Malware Analysis Report

2025-08-06 03:33

Sample ID 240419-rdatnafb4w
Target 4297d32428b0bbdb7d3efcbd39e58bda78359a6f7f456fe8758140560bec889b
SHA256 4297d32428b0bbdb7d3efcbd39e58bda78359a6f7f456fe8758140560bec889b
Tags
glupteba discovery dropper evasion loader persistence rootkit upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

4297d32428b0bbdb7d3efcbd39e58bda78359a6f7f456fe8758140560bec889b

Threat Level: Known bad

The file 4297d32428b0bbdb7d3efcbd39e58bda78359a6f7f456fe8758140560bec889b was found to be: Known bad.

Malicious Activity Summary

glupteba discovery dropper evasion loader persistence rootkit upx

Glupteba

Glupteba payload

Modifies Windows Firewall

Executes dropped EXE

UPX packed file

Checks installed software on the system

Manipulates WinMonFS driver.

Adds Run key to start application

Drops file in System32 directory

Checks for VirtualBox DLLs, possible anti-VM trick

Drops file in Windows directory

Launches sc.exe

Program crash

Uses Task Scheduler COM API

Modifies data under HKEY_USERS

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-19 14:04

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-19 14:04

Reported

2024-04-19 14:06

Platform

win10v2004-20240412-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4297d32428b0bbdb7d3efcbd39e58bda78359a6f7f456fe8758140560bec889b.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Modifies Windows Firewall

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\netsh.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\rss\csrss.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Windows\windefender.exe | N/A
N/A | N/A | C:\Windows\windefender.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Users\Admin\AppData\Local\Temp\4297d32428b0bbdb7d3efcbd39e58bda78359a6f7f456fe8758140560bec889b.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Windows\rss\csrss.exe | N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description | Indicator | Process | Target
File opened for modification | \??\WinMonFS | C:\Windows\rss\csrss.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description | Indicator | Process | Target
File opened (read-only) | \??\VBoxMiniRdrDN | C:\Users\Admin\AppData\Local\Temp\4297d32428b0bbdb7d3efcbd39e58bda78359a6f7f456fe8758140560bec889b.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\rss | C:\Users\Admin\AppData\Local\Temp\4297d32428b0bbdb7d3efcbd39e58bda78359a6f7f456fe8758140560bec889b.exe | N/A
File created | C:\Windows\rss\csrss.exe | C:\Users\Admin\AppData\Local\Temp\4297d32428b0bbdb7d3efcbd39e58bda78359a6f7f456fe8758140560bec889b.exe | N/A
File created | C:\Windows\windefender.exe | C:\Windows\rss\csrss.exe | N/A
File opened for modification | C:\Windows\windefender.exe | C:\Windows\rss\csrss.exe | N/A

Launches sc.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A
N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A

Modifies data under HKEY_USERS

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-31 = "Mid-Atlantic Daylight Time" | C:\Users\Admin\AppData\Local\Temp\4297d32428b0bbdb7d3efcbd39e58bda78359a6f7f456fe8758140560bec889b.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2432 = "Cuba Standard Time" | C:\Users\Admin\AppData\Local\Temp\4297d32428b0bbdb7d3efcbd39e58bda78359a6f7f456fe8758140560bec889b.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-262 = "GMT Standard Time" | C:\Users\Admin\AppData\Local\Temp\4297d32428b0bbdb7d3efcbd39e58bda78359a6f7f456fe8758140560bec889b.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1472 = "Magadan Standard Time" | C:\Users\Admin\AppData\Local\Temp\4297d32428b0bbdb7d3efcbd39e58bda78359a6f7f456fe8758140560bec889b.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-382 = "South Africa Standard Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-732 = "Fiji Standard Time" | C:\Users\Admin\AppData\Local\Temp\4297d32428b0bbdb7d3efcbd39e58bda78359a6f7f456fe8758140560bec889b.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-152 = "Central America Standard Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-441 = "Arabian Daylight Time" | C:\Users\Admin\AppData\Local\Temp\4297d32428b0bbdb7d3efcbd39e58bda78359a6f7f456fe8758140560bec889b.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2061 = "North Korea Daylight Time" | C:\Users\Admin\AppData\Local\Temp\4297d32428b0bbdb7d3efcbd39e58bda78359a6f7f456fe8758140560bec889b.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-771 = "Montevideo Daylight Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2451 = "Saint Pierre Daylight Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-365 = "Middle East Standard Time" | C:\Users\Admin\AppData\Local\Temp\4297d32428b0bbdb7d3efcbd39e58bda78359a6f7f456fe8758140560bec889b.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2322 = "Sakhalin Standard Time" | C:\Users\Admin\AppData\Local\Temp\4297d32428b0bbdb7d3efcbd39e58bda78359a6f7f456fe8758140560bec889b.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-842 = "Argentina Standard Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2492 = "Aus Central W. Standard Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2002 = "Cabo Verde Standard Time" | C:\Users\Admin\AppData\Local\Temp\4297d32428b0bbdb7d3efcbd39e58bda78359a6f7f456fe8758140560bec889b.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-631 = "Tokyo Daylight Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-392 = "Arab Standard Time" | C:\Users\Admin\AppData\Local\Temp\4297d32428b0bbdb7d3efcbd39e58bda78359a6f7f456fe8758140560bec889b.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-91 = "Pacific SA Daylight Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2491 = "Aus Central W. Daylight Time" | C:\Users\Admin\AppData\Local\Temp\4297d32428b0bbdb7d3efcbd39e58bda78359a6f7f456fe8758140560bec889b.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1662 = "Bahia Standard Time" | C:\Users\Admin\AppData\Local\Temp\4297d32428b0bbdb7d3efcbd39e58bda78359a6f7f456fe8758140560bec889b.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-742 = "New Zealand Standard Time" | C:\Users\Admin\AppData\Local\Temp\4297d32428b0bbdb7d3efcbd39e58bda78359a6f7f456fe8758140560bec889b.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-301 = "Romance Daylight Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-3142 = "South Sudan Standard Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-81 = "Atlantic Daylight Time" | C:\Users\Admin\AppData\Local\Temp\4297d32428b0bbdb7d3efcbd39e58bda78359a6f7f456fe8758140560bec889b.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-41 = "E. South America Daylight Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-692 = "Tasmania Standard Time" | C:\Users\Admin\AppData\Local\Temp\4297d32428b0bbdb7d3efcbd39e58bda78359a6f7f456fe8758140560bec889b.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2591 = "Tocantins Daylight Time" | C:\Users\Admin\AppData\Local\Temp\4297d32428b0bbdb7d3efcbd39e58bda78359a6f7f456fe8758140560bec889b.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-452 = "Caucasus Standard Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1021 = "Bangladesh Daylight Time" | C:\Users\Admin\AppData\Local\Temp\4297d32428b0bbdb7d3efcbd39e58bda78359a6f7f456fe8758140560bec889b.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-721 = "Central Pacific Daylight Time" | C:\Users\Admin\AppData\Local\Temp\4297d32428b0bbdb7d3efcbd39e58bda78359a6f7f456fe8758140560bec889b.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2632 = "Norfolk Standard Time" | C:\Users\Admin\AppData\Local\Temp\4297d32428b0bbdb7d3efcbd39e58bda78359a6f7f456fe8758140560bec889b.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2321 = "Sakhalin Daylight Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-242 = "Samoa Standard Time" | C:\Windows\windefender.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1022 = "Bangladesh Standard Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2431 = "Cuba Daylight Time" | C:\Users\Admin\AppData\Local\Temp\4297d32428b0bbdb7d3efcbd39e58bda78359a6f7f456fe8758140560bec889b.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-622 = "Korea Standard Time" | C:\Users\Admin\AppData\Local\Temp\4297d32428b0bbdb7d3efcbd39e58bda78359a6f7f456fe8758140560bec889b.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2321 = "Sakhalin Daylight Time" | C:\Users\Admin\AppData\Local\Temp\4297d32428b0bbdb7d3efcbd39e58bda78359a6f7f456fe8758140560bec889b.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-171 = "Central Daylight Time (Mexico)" | C:\Windows\windefender.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4297d32428b0bbdb7d3efcbd39e58bda78359a6f7f456fe8758140560bec889b.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4297d32428b0bbdb7d3efcbd39e58bda78359a6f7f456fe8758140560bec889b.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4297d32428b0bbdb7d3efcbd39e58bda78359a6f7f456fe8758140560bec889b.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4297d32428b0bbdb7d3efcbd39e58bda78359a6f7f456fe8758140560bec889b.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4297d32428b0bbdb7d3efcbd39e58bda78359a6f7f456fe8758140560bec889b.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4297d32428b0bbdb7d3efcbd39e58bda78359a6f7f456fe8758140560bec889b.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4297d32428b0bbdb7d3efcbd39e58bda78359a6f7f456fe8758140560bec889b.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4297d32428b0bbdb7d3efcbd39e58bda78359a6f7f456fe8758140560bec889b.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4297d32428b0bbdb7d3efcbd39e58bda78359a6f7f456fe8758140560bec889b.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4297d32428b0bbdb7d3efcbd39e58bda78359a6f7f456fe8758140560bec889b.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4297d32428b0bbdb7d3efcbd39e58bda78359a6f7f456fe8758140560bec889b.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4297d32428b0bbdb7d3efcbd39e58bda78359a6f7f456fe8758140560bec889b.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Windows\rss\csrss.exe | N/A
N/A | N/A | C:\Windows\rss\csrss.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Windows\rss\csrss.exe | N/A
N/A | N/A | C:\Windows\rss\csrss.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Windows\rss\csrss.exe | N/A
N/A | N/A | C:\Windows\rss\csrss.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\4297d32428b0bbdb7d3efcbd39e58bda78359a6f7f456fe8758140560bec889b.exe | N/A
Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\4297d32428b0bbdb7d3efcbd39e58bda78359a6f7f456fe8758140560bec889b.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\rss\csrss.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\sc.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\sc.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1124 wrote to memory of 4832 | N/A | C:\Users\Admin\AppData\Local\Temp\4297d32428b0bbdb7d3efcbd39e58bda78359a6f7f456fe8758140560bec889b.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1124 wrote to memory of 4832 | N/A | C:\Users\Admin\AppData\Local\Temp\4297d32428b0bbdb7d3efcbd39e58bda78359a6f7f456fe8758140560bec889b.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1124 wrote to memory of 4832 | N/A | C:\Users\Admin\AppData\Local\Temp\4297d32428b0bbdb7d3efcbd39e58bda78359a6f7f456fe8758140560bec889b.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5008 wrote to memory of 4656 | N/A | C:\Users\Admin\AppData\Local\Temp\4297d32428b0bbdb7d3efcbd39e58bda78359a6f7f456fe8758140560bec889b.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5008 wrote to memory of 4656 | N/A | C:\Users\Admin\AppData\Local\Temp\4297d32428b0bbdb7d3efcbd39e58bda78359a6f7f456fe8758140560bec889b.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5008 wrote to memory of 4656 | N/A | C:\Users\Admin\AppData\Local\Temp\4297d32428b0bbdb7d3efcbd39e58bda78359a6f7f456fe8758140560bec889b.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5008 wrote to memory of 4496 | N/A | C:\Users\Admin\AppData\Local\Temp\4297d32428b0bbdb7d3efcbd39e58bda78359a6f7f456fe8758140560bec889b.exe | C:\Windows\system32\cmd.exe
PID 5008 wrote to memory of 4496 | N/A | C:\Users\Admin\AppData\Local\Temp\4297d32428b0bbdb7d3efcbd39e58bda78359a6f7f456fe8758140560bec889b.exe | C:\Windows\system32\cmd.exe
PID 4496 wrote to memory of 1920 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\netsh.exe
PID 4496 wrote to memory of 1920 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\netsh.exe
PID 5008 wrote to memory of 4812 | N/A | C:\Users\Admin\AppData\Local\Temp\4297d32428b0bbdb7d3efcbd39e58bda78359a6f7f456fe8758140560bec889b.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5008 wrote to memory of 4812 | N/A | C:\Users\Admin\AppData\Local\Temp\4297d32428b0bbdb7d3efcbd39e58bda78359a6f7f456fe8758140560bec889b.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5008 wrote to memory of 4812 | N/A | C:\Users\Admin\AppData\Local\Temp\4297d32428b0bbdb7d3efcbd39e58bda78359a6f7f456fe8758140560bec889b.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5008 wrote to memory of 1860 | N/A | C:\Users\Admin\AppData\Local\Temp\4297d32428b0bbdb7d3efcbd39e58bda78359a6f7f456fe8758140560bec889b.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5008 wrote to memory of 1860 | N/A | C:\Users\Admin\AppData\Local\Temp\4297d32428b0bbdb7d3efcbd39e58bda78359a6f7f456fe8758140560bec889b.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5008 wrote to memory of 1860 | N/A | C:\Users\Admin\AppData\Local\Temp\4297d32428b0bbdb7d3efcbd39e58bda78359a6f7f456fe8758140560bec889b.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5008 wrote to memory of 2832 | N/A | C:\Users\Admin\AppData\Local\Temp\4297d32428b0bbdb7d3efcbd39e58bda78359a6f7f456fe8758140560bec889b.exe | C:\Windows\rss\csrss.exe
PID 5008 wrote to memory of 2832 | N/A | C:\Users\Admin\AppData\Local\Temp\4297d32428b0bbdb7d3efcbd39e58bda78359a6f7f456fe8758140560bec889b.exe | C:\Windows\rss\csrss.exe
PID 5008 wrote to memory of 2832 | N/A | C:\Users\Admin\AppData\Local\Temp\4297d32428b0bbdb7d3efcbd39e58bda78359a6f7f456fe8758140560bec889b.exe | C:\Windows\rss\csrss.exe
PID 2832 wrote to memory of 1884 | N/A | C:\Windows\rss\csrss.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2832 wrote to memory of 1884 | N/A | C:\Windows\rss\csrss.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2832 wrote to memory of 1884 | N/A | C:\Windows\rss\csrss.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2832 wrote to memory of 548 | N/A | C:\Windows\rss\csrss.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2832 wrote to memory of 548 | N/A | C:\Windows\rss\csrss.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2832 wrote to memory of 548 | N/A | C:\Windows\rss\csrss.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2832 wrote to memory of 464 | N/A | C:\Windows\rss\csrss.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2832 wrote to memory of 464 | N/A | C:\Windows\rss\csrss.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2832 wrote to memory of 464 | N/A | C:\Windows\rss\csrss.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2832 wrote to memory of 1220 | N/A | C:\Windows\rss\csrss.exe | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 2832 wrote to memory of 1220 | N/A | C:\Windows\rss\csrss.exe | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 4300 wrote to memory of 3568 | N/A | C:\Windows\windefender.exe | C:\Windows\SysWOW64\cmd.exe
PID 4300 wrote to memory of 3568 | N/A | C:\Windows\windefender.exe | C:\Windows\SysWOW64\cmd.exe
PID 4300 wrote to memory of 3568 | N/A | C:\Windows\windefender.exe | C:\Windows\SysWOW64\cmd.exe
PID 3568 wrote to memory of 1068 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\sc.exe
PID 3568 wrote to memory of 1068 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\sc.exe
PID 3568 wrote to memory of 1068 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\4297d32428b0bbdb7d3efcbd39e58bda78359a6f7f456fe8758140560bec889b.exe

"C:\Users\Admin\AppData\Local\Temp\4297d32428b0bbdb7d3efcbd39e58bda78359a6f7f456fe8758140560bec889b.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\4297d32428b0bbdb7d3efcbd39e58bda78359a6f7f456fe8758140560bec889b.exe

"C:\Users\Admin\AppData\Local\Temp\4297d32428b0bbdb7d3efcbd39e58bda78359a6f7f456fe8758140560bec889b.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network


Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jdlgy441.0m3.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 a23f3a3436be67651701a9dad9074c28
SHA1 2e88a023a0b1b3fd66a2ba79377cc2c8a706e522
SHA256 5568d7e3fdf077c16e0be4158fbb50463032c5eda25b64f3906b1e419a7dc3e8
SHA512 c88f0f5550cce56b1b3fe9cd4cfce92e6a778fe75d2231400a99470e68aedc0a84b970ca334f8ff936704dad15c89fb9439d3827bfe6e738e23d8406b5f161a5

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 bc198db7059f91c3a370db720fd72e6c
SHA1 eea397f0f5c295458926ace995460bcb36384dd8
SHA256 4c410743f9a2e803502017a83acb365db4cb5484f81b159949a15180142e5d8d
SHA512 b42bb21b408a19cfe20b133d614ca620a23760c474fa4e66f1273bbfaf71cc42b232e31200ba68b9dba1a5f900b004120eb63354565eba3fe51a0bd0541908af

C:\Windows\rss\csrss.exe

MD5 87c0283fa05fc8944128eeb59baff711
SHA1 a6a14767ea1b83fd2c9d9eed73d47ce11a8a5a56
SHA256 4297d32428b0bbdb7d3efcbd39e58bda78359a6f7f456fe8758140560bec889b
SHA512 5edc5a2cec74696bca82f6900e02510ccb7b7ad1eafab7db0437f5c231260d3559e83cc63d37d5910b16d2cbfd2ace7da280dfe6dfd82d10b695050c60eb714e

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 10dc3154071ee65dc4915ff8632decd5
SHA1 6ae5529fe1572ab31258300f6cbb8d1ef8a8753a
SHA256 b716b6054024ca377094e54c253d8ce2577f682c47355e9b3ca944b8556c2cd9
SHA512 eed82d029664ea0f76d83cc8733b2110481c59a96b95decad48265760502ac230f3e28c3cf7fab2181c7a60f03cf8c1937c0de4a1a42ea172b6aafad087907b9

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 5fd57cec112bfa4c0590c8449b1c4a75
SHA1 3d2c59c712467a6e12681861946aa5c8929cccdc
SHA256 4766f548dad351635f788f02430b6c6318cace77bcda18fa78f5db92f77cc007
SHA512 31bdb541e45d92f04df94bd983ffb1f1f64421d056633a9245312db4ff3cedd73f322808f54072bbcaf4bab9bda5b6d7544727e25bef62e0f97b24c2ef2570bf

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 42d220a539d6b129d31bacf95df90fca
SHA1 42a9d511303db6c7a526dffba08bbc4857de9e22
SHA256 6aa021bf87eb6ee2544305d242e3fb5331aaed2c287e7959aede46b555ff923a
SHA512 1ad1998fa462a76ecce198e28b1476378cfbf4a92d791cb80064630502cff57fa17e250042e7f2566c599a1f1b2b9fdf2c57454443b3689033b22e2d56cc8c07

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-19 14:04

Reported

2024-04-19 14:06

Platform

win11-20240412-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4297d32428b0bbdb7d3efcbd39e58bda78359a6f7f456fe8758140560bec889b.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\4297d32428b0bbdb7d3efcbd39e58bda78359a6f7f456fe8758140560bec889b.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\4297d32428b0bbdb7d3efcbd39e58bda78359a6f7f456fe8758140560bec889b.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\4297d32428b0bbdb7d3efcbd39e58bda78359a6f7f456fe8758140560bec889b.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\4297d32428b0bbdb7d3efcbd39e58bda78359a6f7f456fe8758140560bec889b.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-112 = "Eastern Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2612 = "Bougainville Standard Time" C:\Users\Admin\AppData\Local\Temp\4297d32428b0bbdb7d3efcbd39e58bda78359a6f7f456fe8758140560bec889b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-572 = "China Standard Time" C:\Users\Admin\AppData\Local\Temp\4297d32428b0bbdb7d3efcbd39e58bda78359a6f7f456fe8758140560bec889b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-182 = "Mountain Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\4297d32428b0bbdb7d3efcbd39e58bda78359a6f7f456fe8758140560bec889b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-182 = "Mountain Standard Time (Mexico)" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2941 = "Sao Tome Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-132 = "US Eastern Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1831 = "Russia TZ 2 Daylight Time" C:\Users\Admin\AppData\Local\Temp\4297d32428b0bbdb7d3efcbd39e58bda78359a6f7f456fe8758140560bec889b.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2492 = "Aus Central W. Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1802 = "Line Islands Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-892 = "Morocco Standard Time" C:\Users\Admin\AppData\Local\Temp\4297d32428b0bbdb7d3efcbd39e58bda78359a6f7f456fe8758140560bec889b.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-81 = "Atlantic Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2161 = "Altai Daylight Time" C:\Users\Admin\AppData\Local\Temp\4297d32428b0bbdb7d3efcbd39e58bda78359a6f7f456fe8758140560bec889b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-281 = "Central Europe Daylight Time" C:\Users\Admin\AppData\Local\Temp\4297d32428b0bbdb7d3efcbd39e58bda78359a6f7f456fe8758140560bec889b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-342 = "Egypt Standard Time" C:\Users\Admin\AppData\Local\Temp\4297d32428b0bbdb7d3efcbd39e58bda78359a6f7f456fe8758140560bec889b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-261 = "GMT Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-602 = "Taipei Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-632 = "Tokyo Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-562 = "SE Asia Standard Time" C:\Users\Admin\AppData\Local\Temp\4297d32428b0bbdb7d3efcbd39e58bda78359a6f7f456fe8758140560bec889b.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-351 = "FLE Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-384 = "Namibia Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1872 = "Russia TZ 7 Standard Time" C:\Users\Admin\AppData\Local\Temp\4297d32428b0bbdb7d3efcbd39e58bda78359a6f7f456fe8758140560bec889b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-3142 = "South Sudan Standard Time" C:\Users\Admin\AppData\Local\Temp\4297d32428b0bbdb7d3efcbd39e58bda78359a6f7f456fe8758140560bec889b.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2572 = "Turks and Caicos Standard Time" C:\Users\Admin\AppData\Local\Temp\4297d32428b0bbdb7d3efcbd39e58bda78359a6f7f456fe8758140560bec889b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-202 = "US Mountain Standard Time" C:\Users\Admin\AppData\Local\Temp\4297d32428b0bbdb7d3efcbd39e58bda78359a6f7f456fe8758140560bec889b.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2491 = "Aus Central W. Daylight Time" C:\Users\Admin\AppData\Local\Temp\4297d32428b0bbdb7d3efcbd39e58bda78359a6f7f456fe8758140560bec889b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2001 = "Cabo Verde Daylight Time" C:\Users\Admin\AppData\Local\Temp\4297d32428b0bbdb7d3efcbd39e58bda78359a6f7f456fe8758140560bec889b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-621 = "Korea Daylight Time" C:\Users\Admin\AppData\Local\Temp\4297d32428b0bbdb7d3efcbd39e58bda78359a6f7f456fe8758140560bec889b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-292 = "Central European Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2141 = "Transbaikal Daylight Time" C:\Users\Admin\AppData\Local\Temp\4297d32428b0bbdb7d3efcbd39e58bda78359a6f7f456fe8758140560bec889b.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2892 = "Sudan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-932 = "Coordinated Universal Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-435 = "Georgian Standard Time" C:\Users\Admin\AppData\Local\Temp\4297d32428b0bbdb7d3efcbd39e58bda78359a6f7f456fe8758140560bec889b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1412 = "Syria Standard Time" C:\Users\Admin\AppData\Local\Temp\4297d32428b0bbdb7d3efcbd39e58bda78359a6f7f456fe8758140560bec889b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-631 = "Tokyo Daylight Time" C:\Users\Admin\AppData\Local\Temp\4297d32428b0bbdb7d3efcbd39e58bda78359a6f7f456fe8758140560bec889b.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1872 = "Russia TZ 7 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-601 = "Taipei Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2792 = "Novosibirsk Standard Time" C:\Users\Admin\AppData\Local\Temp\4297d32428b0bbdb7d3efcbd39e58bda78359a6f7f456fe8758140560bec889b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2892 = "Sudan Standard Time" C:\Users\Admin\AppData\Local\Temp\4297d32428b0bbdb7d3efcbd39e58bda78359a6f7f456fe8758140560bec889b.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-192 = "Mountain Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-432 = "Iran Standard Time" C:\Users\Admin\AppData\Local\Temp\4297d32428b0bbdb7d3efcbd39e58bda78359a6f7f456fe8758140560bec889b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2872 = "Magallanes Standard Time" C:\Users\Admin\AppData\Local\Temp\4297d32428b0bbdb7d3efcbd39e58bda78359a6f7f456fe8758140560bec889b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-32 = "Mid-Atlantic Standard Time" C:\Users\Admin\AppData\Local\Temp\4297d32428b0bbdb7d3efcbd39e58bda78359a6f7f456fe8758140560bec889b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-692 = "Tasmania Standard Time" C:\Windows\windefender.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-571 = "China Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2412 = "Marquesas Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2042 = "Eastern Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\4297d32428b0bbdb7d3efcbd39e58bda78359a6f7f456fe8758140560bec889b.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4297d32428b0bbdb7d3efcbd39e58bda78359a6f7f456fe8758140560bec889b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4297d32428b0bbdb7d3efcbd39e58bda78359a6f7f456fe8758140560bec889b.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\4297d32428b0bbdb7d3efcbd39e58bda78359a6f7f456fe8758140560bec889b.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1556 wrote to memory of 1136 N/A C:\Users\Admin\AppData\Local\Temp\4297d32428b0bbdb7d3efcbd39e58bda78359a6f7f456fe8758140560bec889b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1556 wrote to memory of 1136 N/A C:\Users\Admin\AppData\Local\Temp\4297d32428b0bbdb7d3efcbd39e58bda78359a6f7f456fe8758140560bec889b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1556 wrote to memory of 1136 N/A C:\Users\Admin\AppData\Local\Temp\4297d32428b0bbdb7d3efcbd39e58bda78359a6f7f456fe8758140560bec889b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5052 wrote to memory of 1752 N/A C:\Users\Admin\AppData\Local\Temp\4297d32428b0bbdb7d3efcbd39e58bda78359a6f7f456fe8758140560bec889b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5052 wrote to memory of 1752 N/A C:\Users\Admin\AppData\Local\Temp\4297d32428b0bbdb7d3efcbd39e58bda78359a6f7f456fe8758140560bec889b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5052 wrote to memory of 1752 N/A C:\Users\Admin\AppData\Local\Temp\4297d32428b0bbdb7d3efcbd39e58bda78359a6f7f456fe8758140560bec889b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5052 wrote to memory of 3928 N/A C:\Users\Admin\AppData\Local\Temp\4297d32428b0bbdb7d3efcbd39e58bda78359a6f7f456fe8758140560bec889b.exe C:\Windows\system32\cmd.exe
PID 5052 wrote to memory of 3928 N/A C:\Users\Admin\AppData\Local\Temp\4297d32428b0bbdb7d3efcbd39e58bda78359a6f7f456fe8758140560bec889b.exe C:\Windows\system32\cmd.exe
PID 3928 wrote to memory of 1196 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3928 wrote to memory of 1196 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 5052 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Local\Temp\4297d32428b0bbdb7d3efcbd39e58bda78359a6f7f456fe8758140560bec889b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5052 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Local\Temp\4297d32428b0bbdb7d3efcbd39e58bda78359a6f7f456fe8758140560bec889b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5052 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Local\Temp\4297d32428b0bbdb7d3efcbd39e58bda78359a6f7f456fe8758140560bec889b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5052 wrote to memory of 4312 N/A C:\Users\Admin\AppData\Local\Temp\4297d32428b0bbdb7d3efcbd39e58bda78359a6f7f456fe8758140560bec889b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5052 wrote to memory of 4312 N/A C:\Users\Admin\AppData\Local\Temp\4297d32428b0bbdb7d3efcbd39e58bda78359a6f7f456fe8758140560bec889b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5052 wrote to memory of 4312 N/A C:\Users\Admin\AppData\Local\Temp\4297d32428b0bbdb7d3efcbd39e58bda78359a6f7f456fe8758140560bec889b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5052 wrote to memory of 1864 N/A C:\Users\Admin\AppData\Local\Temp\4297d32428b0bbdb7d3efcbd39e58bda78359a6f7f456fe8758140560bec889b.exe C:\Windows\rss\csrss.exe
PID 5052 wrote to memory of 1864 N/A C:\Users\Admin\AppData\Local\Temp\4297d32428b0bbdb7d3efcbd39e58bda78359a6f7f456fe8758140560bec889b.exe C:\Windows\rss\csrss.exe
PID 5052 wrote to memory of 1864 N/A C:\Users\Admin\AppData\Local\Temp\4297d32428b0bbdb7d3efcbd39e58bda78359a6f7f456fe8758140560bec889b.exe C:\Windows\rss\csrss.exe
PID 1864 wrote to memory of 2828 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1864 wrote to memory of 2828 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1864 wrote to memory of 2828 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1864 wrote to memory of 2556 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1864 wrote to memory of 2556 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1864 wrote to memory of 2556 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1864 wrote to memory of 3064 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1864 wrote to memory of 3064 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1864 wrote to memory of 3064 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1864 wrote to memory of 3928 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 1864 wrote to memory of 3928 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 4988 wrote to memory of 3352 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 4988 wrote to memory of 3352 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 4988 wrote to memory of 3352 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 3352 wrote to memory of 4032 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 3352 wrote to memory of 4032 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 3352 wrote to memory of 4032 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\4297d32428b0bbdb7d3efcbd39e58bda78359a6f7f456fe8758140560bec889b.exe

"C:\Users\Admin\AppData\Local\Temp\4297d32428b0bbdb7d3efcbd39e58bda78359a6f7f456fe8758140560bec889b.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 1136 -ip 1136

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1136 -s 2412

C:\Users\Admin\AppData\Local\Temp\4297d32428b0bbdb7d3efcbd39e58bda78359a6f7f456fe8758140560bec889b.exe

"C:\Users\Admin\AppData\Local\Temp\4297d32428b0bbdb7d3efcbd39e58bda78359a6f7f456fe8758140560bec889b.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 67d587a7-4cf7-415a-981b-84aed1172419.uuid.myfastupdate.org udp
US 8.8.8.8:53 server14.myfastupdate.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.129.233:443 cdn.discordapp.com tcp
BE 172.253.120.127:19302 stun1.l.google.com udp
BG 185.82.216.111:443 server14.myfastupdate.org tcp
US 104.21.94.82:443 carsalessystem.com tcp
BG 185.82.216.111:443 server14.myfastupdate.org tcp
BG 185.82.216.111:443 server14.myfastupdate.org tcp
IE 52.111.236.22:443 tcp
BG 185.82.216.111:443 server14.myfastupdate.org tcp
N/A 127.0.0.1:31465 tcp

Files

memory/1556-1-0x0000000003C80000-0x0000000004083000-memory.dmp

memory/1556-2-0x0000000004090000-0x000000000497B000-memory.dmp

memory/1556-3-0x0000000000400000-0x0000000001DFD000-memory.dmp

memory/1136-4-0x0000000003300000-0x0000000003336000-memory.dmp

memory/1136-5-0x00000000740A0000-0x0000000074851000-memory.dmp

memory/1136-7-0x0000000002F60000-0x0000000002F70000-memory.dmp

memory/1136-6-0x0000000005AB0000-0x00000000060DA000-memory.dmp

memory/1136-8-0x0000000002F60000-0x0000000002F70000-memory.dmp

memory/1136-9-0x00000000059F0000-0x0000000005A12000-memory.dmp

memory/1136-10-0x00000000060E0000-0x0000000006146000-memory.dmp

memory/1136-11-0x0000000006150000-0x00000000061B6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hbfwtgq1.pgc.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1136-20-0x0000000006280000-0x00000000065D7000-memory.dmp

memory/1136-21-0x00000000067B0000-0x00000000067CE000-memory.dmp

memory/1136-22-0x0000000006850000-0x000000000689C000-memory.dmp

memory/1136-23-0x0000000007930000-0x0000000007976000-memory.dmp

memory/1136-24-0x000000007FC80000-0x000000007FC90000-memory.dmp

memory/1136-26-0x0000000070310000-0x000000007035C000-memory.dmp

memory/1136-25-0x0000000007C60000-0x0000000007C94000-memory.dmp

memory/1136-27-0x00000000704B0000-0x0000000070807000-memory.dmp

memory/1136-36-0x0000000007CA0000-0x0000000007CBE000-memory.dmp

memory/1136-37-0x0000000007CC0000-0x0000000007D64000-memory.dmp

memory/1136-38-0x0000000008430000-0x0000000008AAA000-memory.dmp

memory/1136-39-0x0000000007DF0000-0x0000000007E0A000-memory.dmp

memory/1136-40-0x0000000007E30000-0x0000000007E3A000-memory.dmp

memory/1136-41-0x00000000740A0000-0x0000000074851000-memory.dmp

memory/5052-43-0x0000000003B20000-0x0000000003F23000-memory.dmp

memory/5052-44-0x0000000000400000-0x0000000001DFD000-memory.dmp

memory/1556-45-0x0000000003C80000-0x0000000004083000-memory.dmp

memory/1752-46-0x00000000740A0000-0x0000000074851000-memory.dmp

memory/1752-47-0x0000000004BD0000-0x0000000004BE0000-memory.dmp

memory/1752-48-0x0000000005840000-0x0000000005B97000-memory.dmp

memory/1752-57-0x0000000070310000-0x000000007035C000-memory.dmp

memory/1752-58-0x0000000070560000-0x00000000708B7000-memory.dmp

memory/1556-67-0x0000000000400000-0x0000000001DFD000-memory.dmp

memory/1752-69-0x0000000006EA0000-0x0000000006F44000-memory.dmp

memory/1752-70-0x0000000004BD0000-0x0000000004BE0000-memory.dmp

memory/1752-68-0x000000007EF20000-0x000000007EF30000-memory.dmp

memory/1752-71-0x00000000072C0000-0x0000000007356000-memory.dmp

memory/1752-72-0x00000000071E0000-0x00000000071F1000-memory.dmp

memory/1752-73-0x0000000007220000-0x000000000722E000-memory.dmp

memory/1752-74-0x0000000007230000-0x0000000007245000-memory.dmp

memory/1752-75-0x0000000007270000-0x000000000728A000-memory.dmp

memory/1752-76-0x0000000007290000-0x0000000007298000-memory.dmp

memory/1752-79-0x00000000740A0000-0x0000000074851000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 d0c46cad6c0778401e21910bd6b56b70
SHA1 7be418951ea96326aca445b8dfe449b2bfa0dca6
SHA256 9600b3fdf0565ccb49e21656aa4b24d7c18f776bfd04d9ee984b134707550f02
SHA512 057531b468f7fbbb2175a696a8aab274dec0d17d9f71df309edcff35e064f3378050066a3df47ccd03048fac461594ec75e3d4fe64f9dd79949d129f51e02949

memory/2136-81-0x00000000740A0000-0x0000000074851000-memory.dmp

memory/2136-82-0x00000000053C0000-0x00000000053D0000-memory.dmp

memory/2136-83-0x00000000053C0000-0x00000000053D0000-memory.dmp

memory/2136-84-0x0000000006070000-0x00000000063C7000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 cae997a66df219bd4adf5bd82a538ba1
SHA1 983edcc4dc6dce320b83c57931971193b8c489a9
SHA256 ffac5043a38ce3baa9c8e7ef47125a8588a2762ac37f11191a4306c3624247a1
SHA512 b8eb790778177fd12b917748f3b6139522f8349156c5a5384d90627988706caf0a850e96b551a5d5c560faa894c77bce2d5070e3fcad6bba60f1ec76bad8c5b7

memory/2136-95-0x0000000070580000-0x00000000708D7000-memory.dmp

memory/2136-94-0x0000000070310000-0x000000007035C000-memory.dmp

memory/5052-104-0x0000000003B20000-0x0000000003F23000-memory.dmp

memory/2136-105-0x00000000053C0000-0x00000000053D0000-memory.dmp

memory/2136-107-0x00000000740A0000-0x0000000074851000-memory.dmp

memory/4312-109-0x00000000740A0000-0x0000000074851000-memory.dmp

memory/4312-110-0x0000000004800000-0x0000000004810000-memory.dmp

memory/4312-119-0x0000000005770000-0x0000000005AC7000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 f977b28d5efb37f1a66c8f8a2ff8c8ce
SHA1 650db722d10c765e0b709bff2cab764177bcf473
SHA256 54aecc0c1b3c6b292466017b2e4c2edc8f79ab9410421001beff6aa3045828f9
SHA512 69d62a5ab5fbf350ec6bb4bea15639968976c3290c2f17aa70cac78561dddc27e9b9d07fc3900392f02f4b5741ce9a00d47f468255ebae213dfad08956b30969

memory/4312-122-0x0000000070490000-0x00000000707E7000-memory.dmp

memory/4312-121-0x0000000070310000-0x000000007035C000-memory.dmp

memory/5052-131-0x0000000000400000-0x0000000001DFD000-memory.dmp

memory/4312-132-0x000000007FAB0000-0x000000007FAC0000-memory.dmp

memory/4312-133-0x0000000004800000-0x0000000004810000-memory.dmp

memory/4312-134-0x0000000004800000-0x0000000004810000-memory.dmp

memory/4312-136-0x00000000740A0000-0x0000000074851000-memory.dmp

C:\Windows\rss\csrss.exe (same SHA256 as the submitted sample: the dropper copies itself to this path)

MD5 87c0283fa05fc8944128eeb59baff711
SHA1 a6a14767ea1b83fd2c9d9eed73d47ce11a8a5a56
SHA256 4297d32428b0bbdb7d3efcbd39e58bda78359a6f7f456fe8758140560bec889b
SHA512 5edc5a2cec74696bca82f6900e02510ccb7b7ad1eafab7db0437f5c231260d3559e83cc63d37d5910b16d2cbfd2ace7da280dfe6dfd82d10b695050c60eb714e

memory/5052-140-0x0000000000400000-0x0000000001DFD000-memory.dmp

memory/1864-143-0x0000000003D00000-0x0000000004100000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 6a571a51c376004ed4923a9c753c5c43
SHA1 605ab4ccbda95641633b289eb5c7058d62ae3c27
SHA256 a4dca8f787847bc6dbdd594610fc87f4e463623d2e5b16c3e0754282d5e0c6ee
SHA512 6419a65df5e81eab7584f8b69b2baf3ddb6c28f01c39095cc934f14c5466f271ee4a5ff9ab1c049aed49d03500a3670528ce0a2f2e115541c14d78188ecc0ac5

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 ccb39a51b7c56673639c00a8af87e7ce
SHA1 fc67074b00793547f59bb6a8c9df54fe838ce058
SHA256 b9862e627e945571e87853209fb20fa74dfd712df1d4f3cf96cd70b131efe1de
SHA512 2f1b0465001011cb38056b443ccf23ab7ac92d053a0bf974a0502b981eb93c5d4eb9ab57f686aaa7033afda9f1464dcbdf75cf4f9c42c1ef13de1bdd7bc25bf5

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 176857728e20e9d65fca71c450717f95
SHA1 73d4d9b87d31d52c7935a89438471a82123bf2d9
SHA256 823cccf576d791ee83026e3dfe79b1dcd25a5c3ad85ab16f28a03134aed93073
SHA512 b1226a9eecfd9af63716d77d4268389361369fe6d1064252ad05b2d96e105323206663b4a236f7ad08c9a48c56b9af3a2c0f22c6ed50fcabf9d152444b834a63

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/1864-231-0x0000000000400000-0x0000000001DFD000-memory.dmp

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/4988-238-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/1864-241-0x0000000000400000-0x0000000001DFD000-memory.dmp

memory/2296-243-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/1864-244-0x0000000000400000-0x0000000001DFD000-memory.dmp

memory/1864-247-0x0000000000400000-0x0000000001DFD000-memory.dmp

memory/2296-249-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/1864-250-0x0000000000400000-0x0000000001DFD000-memory.dmp

memory/1864-253-0x0000000000400000-0x0000000001DFD000-memory.dmp

memory/1864-256-0x0000000000400000-0x0000000001DFD000-memory.dmp

memory/1864-259-0x0000000000400000-0x0000000001DFD000-memory.dmp

memory/1864-262-0x0000000000400000-0x0000000001DFD000-memory.dmp

memory/1864-265-0x0000000000400000-0x0000000001DFD000-memory.dmp

memory/1864-268-0x0000000000400000-0x0000000001DFD000-memory.dmp

memory/1864-271-0x0000000000400000-0x0000000001DFD000-memory.dmp

memory/1864-274-0x0000000000400000-0x0000000001DFD000-memory.dmp