a535f42f82f9a7d2a2dea258a5ee302b63bf3082996190e1087ac624082

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec
